Identity today looks much different than it used to; in fact, even the nomenclature has changed. The security disciplines that used to reside within traditional categories like Identity and Access Management (IAM) have greatly expanded in scope and now fall within the broader umbrella of Identity Security. Two security practitioners, Elizabeth Butwin Mann (Cybersecurity Leader) and Mike Towers (Chief Security & Trust Officer, Veza) discuss the implications of the now-massive scope of identity security practices for businesses operating in multi-cloud environments (as well as the role of AI in securing access to data) in Veza’s latest episode of the Identity Radicals podcast.
The evolution of identity disciplines
In this episode, our two speakers explore how modern technology is impacting identity security, as well as the evolving role of identity governance in the cloud. For example, IAM used to be a discipline related to office automation. Traditional IT teams were most concerned with things like unique identifiers, while managing an access landscape much smaller than what we see today. The proliferation of access has pivoted IAM from being a back-office management of basic access to a complex battle against excess privilege amongst all identities, human and non-human alike.
This shift in scope for IT and security teams is even reflected in the common organizational debate about where identity “belongs” within the business. “Identity used to be a Service Desk problem,” says Towers. “Now identity is the biggest attack vector and it’s more of a business problem,” as well as a completely different security discipline.
A privileged identity today is like Willy Wonka’s golden ticket for an attacker. Identity is right in the bulls eye of cyberthreat.
Elizabeth Butwin Mann
With the rapid adoption of the cloud, organizations are facing significant challenges in their attempt to manage access across multiple cloud platforms. Why? Because, the cloud is another location for resources that security teams need to manage. However, unlike the on-prem and corporate application management practices of the past, the scope of managing cloud access is astronomical. There are more data, more identities, more applications and more access relationships than ever before, often in undisclosed locations. It is challenging to know where our corporate assets are when anyone can provision an environment in minutes.
If, for example, an organization has privileged identities who also get access to cloud based services and applications, how does their access proliferate in those environments? And, how does the security team track this?
Now, imagine an employee leaves the organization. How does the security team offboard them and “undo” their access if they don’t even know they have it?
The adoption to Cloud simply means the network boundaries are gone and the scope of applications, data and access are much broader than they ever were.
Leveraging automation to manage cloud access
Automation has been a critical part of IAM and IGA for years, however, it’s important to analyze the differences between the automation of yesterday and that of modern practices. Security teams used to create automation through complex workflows, manual coding the access relationships that should result from an employee taking X action or receiving Y role (i.e. provisioning and deprovisioning)
When faced with the modern threat landscape, automation can be leveraged not only to perform the tedious tasks associated with practices like provisioning, but also to inform security teams about where to focus.
Automation is critical because of the scope. We can only do manual things when it’s small scale.
Elizabeth Butwin Mann
Compliance vs. risk
Due to the increasing complexity of identity security, practitioners must find a way to separate compliance from risk. Compliance is designed to help organizations implement rules that are supposed to support the safe progression of business. But, security teams cannot treat every issue with equal rigor; no department has unlimited resources. Therefore, a thoughtful, risk-first approach can help teams efficiently allocate resources and remain secure.
Maintaining security through mergers and acquisitions
Corporate transformation is the battlefield on which many security teams find themselves fighting through a slough of risky business decisions. Security teams are often looped in at the eleventh hour to evaluate transformative decisions and asked to work backward to patch any potential risk that could come from these business-oriented choices. This can often put the security team in the impossible position of selling why the benefits of increased security outweigh the efficiency of the decisions for which stakeholders have already given their support. Put simply, security teams will always be seen as “the bad guys that slow things down” when looped in at the end of a merger, acquisition or other form of corporate transformation.
However, our speakers argue that this dynamic should change. The “magic,” as Mann calls it, is getting security professionals invited to the table early to look at the transformative opportunities ahead. This gives them the opportunity to weave security into the fabric of the transformation and address risk as a part of the business evolution.
The role of AI in identity security
The variety of available AI and machine learning technologies provide organizations with immense flexibility and opportunity to advance their businesses while enabling the ever-elusive principle of least privilege.
Permissions accumulate over time, putting security teams in the difficult position of having to rein in access on an hourly basis. AI can empower organizations to achieve least privilege by showing security teams where access can be cut and providing recommendations based on access data. This technology can be especially impactful when leveraged to manage non-human identities (NHIs).
Non-human identities tend to be forgotten or missed. Security teams need a distinct and deliberate effort around identity security for those identities not associated with a human being.
If there was one thing an organization could do to reduce their risk, it would be to really know what the non human identities are in their organization, what they have access to and how frequently they get reviewed.
Elizabeth Butwin Mann
Learn more about this fascinating discussion between Elizabeth Butwin Mann (Cybersecurity Leader) and Mike Towers (Chief Security & Trust Officer, Veza) by watching the latest Identity Radicals episode on YouTube ➡️ Watch now!
Veza introduces Access AI
This month, Veza announced their new Access AI, bringing the power of generative AI to scale access visibility and control, leading at the frontier of identity security. Watch the demo below to learn how organizations use Access AI to get instant visibility into access across the enterprise to reduce risk, remain compliant, and make least privilege a reality. Click here to request early access to Access AI.
Want more identity-related content?
- Learn about the latest Intelligent Access book from co-authors Tarun Thakur (Co-Founder & CEO, Veza) and Mario Duarte (Former VP of Security, Snowflake) ➡️ Watch now!
- Explore strategies to secure access to Snowflake in A CISO’s Guide to Effective Access Control, authored by Veza’s Chief Security & Trust Officer, Mike Towers ➡️ Read now!
- Subscribe to the #IdentityRadicals podcast on YouTube to view more conversations with cybersecurity experts ➡️ Subscribe now!