One of the security trends starting to gain more traction in the wake of the COVID-19 pandemic is the long-overdue shift toward identity-centric approaches to cybersecurity. With more employees working from home, it’s quickly become apparent that there is a need for a more granular approach to controlling who is allowed to access which data and applications, as well as when and where.
A recent survey of 623 IT security leaders and 586 business decision-makers from the U.S., conducted by The Ponemon Institute on behalf of Code42, a provider of a platform for detecting data loss, notes that 59% of respondents expect insider threats will increase in the next two years. The primary reasons cited are that users have access to files they shouldn’t, that employees prefer to work the way they want regardless of security protocols, and that there is a continuing need to work from home.
Most organizations rely on a directory to control who should be able to access files and their associated applications. A separate survey of over 1,200 IT security professionals conducted by Dimensional Research on behalf of One Identity, a provider of access management tools, finds that nearly half of respondents (48%) said granting and revoking access privileges via Microsoft Active Directory (AD) and Azure Active Directory (AAD) has taken on greater significance since the start of the pandemic.
It’s now even possible to apply conditional access policies via a directory. Those policies would, for example, prevent end-users from remotely logging into applications using a device other than one that has been specifically sanctioned by IT.
The issue IT organizations will come to terms with is the degree to which extending directories will be sufficient. In an ideal world, every machine and piece of software running on those machines should have a unique identity. As part of a transition to a zero-trust security architecture, cybersecurity teams should be able to correlate at a glance who is using which machine and when.
Making the transition to that level of zero-trust security obviously will take time and money, both of which are in short supply. Most organizations will look to extend the identity management capabilities of existing directories as best they can. However, directories were never really intended to be security tools. They’ve been extended over time to add security capabilities. IT organizations need a more comprehensive approach to identity that spans people, machines, and software. Each element of an IT environment needs a unique identifier.
The good news is that more attention is starting to be paid to what zero-trust security actually means. The bad news is there’s not yet a lot of consensus on how best to go about achieving it. At the very least, however, there’s now a catchphrase around which IT professionals and business leaders can have a conversation. It’s now hard for most business executives to comprehend why implicit trust in this day and age is not a good thing. Many of them may even already be calling for zero-trust architectures without understanding what that really entails on a practical level.
Of course, it’s frustrating that it took a global pandemic to bring these zero-trust conversations about. However, as is always the case with security, it’s better to have these conversations late rather than never at all.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.