What should be at the core of an organization’s cybersecurity in the cloud era? Obviously not your firewall…

As organizations actively embrace the cloud, the threat landscape is also evolving as the attack surface broadens exponentially.

CybersecAsia draws insights from Serkan Cetin, Technical Director, APJ, One Identity, on how security should not be focused on deterrence such as firewalls. Instead, the focus should be on identity as the key component of businesses’ defense in the cloud era.

What are the industry challenges and trends for cloud security?

Cetin: As enterprises’ operations expand to the multi-cloud, they are faced with an evolved set of IAM considerations to address the growing number of possible threats. Identity & access management is one of the most critical areas of cloud security: as the traditional perimeter does not exist anymore, identity becomes the new perimeter.

With cloud adoption growing, effective IAM is more important than ever as the first line of defense for a company. It is also essential that IAM solutions are able to support on-premise, cloud and hybrid cloud environments to cater for companies in different stages of adoption, and different requirements to support their businesses.

Having the right approach to IAM (one in which identity is placed at the center of security) can ensure the right people in an enterprise have the appropriate access to different resources. In that case, security should not solely focus on firewalls and deterrence; identity access management should be one of the key components of businesses’ defense.

How can we ensure that data is accessible to only those with the right credentials and access rights?

Cetin: To ensure that data is accessible to those with the right credentials, large organizations need an Identity Governance and Administration (IGA) platform to facilitate the correct access to applications and to data.

Organizations need to ensure security, control access and enforce policies, whilst providing end users with the access they need and ability to obtain additional access as and when required. IGA solutions do provide these capabilities to organizations through both least-privilege access to only provide the essential access needed, and also the access request and fulfilment capability for any additional access needed.

A common challenge organizations face is understanding what level of access is actually required by the business users. By implementing an IGA solution, organizations can benefit from the role engineering and role mining features which can then enable them to define role-based access control models from both a top-down and bottom-up structure.

A traditional problem in many organizations is that IAM technologies are commonly kept in their own silos and focus on administering, securing, and governing a collection of individual accounts rather than a unified and centralized identity. This approach has left a gap and a blind spot in not being able to correctly identify the risk of a user’s access rights.

An approach that combines both IGA and Privileged Access Management is necessary in order to ensure only those with the right entitlements and access rights have access to data and systems, and also to identify and manage any risk with assigned privileges and access rights to privileged credentials.

We live in a rapidly changing world where new technologies are quickly emerging, and organizations are fast adopting these new technologies to support their businesses. In order to support this change, organizations will need to regularly test and evaluate their policies and processes and seek an approach that maximizes unification, automation, and visibility.

How effective are IAM and PAM as the core of an organization’s cloud security strategies?

Cetin: With cloud adoption growing, effective IGA and PAM are more important than ever as the first line of defense for a company. Protecting the traditional network boundaries and perimeters is no longer adequate as organizations move towards adopting cloud technologies.

Identity has effectively become the new perimeter in being able to ensure that only those who are authorized and permitted are able to access applications and data, whether it is on-premise or in the cloud. It is essential that IGA and PAM solutions are able to support hybrid environments where users, applications and data reside on-premise and in the cloud, as this is the reality for many organizations today. 

An effective IGA and PAM approach for today’s organizations with hybrid environments should include the same security, visibility, and control that has long been the staple of on-premise environments, but coupled with the agility, flexibility, and convenience of cloud delivery.

A business-centric, identity-centered, automated, modular, integrated and data-driven approach will allow security to become a true enabler of business innovation. An IAM approach which is built upon these 5 points is able to provide organizations the security and governance controls required to protect users and data, the automation of tasks and processes to speed processes and provide efficiencies, and allow for the organization to adapt to business user requirements and allow business users to obtain access to applications and data when they need it, whilst ensuring it is provided securely.

As a result, organizations are not only secure but also more agile.

How should enterprises deal with IAM and PAM when working with partners, suppliers and customers as the supply chain goes digital?

Cetin: Quest’s Digital Transformation Security Global Survey found that 97% of respondents said they are investing in digital technologies to transform their business. However, this transformation carries a unique set of risks and security challenges.

Enterprises must take into consideration corporate access from personal devices, managing cloud and hybrid cloud environments, shadow IT and securing IoT devices, all of which provide a gateway into valuable company data and resources. IAM solutions are robust, flexible, and integrated so that they can support and protect the entire range of platforms and technologies.

With the growth of BYOD and the growing network of partners, suppliers and customers, enterprises are adopting solutions such as single sign-on and two-factor authentication to provide access to these users. But it all comes down to user access, and only a universal provisioning/governance solution can truly address those needs across the evolving environment. IAM programs need to be able to cater to and support the needs for managing and securing various identity types, including employees, partners, suppliers, customers and things.

IAM deployments are multi-phase projects that touch every part of an enterprise. Customers’ involvement and active participation, especially executive sponsorships, are critical success factors for any IAM deployment.