As IoT and RPA generate more digital identities to be managed, regional organizations need to secure more than just login credentials

Globally, identity management has evolved over the years. Once primarily serving governance and compliance purposes, identity security today forms a core pillar in most cybersecurity frameworks.

The industry is also expected to grow at a compounded annual growth rate of 14.5% by 2028, with the Asia Pacific (APAC) region predicted to register the fastest growth.

However, growth in this sector cannot overcome sub-optimal corporate mindsets about digital identity security, according to Chern-Yue Boey, Senior Vice President (Asia-Pacific), SailPoint, in an interview with the CybersecAsia.net editorial team…


CybersecAsia: Can you share some key trends in the global and APAC aspects of the identity security industry?

Chern-Yue Boey (CYB): Factors driving the growth of the regional and global identity security sector include pandemic-driven workforce transformation and digital transformation, which means identity security platforms need to have the ability to integrate across hybrid environments and different types of work-from-anywhere devices.

Increasingly, with the accelerated adoption of cloud computing, security priorities have shifted from being device-centric to identity-focused across both on-premises and cloud environments. Additionally:

    • The drive for greater efficiency has also resulted in the workforce being increasingly augmented by non-human identities such as robotic process automation and IoT systems. Hence, with more connected devices and more identities than ever before, identity and access management have become incrementally critical, and organizations must ensure all identities are managed with a modern identity security solution that incorporates AI and ML.
    • With the above trends, the zero trust paradigm is no longer a buzzword: it has become a necessity. Therefore, an identity-centric approach to a zero trust model should be at the center of an organization’s security infrastructure.

One can no longer trust a user simply by whether they are part of an organization or by the password they enter into the login prompt. It is essential to look at user attributes and behavior patterns to understand who is trying to gain access, how they are gaining access, and what they do with that access.   

CybersecAsia: What are some myths and misconceptions about identity security that threat actors take advantage of?

CYB: A key common misconception is associating identity only with access management practices such as SSO (Single Sign-On) or MFA (Multi-factor Authentication).

This view of identity security is only one aspect of the full picture. Authentication helps to verify the identity of people trying to gain access, but this process does not include cross-checks to determine if access to resources is allowed and/or if it adheres to access policies. SSO and MFA cannot be used to manage or govern which information within a resource a user can see or touch, and this is becoming increasingly important as stricter data privacy regulations require organizations to safeguard sensitive data.

This is where identity security helps complete the picture. The concept allows for granting, securing, and managing access based on the ‘principle of least privilege’ to restrict permissions based on job function and user role.

Another misconception is that IT departments should be responsible for identity security. This is actually a business risk, so business owners must take ownership of identity security as they are best placed to define and enforce policies and controls that minimize access risks. IT/cybersecurity teams can support these efforts, but they cannot own the process. Therefore, businesses can consider automation to streamline identity processes, ease the burden on IT/cybersecurity and facilitate efficient, cross-organization workflows.

Also, identity security is about more than just gaining access: it gives context to everything an employee, partner, supplier or contractor does within the entire enterprise infrastructure. It involves setting up and defining user roles and creating policies used to govern access throughout the digital identity’s lifecycle.

When identity security is not at the core of an organization’s overall cybersecurity strategy, threat actors will find a way to break in.

CybersecAsia: What are the benefits of a holistic solution to identity security that can guarantee staying ahead of the security curve?

CYB: With the evolving threat landscape and cyber criminals being quick to exploit any vulnerabilities, enterprises must look beyond merely granting user access. From a holistic viewpoint, identity solutions must also be able to seamlessly integrate across existing systems and workflows to provide a critical singular view into all identities and their access rights. 

IT teams today are seeing an increase in the number of users, applications and data in a variety of operating environments. A holistic and future-proof identity security solution will require enterprises to steer away from manual processes and instead leverage AI and ML-based identity solutions that are also less prone to human error.

By leveraging AI and ML in their holistic identity security processes, organizations can automate the discovery, management, and control of all user access, and provide users with the right access to the right resources at the right time.

To protect the business at scale and ensure compliance, enterprises should employ a comprehensive, integrated and automated identity security platform across hybrid and multi-cloud environments, remote-working scenarios and multiple devices. Also, they should keep policies up to date as the organization evolves, and preempt threats instead of reacting to them.

CybersecAsia thanks Chern-Yue for sharing his insights on managing identity security holistically.