How to Create an Identity Strategy - Part 3: Assessing the Business Benefits of an Identity Strategy
In Part 3 of a three-part video series, CyberEdBoard member Andrew Abel, a cybersecurity and zero trust consultant, and Chase Cunningham, CSO at Ericom Software, describe the operational and business benefits of creating an identity strategy.
One of the key tenets of zero trust - a least-privilege approach to security in which users, devices, applications and transactions are continually verified - is operational simplicity. Abel recommends that organizations build identity strategies around a standard operational life cycle: provisioning, assignment of access and controls, modification of existing roles, governance, and suspension and offboarding, applied to human and non-human identities alike.
"Security should always be transparent and contextual," Abel says. "The user shouldn't even know they're being assessed continually or having security controls applied because it should never get in the way of doing what they were hired to do."
Proper planning is key to getting the most out of identity tools and will create numerous business benefits for the organization, he says.
"Find me a business that doesn’t want to reduce their risk or have more productivity or have more enabled users and be able to know what's going on and where it's going on within the organization," Cunningham says. "The value proposition for the approach is clearly evident."
In this video interview with Information Security Media Group, Abel and Cunningham discuss:
- Visualizing what human and nonhuman identities look like in an organizational context;
- The main operational benefits of an identity strategy to the organization;
- How to justify identity management projects by demonstrating the underlying business benefits.
Abel has over 25 years of experience in IT across a range of industries including finance, services, retail, resources and consulting. He has worked as a vendor and a customer in both Europe and Australia. Over the course of his career, he served in a variety of roles from support to administration, consulting and enterprise architecture, and IT and security strategy. He has deep expertise in zero trust planning and adoption with an emphasis on identity, devices and network controls.
Cunningham, aka the "Doctor of Zero Trust," shapes the strategic vision, road map and key partnerships at Ericom. He previously served as vice president and principal analyst at Forrester Research, providing strategic guidance on zero trust, artificial intelligence, machine learning and security architecture design for security leaders worldwide. Prior to Forrester, he was chief of cryptologic technologies at the U.S. National Security Agency, where he directed research and development of cyber entities to assess threat vectors, network forensics and methodologies of nefarious cyber actors across the intelligence enterprise.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
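The life cycle summarized above (provisioning, access and controls, modification of roles, governance, and suspension or offboarding), together with the points the speakers make in the interview below (a role change must replace rather than add entitlements, just-in-time elevation should never become standing privilege, and every identity needs an offboarding trigger from the day it is created), can be modelled as a small state machine. The following Python is an added example written for this page; it is not code from ISMG, the speakers, or any product. The role catalogue, identity names, entitlement strings and the helper names (provision, modify_role, copy_access_from, elevate, suspend, effective_access, govern, run_scenario) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue (an assumption for this example): a role is a fixed
# entitlement set, and non-human identities get roles exactly as people do.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger:read", "ledger:write"},
    "manufacturing-ops": {"mes:read", "mes:write"},
    "payroll-batch": {"hr:read", "ledger:write"},        # service identity role
    "etl-batch": {"warehouse:read", "warehouse:write"},  # service identity role
}

@dataclass
class Identity:
    name: str
    kind: str                    # "human" or "service"
    role: str
    offboard_at: datetime        # offboarding trigger, fixed when the identity is created
    entitlements: set = field(default_factory=set)
    elevated: dict = field(default_factory=dict)  # entitlement -> expiry of a JIT grant
    suspended: bool = False

def provision(name, kind, role, now, lifetime):
    """Provision from a standard role and set the offboarding trigger up front."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {role!r}")
    return Identity(name, kind, role, now + lifetime, set(ROLE_ENTITLEMENTS[role]))

def modify_role(ident, new_role):
    """Modify role: the new role's entitlements replace the old ones; nothing carries over."""
    ident.role = new_role
    ident.entitlements = set(ROLE_ENTITLEMENTS[new_role])

def copy_access_from(template, ident):
    """The shortcut the interview warns against: clone a colleague's rights on top of existing ones."""
    ident.entitlements |= template.entitlements

def elevate(ident, entitlement, now, ttl):
    """Just-in-time elevation: the grant carries an expiry instead of becoming standing privilege."""
    ident.elevated[entitlement] = now + ttl

def suspend(ident):
    """Suspension on a security flag: all access stops at once, pending investigation."""
    ident.suspended = True

def effective_access(ident, now):
    """What the identity can do right now: nothing if suspended or past its offboarding trigger."""
    if ident.suspended or now >= ident.offboard_at:
        return set()
    live = {e for e, expiry in ident.elevated.items() if expiry > now}
    return ident.entitlements | live

def govern(identities, now):
    """Continuous assessment pass: returns (name, finding) pairs and expires stale JIT grants."""
    findings = []
    for ident in identities:
        excess = ident.entitlements - ROLE_ENTITLEMENTS[ident.role]
        if excess:
            findings.append((ident.name, f"entitlements beyond role: {sorted(excess)}"))
        for e in [e for e, expiry in ident.elevated.items() if expiry <= now]:
            del ident.elevated[e]   # an expired grant is removed, not left standing
        if now >= ident.offboard_at and not ident.suspended:
            findings.append((ident.name, "past offboarding trigger but not suspended"))
    return findings

def run_scenario():
    """Walk two human and two service identities (constructed data) through the life cycle."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = provision("alice", "human", "finance-analyst", t0, timedelta(days=365))
    bob = provision("bob", "human", "manufacturing-ops", t0, timedelta(days=365))
    payroll = provision("payroll-batch-01", "service", "payroll-batch", t0, timedelta(days=90))
    etl = provision("etl-batch-01", "service", "etl-batch", t0, timedelta(days=90))
    everyone = [alice, bob, payroll, etl]
    t1 = t0 + timedelta(days=30)
    # Alice moves from finance to manufacturing; the ticket is late, so Bob's rights are copied.
    copy_access_from(bob, alice)
    cumulative = effective_access(alice, t1)      # finance plus manufacturing: the risk
    drift = govern(everyone, t1)                  # the governance pass catches it
    modify_role(alice, "manufacturing-ops")       # the proper path replaces, not adds
    after_modify = effective_access(alice, t1)
    # Bob gets one hour of ledger:write just in time; it expires on its own.
    elevate(bob, "ledger:write", t1, timedelta(hours=1))
    jit_during = effective_access(bob, t1 + timedelta(minutes=30))
    jit_after = effective_access(bob, t1 + timedelta(hours=2))
    # The payroll service identity is flagged and suspended: everything stops at once.
    suspend(payroll)
    suspended = effective_access(payroll, t1)
    # Day 100: the ETL identity's 90-day trigger has fired, and Bob's stale grant is cleaned up.
    findings = govern(everyone, t0 + timedelta(days=100))
    return {"cumulative": cumulative, "drift": drift, "after_modify": after_modify,
            "jit_during": jit_during, "jit_after": jit_after, "suspended": suspended,
            "findings": findings, "bob_elevated": dict(bob.elevated)}
```

Running run_scenario() shows the contrast the interview draws: copying a colleague's rights leaves alice holding both finance and manufacturing entitlements, and the governance pass reports it, whereas modify_role replaces the set. Bob's one-hour ledger:write grant is present at 30 minutes and gone at two hours, and the day-100 pass flags the service identity whose 90-day offboarding trigger was never acted on, while the suspended one is silent because its access already stopped.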
Anna Delaney: Hi, I'm Anna Delaney with ISMG. This is the final part of a three-part video series, which focuses on identities as assets and answers this question: What are the benefits of an identity strategy to the business? With me to expand on this are CyberEdBoard members Andrew Abel, cybersecurity and zero trust consultant based in Australia, and Chase Cunningham, CSO at Ericom Software. Great to have you back. In our previous video, you spoke about the future of identities. What should organizations be doing now to be best prepared for that future?
Andrew Abel: Yeah, that's right. I think that the main thing organizations can do now to set themselves up for success down the track with zero trust in the identity space is to start thinking about identities as no different to humans: non-human identities and humans have to be treated the same from an organizational, security and operational point of view. So, I put together a graphic that may be able to help with that. I'll just bring that up now. Everyone's familiar with the traditional view here; we've probably all seen these a million times for an organizational role. But what we've been talking about through the video series is to apply organizational roles to identities, not just to people, which was the traditional approach. So, where does that come into play? There are two major benefits to that. One is that you understand where all these non-human accounts sit in your overall organizational structure, which, in turn, helps you define what security controls need to be applied to them. For example, if this tower over here is the finance team, and all these people have access to finance information, the non-human identities that operate in that specific space within the organization can also have the same controls applied, and more unique ones for the specific process and outcome that they're associated with. So, I think that's the main initial goal: to get those non-human identities into your org structure and start applying roles and controls.
Chase Cunningham: I think that this is useful because I know I haven't seen a graphic like this yet, where someone said, "Here's an organizational structure, here's who does what. But, by the way, there's these other things that are identities and entities within that that you need to manage, as well." And it can get even bigger from this. It's a small picture of a small problem. But there's a lot of value in understanding that you're also responsible for all these other identities within the context of the organization. And if you think about a typical day at work, think about how many things that you touch or leverage or use that have those other accesses that you would need to take care of.
Delaney: Andrew, what are the main operational benefits of an identity strategy to the organization?
Abel: That's a great question. I drew a graphic. I think everyone, all of us in IT and in security, understands that the best projects are the ones that get built, get delivered, and are easy to operate. We've all seen situations where you either buy a platform or onboard a product or finish a project, and then six months later there's still an operational impact, and you're probably spending more to run the solution than you ever intended. So, the goal for anything, particularly identity, is to operate it in a lean, cost-effective manner. So, I drew two graphics that we'll go through here. The first is the simple identity life cycle: the normal approach is to provision an identity based on standard, repeatable processes. You assign your access and controls as a starting point for what it needs to have access to, because it's doing a certain thing, and again, that goes along with the organizational role that we covered in the previous slide. Then there's governance. We want to govern the activities of the identity, again with continuous assessment, which is one of the principles of zero trust, and which is the identity governance rather than the identity access management approach. So, it has to be a mix. You have to know what your identity is doing in real time, where possible. And then the fourth one, the conclusion of the simple life cycle, is the offboarding or the suspension. If there's a security incident or some flag on an identity, you want to suspend access to everything immediately until you can investigate. And then, every identity, when it's created, also needs to have a clear offboarding trigger as well, so that we don't get to a situation where we're spending money on auditing identities in the organization to work out what is safe, what each one is supposed to do, and whether it needs access to these resources and assets. So that's an important part.
The offboarding part is often one of the big misses, but it's definitely one of the keys to a good zero trust outcome. Chase, do you want to add anything to that one?
Cunningham: Number one: everybody likes simple. Simple's more manageable. Businesses do better with simple approaches to problems. So I think there's a lot of value in that, and the other piece to me that stands out is the piece about governance and then offboarding. That's where things go wrong. Like you were talking about, Andrew, anybody can provision accesses and accounts and whatever else. But the management of that, and making sure you have it in there, continuous assessment, is super critical. This is not one and done; this is going to have to continue to happen for the life of the business.
Abel: That's right. So, that's the simple life cycle. The idea is that it's easy to follow and operate. The only real change to move from simple to complex is that it's still the same (govern, access and controls, and provisioning), but there's the modify-role step as well. That's where you've got identities, or people, or all types of identities, and access requirements that change over time. Someone may move between departments. So if you've got good organizational roles and security controls defined, you've got to go back and revisit them, and those controls are contextual to the person's role in the organization. It's the same with server or non-human identities. If you make a change (and again, we talk about being outcome-focused, so if the non-human identity exists to complete business processes to achieve a specific outcome, and then that process changes or the outcome changes), you've got to shift those controls that sit over the top of that identity's operation, and then we get back to suspend and offboard. So the idea here is to keep that continuous assessment always happening, and that modification, so you don't over-provision people because you have no process. Someone's moving from the finance department to the manufacturing department; we'll just copy someone in manufacturing and give them those rights, so they get working, because we didn't get to this ticket in time. And now they've got cumulative privilege to finance and to manufacturing, and straight away you've introduced risk. So that's what it's about: keeping it simple, keeping it operable, keeping it lean, but also keeping it effective.
Cunningham: What fits in well here is that when you look at the structure of this approach, these vectored approaches make a lot of sense. And this, to me, is indicative of the fact that you need an application that will solve that problem for you. If you're doing this as one person on a spreadsheet by yourself trying to manage, that's five or seven pieces that you're trying to take care of at the speed and scale of business. Whereas if you're using a solution correctly, they're built for this type of process of one to two to three to four to five. That's what you want. So they do fit into this model.
Abel: And I think that's also a common mistake: people buy a platform, an AI or machine learning platform, and think it's going to do all the calculations for them. But you've got to put good info in to get good outcomes out. So you definitely use a platform, but you've got to structure and build it the right way, so that it's working for you and not creating more work down the track.
Delaney: So Andrew, looking at the broader business benefits, what are the broader business benefits when it comes down to the dollars invested?
Abel: One of the issues with zero trust is that you're not the only person in the queue looking to get a check signed, or looking for an investment, or looking for resource time, or all the other things that go into operating security or doing a zero trust project. So, you've got to be able to demonstrate the value and what the return for every dollar you put in is. I think specifically in the identity strategy, having a good identity strategy that's contextual to your operation, your organization, the skill levels and the security awareness within your organization supports a range of benefits to the business. So, you reduce risk, which everyone's about in the cybersecurity space. You drive productivity: security should always be transparent and contextual; the user shouldn't even know that they're being assessed continually or having security controls applied, because it should never get in the way of them doing what they're hired to do. And that touches on the enabled users as well. Let them do what they've got to do, but securely. And then privilege execution: set your just-in-time elevation processes, use platforms and products that support that, understand how long you want to assign privilege, and never leave standing privilege against an account. And then activity monitoring, which is a big part of zero trust more broadly, is to know what's going on, when it's going on, and what risk it's introducing.
Cunningham: There's a lot of business value that can be seen right here. There was a study, I think IBM published it, that said that an organization that had zero trust even partially in place saved itself about $2 million in the course of a response operation. So, $2 million is significant money to a lot of organizations. Looking here, find me a business that doesn't want to reduce its risk or have more productivity or have more enabled users, and be able to know what's going on and where it's going on within an organization. The value proposition here for the approach is evident. These are all business-specific things. And it's not even about security. This is about: if you do the right things in the context of enabling a security strategy, it benefits the business.
Abel: And I think that's also something I talk about a lot: the actual dollar, bottom-line benefits to an organization of taking a zero trust approach, because when you look at the amount of over-investment in minimal outcomes that organizations go through, you can see so much cost saving from putting in an effective strategy.
Delaney: Well, this has been an educational series. Thank you both for your time and insight. I do hope you found this useful. Please do check out the two previous parts of this video series. For ISMG, I'm Anna Delaney.