The Next Big Thing in Identity Security: Identity Fabrics
Identity Security & Identity Fabrics
Identity security seems simple enough – make sure people are who they claim they are and give them privileges to access the applications and assets they need, nothing more. But there is a problem with this: it’s called “identity sprawl.” What used to be a fairly straightforward function – managing identities for employees in a disconnected on-premises environment – has become extremely complex, with the introduction of connected and cloud computing, and the proliferation of identities brought about primarily through digital transformation and a diaspora of unmanaged corporate identities.
As a result, today, security teams are charged with managing identities across hybrid, connected environments, and they must do so not only for employees, but also for customers, partners, and every machine connected to the enterprise. And they also must do so across multiple clouds, each of which is its own “identity silo” with unique requirements. In parallel, identity security has been slower to advance than other security functions. Since threat actors look for the weakest link, it is no surprise that they focus on identity-based attacks, such as phishing, credential stuffing, and social engineering.
This notion of identity silos also makes it very difficult to discern where identity risk may appear. For example, if a corporate user has compromised private credentials, they are at risk if they are reusing credentials across accounts. Likewise, over-privileged accounts that are compromised lead to lateral movement of threat actors, granting them access to places where even the legitimate credential holder should not be allowed.
The rise of identity-based attacks has become untenable for organizations, which has caused the rise of a new paradigm in identity security: identity fabrics.
Understanding Identity Fabrics
The first thing to understand about an identity fabric is that it is not a product or platform, and no single vendor sells a one-size-fits-all solution. Instead, it is a larger “system of systems” that composes a greater fabric and enables organizations to manage identities in a way that is risk-aware and allows for zero trust security principles to take root.
The idea of “perimeter security” is well understood. But after years of investment and development around this notion, information security leaders are waking up to the fact that identity is the last and only perimeter that matters. This means that after years of downplaying identity as a security risk – and trying to manage it with platforms and point solutions – security leaders are now rethinking identity beyond the product level. They understand that managing identities is a basic and important process – part of everything we do in cyberspace, including making sure the machines on which we rely are who they say they are.
The other thing to understand about identity fabrics is they are an evolution, not a revolution. There’s no such thing as deploying a new identity fabric. They are achieved by deploying compatible technologies in incremental steps, usually with existing infrastructure, as the fabric gradually unfurls to different use cases. And, since all organizations have different identity requirements, no two organizations have identical identity fabrics.
Where to Start
Deploying an identity fabric is a strategic undertaking and should be treated as such. The problem historically with identity security is that solutions are thought of in terms of products rather than processes. Ultimately, identity management is a constantly changing process that no single platform can accommodate. This is one of the reasons why the typical large enterprise owns three (or more) identity and access management (IAM) systems. For example, they may own IAM products from Microsoft, a separate cloud offering and a PKI solution.
Adopting an “identity first” approach to security means realizing that identity sits at the root of modern security problems and taking steps to accommodate that. It also means shifting the understanding of identity from IAM systems to IAM processes. To accomplish this, IAM systems themselves must be able to interoperate and become part of a greater system. This is true for all identity security systems in the ecosystem and other security tools – they must be able to share all kinds of data, but especially risk data, as the basis of a greater identity fabric. Sharing risk data across systems and controls should be the first test of a functioning identity fabric.
The identity fabric’s core, then, is a set of modular IAM applications united through integrations that come from a composable tooling strategy. This provides a layer of abstraction above all tools and applications and makes it much simpler to swap out tools, since nothing is hard-wired or standalone.
Take Action Now
To take an identity-first security approach in your organization, you need to take the following five steps:
- The first step of assessing your identity fabric is to take inventory of the security infrastructure and tools you have and to understand if any alteration needs to be made to ease the integration process.
- Prioritize your identity and authentication tools from a business value perspective. Ask: “What’s the impact if our primary IDP – Okta or MS – is compromised?” and “What’s the impact if that system is not breached, but can be compromised through untracked risks?”
- Prioritize, align, and prepare to integrate your XDR solutions: these are capable of visualizing risks, but typically “event-based” risks rather than identity-based risks.
- Unify identities: Many organizations have machine identities (endpoints, servers, cloud machines, workloads, and containers) sitting with IT operations while human identities are managed through the security department. Identity fabrics normalize identity assessment through the language and lens of risk, and to do that they need to have line-of-sight into all identities – human, machine, on-prem, cloud, internal, external, etc.
- Connect teams: Often IAM is seen as an “operational” unit, with little upward communication of risk or business impact. Connect IAM and the identity fabric strategy to SOC teams, to SIEM/SOAR teams, and to GRC efforts to optimize efforts. To illustrate why this is necessary, provide examples of overlooked identity risks that have led to compromise in your segment.
With identity security becoming such a challenge for organizations, the time has come for identity fabrics.