By Gal Helemski, Co-Founder and CTO/CPO at PlainID
“Data is the lifeblood of an organization.” The phrase has become something of a platitude in the security space, and it is hard to believe every organization truly upholds it. Yes, data is used to generate new ideas, inform decision-making, develop products faster, and much more, but without a solid data management strategy there is no guarantee it will be accessible, integrable or protected.
The threat landscape continues to evolve, yet many companies are stuck in the past, deploying a static solution that is difficult to maintain and increasingly complex to manage. Perimeter-based solutions, while they do provide some value, aren’t able to keep up with the growing complexity of the modern organization. They often require coding to make changes and are limited in the visibility they can provide.
Today, everyone is trying to solve the problem of what happens after credentials are compromised and a network is breached. The simplest approach is to minimize the attacker’s lateral movement until security teams are able to resolve the incident. Cybersecurity is a defensive mission, and a well-equipped team with smart security solutions can be the difference between a major cyber incident and a single alert.
We know now that smart security has to be “identity-aware.” And identity-aware security calls for a smart, dynamic Authorization solution. Authorization is the management, control and enforcement of the connections of identities to data, functions, and apps they can access.
Identity is a Prerequisite to Smart Security
Identity-aware security is often achieved with a Zero Trust architecture. Zero Trust has been studied rigorously over the last decade and, had it been implemented correctly (or at all), could have blunted many of the past years’ attacks. At the heart of a Zero Trust architecture is the ability to decide, per request, whether to grant, deny, or revoke access to a resource. That ideology is paramount in the modern work environment, where more companies are using data hubs such as cloud platforms to let employees work from anywhere. With data moving more fluidly among users inside and outside an organization, it is increasingly difficult to rely solely on traditional perimeter security. This rise in complexity is why smart, identity-first security will be a business necessity going forward.
One of the most significant benefits of Zero Trust is the ability to automate permission policies, which reduces human error and lowers risk exposure. It also gives security teams dynamic decision-making capabilities: access decisions can take risk signals into account and be made in real time, at the moment a user requests a resource.
A Word on Authorizations
What’s important to keep in mind, however, is Authorization: the link between the identity world and the security of the data itself.
There is a growing trend toward advanced data access controls that are identity-aware, dynamic, fine-grained and governed by policies. Data owners should treat identity-first security as part of their data access control strategy and research their options. This is crucial for securing the organization’s most important asset: its data.
Authorization vs. Authentication
Identity-first security can’t end at the gate. Identities and their access should be verified and controlled all the way to the data the user is accessing. Security in the digital world eventually relies on who can access what. The “who” are the identities, and the “what” is mostly the data that must be protected. Authentication handles the “who,” and Authorization takes care of the “what they can access.” Both are equally important at all levels of access.
Consider the airport analogy: initial access to the terminal is open to everyone, with very few controls. To proceed, however, the traveler must present a verified ID. To reach the gate, they need a ticket in addition to the verified ID, and once on the plane, they must sit in their own seat. Every step forward demands stronger control, combining who they are with what they can access. Having access to the terminal doesn’t mean they can board any plane, and boarding a plane doesn’t mean they can sit anywhere they’d like.
The same idea should be implemented in the digital world: combine authentication and authorization, and enforce progressively more granular controls the closer a user gets to the data.
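As an added illustration of the layered model above (this is example code written for this page, not PlainID’s product or any real policy engine), the following Python sketch makes one authorization decision in three stages that mirror the analogy: a verified identity (the ID check), a role that entitles the identity to the application (the ticket), and fine-grained rules on the data itself (the seat) that combine identity attributes, resource attributes and a runtime risk signal. The application names, roles, attributes, risk score and masking rules are all hypothetical; the decision is deny-by-default and the same dataset yields a different view depending on who is asking.

```python
"""Layered, attribute-based authorization check (added example, hypothetical policy)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    subject: str
    department: str
    roles: frozenset
    authenticated: bool = True   # outcome of the authentication step ("who")
    mfa: bool = False            # whether a second factor was presented


@dataclass(frozen=True)
class Context:
    risk_score: int = 0          # 0 (low) .. 100 (high); hypothetical signal from a risk engine
    network: str = "corp"        # "corp" or "public"


@dataclass(frozen=True)
class Resource:
    app: str
    dataset: str
    owner_department: str
    classification: str          # "internal" or "restricted"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    stage: str                   # layer that produced the decision
    reason: str
    masked_fields: frozenset = frozenset()


# Hypothetical entitlements: which roles may enter which application (the "ticket").
APP_ROLES = {
    "payroll": {"payroll-admin", "hr-analyst"},
    "crm": {"sales", "sales-manager"},
}


def authorize(identity: Identity, action: str, resource: Resource, ctx: Context) -> Decision:
    """Decide whether `identity` may perform `action` on `resource`, deny-by-default."""
    # Stage 1, the ID check: nothing past the terminal without a verified identity.
    if not identity.authenticated:
        return Decision(False, "authentication", "identity not verified")

    # Stage 2, the gate: the identity needs a role entitled to this application.
    if not (identity.roles & APP_ROLES.get(resource.app, set())):
        return Decision(False, "application", f"no role grants access to app {resource.app!r}")

    # Stage 3, the seat: fine-grained, dynamic rules on the data itself.
    if resource.classification == "restricted":
        if not identity.mfa:
            return Decision(False, "data", "restricted data requires MFA")
        if ctx.risk_score >= 70:
            return Decision(False, "data", f"risk score {ctx.risk_score} too high for restricted data")
        if action == "write" and ctx.network != "corp":
            return Decision(False, "data", "writes to restricted data only from the corporate network")

    # Same dataset, different view: identities outside the owning department
    # may read it masked but never write it.
    masked = frozenset()
    if identity.department != resource.owner_department:
        if action == "write":
            return Decision(False, "data", "only the owning department may write")
        masked = frozenset({"salary", "ssn"})

    return Decision(True, "data", "permit", masked)


def enforce(record: dict, decision: Decision) -> dict:
    """Apply the decision to one row: refuse if denied, otherwise hide masked fields."""
    if not decision.allowed:
        raise PermissionError(f"{decision.stage}: {decision.reason}")
    return {k: ("***" if k in decision.masked_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample identities and a constructed payroll row.
    payroll = Resource("payroll", "salaries", "hr", "restricted")
    row = {"employee": "e-1001", "salary": 91000, "ssn": "000-00-0000"}
    alice = Identity("alice", "hr", frozenset({"hr-analyst"}), mfa=True)
    dave = Identity("dave", "finance", frozenset({"payroll-admin"}), mfa=True)
    bob = Identity("bob", "sales", frozenset({"sales"}), mfa=True)
    for who in (alice, dave, bob):
        d = authorize(who, "read", payroll, Context(risk_score=10))
        print(who.subject, "->", enforce(row, d) if d.allowed else f"DENY ({d.stage}: {d.reason})")
```

Each stage is evaluated only after the previous one has passed, so an identity that never reaches the data layer leaks no information about it, and the masking shows that "access to the application" and "access to every field in the record" are separate decisions.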
Understanding & Leveraging Authorization
Authorization is the practice of managing and controlling an identity’s connection to digital assets such as data, and it is a fundamental part of identity-first security. It starts with the authenticated identity and continues with the controlled process of deciding what that identity can access. Full implementation of identity-first security can’t be achieved without an advanced authorization solution that covers every path to the data: applications, APIs, microservices and the data hub itself.
Data breaches will continue to become more aggressive and more expensive, especially as businesses consolidate their data into large data hubs. Leaders must invest in solutions that support identity-level controls at every required point of the organization’s technology stack. This reduces the risk of a devastating breach by restricting movement within the network to what each authenticated identity is actually authorized to access.
Identity-based security has gone beyond a trend and is now a business necessity. The identity space is already experiencing rapid growth as the importance of identity as the new security perimeter sinks in. Identity solutions will experience more profound and more widespread support, especially in the cloud, and provide deeper levels of control.