The saying that ‘data is the lifeblood of an organisation’ may feel like it is over-used within the security space, but as the threat landscape continues to evolve, sensitive company data is at an increased risk of being breached. Without a robust data management strategy in place, data is not always guaranteed to be accessible, integrable or protected.
Many companies remain stuck in the past, relying on static solutions that are difficult to maintain and often unable to meet the demands of today’s fast-paced businesses. Perimeter-based solutions, provide some value but they cannot keep up with the growing complexity of the modern organisation. They often require coding to make changes and are limited in the visibility they can provide.
Today, everyone is trying to solve the problem of what happens when credentials are compromised, and a network is breached. The simplest approach is to minimise movement until security teams can resolve the incident. Cybersecurity is a defence-based mission and having a well-equipped team with smart security solutions can be the difference between a full-blown security incident, and a security alert.
Identity – a key component to smart security
We know now that smart security solutions must be “identity-aware,” but they also call for a smart, dynamic authorisation solution. Authorisation is the management, control and enforcement of the connections of identities to data, functions, and apps they can access. By adopting these approaches, this becomes the first step to having truly ‘smart’ security.
One of the most significant benefits of zero trust is its ability to automate permissions policies that virtually eliminate human error and lower risk exposure. It offers security teams dynamic decision-making capabilities that allow them to rely on risk signals to make real-time decisions on what users can access. For example, if an already authorised user based in a UK office is trying to access Asia-specific files at midnight local time, this suspicious activity could be flagged to security teams, or the request denied automatically.
A zero trust approach is paramount in the modern work environment where more companies are using data hubs like cloud to allow their employees to work from anywhere. With data moving more fluidly among users in and out of an organisation, it’s increasingly difficult to rely solely on traditional perimeter security methods. This rise in complexity is why smart, identity-first security will be essential to businesses going forward.
The relationship between authorisation and data
What’s important to keep in mind, however, is understanding authorisations and the link between the identity world and the security of the data. There is a growing trend to provide advanced data access controls that are identity-aware, dynamic, fine-grained and governed by policies. Data owners should think of identity-first security as part of their data access control strategy and to research their options. This is crucial for securing the organisation’s most important asset: its data.
Authorisation vs. Authentication
Identity-first security doesn’t end there – identities and their access should be verified and controlled all the way to the data the user is accessing. Security in the digital world eventually relies on who can access what. The “who” are the identities, and the “what” is mostly the data that must be protected. Authentication handles the “who,” and authorisation takes care of the “what they can access.” Both are equally important at all levels of access.
Imagine this scenario as security at an airport. When you first arrive at the terminal, there are no barriers to get into the terminal – everyone can enter. However, to proceed into security, the passenger must present a boarding pass. Then, through security, they need that boarding pass again, as well as their ID, to get to the gate. Finally, a valid ID is needed to board the plane, and everyone must sit in an assigned seat.
Throughout this whole process, every additional step requires strong control and reconfirmation of identity. Even then, there is still only certain areas of the airport which an individual can access unrestricted – having access to the terminal doesn’t mean they can board any plane, and accessing a plane doesn’t mean they can sit anywhere they’d like.
This same idea should also be implemented in the digital world, combining authentication and authorisation, and enforcing granular controls as a user gets near data.
Understanding and utilising Authorisation
Authorisation is the practice of managing and controlling the identity’s connection to digital assets such as data. That is a fundamental part of identity-first security. It starts with the authenticated identity and continues with the controlled process of what that identity can access. Full implementation of identity-first security can’t be achieved without an advanced authorisation solution that can address all paths to data applications, APIs, microservices and the data hub itself.
Identity-related breaches have increased exponentially and will continue to become more aggressive and increasingly expensive, especially when businesses continue to consolidate their data into large data hubs. Leaders must invest in solutions that support identity-level controls at all required points of an organisation’s technology stack. This measure reduces the risk of a devastating breach by restricting movement within the network until it is authenticated.
Identity-based security has gone beyond a trend and is now a business necessity. As the identity space continues to grow, identity solutions will experience more widespread support, especially in the cloud, and provide deeper levels of control.