As perimeter defenses fall, the identity-first approach steps into the breach

By nearly all accounts, security leaders are increasingly shifting their focus from perimeter defenses such as the long-relied-upon firewall in favor of embracing a zero-trust approach. That, in turn, has put the need for strong identity programs front and center, and more specifically has boosted the identity-first strategy into the mainstream.

Research confirms as much. Take, for example, the figures in the 2023 State of Zero Trust Security report. This report, from security software maker Okta, found that 61% of the 800-plus IT and security decision-makers it surveyed said their organizations now have a defined zero-trust initiative in place, with another 35% planning to implement one soon.

Furthermore, the report found that organizations have increased their work around identity controls as part of that nearly universal adoption of zero trust, noting that 51% of respondents deemed identity as “extremely important,” up from the 27% who said as much in 2022. Moreover, the 2023 report found that an additional 40% of surveyed leaders called identity “somewhat important.”

Report authors declared: “In a world where traditional network perimeters have all but disappeared, Identity has emerged as the new perimeter — the place where defense has to start.”

Implementing identity-first strategies can be a struggle

Despite the high value that nearly all organizations say they place on identity, security leaders also admit that they’re struggling to implement the identity-first strategy that has become central to successfully creating a zero-trust security program.

Another report, the State of Identity Security, released in September 2023 by security software maker Silverfort, quantified some of the problems. It found that 65% of respondents have not implemented multifactor authentication (MFA) comprehensively enough to provide sound protection; 94% do not have full visibility into their non-human identities; and 78% said they cannot prevent the misuse of service accounts in real time because of low visibility and an inability to enforce MFA or privileged access management (PAM) protection.

Additionally, the report found that only 20% said they were highly confident that they could prevent identity threats. Yet the need for improvement around identity was clear, as 83% of surveyed organizations said they had experienced an identity-related breach involving the use of compromised credentials.

Security consultants and researchers say they’re seeing similar dynamics among CISOs and their security programs, with many security chiefs believing that a solid identity function is foundational for a successful zero-trust program yet falling short in their efforts to launch an identity-first approach — and, thus, bolster their overall security efforts.

“If you don’t have a great identity program it’s going to impact your other security domains and posture,” says Rajesh Radhakrishnan, a managing director at professional services firm Deloitte.

What is identity-first security?

An identity-first strategy is built on knowing the identity of every human and non-human entity that accesses resources within the enterprise. In other words, the organization must know each employee, contractor, and business partner, as well as each endpoint, server, or application, that seeks to connect. The approach is also often called identity-centric security.

It is foundational to implementing zero trust because zero trust says to trust no entity — whether human or machine — until it can authenticate that it is who it claims to be and can be verified as authorized to access the network, application, API, server, or other resource it is seeking.

Everest Group, a research and advisory firm, estimates that 65% of its clients opt for an identity-based zero-trust implementation approach (versus 35% opting for the overlay network approach).

Identity is becoming the first line of defense

“Identity is becoming the default perimeter; it’s becoming the first line of defense,” says Kumar Avijit, a practice director in Everest Group’s Information Technology Services team.

As Avijit explains, no single solution delivers an identity-first strategy. Rather, it requires a synthesis of policies, practices and technology — like nearly everything else in cybersecurity. Those elements must come together to achieve three key objectives, says Henrique Teixeria, senior director analyst at Gartner, a research and advisory firm.

They must bring consistency, that is, apply identity-based decisions to every kind of asset, including networks, applications and servers. They must also be context-aware, so that policies and controls are not “static and based on IP addresses but are based on the risk profile of an identity and that risk profile is adjusted dynamically based on context” such as the identity’s location, the device being used and the time of the requested access.

A deviation from the expected context in any of these areas may prompt extra layers of verification before access is granted; the ability to detect such a deviation and request that extra verification is a central element of context awareness.

Additionally, this approach requires consistency and context to be delivered continuously, not just at the time of login. Teixeria says all three C’s — consistency, context and continuousness — must work in concert, and they must do so across the entire IT environment.
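As an added illustration (not code from the article or from any vendor it names), the following Python sketches how the three C’s could be evaluated in practice: one risk policy for every asset type, risk adjusted by device, location and time-of-day context, and the decision re-run on every request rather than only at login. The weights, thresholds, identity baseline and requests are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class IdentityProfile:          # constructed baseline of "normal" for one identity
    user: str
    known_devices: set
    usual_countries: set
    work_hours: tuple           # (start_hour, end_hour), 24h clock
    base_risk: int              # standing risk from role and privilege level

@dataclass
class AccessRequest:
    device_id: str
    country: str
    timestamp: datetime
    asset: str                  # network, application, server, API ...

# Weights and thresholds are assumptions for this example, not any product's defaults.
SIGNAL_WEIGHTS = {"unknown_device": 40, "unusual_country": 30, "off_hours": 15}
STEP_UP_AT, DENY_AT = 40, 80

def context_signals(profile, req):
    """Name each context signal that deviates from the identity's baseline."""
    signals = []
    if req.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if req.country not in profile.usual_countries:
        signals.append("unusual_country")
    if not profile.work_hours[0] <= req.timestamp.hour < profile.work_hours[1]:
        signals.append("off_hours")
    return signals

def decide(profile, req):
    """Same policy for every asset type (consistency), with risk adjusted by context."""
    signals = context_signals(profile, req)
    risk = profile.base_risk + sum(SIGNAL_WEIGHTS[s] for s in signals)
    verdict = "deny" if risk >= DENY_AT else "step_up" if risk >= STEP_UP_AT else "allow"
    return verdict, risk, signals

def evaluate_session(profile, requests):
    """Re-run the decision on every request, not only at login (continuousness)."""
    return [decide(profile, r) for r in requests]

# Constructed sample: one identity, four requests spanning different asset types.
ALICE = IdentityProfile("alice", {"laptop-01"}, {"US"}, (8, 18), 10)
SAMPLE = [
    AccessRequest("laptop-01", "US", datetime(2023, 10, 2, 9, 0), "payroll-app"),
    AccessRequest("laptop-01", "US", datetime(2023, 10, 2, 10, 30), "db-server"),
    AccessRequest("tablet-99", "US", datetime(2023, 10, 2, 14, 0), "payroll-app"),
    AccessRequest("tablet-99", "BR", datetime(2023, 10, 3, 3, 0), "vpn"),
]
```

Running `evaluate_session(ALICE, SAMPLE)` yields allow, allow, step_up, deny: the third request trips a step-up mid-session on an unknown device, and the fourth is denied once an unusual country and off-hours access stack on top of it.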

Identity has become an interconnected concept

As he explains: “In the past identity was a silo; it was a networking thing. Now identity is interconnected. It’s no longer a siloed discipline. It’s about applying this identity consistency everywhere. Identity is now integrated.”

Multiple technologies enable and support this. One such enabling technology is the identity and access management (IAM) solution, which has been standard in enterprise security for many years. A user and entity behavior analytics (UEBA) solution, which tracks and analyzes user and entity behavior to establish what is normal and to flag suspicious activity, is another increasingly standard tool in most enterprise security functions. Newer technologies supporting an identity-first approach include zero trust network access (ZTNA), cloud security posture management (CSPM) and data security posture management (DSPM) solutions.

Moreover, organizations must integrate these tools within the right architecture, one that allows the technologies to work together for a more seamless and secure experience and breaks down any remaining silos within the identity function.

All that, Teixeria says, is essential for delivering the necessary consistency, context and continuousness while still supporting the business’ need for rapid access to systems.

Implementation challenges for identity-first security

Although research has found that nearly all organizations see identity security as critical, gaps in this area exist.

The 2023 State of Identity Security report from security software maker Oort speaks to this point, noting, for example, that at the average company 40.26% of accounts have either no MFA or weak MFA, and that dormant accounts make up 24.15% of the average company’s total accounts and are regularly targeted by hackers.

Such figures don’t surprise security consultants and researchers, who say a multitude of challenges face CISOs as they put identity front and center.

To start, there are cultural challenges. The granular approach required by an identity-first strategy is drastically different from the way security teams have traditionally handled access management.

“We’re trying to undo an entire way of existence,” says Keatron Evans, vice president of portfolio and product strategy at cybersecurity training company Infosec, part of Cengage Group. For decades IT allowed access to almost anyone physically present in the organization’s facilities, Evans explained, “so moving to an identity-first approach goes against everything we’ve been doing for the past 50 years with computing. I think that’s the biggest challenge.”

That mindset shift is far from the only big challenge, however, according to Evans and others.

Incorporating modern identity and access solutions with legacy systems is also a challenge. Additionally, many CISOs struggle to collect and analyze the data needed to devise, implement, support, and automate strong and dynamic identity and access control policies, Radhakrishnan says.

Finding funding for identity control can be a challenge

And even if CISOs have plans for overcoming such challenges, Evans says they can often run into issues securing the money they need to address all those problems. But an unlimited security budget (not that such a thing exists) won’t solve everything, experts say. CISOs and their teams still must make all the elements — the data, policies, processes and technologies — work together seamlessly as well as nearly instantaneously and continuously. That ongoing synchronization, experts say, is itself a significant task.

And that task is one that must take priority to succeed, something that doesn’t always happen. “There is a lot of noise in the market about zero trust and identity-first or identity-centric security, but it’s often looked at as a secondary or tertiary control,” Radhakrishnan says.

However, experts say CISOs are seeing progress in overcoming those challenges. Teixeria points to a recent Gartner survey, which found that 63% of organizations have implemented continuous controls and 92% have implemented contextual signals to influence decision-making. Moreover, the survey found that the adoption of workforce access management solutions is at 58% among the respondents who have some involvement or responsibility in their organizations’ IAM.

Others note additional progress. For example, the vast majority of organizations now see identity as critical — so CISOs are gaining the necessary support from their executive colleagues to invest in planning and implementing the needed components to put identity at the center of their security posture.

They also are advancing their identity programs as their IT departments modernize legacy environments and shift from on-premises applications to cloud-based ones that come with, and integrate well with, modern identity and access tools.

And CISOs are shifting from static policies around identity and access to more dynamic ones — a move that’s essential in a world where virtual and distributed work environments are the norm and risks are dynamic, too.
