Identity and access management will be crucial to securing workforces going forward, according to a panel of experts speaking during the Wallix Live: The State of Security event.
The speakers acknowledged the “herculean” effort of many organizations to successfully roll out mass remote working at very short notice this year after the COVID-19 pandemic struck. All the indications are that this way of working will be utilized far more going forward, and “the net result is that more people than ever before will need to access corporate data from their homes and personal devices,” said Didier Lesteven, executive vice-president sales and marketing at Wallix.
Despite the many benefits of remote working demonstrated during this period to both employers and staff, this way of working clearly adds to the security risks for organizations, who are no longer able to rely on a strong outer perimeter strategy, with information accessed across multiple devices and networks.
This requires a fundamental reshaping of organizations’ security strategies, and “identity access becomes a critical point if we are trying to secure these new ways of working,” commented Soumya Banerjee, cyber-expert at McKinsey.
Outside of the corporate buildings, it is much harder for security staff to gain visibility of the identities of those accessing different parts of the network, especially as increasing numbers of companies move to multi-cloud environments. Yet gaining this control is critical.
Laura Deaner, CISO, S&P Global, noted that within an organization, “everyone is important to a criminal because if they can get in, they will get in, so they don’t need to necessarily target C-suites – they can target anyone, including people who have privileged access and identities.”
The concept of security by design, which aims to proactively address risks early in the system development cycle, could be applied to manage access and identity more securely. Lesteven outlined that organizations must have a clear strategy for how users are identified and authenticated, and for how the resources they are allowed to gain secure access to are managed, all of which “needs to be monitored for future auditing purposes.”
He added: “These global security processes need to be by design and applied to all steps of the digital journey of any users.”
This approach needs to take the expectations of users into account, however, as it may be a source of frustration if it is harder to gain access to data than in the office environment. In the view of Banerjee, this requires security teams to learn and understand the perspective of users and what they want. “As an identity professional, my approach is now about how I can make it more human centric, experience based and then see what the technology and process enablers are for that experience.”
Ultimately, finding the right balance, and potentially compromise, is key. Deaner concluded: “The most challenging thing is the balance between usability and security. I want everyone on my network to feel like they’re able to operate effectively, but I also have to protect them.”