If It’s Not Continuous, It’s Not Secure: Reimagining Identity Management

Think about the main security functions at your organization. Most areas, like application security, cloud security, and network security are managed and monitored continuously. Why? Threats must be identified and mitigated in real time to prevent the costly consequences of a breach. There’s simply no other logical way to approach security. 

Now, consider identity security. Most organizations monitor identity and access privileges through a governance-minded approach. This generally means access is only evaluated using point-in-time User Access Reviews (UARs) that happen quarterly or yearly. 

This is a major departure from the way organizations approach other security functions, and it leaves them vulnerable to major risks. Identity mismanagement and over-provisioning are leading causes of breaches that impact organizations. With an audit-based approach, you risk overlooking issues that pop up between audits. 

Organizations need to treat identity security like any other security function — and use continuous monitoring and mitigation — to maintain a strong security posture.  

The origins of an audit-based approach

Historically, identity security has existed in service of other functions, like compliance. Organizations review and update access largely because compliance frameworks call for it. ISO 27001, for example, advises organizations that “an access control policy should be established, documented, and reviewed based on business and security requirements” and that “management should review users’ access rights at regular intervals.” As you can see, there’s no suggestion or mandate to manage identity continuously here.

Identity management tools have followed suit. Traditional IAM tools support easier UAR management and focus on that point-in-time approach instead of continuous, real-time monitoring. Traditional also don’t provide remediation capabilities.

The pitfalls of an audit-based approach 

There are many shortcomings to using a “compliance-first” cybersecurity approach when it comes to identity management. For one, compliance by nature emphasizes point-in-time audits. 

Here are the main reasons a compliance-first approach fails when it comes to identity security:

• Compliance frameworks only provide general guidelines and best practices. They often represent the minimum baseline for cybersecurity rather than comprehensive protection. They are also broad because they are intended for many types of organizations and cannot, by definition, account for the unique risks your business may face. As such, adherence doesn’t automatically equate to strong cybersecurity.

• Compliance requirements adapt slowly to emerging threats and new attack vectors. Cybersecurity is a rapidly evolving field, and relying solely on compliance means your security measures might be outdated if they are only rooted in meeting compliance. Compliance frameworks are also created by governing and standards organizations, who must necessarily be slow and deliberate about creating them and aim for them to be as widely applicable as possible. Meanwhile, the threat landscape is the Wild West and moves fast, with (for example) new zero-day vulnerabilities popping up constantly, especially in the age of AI.

• Infrequent audits don’t catch interim risk. If you manage identity security through user access review audits each quarter or twice a year, you are opening yourself up to a lot of risk in place in the interim. Bad actors won’t hesitate to exploit a vulnerability as it soon as it’s identified. As such, you shouldn’t wait for a quarterly audit to make sure your identity security is strong. 

As identity risk evolves, so should your approach to identity security. Compliance is, of course, important. But identity is not a sub-function of compliance that can be managed through governance. It’s a security issue in its own right. Companies should adhere to compliance standards and implement ongoing security-first protocols to support a strong posture (similar to how a company would create a process to identify and fix vulnerabilities within their code — even if that isn’t mandated by a compliance framework). It’s not a trade-off to decide whether to focus on security or compliance. A good continuous security approach will actually support and improve your compliance governance, too. 

A better approach to identity management

Modern organizations need to continuously monitor for over-provisioning and calibrate identity access to meet least privilege protocols. 

Monitor for over-provisioning

As with any security function, you need to identify and manage your vulnerabilities. Over-provisioned access is the biggest vulnerability in identity security. Over-provisioning is often a result of cultural norms that develop within an organization — like “birthright access,” where employees are granted access to systems and documents based on their job title or team assignment. This approach grants access based on an assumption of need instead of a documented use case of actual need. While birthright access may seem logical, it leads to a common problem across organizations where systems are only accessed by a small percentage of the users that have access. This means far more people than really need access have it.

To address this, audit your systems regularly to determine which users actually access the systems in which they are able. Usage — not assumptions based on job function or title — should determine access level. Ideally, implement a tool that can continuously monitor for unnecessary privileged access and alert you based on risk levels.

Calibrate identity access

There are simple ways to refine privileges. As a standard rule, assign minimum privileges necessary for each user in your organization. This might include implementing just-in-time (JIT) or time-bound stipulations, where users only receive access once they make a specific request for it, and only receive that access for a predetermined amount of time. 

Keep yourself accountable

To keep your organization accountable for continuous monitoring, clearly outline and document your strategy with specific protocols to follow. It’s also helpful to form a “Least Privilege Council” or “Identity Security Council” with a dedicated team of business leaders who take responsibility for implementing and sustaining ongoing change.

Security-minded identity management with Opal

Opal helps organizations build an identity security strategy that allows for continuous monitoring and threat mitigation. By bringing cybersecurity sensibilities and best practices to access management, organizations can not only meet compliance standards but also ensure a strong security posture.

Opal’s platform provides real-time insights into potential identity access-based vulnerabilities and prioritizes them based on risk — allowing organizations to take action on the most important security issues first. 

With Opal, organizations get a comprehensive look at their identity management postures across their environments and can identify, assess, and mitigate issues in one platform. This enables them to better meet compliance standards and, most importantly, is a practical way to optimize security and decrease risk. 

‍

Request a demo to learn more about Opal’s security-minded approach to identity management.