Exploring the relationship between identity and data security

By Stuart Hodkinson, VP EMEA at PlainID.


In 2006, the British mathematician Clive Humby boldly claimed that "data is the new oil", referring to how important information is to businesses of all sizes. Now, in 2023, Humby's prediction has largely come true, with companies spending incredible amounts of money to collect, store and analyse this data. Data is now essential to doing business, fuelling decisions from better understanding the consumer to enacting digital transformation at a larger scale.

Whilst there are undoubtedly benefits to this explosion of information, this data can cause major problems if it falls into the wrong hands. Sensitive company information can be leaked to competitors, or personal information about customers and staff can be breached, resulting in failed compliance obligations. These threats, and more, become increasingly likely if the data is not protected by a robust data management strategy.

However, many companies are stuck in the past. Most rely on static solutions that are difficult to maintain and unable to meet the demands of fast-paced businesses. Whilst perimeter-based solutions do provide some protection, they are not able to keep up, often requiring coding to make changes. This means that only those with IT backgrounds can make amendments, which gives the everyday user limited visibility of an organisation’s security landscape and, in turn, makes it much harder for those users to understand their risk responsibilities.

Today, the biggest challenge is how to respond to a bad actor accessing your network and having unrestricted visibility of company data. The simplest remedy is to limit this movement until security teams can secure the network. However, the old adage that “prevention works better than a cure” rings true. Cyber security is a defence-based mission, and arming IT teams with smart security solutions can be the key difference between a full-blown security incident and a security alert.

Yet a one-size-fits-all solution will not cut it. An up-to-date security solution will be “identity aware” and adhere to the principles of “dynamic authorisation” (in this context, ‘authorisation’ refers to the management, control and enforcement of the connections between identities and the data, functions and apps they can access). Adopting these approaches is the first step to having truly ‘smart’ security.

Identity as a prerequisite to smart security

A key cornerstone to smart security is a zero trust approach to authorisation. At the heart of a zero trust architecture is the ability to decide whether to grant, deny, or revoke access to a resource, based on the conditions an access request is made in. For example, if an already authorised user based in a UK office is trying to access Asia-specific files at midnight local time, this suspicious activity could be flagged to security teams, or the request denied automatically.

This approach also acknowledges that authorised users can sometimes have their credentials exposed, and that bad actors can use that preauthorised access to reach sensitive data. Therefore, by requiring even preauthorised users to routinely reauthorise their identities, data becomes even more secure.

Equally, the zero trust ideology works well within the modern work environment, where more companies are using data hubs, such as cloud storage, to allow their employees to work more freely from anywhere. With data moving more fluidly among users in and out of an organisation, it’s increasingly difficult to rely solely on traditional perimeter security methods. This rise in complexity is why smart, identity-first security will be a business necessity going forward.

One of the most significant benefits of zero trust is its ability to automate permission policies, which virtually eliminates human error and lowers risk exposure. It also gives security teams dynamic decision-making capabilities, allowing them to rely on risk signals to make real-time decisions about what users can access.

The link between authorisations and data

When adopting a zero trust approach, it’s important to keep in mind the link between the identity world and the security of your data. There is a growing trend to provide advanced data access controls that are identity-aware, dynamic, fine-grained and governed by policies. Data owners should think of identity-first security as part of their data access control strategy and research their options. This is crucial for securing the organisation’s most important asset: its data.

Authorisation vs Authentication

Yet, identity-first security cannot end there. Continuous authentication must happen at every stage down to the final file that the user accesses. This can be likened to security at an airport. When you first arrive at the terminal, there are no barriers to get into the terminal - everyone is welcome. However, to proceed into security, the passenger must present a boarding pass. Then, through security, they need that boarding pass again, as well as their ID, to get to the gate. Finally, a valid ID is needed to board the plane, and everyone must sit in an assigned seat.

Throughout this whole process, every additional step requires strong control and reconfirmation of identity. Even then, there are still only certain areas of the airport which an individual can access unrestricted: having access to the terminal doesn’t mean they can board any plane, and boarding a plane doesn’t mean they can sit anywhere they’d like.

This same idea should also be implemented in the digital world, combining authentication and authorisation, and enforcing granular controls as a user gets near data.
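The contextual decision described under "Identity as a prerequisite to smart security" (a UK-based user reaching for Asia-specific files at midnight, with a forced re-authorisation window) and the airport-style layering above are illustrated by the following added example. It is not code from the original article or from PlainID; it is a toy policy decision point in which every enforcement layer (the application door and the individual file) asks the same policy engine, so passing the outer layer never implies access to the inner one. The regions, the 15-minute re-authentication window, the business-hours range and the sample users and files are all constructed assumptions for the demonstration.

```python
"""Toy identity-aware, dynamic authorisation: one policy decision point (PDP),
consulted by several enforcement points (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    FLAG = "flag"  # allow, but raise an alert for the security team


@dataclass(frozen=True)
class Subject:
    user_id: str
    home_region: str           # region of the office the identity belongs to
    authenticated_at: datetime  # last time the identity was proven (UTC)
    mfa: bool                  # whether that proof used a second factor


@dataclass(frozen=True)
class Resource:
    path: str
    region: str                # region whose data the resource holds
    classification: str        # "public", "internal" or "confidential"


@dataclass(frozen=True)
class Context:
    now: datetime              # time of the request (UTC)
    local_hour: int            # hour of day at the subject's office


REAUTH_WINDOW = timedelta(minutes=15)  # assumption: how long a proof of identity stays fresh
BUSINESS_HOURS = range(7, 20)          # assumption: 07:00 to 19:59 local time


def evaluate(subject: Subject, resource: Resource, ctx: Context) -> tuple[Decision, str]:
    """The PDP: combine identity, resource and risk signals into one decision."""
    # Rule 1: even a pre-authorised user must routinely re-prove identity.
    if ctx.now - subject.authenticated_at > REAUTH_WINDOW:
        return Decision.DENY, "re-authentication required"
    # Rule 2: confidential data requires a strong (MFA-backed) proof of identity.
    if resource.classification == "confidential" and not subject.mfa:
        return Decision.DENY, "MFA required for confidential data"
    # Rule 3: public data is open to any fresh identity.
    if resource.classification == "public":
        return Decision.PERMIT, "public resource"
    # Rule 4: cross-region access is a risk signal; out of hours it is flagged.
    if resource.region != subject.home_region:
        if ctx.local_hour not in BUSINESS_HOURS:
            return Decision.FLAG, "cross-region access outside business hours"
        return Decision.PERMIT, "cross-region access in business hours"
    return Decision.PERMIT, "same-region access"


def enter_application(subject: Subject, ctx: Context) -> bool:
    """Outer layer (the terminal door): only asks whether the identity is fresh."""
    return ctx.now - subject.authenticated_at <= REAUTH_WINDOW


def open_file(subject: Subject, resource: Resource, ctx: Context, alerts: list) -> str:
    """Inner layer (the seat on the plane): every file access re-asks the PDP,
    regardless of whether the caller already passed the outer layer."""
    decision, reason = evaluate(subject, resource, ctx)
    if decision is Decision.DENY:
        raise PermissionError(f"{subject.user_id} -> {resource.path}: {reason}")
    if decision is Decision.FLAG:
        alerts.append(f"{subject.user_id} -> {resource.path}: {reason}")
    return f"<contents of {resource.path}>"


def demo() -> dict:
    """Run constructed sample requests (fictional users and files) through the layers."""
    midnight = datetime(2023, 6, 1, 23, 0, tzinfo=timezone.utc)  # 00:00 in the UK (BST)
    night = Context(now=midnight, local_hour=0)
    morning = Context(now=midnight + timedelta(hours=10), local_hour=10)

    def fresh(user: str, mfa: bool, ctx: Context) -> Subject:
        return Subject(user, "UK", ctx.now - timedelta(minutes=5), mfa)

    stale_alice = Subject("alice", "UK", midnight - timedelta(hours=3), mfa=True)
    apac_forecast = Resource("/hub/apac/forecast.xlsx", "APAC", "internal")
    payroll = Resource("/hub/uk/payroll.csv", "UK", "confidential")

    alerts: list = []
    results = {
        "midnight_cross_region": evaluate(fresh("alice", True, night), apac_forecast, night)[0].value,
        "morning_cross_region": evaluate(fresh("alice", True, morning), apac_forecast, morning)[0].value,
        "stale_session": evaluate(stale_alice, apac_forecast, night)[0].value,
        "confidential_without_mfa": evaluate(fresh("bob", False, night), payroll, night)[0].value,
        "confidential_with_mfa": evaluate(fresh("alice", True, night), payroll, night)[0].value,
        # Layering: bob is fresh enough to enter the app, yet still cannot open payroll.
        "bob_enters_app": enter_application(fresh("bob", False, night), night),
    }
    try:
        open_file(fresh("bob", False, night), payroll, night, alerts)
        results["bob_opens_payroll"] = "allowed"
    except PermissionError:
        results["bob_opens_payroll"] = "denied"
    open_file(fresh("alice", True, night), apac_forecast, night, alerts)  # permitted, but flagged
    results["alerts_raised"] = len(alerts)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that `enter_application` and `open_file` never make their own access decisions; they only enforce what `evaluate` returns, so changing a rule (say, shortening `REAUTH_WINDOW`) changes behaviour at every layer at once. A FLAG decision is the "suspicious activity flagged to security teams" case: access proceeds, but the alert list is the record the security team reviews.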

Utilising Authorisation

To summarise, authorisation is the ability to control, and actively manage, the identity’s connection to sensitive data as part of identity-first, zero trust security. This approach will only work when implemented through an advanced authorisation solution that can address all paths to data: applications, APIs, microservices and the data hub itself.

If this is not properly addressed, data breaches will continue to get more aggressive and increasingly expensive to resolve, especially as businesses continue to consolidate their data into large data hubs. A straightforward remedy is to invest in solutions that require identity access controls throughout the entire technology stack. This reduces the impact of breaches by restricting an intruder’s movement within the network until its presence is verified and, if needed, removed.

Identity-based security has gone beyond being a fad and is now a necessity for business cyber security. There is continued investment in the identity space as the importance of reconfirming identities has become common knowledge to IT and business leaders alike. Ensure your security is not left behind.
