SailPoint founder Kevin Cunningham explains why identity management is becoming central to cyber security
Cyber security is a complicated area. Businesses have become so multifaceted and hackers so sophisticated that there are now many different layers to an effective security strategy.
For example, software for network monitoring, email filtering and endpoint detection and response all play key roles, but one area that is increasingly becoming more prominent is identity and access management.
That’s according to Kevin Cunningham, founder of identity governance and cloud identity management firm SailPoint, who believes that “the management of identities themselves” now needs to be a key component of any organisation’s cyber defence.
“We help companies get a good view and a good picture of who has access to what and whether that’s appropriate for their job,” he said. “Everyone’s being mandated to provide more privacy protection, but if you can’t answer the simple question of who has access to this data, how can you possibly protect what’s inside?
“Most companies these days are assuming that they will be breached if they haven’t already, so the idea is how do I build resilience, how do I make myself strong inside so that when it does happen I can identity it very quickly and lock it down to minimise the damage?”
The issue businesses are faced with is that large corporate environments have become extremely complex, often consisting of thousands of applications and a widespread, constantly shifting workforce.
This makes it difficult to keep track of who has access to what information and whether employees are being given permissions appropriate to their roles, making the effective management of identities a key consideration.
“To do it effectively, you have to include people from outside of IT,” Cunningham explained. “You have to get people who are doing the hiring, doing the transferring, doing the firing, because they understand the dynamics of the workforce much better than IT does.
“To effectively manage identities you have to get those non-technical people involved in the process and translate detailed IT information into a language that business people can understand.”
By taking an identity-centric approach and thinking about people outside of IT, businesses can do things like keep track of joiners, movers and leavers within the company, spot patterns in behaviours and wade through the noise that accompanies complex IT environments – especaially important in regulated industries such as banking or healthcare.
From a security point of view, the most important thing about identity and access management is not just knowing who is where, but being able to monitor exactly what they are doing with the access they have been given.
Cunningham said: “Often times it’s the abuse of access that creates the potential for a breach. Someone has access to information that they used to need but no longer do, or a business partner has inappropriate access to some internal systems.”
And, thanks to the old issue of human vulnerability, hackers and cyber criminals have become extremely adept at exploiting these holes.
“They understand that the weak link in the chain is the human being. People are vulnerable, in some cases uneducated or naïve, but they also tend to be trusting,” noted Cunningham.
“If you look at the anatomy of a lot of breaches, they actually are started by a partner organisation. Somebody in that partner organisation has their identity compromised by a phishing attack or something else and the bad guys leverage that to get into company B.”
The key, Cunningham says, is behavioural monitoring. The majority of what takes place within an organisation will be totally normal, but by looking out for unusual or erratic behaviour, businesses can lock down specific identities in the event that something out of the ordinary shows up and potentially stop a breach from occurring.
“Often it’s what you’re doing with that access that will provide a clue the maybe something’s amiss,” he explained. “99 percent of what happens inside the enterprise is absolutely legitimate, we’re looking for that 1 percent. That needle in the haystack.”
Do you know all about security in 2017? Try our quiz!