In this day and age, your identity is a shared asset. Be it a calling card, passport or license — it’s the means by which you, the user, and private or public enterprises can safeguard and secure each other.
By Robert Fly, co-founder and CEO of Elevate Security
Identity is the new perimeter, and with the transition to remote work, companies have to rethink their security strategy. As end-users everywhere pushed through pandemic lockdowns and plugged in outside of company networks and security walls, there has been a visible rise in cybercrime.
According to the Verizon Business 2021 Data Breach Investigations Report, the past year saw company breaches rise by over a third compared to 2019, with ransomware doubling in frequency and passwords (stolen or obtained through brute-force attacks) causing 89 percent of breaches. These statistics predated the attacks on Colonial Pipeline, JBS and Kaseya, which are only the latest examples of this trend.
A Brave New World
By transitioning to remote work, companies had to effectively cede some security controls to their employees, whose every action could – and sometimes did – render their organizations more vulnerable to malicious threats. We’re in a brave new world, where each employee’s past and future security decisions – good or bad – are now the focal point from which we validate our security posture. With this transition, we’ve begun relying on the identity of our users to verify security.
This comes down to a password and MFA code and maybe a device assessment, but we’ve forgotten an important part: each individual in our workforce has made better or worse security decisions, enjoys more or less access, and gets attacked at different frequencies. Yet we have no insight into those important factors when making trust decisions.
The old ways of managing workforce risk in the enterprise are no longer enough. Multi-factor authentication and password managers are useful but don’t fully close the gap. Awareness training and phishing simulations aren’t working either, with no direct correlation between their results and real-world attacks. And we’ve added more and more layers of technology over the last decade only to see the same attacks continue to plague us and security slowing down the business.
Confronting the Inevitable with Zero Trust and Increased Visibility
It’s inevitable that your workforce will make mistakes that could lead to ransomware, account takeover or data loss – all of which can lead to even larger reputational risks for your business – and security programs need to be built around that reality. With this reality, we need to think about how we take a Zero Trust approach to our workforce – and enhance the visibility of the human attack surface – or, the sum total of people’s actions, access, and security controls that impact an organization’s risk.
With remote work, companies have adopted identity as the centerpiece of protection. Given that at the center of identity is a person, we also need to rethink our strategy there. No one person is the same, and simple authentication based on simple risk heuristics is a remnant of the old model rebranded for this new world. The one-size-fits-all workforce security controls of the past now seem a bit ham-fisted. With identity as the new perimeter, enterprise security teams need to assess the security risk of each and every end-user, individually and in totality, and then feed that understanding back into proactively protecting them in our IAM solutions and beyond.
With this deep contextual visibility, we can build risk scores that
- Authenticate a user – who they are, where they’re located, and if their device is familiar, and
- Authorize a user to access applications or systems based on their past reputation for risky behavior – both the actions taken and how frequently they’ve been attacked. Precautions such as security controls and policy orchestration can then be tailored to protect the riskiest users and the company.
If step one is building deep visibility into security logs, alerts and incident data to understand workforce security risks, then step two is making use of it. While step one gives you historical views into your workforce risks, step two is a proactive step in doing something about it – helping maintain security in a Zero Trust environment while reducing security friction overall for the business. Your riskiest users see more friction, your less risky users see less. It involves fine-grained tailored security controls, direct feedback based on attacks, security decisions and risks, and deep integration into workflows to ensure appropriate decisions are made by systems and your security team.
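The two-part scoring the article describes (authentication signals about the current login, plus the user's historical reputation and how often they are attacked, feeding a tiered control that applies more friction to riskier users) can be sketched as a small policy engine. The following is an added illustration, not code from Elevate Security or from the article; the signal names, weights, tier thresholds and the three actions are all assumptions chosen to make the mechanics visible.

```python
from dataclasses import dataclass

# Hypothetical tier boundaries: a score below the bound falls into that tier,
# anything at or above the last bound is "critical". Assumed values, not from the article.
TIER_THRESHOLDS = [(25, "low"), (50, "medium"), (75, "high")]


@dataclass
class AccessRequest:
    """One access attempt plus the user's recent security history (all fields hypothetical)."""
    user_id: str
    mfa_passed: bool            # did the MFA challenge succeed on this login
    device_known: bool          # device previously enrolled / seen for this user
    location_usual: bool        # login from a location consistent with past activity
    phish_clicks_90d: int       # phishing links clicked (real or simulated) in the last 90 days
    attacks_received_90d: int   # phishing / credential attacks observed against this user
    risky_actions_90d: int      # e.g. malware blocked on their device, policy violations
    resource_sensitivity: str   # sensitivity of what they are asking for: "low" | "medium" | "high"


def authentication_score(req: AccessRequest) -> int:
    """Signals about *this* login: who they are, where they are, whether the device is familiar (0-50)."""
    score = 0
    if not req.mfa_passed:
        score += 20
    if not req.device_known:
        score += 15
    if not req.location_usual:
        score += 15
    return score


def behavior_score(req: AccessRequest) -> int:
    """Historical reputation: past security decisions and how often the user is targeted (0-50, capped)."""
    raw = (req.phish_clicks_90d * 10
           + req.risky_actions_90d * 5
           + req.attacks_received_90d * 2)
    return min(50, raw)


def risk_score(req: AccessRequest) -> int:
    """Combined 0-100 score: current-login signals plus historical behaviour."""
    return authentication_score(req) + behavior_score(req)


def risk_tier(score: int) -> str:
    for bound, tier in TIER_THRESHOLDS:
        if score < bound:
            return tier
    return "critical"


def access_decision(req: AccessRequest) -> dict:
    """Map (risk tier, resource sensitivity) to a control: riskier users and more sensitive
    resources get more friction; low-risk users see none."""
    if req.resource_sensitivity not in ("low", "medium", "high"):
        raise ValueError(f"unknown sensitivity: {req.resource_sensitivity}")
    score = risk_score(req)
    tier = risk_tier(score)
    sens = req.resource_sensitivity
    if tier == "low":
        action = "allow"
    elif tier == "medium":
        action = "step_up_mfa" if sens == "high" else "allow"
    elif tier == "high":
        action = "deny_and_alert" if sens == "high" else "step_up_mfa"
    else:  # critical
        action = "step_up_mfa" if sens == "low" else "deny_and_alert"
    return {"user": req.user_id, "score": score, "tier": tier, "action": action}


# Constructed sample requests for three hypothetical users.
SAMPLE_REQUESTS = [
    AccessRequest("alice", True, True, True, 0, 1, 0, "high"),      # clean history, known device
    AccessRequest("bob", True, False, True, 2, 10, 1, "medium"),    # heavily targeted, has clicked
    AccessRequest("carol", False, False, False, 3, 20, 3, "high"),  # everything wrong at once
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(access_decision(req))
```

The point of separating `authentication_score` from `behavior_score` is the article's "step one / step two" split: the first is what most IAM stacks already evaluate per login, the second is the historical view built from logs, alerts and incident data, and the decision table is where that view is actually used to tailor friction per user instead of applying one control to everyone.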
Predict and Be Proactive
Unfortunately, most companies have not taken the step of understanding their workforce risk beyond simple implementations of IAM systems. Security teams are incredibly adept at implementing technologies for authentication and monitoring, but have lacked the tools, insights and automation to predictively and proactively protect their organization against future attacks. Our current technology stack has failed to protect our biggest risk – the user – and even when those tools work as intended, users continue to make mistakes; as recent research shows, no amount of training or simulation has made a meaningful difference. We need to take a different approach.
For too long, the onus has been on end-users to be more aware of company security and change their behavior. We need to bring balance to this equation and allow security teams to predictively understand individual risk and proactively protect employees based on the risk of who they are, what they do and what they’re trying to access. By using identity as the center point between individuals and technology, we tacitly acknowledge every user is a unique part of this equation.
With more people working from home, corporate networks aren’t able to protect enterprises as in the past. By taking a Zero Trust approach to workforce security with identity as the new perimeter, companies can gain deep insight into each user’s actions, access level, and how often they are attacked. Cybersecurity can stop reacting and start proactively protecting against the next attack, reducing both the frequency and impact of these incidents.
About the Author
Robert Fly is the co-founder and Chief Executive Officer at Elevate Security, where he leads a team of world-class engineers to help CISOs measure, communicate and reduce human risk and keep their companies safe from cyber threats. Prior to Elevate Security, Robert spent almost two decades leading security and engineering teams at Salesforce, where he was the VP of Security Engineering, and at Microsoft, where he was the Senior Software Security Lead. He is also an investor, advisor, board member and/or CISO across a dozen global startups, including Airtable, BigCommerce, RedLock, SafeBreach, Qualia and Cobalt.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.