The Evolution of Security and Identity is Key to Successful Digital Transformation 

Written By Stephen Smithers, Principal Consultant at Xalient 

Not a day goes by when we don’t hear about yet another data breach or sophisticated compromise. As a result, there cannot be a C-Suite executive that is unaware of the cyber threats their organisation faces, either through guidance from their security teams or the constant media reporting of ransomware or data theft as a result of successful cyber-attacks.  

In this heightened threat landscape, security-conscious enterprises should be aiming to reduce their cyber risk by improving the company’s security posture. This urgent focus on security comes at a time when companies are already facing operational challenges, such as more mobile and distributed workforces and the requirement to adopt digital transformation programmes to streamline operations and provide the agility to take advantage of new opportunities.  

Inertia can inhibit digital transformation  

The adoption of a digital transformation programme presents business challenges centred around existing people, processes, and technology.  

From a people perspective, end users may find the prospect of a change in the way they work daunting, which can result in additional stress and a reluctance to support the digital transformation programme.   

Additionally, having spent years investing in IT systems and processes, IT teams can also be resistant to change. This can result in a desire to utilise existing security products and services that may not provide the best security, operational, and user experience outcomes for digital transformation.   A study from Gartner found that IT workers have become increasingly concerned about the pace of change as a result of digital transformation programmes, leading to pushback from staff, heightened stress, and a loss in productivity.  

In addition to the resistance to change within a company, technical debt is another common factor that hampers digital transformation projects, with enterprises often forced to contend with cumbersome legacy IT infrastructure while modernising operations. McKinsey described technical debt as the “silent killer” of technology modernisation in a study published earlier this year.   

Security as an enabler for digital transformation  

Security is often perceived as detrimental to the user experience and operational agility.  The implementation of multiple tools and services has increased the level of user interaction, negatively affecting the user experience and adding complexity to the deployment of new business services. This also accounts for some of the resistance to change and the inertia hurdle that needs to be overcome when adopting new security models designed to support digital transformation.  

In reality, security solutions that support digital transformation can actually improve the user experience by providing a consistent, performant, and secure workflow, irrespective of where the users are located. Where the IT team is concerned, the adoption of technologies such as Secure Web Gateways and Zero Trust Network Access as part of a wider SASE implementation can consolidate the security platforms needed to enforce the company security policy, thereby reducing administrative overhead, and increasing agility.   

Evolution of Identity in security access policy expression  

In the past, when workloads and the workforce were centred around a company’s office locations and data centres, the way access policies were expressed was based on network criteria — internal, VPN pool, or external. If specific restricted access was required, the policy would be prescriptive of the IP address allocated to a user or group of users to enable more granular controls. Initially this may be based on static VLAN assignment for departments or the reservation of IP addresses based on the end users device, however these approaches were cumbersome and difficult to administer. The implementation of remote access VPN and network access control solutions enabled identity to be a factor access control policy either through IP assignment or more directly through the implementation of access control policy as a component of the authentication and authorisation process.   

The use of identity in access control policy expanded as security providers integrated their solutions with identity platforms to enable identity-based policy; although in some instances this was still based on IP addresses but with the IP mapped to a user identity.  

As business operations move to a more distributed cloud-based operating model, the use of identity in policy definition has become paramount as the value of other criteria such as IP address, office location, and device type diminish.  

The adoption of Identity as the key security criteria for access policy places additional emphasis on the user authentication process and the identity store and associated permissions. The adoption of adaptive authentication, which provides the ability to step up the authentication requirements based on the context of the request, is key to balancing the user experience and security requirements.  

As identity is core to security policy definition, the integrity of identity information must be ensured. This requires constant validation of identities and associated permissions against business requirements to ensure a strong security posture, evidencing compliance and managing licence consumption. As more workloads move to SaaS-based solutions, the complexity of managing identity across a distributed set of application providers will require the features traditionally provided by identity governance and administration solutions.  

Expanding risk criteria in policy definition.  

To limit business risk, security access policies have traditionally been expressed in terms of trust: we trust a user on a device from a location to access an application at this time, with any activity outside of the policy denied. While this approach does reduce the attack surface, it doesn’t account for user and device behaviour as well as other factors that contribute to business risk. If the policy definition is expanded to include these factors, there is a far more dynamic expression of acceptable risk that can be applied to every access request.   

The resultant policy, with additional context around the criteria traditionally used, means a trusted user identity is now combined with the behaviour of that identity in the wider environment. The evaluation is now not just about device posture but also other observed communication activity, the target application now incorporates security risk assessment of the platform for corporate activity, and lastly the sensitivity of the expected activity or accessible data is added into the policy.  

The ability to express and implement this policy in a single solution may not be an evolution, but through the combination and integration of products and services a solution that can deliver on this policy is achievable.  

Plugging the gaps  

While the deployment of security controls and dynamic risk-based policies reduce the probability of a successful cyberattack, it does not totally remove it. This is where implementation of detection and response capabilities can significantly reduce the size and business impact of a security incident. The reduction in time to detect and respond is key to improving the security outcome as well as providing context used in the policy described earlier.  

Ultimately security will become a business enabler as organisations look to adapt to change without adding unacceptable risk. This is a major transformation in the security narrative as it enables businesses to take advantage of new opportunities without bringing unacceptable risk into business models. Ultimately any security needs to be adaptive and easy to adopt.  Users want to be able to perform their task and when technology gets in the way, you’ll find not only a lack of adoption but end users will become less productive or attempt to circumvent controls which increases business risk.