Why CISO’s need to appreciate the full identity picture in 2019
- Posted on January 21, 2019
- Estimated reading time 3 minutes
This article was originally written by Avanade alum Chris Miller.
Every now and then a new idea gains traction in my industry that demands a little more context. This is the case with a recent security report from Gartner, suggesting the number one priority for cybersecurity pros is Privileged Access Management (PAM) – a solution designed to improve and secure the management of your most powerful credentialed users, such as admins and executives.
I’ve heard this story mentioned a few times with colleagues and clients, and I’m not sure whether this Top 10 list was meant to be ranked by order of importance, or whether Gartner just sees PAM as one of nine other urgent projects for the CISO. In either case, I can’t help but feel something is missing from the discussion.
PAM is part of a larger, holistic identity solution
At Avanade, we believe identity (as a whole) is at the heart of every modern security solution. PAM, while important, is just one part of the larger demand for total Identity and Access Management (IAM).
The reason we think a holistic IAM solution is so important is two-fold.
On one hand, we are seeing that “identity is the new perimeter” of enterprise security. Gone are the days of the firewall and traditional, static defenses. As both the data center and the workplace evolve to be more open and dynamic, the most practical way to protect your enterprise is from an identity-first perspective. It doesn’t matter if you are moving operations to the cloud, or enhancing your workplace with Office 365, IAM offers a central control panel to keep your users, and your data, secure and under control.
Identity is also high on the radars of bad actors and would-be criminals. Many of the emerging, social engineering attacks (such as phishing), hinge on the ability to steal identity and take advantage of human flaws. Identity is a popular target with hackers because it brings them one step closer to accessing what they are really after, your data. In fact, Microsoft says 63% of all breaches are caused by compromised identity, a problem that is only getting worse every year.
That’s not to say PAM isn’t important. It is.
Controlling and managing the access of your most powerful users is a wise and essential building block of our total security posture. We have worked with multiple clients where PAM was the most pressing, crucial priority. No doubt, some of today’s biggest enterprise trends, such as DevOps and shifting to cloud application platforms, require an immediate reimagining of PAM capabilities.
All I am saying is we should frame PAM as part of a larger security story and work out the starting point after you have considered your entire IAM maturity.
If the Gartner story had said “Identity and Access Management” (IAM) was a top concern for CISO's, I’d have nothing to add. But limiting the scope to PAM leaves out so much.
What about securing the access of all your other users, as they work from the cloud and mobile devices? What about balancing your IAM solution with a user-friendly, creative and productive experience? What about using the most advanced, intelligent tools on the market to improve and optimize your IAM management?
These are just a few of the many IAM questions that leaders are rightfully asking, as they prioritize enterprise security to combat growing complexity and sophisticated attacks.