How To Use An Identity Fabric To Manage Identity Sprawl
From HR to IT and factories to finance, the enterprise runs on SaaS. The rapid adoption of SaaS services, however, has led to the two-pronged threat of identity attacks and the hijacking of critical tools leveraged to run the digital enterprise.
With modern work depending on SaaS-delivered technologies, SaaS-generated identity sprawl has become a major concern. Likewise, ever since the first directory service to today’s SaaS-delivered identity and access management (IAM) systems, integrating IAM has always been a challenge. Often, functionality gaps lead to security gaps when identities become the last remaining enforcement point. Yet identities sprawl, duplicate and make connections far more than traditional perimeter safeguards like firewalls.
Imagine distributing thousands of firewalls and leaving them open to consume and be consumed by third-party applications with nothing but a sign-up form to make the arrangement. Does that seem safe? That is precisely what happened when the enterprise surrendered operations to SaaS—services wholly outside IT and security controls but host to thousands of corporate identities.
Why An Identity Control Fabric?
The ever-changing environments of digital enterprises are so dynamic that security controls and protection often fail to keep pace. Modern work has only accelerated this trend across the globe. In particular, identities escaped technical perimeters and now are the critical point of control as the constant corporate asset connected to cloud and SaaS services.
The distributed identity perimeter remains the largest shadow ingress, but this comes with a bright side—it is also the most durable and sustainable carrier of security at scale and adaptive to new risks. By infusing security into the identity, such as with an identity control fabric, the distributed identity perimeter can apply the right controls when apps and services consume identities.
For distributed environments supporting access from anything and anywhere, identity and context are now the final control points. These are the threads—identity and context—of the global fabric.
What Is An Identity Fabric?
The identity fabric is an abstracted layer of support for orchestrating identity domains and multiple SaaS services, apps, connections and contexts. It is an emergent outcome of a set of services for managing IAM across multiple data silos, clouds and SaaS services.
The identity fabric is a key component of a cybersecurity mesh architecture that aims to support composable security for the composable digital enterprise. According to a Gartner Inc. report: “Cybersecurity mesh architecture is a composable and scalable approach to extending security controls, even to widely distributed assets. … CSMA enables a more composable, flexible and resilient security ecosystem. Rather than every security tool running in a silo, a cybersecurity mesh enables tools to interoperate through several supportive layers, such as consolidated policy management, security intelligence and identity fabric.”
An identity control
Developing An Identity Control Fabric
To begin the process of developing an identity control fabric, organizations must focus on exploring four key elements about how identities consume and are consumed by SaaS services:
1. Visibility. Identities are spread across various silos and systems in the typical enterprise. It is essential for security teams to gain line of sight into all identity touchpoints (from Active Directory to CASB) to identity providers and IAM. Gaining a baseline of how identities are expressed and where they are used can give you a consistent picture of the identity attack surface.
2. Simplify. Most identity security comes from multiple dashboards and is a general expectation when getting started. However, simplifying products, policies and playbooks into a single identity fabric can remove the need for niche skills and disciplines operating with multiple silos. By unifying the visibility and simplifying control and policy, organizations can begin to secure the identity fabric at scale, as when a single access control policy is propagated to all places when identities perform an authentication event.
3. Continuity. Safeguarding identities through an identity control fabric demands continuity across all forms of identity governance such as regular assessments, user access reviews, newly discovered authentications and grants for extending access to third-party applications.
4. Response. Security teams must craft a plan to secure identities in the wake of SaaS compromise, phishing campaigns or risky SaaS services or functions entering the environment. This process of universalizing identity security can project control into the enterprise SaaS layer—past, present and future.
Growing complexity requires security and risk teams to wade through an assortment of tools and technologies, but these teams must be sure they are addressing the two-pronged concern of identity and SaaS hijacking. By securing identities first, security programs can remain adaptive and flexible to SaaS changes because the identity is secured regardless of the SaaS in use.