Identity, Access and Security
Becoming a Zero-Trust Enterprise
It is well-known now that today’s enterprise network boundaries are highly fluid, given the extent of user-owned devices on the network and an ever-expanding digital ecosystem of vendors and partners. To mitigate the continuously evolving threats in this type of an environment, enterprises must begin the process of becoming a zero-trust enterprise. A zero-trust enterprise works on the principle of ‘never trust, always verify’ and treats every network flow, every data movement, every access request as suspicious and evaluates it for risk, without relying on a static authentication of the user. Enterprises can begin the zero-trust journey by designating critical data, building virtual perimeters inside the network and adopting dynamic, risk-based access control.
Omni-channel security will continue to take priority in the enterprise to prevent breaches and fraud across multiple access channels. When it comes to enterprise networks and systems, newer access channels increase the attack surface increasing the risk. A comprehensive review of access channels (such as web, mobile, API, B2B, VPN), process and technology is recommended from a security and risk perspective. Two major trends we see towards effective omni-channel security are around intelligent threat detection and adaptive access control.
The use of machine intelligence in threat monitoring and detection is now well established. Given the fluid enterprise border, the diverse and inter-connected software supply chains and the meteoric rise in zero-day exploits, machine intelligence enabled tools are the only way an enterprise can stay ahead of the attackers to detect ever-evolving and unknown threats. Adoption of these tools will rise significantly in the coming years as high-quality, high-accuracy tools become more accessible and available in the cloud without requiring complex deployments and configuration by every enterprise. These tools will treat every network flow as suspect until it is cleared by the threat engine and form a key building block of a zero-trust enterprise.
Given that users are often the weakest link in enterprise security, relying on credentialed access alone is no longer sufficient, since credentials are easy to compromise. We will see a surge in adaptive risk-based authentication and authorization solutions being deployed in the enterprise. These have matured significantly in recent years and are more than ready for prime time. These solutions are key to creating a zero-trust enterprise, where every action attempted by the user is assessed for risk based on a range of factors including role, device, location, time-of-day, and application. Depending on the risk, additional multi-factor challenges may be issued to the user before allowing the action.
Data security and privacy
With GDPR already in place and newer consumer privacy protection laws on the horizon (e.g. CCPA and others across the globe), organizations need to find out what data they are storing, along with how and why it is essential for their business. If a business or regulatory justification is not found, it is prudent to discard all personally identifiable information of users that is stored. User consent also will play an essential role in usage of personal data in business analysis and transactions. New laws mandate consent, along with ability to show and purge data if requested by the data subject (or the owner). There is no comprehensive solution yet that can discover, classify, tag and enable management of personally identifiable information by internal administrators, data subject and auditors. However, a good understanding of current organization processes and inventory of personal data is essential to start complying with these regulations.
Efficiency and operational excellence are key drivers for automation when it comes to security operations. Automation is being widely adopted in security and compliance for last-mile provisioning, access requests and help-desk automation. In 2019 we expect to see pervasive automation during the modernization of security processes and infrastructure. Automation is the first step; beyond it, building intelligence is essential to implement preventive controls. The areas where artificial intelligence and machine learning will play a key role in 2019 are log analysis, access certification, user behavior analysis for risk scores, and continuous authentication
Self-Sovereign Decentralized Identity
User owned and managed (a.k.a. self-sovereign) decentralized identities anchored on a blockchain, provide the features required for a collaborative ecosystem or consortium of organizations, where no single member “owns” the user’s identity and each member wants to collaborate and share the user’s digital identity, with user consent. Self-sovereign identities will become more prevalent in use cases where an identity needs to be presented by users to a variety of service providers, where selective sharing, and data privacy is of the essence. Such domains include insurance, healthcare, hospitality, and education.
Shift to Managed Services
We see more and more organizations (especially mid-size) moving to a managed services security model as security monitoring and response are becoming critical to business operations. This becomes more of a reality as cloud infrastructure, automation and intelligence start enabling better, faster and cost-effective services.
|Self-sovereign identity for enterprise||Omni-channel security and end-to-end IoT security||Context and risk-aware security||DevSecOps automation with Machine Intelligence||Intelligent Identity Governance|
|Privacy Regulatory Compliance|
- Begin the process of creating a zero-trust enterprise by designating critical data, building virtual perimeters inside the network and adopting dynamic, risk-based access control.
- Establish an omni-channel security posture by leveraging machine intelligence driven security monitoring tools and an automated framework for rapid and precise response.
- Create a cohesive data security and privacy plan to remain compliant with the increasing number of data privacy regulations globally.