A perfect storm of events this year has rapidly accelerated already-planned digital transformation projects and the adoption of work-from-anywhere initiatives, which have rendered traditional corporate boundaries obsolete. In this new world, everyone (and every “thing”) is an outsider to the organization – whether they’re remote or office-bound.
The role of identity in how we work and interact
You’ve heard it before – the concept of “inside are the good ones, outside are the bad guys” is a legacy left behind. Trust has evolved into a vulnerability. Attackers can easily leverage compromised or stolen credentials to infiltrate corporate networks and move laterally undetected.
In fact, the recent Verizon 2021 Data Breach Investigations Report (DBIR) shows that 61% of data breaches involved credentials, while 70% of all misuse cases were privilege misuse.
In an era where security strategies are adapting to the “trust no one, verify everywhere and every time” mantra, validating that only authorized and authenticated people and devices can gain access to critical data and infrastructure is a necessity.
In other words, identity isn’t the new perimeter – it’s the foundation of security in a world without perimeters.
Identity-first security is a top trend
Businesses need to evolve their identity management program to “enable the right individuals to access the right resources at the right times for the right reasons,” as Gartner notes. This is why Gartner has highlighted identity-first security as a Top Security and Risk Trend for 2021.
“The SolarWinds attack demonstrated that we’re not doing a great job of managing and monitoring identities. While a lot of money and time has been spent on multifactor authentication, single sign-on and biometric authentication, very little has been spent on effective monitoring of authentication to spot attacks against this infrastructure,” notes Peter Firstbrook, research vice president at Gartner.
Although organizations have invested in evolving their access security solutions to include things like passwordless authentication, multi-factor authentication (MFA), and single sign-on (SSO), the fact is they are only focusing on a fraction of their workforce.
Today machines make up far more of your “digital workforce” than humans. However, investments in managing and protecting machine identities, such as X.509 certificates, often pale in comparison to investments in human identity and access management (IAM).
The bottom line is that machine identities must be a part of your IAM strategy, especially as we shift to a more digital workforce where the teams that grow and operate the business rely entirely on the machines that underpin our infrastructure (e.g., servers, containers, and mobile devices).
Identity is the linchpin of Zero-Trust
Section 3 of the recent Biden Executive Order (EO) lays out orders for “Modernizing Federal Government Cybersecurity” and specifically calls out advances in “cloud services and Zero Trust Architecture.”
The EO outlines that Zero Trust Architecture “allows users full access, but only to the bare minimum they need to perform their jobs.” A critical component for Zero Trust Architecture is the issuance and management of digital identities – both for humans and machines.
NIST SP 800-207 defines Public Key Infrastructure (PKI) as an essential component to achieving Zero Trust Architecture. In fact, an executive survey recently showed that 96% of IT security leaders agree that PKI and digital certificates are essential to Zero Trust.
Evolving your IAM strategy for machines
Gartner notes that “Identity-first security puts identity at the center of security design and demands a major shift from traditional LAN edge design thinking.” The problem is that security teams struggle to enforce best practices around managing and protecting these credentials.
This is crucial, as the number of digital identities is skyrocketing across the entire enterprise ecosystem – identities are no longer human-centric; they also help authenticate and authorize a wide range of devices, DevOps processes and services.
However, research shows that:
- 55% of organizations do not have sufficient IT security staff dedicated to their PKI.
- 60% of organizations have no formal access controls for code-signing keys.
- 40% of organizations still use spreadsheets to manually track digital certificates.
Relying on error-prone and time-consuming manual processes leaves many blind spots and creates security holes that adversaries continue to exploit to compromise data. Impersonation attacks, certificate-related outages, and malware masquerading as legitimate software are only a few of the examples that should convince every CISO that it is time to evolve their IAM practices to involve both humans and machines.
Cryptography is now critical infrastructure for digital business, and machine identities are the foundation for digital trust. As the world digitally transforms, machines will continue to play a bigger role in business and society.