Three Key Pillars of Smart Identity

Three Key Pillars of Smart Identity

For years, identity and access management (IAM) was that painful necessity that businesses knew they had to spend time and resources on, but it was always done kind of grudgingly. Oh, how times have changed! CIOs and CISOs alike have recognized the critical role that identity plays in an overall digital transformation and security program centered around Zero Trust .

IAM is all about providing secure, frictionless access for any user to access any resource. In the context of identity, “user” represents a very broad category of people and things. People include privileged users, the workforce at large including employees and contractors, and consumers. Things include servers, service accounts, application programming interfaces (APIs), and even internet of things (IOT) devices. To enjoy a consistently secure and frictionless environment, these users need a common experience regardless of whether the resource they are accessing resides on-premises, or across various public and private clouds.

Organizations understand that this can’t be accomplished with a hodge-podge of identity solutions that only work in specific silos: one solution for access management, another one for governance, another one for privileged users, another one for customers, and so on. At the same time, ripping and replacing all existing IAM solutions is rarely an option that organizations are willing to explore. What if there were a smart, modernized and modular platform that could integrate into the existing environment and provide a consistent, secure experience and the ability to adopt new use cases over time? What would the three key pillars of this solution look like?

Tap Into Contextual Insights

The more an organization can tap into deep contextual insights such as behavioral biometrics, device attributes, user behavior patterns, environmental attributes, and user activity, the less need there is for the friction associated with authentication. A central tenet of Zero Trust approaches is to never trust and to always verify, but a smart identity solution leverages adaptive access that uses artificial intelligence (AI) technology to perform this “always verify” step in the background. AI can be used to help build risk scores, or, as I prefer to call them, “trust scores,” determining the level of trust associated with each user at any particular time.

When these AI capabilities are combined with an access policy engine, they allow the organization to make dynamic decisions based on that trust level. Low-risk accesses can be given a streamlined or even passwordless experience, while high-risk accesses can be challenged with multifactor authentication (MFA) or denied access. Contextual insights allow the verification process to occur continuously and transparently so that the friction associated with MFA is minimized without sacrificing security.

Context in the form of identity analytics can be used to help decision makers make better decisions. Gone are the days of rubber-stamp approvals that are fine for checkbox compliance but actually do nothing to reduce risk in the business. Analytics can be used to get a 360-degree view of access risks and then recommend actions based on those risk insights.

Finally, context is a critical part of a modernized threat management program. The telemetry that identity solutions provide must be integrated for consumption by Security Incident and Event Management (SIEM) solutions. If adaptive access indicates risk is high, incident response cases should be automatically created for follow-up. But the context needs to be bi-directional too so that if remediation is needed, IAM can become a control point. Automated response playbooks should be able to perform remediation tasks such as password resets and account suspension without human intervention.

Source : Three Key Pillars of Smart Identity

Mots-clés : cybersécurité, sécurité informatique, protection des données, menaces cybernétiques, veille cyber, analyse de vulnérabilités, sécurité des réseaux, cyberattaques, conformité RGPD, NIS2, DORA, PCIDSS, DEVSECOPS, eSANTE, intelligence artificielle, IA en cybersécurité, apprentissage automatique, deep learning, algorithmes de sécurité, détection des anomalies, systèmes intelligents, automatisation de la sécurité, IA pour la prévention des cyberattaques.