Why air conditioning (and identity security) is crucial: A cautionary tale from a Texan

The SailPoint Blog
| Mike Kiser | Market Views

The high temperatures here in Austin have been hovering at 105F / 41C for a week or two, meaning that the simple invention of air conditioning shifts from a “nice to have” to a “must have.” The irony is that despite being an essential component of houses and businesses HVAC systems are often ignored until they break down. And once the heat starts climbing, air conditioning moves from essential to the number one priority.

The recent report from the Identity Defined Security Alliance, “2023 Trends in Securing Digital Identities,” illustrates how identity plays a similar role in organizations: it’s on the rise in importance within enterprises, but it’s not the top focus until something goes awry.

Identity: A key emphasis

Identity security continues to be front of mind for most organizations. The report points out that 61% of respondents have managing and securing digital identities in their top three priorities, with 17% identifying it as their top item overall.

The driving forces behind the recognition and proliferation of identity security are both technical and cultural. The report describes how the number of identities is rapidly increasing, and we see some of the usual suspects that reflect the shift to remote work and the aftermath of the pandemic:

  • Adoption of more cloud applications
  • Remote work
  • Additional mobile devices

But immediately after these comes an interesting pair in the list:

  • Increase in third-party relationships (consultants, partners, service providers)
  • Machine identities (system, IoT, bots, etc.)

These items drive home that identity crosses borders: lines of division between organizations and previous definitions of what constitutes an identity. Recent work in supply chain and a “software bill of materials” (SBOM) has assisted in securing these logical connections that similarly span organizations; it seems likely that there is a place for a similar SBOM-like approach to identity security. As an identity comes into the organization, what risk level is it introducingand how is that risk level assessed and monitored?

This focus on identity security is welcome, but just like a long-ignored air conditioning unit, challenges to ensuring that it remains a top priority remain.

Challenges

The report calls out a number of barriers that prevent companies from securing identities well, and the top three are telling:

  • Identity frameworks are complicated, with multiple vendors and different architectures
  • Our technology environment is very complex
  • Insufficient budget

Complicated frameworks and competing architectures have long been an issue, but the challenges are not merely technical, as the third item highlights.

If you want to see the values of any enterprise, follow the flow of investment. If identity security is a real priority, it must be backed with real funding.

Almost a third of organizations need help allocating financial resources to their identity programs. Rather than supporting identity security to secure the enterprise, they’re waiting for things to flare up before they respond.

Not yet proactive

This reactive approach to identity security is perhaps one of the most significant findings of the report—it describes how only 49% of respondents state that their leadership “understands the risk and proactively invests in protections, even when they haven’t been directly impacted by a big incident.”

It seems clear that many organizations are waiting until something happens before implementing protective measures, and the hindsight of “what should have been done” is revealing.

Three of the top four actions that would have minimized the business impact of the incident are all centered around the discovery and access review of sensitive data or privileged access. Thus, oversight and governance of identities remain a primary mitigating control for reducing negative business impacts that result from these incidents.

AI/ML as a sign of hope?

There are signs of progress called out in the report as well, particularly the identification of key use cases for the use of artificial intelligence (AI) and machine learning (ML). All too often, ML feels like a hammer in search of a nail, and it is helpful to see the following concrete uses called out specifically:

  • Identifying outlier behaviors
  • More efficient administration, onboarding, and offboarding
  • Assist with access approval decisions
  • Helping to make better access review decisions

Using ML wisely in concrete ways is key to making that shift to a proactive strategy for identity security, particularly as identity continues to be ubiquitous.

Identity continues to be crucial

The onset of summer in Central Texas guarantees the arrival of scorching weather and serves as a reminder to residents that air conditioning is . . . NOT optional. Those who have prepared well—installed capable systems, and have invested in keeping them maintained—will feel the (icy-cold) benefits of their work. Those who wait until the system breaks down will find themselves on a different path.

And the same is true for identity security, as this report from the IDSA reminds us. Identity security, just like cooling systems in Austin, is essential for the success of organizations—and deserves proactive investment and engagement.

If you want to elevate your organization’s security program, learn how SailPoint’s identity security solutions can help automate the discovery, management, and control of all users.