False Sense of Security

The SailPoint Blog
| Mark McClain | Market Views

We’ve hit an identity security inflection point over the last few months. This was largely brought about as more organizations paid closer attention to how they were connecting their workers to the systems and data needed to do their job – particularly after last year’s massive pivot to “working from anywhere”. It wasn’t just a keener eye on how efficiently workers were given access, but a better understanding of, and emphasis on, properly securing those access points. It sounds like a minor nuance – enabling vs. securing access – but it’s actually critical to understand in order to properly protect the modern enterprise. Going down the wrong path, where you are only looking at enabling access, can be a dangerous one.

A changing perimeter

Today’s business is surrounded by a perimeter, but that perimeter is no longer the traditional network security “moat” that keeps the adversaries out. Today’s perimeter is all about identity. These identities comprise everything from full or part-time employees, to contractors, business partners or even software bots today. And with each one, comes hundreds, if not thousands of different points of access as these workers connect to the systems, tools and cloud resources needed to do their job. Every identity and every connection point becomes a point of risk if not properly secured.

This is the identity thread that some organizations have missed – until recently. If you are simply opening the door to enable your workforce without also wrapping the right security controls around every single one of your identity access points, you’ve just opened your business to a significant level of potential risk.

For many, there’s been an assumption that by enabling your workforce, connecting them to the technology they need to do their job with strong authentication, like MFA, that you’re safe. But to truly secure your perimeter – your workforce – you need to balance the enabling of your people with securing their access to technology. This requires taking it a few steps further beyond simply granting access.

The Identity Security Inflection Point

Let’s play out what could happen if an organization went down the enablement path, where the company only focuses on the granting of access.

Say a typical employee requires access to upwards of, in some cases, hundreds of applications, data and business resources to do their job. This includes both the more traditional software-based applications and the influx of SaaS apps most companies now have to manage.

Just because a worker requests access to certain files, systems and applications doesn’t mean they should get it based on a cursory approval. In fact, it raises a slew of very important questions:

  • Who is this worker requesting access and what is their role in the business?
  • Should they have access?
  • What should they be able to do with their access?
  • How long will they need that access?
  • If their role changes, should their access privileges also change, be refined, or even removed?

And those are just the most basic questions on the list.

The problem is – if you’re simply granting access without having the ability to easily and quickly address each of these questions (and more), you’ve just opened your business to a flood of potential exposure.
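As an added illustration that is not part of the original post, here is a small Python access-review check that turns the questions above into concrete findings over a constructed set of identities. The role policy, the sample workers and the review date are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Dict

# Assumed role policy: which entitlements each job role may hold (constructed).
ROLE_POLICY = {
    "accounts_payable": {"erp:invoice_approve", "erp:vendor_read"},
    "contractor_dev": {"git:read", "ci:trigger"},
}

@dataclass
class Entitlement:
    name: str
    granted_for_role: str            # role the worker held when access was approved
    expires: Optional[date] = None   # None means standing (open-ended) access

@dataclass
class Identity:
    user: str
    role: str
    active: bool
    entitlements: List[Entitlement] = field(default_factory=list)

def review(identity: Identity, today: date) -> List[str]:
    """Answer the checklist for one identity: is the identity still valid, does each
    entitlement fit the current role, has time-bound access expired, and did a role
    change leave old access behind. Returns one finding per problem found."""
    if not identity.active:
        return [f"{identity.user}: inactive identity still holds "
                f"{len(identity.entitlements)} entitlement(s) (orphaned account)"]
    allowed = ROLE_POLICY.get(identity.role, set())
    findings = []
    for e in identity.entitlements:
        if e.expires is not None and e.expires < today:
            findings.append(f"{identity.user}: {e.name} expired on {e.expires}")
        if e.granted_for_role != identity.role:
            findings.append(f"{identity.user}: {e.name} was approved for role "
                            f"{e.granted_for_role}, but the worker is now {identity.role}")
        elif e.name not in allowed:
            findings.append(f"{identity.user}: {e.name} is outside policy for role {identity.role}")
    return findings

# Constructed sample workforce: a role change, an expired grant, an out-of-policy
# grant, and a departed contractor whose account was never removed.
SAMPLE = [
    Identity("alice", "accounts_payable", True, [
        Entitlement("erp:invoice_approve", "accounts_payable"),
        Entitlement("git:read", "contractor_dev")]),          # kept after changing role
    Identity("bob", "contractor_dev", True, [
        Entitlement("git:read", "contractor_dev", date(2021, 3, 31)),
        Entitlement("erp:vendor_read", "contractor_dev")]),
    Identity("carol", "contractor_dev", False, [Entitlement("ci:trigger", "contractor_dev")]),
]

def run_review(identities: List[Identity], today: date) -> Dict[str, List[str]]:
    return {i.user: review(i, today) for i in identities}
```

Each finding maps back to one of the questions: an inactive identity with access, access that no longer matches the role, a grant outside role policy, or time-bound access that outlived its need.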

But truly, all it takes is one.

One compromised worker.

One point of access that has been compromised.

One point of exposure.

That’s all it takes for an adversary to breach today’s modern enterprise.

A false sense of security

You see, granting access in the name of keeping the business moving forward without taking into account if/how/why your workforce has the access they have, is a fatal flaw for organizations today. You don’t want to travel that road alone.

In fact, we believe that enablement without control introduces a false sense of security.

You’ve allowed all of these workers into the proverbial building, but without a layer of identity security controls in place to ensure that access is necessary, that it falls in line with security policy and is relevant to that worker’s job and role, you’re exposed. And you might not even realize it until it’s too late.

It’s time to rethink the notion that the granting of access is enough. It’s really only just the beginning. To truly secure the modern enterprise, we have to move beyond that false sense of security and truly secure every identity and every access point. The only way to achieve “full security” is by ensuring that every worker and every point of access they have is protected with identity security. That’s the secure path forward.