As perimeter defenses fall, the identify-first approach steps into the breach

Additionally, this approach requires the delivery of consistency and context continuously, and not just, for example, at the time of log-in. Teixeria says all three C’s — consistency, context and continuousness — must work in concert, and they must do so across the entire IT environment.

Identity has become an interconnected concept

As he explains; “In the past identity was a silo; it was a networking thing. Now identity is interconnected. It’s no longer a siloed discipline. It’s about applying this identity consistency everywhere. Identity is now integrated.”

Multiple technologies enable and support this. One such enabling technology is the identity and access management (IAM) solution, which has been standard in enterprise security for many years. A user and entity behavior analytics (UEBA) solution, which tracks and analyzes user and entity behavior to determine what’s normal and to flag suspicious activities, is another increasingly standard tool in most enterprise security functions. Newer technologies supporting an identity-first approach include zero trust network access (ZTNA), cloud security posture management and data security posture management (DSPM) solutions.

Moreover, organizations must enable integration of these tools with the right architecture, which allows the technologies to work together for a more seamless and secure experience and to break down any remaining siloes within the identity function.

All that, Teixeria says, is essential for delivering the necessary consistency, context and continuousness while still supporting the business’ need for rapid access to systems.

Implementation challenges for identity-first security

Although research has found that nearly all organizations see identity security as critical, gaps in this area exist.

The 2023 State of Identity Security report from security software maker Oort speaks to this point, noting, for example, that the average company has 40.26% of accounts with either no MFA or weak MFA and that dormant accounts are 24.15% of the average company’s total accounts and are regularly targeted by hackers.

Such figures don’t surprise security consultants and researchers, who say a multitude of challenges face CISOs as they put identity front and center.

To start, there are cultural challenges. The granular approach required by an identity-first strategy is drastically different than the way security has traditionally devised access management.

“We’re trying to undo an entire way of existence,” says Keatron Evans, vice president of portfolio and product strategy at cybersecurity training company Infosec, part of Cengage Group. For decades IT allowed access to almost anyone physically within the organization’s physical facilities, Evans explained, “so moving to an identity-first approach goes against everything we’ve been doing for the past 50 years with computing. I think that’s the biggest challenge.”

That mindset shift is far from the only big challenge, however, according to Evans and others.

Incorporating modern identity and access solutions with legacy systems is also a challenge. Additionally, many CISOs struggle to collect and analyze the data needed to devise, implement, support, and automate strong and dynamic identity and access control policies, Radhakrishnan says.

Finding funding for identity control can be a challenge

And even if CISOs have plans for overcoming such challenges, Evans says they can often run into issues securing the money they need to address all those problems. But an unlimited security budget (not that such a thing exists) won’t solve everything, experts say. CISOs and their teams still must make all the elements — the data, policies, processes and technologies — work together seamlessly as well as nearly instantaneously and continuously. That ongoing synchronization, experts say, is itself a significant task.

And that task is one that must take priority to succeed, something that doesn’t always happen. “There is a lot of noise in the market about zero trust and identity-first or identity-centric security, but it’s often looked at as a secondary or tertiary control,” Radhakrishnan says.

However, experts say CISOs are seeing progress in overcoming those challenges. Teixeria points to a recent Gartner survey, which found that 63% of organizations have implemented continuous controls and 92% have implemented contextual signals to influence decision-making. Moreover, the survey found that the adoption of workforce access management solutions is at 58% among the respondents who have some involvement or responsibility in their organizations’ IAM.

Others note additional progress. For example, the vast majority of organizations now see identity as critical — so CISOs are gaining the necessary support from their executive colleagues to invest in planning and implementing the needed components to put identity at the center of their security posture.

They also are advancing their identity programs as their IT departments modernize legacy environments and shift from on-premise applications to cloud-based ones that come with and integrate well with modern identity and access tools.

And CISOs are shifting from static policies around identity and access to more dynamic ones — a move that’s essential in a world where virtual and distributed work environments are the norm and risks are dynamic, too.