Secure Business Identity Strategy

listen to - something different! podcast on goodpods

By Chern-Yue Boey

Cybercrimes have been on the rise in Malaysia. In 2021, more than 20,000 cybercrimes were reported, involving losses of RM560 million. More recently, we saw several large scale cyber incidents, like the iPay88 data breach and the AirAsia ransomware attack which compromised the personal data of millions of consumers and employees. In a recent study by Surfshark, Malaysia was ranked 11th globally for the most number of data breaches, with over 660,000 Malaysian accounts breached from April to June 2022.

The growing number of cyber attacks are a cause for concern, especially as Malaysia aims to build smart cities and is heading towards Industrial Revolution 4.0. Also, as the digital economy is expected to contribute to the country’s GDP in the upcoming years, a strong cyber security posture is crucial to avoid any major impact resulting from cyber attacks. So how can Malaysian enterprises stay protected?

Today, organizations are managing numerous identities across their digital ecosystem which include employees, contractors, partners, customers and non-human identities.
Our report shows machine identities makeup 43 per cent of all identities for the average enterprise, followed by customers (31 per cent) and employees (16 per cent). Machine identities and customer identities are also the two identity types projected to grow at the fastest rate over the next 3 – 5 years.
More identities mean more access points that may present significant risks to organizations, which is why it’s critical to control and manage access for all identities, giving them only the minimum amount of access they need to do their job. In order to secure all identities and access to resources, enterprises must have a comprehensive identity security strategy in place.

What exactly is identity security and why is it important?

No business can safely grant their workforce access to technology without putting proper security controls in place—this is where identity security comes in. Identity security is critical to keeping enterprises secure because it simplifies access and accelerates the business, starting with the users. 
Identity security provides multiple layers of business value such as reducing risk, automating IT processes, as well as enhancing the employee experience. 
Access management practices such as Single Sign-On or Multi-factor Authentication are just one aspect of identity security. Authentication helps to verify the identity of who the user say they are, but does not include cross checks to determine if access to resources is allowed and adheres to access policies. These practices cannot be used to govern the information a user can access, and this is becoming increasingly important as stricter data privacy regulations require organizations to safeguard sensitive data.
Identity security enables granting, securing, and managing access based on the principle of least privilege, which means every single identity in a company’s network only has the minimum amount of access required for their job. By restricting permissions based on job function and user role, enterprises will reduce the risk of users having access to restricted information, and the chances of a data breach.

Best practices to develop an identity security strategy

Understand the business objectives

The first step is to find out the challenges the business is trying to solve with identity security. For example, an organization’s helpdesk could be overburdened with access requests and password resets, or the organization could have recently failed a compliance audit. It could also be that the IT team discovered excess user permissions, or the adoption of cloud-based applications has decreased security visibility while increasing the complexity of the IT ecosystem. Or worse, the company could have experienced a data breach. Hence, it is important to determine the business goals and align the identity security project to the overall objectives.

Remove high-risk systems

It is imperative to move from a legacy system to a cloud service provider to enhance security through patch management, segmentation, encryption, and secure access requirements. Organizations may be reluctant to move from on-premises solutions to those in the cloud for fear of increased security threats. However, on-premises data centres and applications tend to be more risky as cloud service providers provide several security capabilities that cannot be matched by onsite resources. Also, on-premises systems require more manpower and resources to combat threats, which are just not sustainable in the long term.

Pay attention to user access  

As users in an organization change roles or departments, their access needs to be adjusted accordingly. For employees that leave the company, their account should be deleted immediately to avoid being an easy target for security attacks. For onboarding and offboarding employees, contractors, vendors and partners, an automated process helps to easily streamline access and privileges based on the user’s role and removes access on their last day—improving their experience, reducing the burden for HR or IT teams and lowering the risks for errors. 

Embrace AI/ML

With digital transformation and the hybrid workforce today, enterprises need a modern identity security solution that incorporates artificial intelligence (AI) and machine learning (ML), especially as the volume of identity data and complexities have increased beyond human capacity.  
AI and ML makes it possible to learn about and analyze potential cyber threats in real-time, and enables organizations to get deep visibility and understanding of all user access, including trends, roles, outliers and relationships. They can also automatically modify or terminate access based on changes to a user’s attributes or location, and perform remediation actions when risky activity is detected. 
With automation, identity security tasks such as access requests and access certification are fast, seamless and effective. By automating complex identity security processes, and with an ongoing, comprehensive analysis of behavior patterns, enterprises are better equipped to manage access to prevent conflicts of interest, information theft and compliance violations as users get only the right amount of access at exactly the right time.
Ultimately, as the threat landscape continues to evolve, investing in identity security is no longer optional, but a business essential to secure today’s enterprise. A strong identity strategy can protect and empower the business, and also ensure growth and success in the long term. 
Take this assessment to find out the maturity of your organization’s identity security capabilities.

About the author: Chern-Yue Boey is the Senior Vice President, Asia-Pacific, SailPoint.This is an opinion column. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of this publication.

Leave a Reply