Basketball can teach us a lot about managing the cybersecurity of an enterprise: it takes teamwork. ESPN’s documentary The Last Dance covered basketball legend Michael Jordan’s last season with the Chicago Bulls. By this stage of his career, Jordan had secured six NBA championships and was well known for his formidable competitive streak. Jordan’s desire was to not only be the best player, but to also play with the best team. Jordan knew that the skill of his teammates was an essential factor for ensuring victory. He even flew to Vegas to force Dennis Rodman to practice. The Last Dance highlighted that it takes a team to be the greatest and that breaking bad habits, such as in the case of “practice skipping” Rodman holds the key to success.
For this reason, The Last Dance is a great allegory for enterprise cybersecurity: it takes the whole team to win. This is perhaps most evident as organisations seek to adopt zero trust principles. The zero trust concept is not new, but I hear more organisations discussing it than ever before—driven by a desire for greater security, more flexible access, and accelerated by the shift to remote work due to COVID-19. At its core, zero trust focuses on providing least-privilege access to only those users who need it. Put it this way: don't trust anyone and even when you do, only give them what they need right now. This security philosophy would make Jordan proud, but in that vein, zero trust would not work without another player: identity management.
Operating on a new playing field
There is no doubt that enterprises' digital transformation efforts have accelerated in the last year, which means different things for different organisations. It could mean the transition from on-prem to either hybrid or cloud-only environments; it could mean the shift towards employees using their own computers, tablets, and phones (BYOD – Bring Your Own Device).
This shift in work from anywhere drives the need for increased self-service and password management and new ways to maintain the security of a workforce beyond an enterprise's traditional network perimeter.
The team strategy must be a zero-trust strategy
In order to work, the zero trust method must be applied to all users and systems regardless of location—home or office, but where to begin? First, set a detailed plan for how you will implement zero trust over time. Budgets for this rarely exist, so outline a process in the context of broader organisational security. This will ensure stakeholders across your organisation understand the vision, intent, and timing to achieve this. Next, you need to know where all your applications and data reside now and where will they be in the future. Cybersecurity is like basketball; it's a team sport. You will need to tap different plays and strategies to maintain this high level of visibility of users and applications/data.
Here’s the play: leverage solutions that continuously monitor, recognise, and automate changes in security posture, job assignments, and access policies. Consider solutions that integrate out-of-the-box via standard protocols to ensure your solutions are built to work together and are future-proofed. Centrally managed authentication and authorization controls are essential to your zero trust implementation. These answer the most basic questions of “are you who you say you are?” and “are you allowed to access the resources you’ve requested?”
Home team advantages
I cannot stress this enough—what will keep enterprises moving forward is to see centrally, control, and manage change in their homecourt. This is not something that can be accomplished by basic access management and authentication, because they lack context. They know what is happening in real-time, but they don’t necessarily know the way things should be—who should have access to what. With identity management, you have the brains behind access at your fingertips, regulating how and if access should be granted or revoked and monitoring that access over time as a workers' role changes.
Identity management is about answering three main questions: who has access to what (current state), who should have access to what (desired state), and how is that access being used? For all users, all applications, and all data. This play is the strategic lynchpin for organisations because identity management controls the link between the entire user population and applications and data amid an enterprise’s digital transformation.
The way enterprises operate today may not be the same tomorrow. With this in mind, IT leaders must ensure they are continually evaluating security and compliance implications whilst balancing productivity and automation. This is why identity security is so critical. It is my fundamental belief that identity security and company wide best practices are the keys to winning on the cybersecurity court.
SailPoint | Identity Security for the Cloud Enterprise