Page 20 - FCW, August 2017

CYBERSECURITY
IDENTITY AND THE FUTURE OF SECURITY
Better insight into users leads to more secure systems and more productive employees.
SPONSORED CONTENT
CHRIS NIGGEL
DIRECTOR OF SECURITY AND COMPLIANCE, OKTA
As security professionals, we are faced with the impossible task of securing an ever-changing application landscape against increasingly sophisticated threats.
We tend to respond by creating more restrictive cybersecurity policies, making it more difficult for an attacker, but also reducing usability. Without a transparent framework for policies and controls, these piecemeal attempts to enhance security can often have a negative impact because they drive employees from agency-approved solutions, which they see as a roadblock to getting their work done.
Choose Controls That Match the Level of Risk
A more cohesive approach to cybersecurity begins by understanding the types of information employees are handling and how they’re handling that information. Then an agency can begin to create threat models by asking how that information might be misused or modified by an external or internal attacker. That knowledge leads to choosing controls that match the level of risk.
The future of information security is inextricably tied to identity management. According to Verizon’s 2017 Data Breach Investigations Report, 43 percent of reported incidents last year were identity-related. For incidents that resulted in the loss of data, 81 percent were identity-related.
Employees need to be productive no matter where they are or what system they’re working on. The cloud has helped provide that mobility, but it means traditional approaches to network security no longer work. Moving the security perimeter from the network to the identity is essential to enabling this new distributed style of working securely.
Tie Access to Identity
Identity is not just about the person, but also the device he or she is using. Is it a government-managed laptop, a secure mobile device, or the kiosk at a hotel’s business center? In each of those cases, agencies need to change or control the amount of information to which the employee has access. If an employee is working at a business center, he or she should have access to email, but not to an HR system containing personally identifiable information.
Conversely, if employees are on government-managed laptops and are signed into government-managed networks, they may not be required to use multifactor authentication to get access to lower risk data. When the security controls don’t match the risk posed by the data they protect, employees will find ways to circumvent them. A better approach is to create systems that offer a better user experience. Employees will use secure, agency-approved solutions when they’re made easy to use. They don’t want to be systems administrators—they just want to do their jobs.
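The device- and network-aware access rules described above, as an added example that is not code from the article or from Okta: a small policy evaluator in which the device classes, sensitivity levels, rule names and sample requests are all constructed for illustration. Each decision is returned together with the rule that produced it, so the same function can feed an audit record that tells an analyst why a request was stepped up to MFA or refused, not just that it was.

```python
"""Context-aware access policy: device posture, network and data sensitivity
decide whether a request is allowed, needs MFA, or is denied.

Illustrative example; the rule set, names and sample data are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class DeviceTrust(Enum):
    MANAGED = "managed"              # agency-managed laptop
    SECURE_MOBILE = "secure_mobile"  # enrolled, policy-compliant phone
    UNMANAGED = "unmanaged"          # e.g. a hotel business-center kiosk


class Sensitivity(Enum):
    LOW = 1       # public or internal-only data
    MODERATE = 2  # ordinary business data, e.g. email
    HIGH = 3      # PII, e.g. an HR system


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    device: DeviceTrust
    on_managed_network: bool
    mfa_completed: bool


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity


# Ordered rules: the first predicate that matches wins. Each rule carries a
# name that ends up in the audit record, so the reason for a decision is
# visible downstream rather than buried in code.
Rule = Tuple[str, Callable[[AccessContext, Resource], bool], Decision]

RULES: List[Rule] = [
    # Unmanaged devices never reach high-sensitivity data, even with MFA.
    ("unmanaged-device-high-sensitivity",
     lambda c, r: c.device is DeviceTrust.UNMANAGED and r.sensitivity is Sensitivity.HIGH,
     Decision.DENY),
    # Managed laptop on a managed network reading low-risk data: no step-up.
    ("managed-device-managed-network-low-risk",
     lambda c, r: (c.device is DeviceTrust.MANAGED and c.on_managed_network
                   and r.sensitivity is Sensitivity.LOW),
     Decision.ALLOW),
    # Any other request is fine once a second factor has been presented.
    ("mfa-satisfied",
     lambda c, r: c.mfa_completed,
     Decision.ALLOW),
    # Catch-all: ask for MFA before granting anything else.
    ("step-up-required",
     lambda c, r: True,
     Decision.REQUIRE_MFA),
]


def evaluate(ctx: AccessContext, res: Resource) -> Tuple[Decision, str]:
    """Return (decision, name of the rule that matched) for one request."""
    for name, predicate, decision in RULES:
        if predicate(ctx, res):
            return decision, name
    # Unreachable while the catch-all rule exists; fail closed regardless.
    return Decision.DENY, "default-deny"


def audit_record(ctx: AccessContext, res: Resource) -> dict:
    """Structured event describing the request and the decision taken."""
    decision, rule = evaluate(ctx, res)
    return {
        "user": ctx.user,
        "resource": res.name,
        "sensitivity": res.sensitivity.name,
        "device": ctx.device.value,
        "managed_network": ctx.on_managed_network,
        "mfa_completed": ctx.mfa_completed,
        "decision": decision.value,
        "rule": rule,
    }


if __name__ == "__main__":
    # Constructed sample requests mirroring the scenarios in the article.
    email = Resource("email", Sensitivity.MODERATE)
    hr_system = Resource("hr-system", Sensitivity.HIGH)
    wiki = Resource("internal-wiki", Sensitivity.LOW)
    kiosk = AccessContext("jdoe", DeviceTrust.UNMANAGED, False, True)
    laptop = AccessContext("jdoe", DeviceTrust.MANAGED, True, False)
    for ctx, res in [(kiosk, email), (kiosk, hr_system), (laptop, wiki), (laptop, hr_system)]:
        print(audit_record(ctx, res))
```

Because the rules are ordered data rather than nested conditionals, adding a new device class or tightening a threshold is a one-line change, and every decision is explainable by the rule name it carries.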
Similarly, agencies should make it easier for Cloud Service Providers (CSPs) to help them modernize and adopt cloud services by standardizing the types of controls they use, the documentation they are required to provide, and the frequency with which they require that documentation. CSPs must ensure they respond to all those requests, which can be needlessly complex and often conflict with one another. The Federal Risk and Authorization Management Program (FedRAMP) and others have created structures that can be used across the government, and we need to keep moving in that direction.
The cloud has dramatically changed the way we work, and when we view access holistically with identity and risk, we can enable both better security and productivity.
Chris Niggel is director of security and compliance at Okta.