Published on 02/07/2024 | Written by Heather Wright
From efficiency tool to big player…
Identity security has finally gained its seat at the security table across New Zealand and Australia, with organisations recognising the importance of proper identity controls – and realising how valuable identity management is, both as a security tool and a threat target.
That’s according to Frank Briguglio, US-based public sector identity security strategist for enterprise identity security provider SailPoint.
“When implemented appropriately, cost savings will come.”
Briguglio is a regular visitor to Australia and New Zealand and has just been in this part of the world, meeting with customers, partners and prospects across the region.
“Identity security used to be looked at as only an efficiency tool streamlining access to multiple applications, with a focus on the user experience,” he says.
Then the market evolved to have more of a compliance aspect, with enforced separation of duties and ensuring the right person has the right access.
“But we still didn’t quite have that seat at the table with the rest of the security tools.”
When the perimeter hardened into a ‘crunchy’ shell and, at the same time, became more pliable, a more modern approach to cyber security put controls around the data, applications and systems themselves, which required organisations to have a better handle on identity governance and identity security.
It’s known in the industry as the ‘zero trust’ approach though Briguglio prefers to call it a modern cybersecurity architecture.
“Things like role-based access control (RBAC) that have been around forever are becoming more dynamic to include things like identity context – the things we know about a person – to grant access based on a user’s needs according to their position.”
It is, he says, effectively turning the person’s identity into the keys to the kingdom.
“We need to make sure that data is accurate, that it’s being shared in a timely way, which includes with partners through federation, so the identity becomes a key aspect in all areas.”
Briguglio says New Zealand and Australian organisations, both commercial enterprises and government agencies, are embracing identity security and the modern cybersecurity architecture and maturing ‘at a pretty good clip’.
“Enterprises have recognised that zero trust has its valid points, but was an over-marketed term, and they’re defining what zero trust means to their organisation.”
That’s backed by the State of Identity in Australia and New Zealand report, commissioned by SailPoint and conducted by IBRS. It surveyed 565 organisations across Australia and New Zealand and found identity and access has moved from being an issue to be solved by the end-user computing and architecture team, to being a CxO-level imperative, with 49 percent saying identity access management is important for their organisation, while 29 percent deemed it ‘essential’.
“When I started working heavily with government agencies in Australia about eight years ago, zero trust wasn’t even a topic,” he says. “It was a ‘we’re not ready’.
“But they were eager to resolve the identity and access problem and that was a good sign. And it’s the same thing on the New Zealand side.”
He says local organisations are also coming to understand that beyond the efficiency and user experience challenges they can solve, identity security is becoming more of a control in terms of ensuring all identities only have the right amount of access to resources, systems and data at the right time – nothing more, nothing less.
“There are a lot of efficiencies where, when implemented appropriately, cost savings will come when done right.”
Large identity security and cybersecurity projects both require automation, which reduces the manual processes and human involvement needed; those people can be redeployed elsewhere.
“Just automation itself is going to reduce cost – it’s proven that just reducing helpdesk calls for password changes is a significant reduction in cost.”
Briguglio is particularly passionate about the National Institute of Standards and Technology (NIST) Zero Trust Architecture, leading SailPoint’s work with NIST’s National Cybersecurity Center of Excellence (NCCoE).
The company is one of 17 vendors in a cooperative research project to demonstrate various configurations of the NIST SP 800-207 zero trust architecture – highlighting a key point about security according to Briguglio: Identity security is a team sport.
“What makes the model work is that vendors are willing to work with each other, because if there are no open APIs and collaboration between organisations, it gets really hard to integrate some of these technologies,” he says.
So, what’s the first step in embracing the modern cybersecurity architecture?
“Visibility.
“We can’t protect things we don’t know exist. So where is all your data? What’s contained in that data? Is it in cloud buckets? On file shares? In SharePoint? In a database?
“Where does it reside and how is it classified?
“And then the same thing with identities, taking that inventory of the ‘who’, because we’re not just talking about humans anymore – there are RPAs and bots, APIs… they all have identities, and we have to know where they exist and look at them from the perspective of whether they are appropriate for the action they’re taking.”
Once that inventory exists, the protection model can be built on top of it, whether a dynamic access model or an attribute-based one.
“As we go to this dynamic model, we have to understand the attributes of data, systems and users.
“Once we’ve built the model, it allows us to detect anomalies with behaviour analytics and continuous monitoring.”
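To make the shift described above concrete, the following is an added illustration (not code from SailPoint, NIST or the interview): a classic role-based check sits beside an attribute-based decision that layers identity context over it, including non-human identities. The roles, attributes, classification labels, the 90-day credential-rotation limit and the sample identities are all assumptions constructed for the example.

```python
"""Static RBAC beside an attribute-based (ABAC) decision that adds identity context.

Constructed illustration; the identities, roles and rules below are assumptions,
not any vendor's or standard's policy model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                      # "human" or "service": bots, RPAs and API clients are identities too
    roles: frozenset
    department: str
    mfa: bool = False              # current session completed MFA (humans)
    managed_device: bool = False   # session comes from a managed endpoint (humans)
    credential_age_days: int = 0   # days since the secret was rotated (service identities)


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str            # "public", "internal" or "confidential"
    owner_department: str


@dataclass(frozen=True)
class Request:
    identity: Identity
    resource: Resource
    action: str                    # "read" or "write"


# Static RBAC: the (classification, action) pairs each role grants. Assumed roles.
ROLE_GRANTS = {
    "analyst": {("internal", "read"), ("confidential", "read")},
    "finance_admin": {("internal", "read"), ("confidential", "read"), ("confidential", "write")},
    "etl_bot": {("confidential", "read")},
}

MAX_SERVICE_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy for non-human identities


def rbac_allows(req: Request) -> bool:
    """Classic RBAC: allow if any role held grants the action on this classification."""
    wanted = (req.resource.classification, req.action)
    return any(wanted in ROLE_GRANTS.get(role, set()) for role in req.identity.roles)


def abac_decide(req: Request) -> tuple:
    """RBAC as the floor, identity context on top. Returns (allowed, reason) so each denial is explainable."""
    if not rbac_allows(req):
        return False, "no held role grants this action"
    ident, res = req.identity, req.resource
    if res.classification != "confidential":
        return True, "non-confidential resource; role grant suffices"
    if ident.kind == "human":
        if not ident.mfa:
            return False, "confidential data requires an MFA-backed session"
        if not ident.managed_device:
            return False, "confidential data requires a managed device"
    elif ident.kind == "service":
        if ident.credential_age_days > MAX_SERVICE_CREDENTIAL_AGE_DAYS:
            return False, f"service credential older than {MAX_SERVICE_CREDENTIAL_AGE_DAYS} days"
    else:
        return False, f"unknown identity kind {ident.kind!r}"
    if req.action == "write" and ident.department != res.owner_department:
        return False, "write is limited to the owning department"
    return True, "role grant plus identity context satisfied"


def review(requests):
    """Requests that RBAC alone would permit but the contextual policy denies: the gap a static model leaves."""
    return [(r.identity.name, r.resource.name, r.action, abac_decide(r)[1])
            for r in requests if rbac_allows(r) and not abac_decide(r)[0]]


# Constructed sample data.
PAYROLL = Resource("payroll_db", "confidential", "finance")
WIKI = Resource("team_wiki", "internal", "it")

ALICE = Identity("alice", "human", frozenset({"analyst"}), "finance", mfa=True, managed_device=True)
ALICE_NO_MFA = Identity("alice", "human", frozenset({"analyst"}), "finance", mfa=False, managed_device=True)
BOB = Identity("bob", "human", frozenset({"finance_admin"}), "hr", mfa=True, managed_device=True)
ETL_FRESH = Identity("etl-runner", "service", frozenset({"etl_bot"}), "finance", credential_age_days=12)
ETL_STALE = Identity("etl-runner", "service", frozenset({"etl_bot"}), "finance", credential_age_days=140)

SAMPLE_REQUESTS = [
    Request(ALICE, PAYROLL, "read"),
    Request(ALICE_NO_MFA, PAYROLL, "read"),
    Request(BOB, PAYROLL, "write"),
    Request(ETL_FRESH, PAYROLL, "read"),
    Request(ETL_STALE, PAYROLL, "read"),
    Request(ALICE, WIKI, "write"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reason = abac_decide(req)
        print(f"{req.identity.name:>10} {req.action:5} {req.resource.name:<11} "
              f"rbac={rbac_allows(req)!s:5} abac={allowed!s:5} ({reason})")
    print("RBAC-permitted but denied in context:", len(review(SAMPLE_REQUESTS)))
```

The `review` function is the practical payoff: run against a log of recent requests, it lists exactly the accesses a role-only model would have waved through, which is the list an identity programme needs when deciding which attributes to start collecting first. Returning a reason string with every decision also gives the continuous-monitoring stage something to baseline and alert on.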
Briguglio notes many organisations already have much of the tooling they need – privileged account management, lifecycle management, single sign-on, token-based authentication and so on have been in place for years – but it may not be configured for a zero trust model.
“When we’re putting the controls around the applications rather than relying on a perimeter firewall, we’re using micro-segmentation.”
Briguglio also urges A/NZ companies to be clear about what will happen when an incident occurs, saying that while organisations may assume a breach will happen, not all are prepared for when it does.
“When we’re in that forensics stage, do we know where all the data is that we need to look through? Do we know who to notify within the organisation? Who takes action, and what our processes are?
“We have to do these exercises.”
Harking back to his earlier comment that identity security is a team sport, Briguglio says within organisations it’s critical for all players to be involved.
“I see too many times where cybersecurity programmes, especially identity security, are being done in a vacuum.
“If it’s being led just by the security team and they don’t have operations, or IT, or the business owners marching with them, whatever policies or protections they want to put in place, they’re not going to get cooperation.
“Cybersecurity and identity security touch the entire organisation and require top-down buy-in and leadership.”