The building blocks of modern enterprise identity
Why should companies modernize their enterprise identity approach?
What are the different stages of enterprise identity modernization?
The days of the network as a security perimeter are long past. As companies increasingly shift their data and operations to the cloud, they also have to safeguard each access point. With today’s distributed workforce, that can look like devices and IP addresses from around the world, software-as-a-service (SaaS) tooling, and bring-your-own-device (BYOD) policies that make it possible to work from personal computers.
Most organizations are in some stage of digital transformation or cloud migration—by 2026, Gartner expects that 75% of organizations will adopt a digital transformation model that relies on cloud, and McKinsey estimates that cloud adoption could generate $3 trillion by 2030 across 2000 of the world’s largest companies.
So, if network security is out of fashion for cloud-based enterprises, what takes its place?
As companies increasingly rely on the cloud to operate and store sensitive data, it’s imperative that they build a strong identity program to ensure the right users and devices have secure access to the right files and applications. 80% of cyber attacks today involve an identity-based technique, and these types of compromises can allow an attacker to blend into the target environment like a normal, valid user. By focusing on an identity-first security strategy, today’s enterprises can better adapt and be resilient to modern attackers and techniques.
On Atlas, I’ll explain the fundamentals of a modern enterprise identity program and how any founder or security leader can start building one for their business.
Identities represent the different touchpoints to your organization’s technology—think users, devices, applications, and other systems. Enterprise identity, then, is the overall process for managing and providing these entities with access to the resources across your environment.
When considering your overall enterprise identity architecture, you’ll want to build a strategy that touches on three main dimensions: the different types of identities, the identity lifecycle, and identity governance and administration.
1. Identity types: Identities can map to humans, devices, and software.
2. Identity lifecycle refers to the beginning, middle, and end of a digital identity—its creation, ongoing operation and management, and deprovisioning, which is the process of removing user, device, or software access to company data.
3. Identity governance and administration refers to the set of tools, processes, and teams managing the identity lifecycle and will reflect an organization’s culture, risk tolerance, compliance, and regulatory obligations. A robust identity program is always active: for employees, from onboarding through offboarding; for devices and software, through replacements and migrations; and for all identity types, through ongoing monitoring and analytics reporting.
The interplay of these dimensions is captured in the following infographic:
The old way in enterprise security was to trust all users and devices inside a network, as long as they passed an initial checkpoint or two—much like passport control, or having a ticket and ID in hand to enter a concert venue. But today’s enterprises have far more than a single point of entry. As much as 98% of enterprises using public cloud services have adopted a multicloud strategy, meaning they already use or plan to use at least two cloud infrastructure providers. In addition to infrastructure, most enterprises use dozens or hundreds of different SaaS applications.
Cloud infrastructure and SaaS adoption lets companies innovate and implement new capabilities quickly, but it also presents a host of new security concerns that growing enterprises have to proactively address.
There are four main reasons why you should rethink your enterprise identity approach and make it more current:
Any investment you make in your identity program is a step forward. But given how many facets there are to enterprise identity architecture, it can be difficult to determine the right sequence of priorities. Like any other security investment, there is a logical progression to identity investment—it’s important to lay the groundwork with baseline functions and capabilities, and from there, as your company matures, those programs will scale, too.
To help frame the journey, it’s helpful to think about a spectrum of features that map to a maturity curve. Just like a growing plant, I recommend thinking about identity modernization in three key development phases—Seed, Sprout, and Bloom. First you’ll form your identity program, then you’ll help it grow, and finally you’ll support its maturity. While this approach doesn’t include all possible identity functions, it’s intended to provide a usable model for planning and implementing an enterprise identity strategy.
We’ll look at this maturity curve and implementation progression using a Seed (forming), Sprout (progressing), and Bloom (advanced) framework.
The main directive of the Seed phase is to build the foundations of your identity program—the elements upon which you’ll build and refine. Key Seed phase activities include:
Once your identity program’s foundations are in place, it’s time to refine your program operations, strengthen security measures, and make identity a focal point of your company’s integrated security strategy. Key Sprout phase priorities include:
As your company matures, so does your identity program. In the Bloom phase, it’s time to maximize and mature your identity investments and capabilities. When in this phase, you will leverage identity data for a variety of purposes, and your workforce’s experience with your identity systems should be increasingly sophisticated and user-friendly. Key Bloom phase agenda items include:
Just like the Seed, Sprout, and Bloom phases, it’s important to break down any cybersecurity modernization project into incremental stages—this implementation structure helps make the changes more concrete and approachable, and each individual action contributes to a long-term strategy. For example, as a founder or CISO, you might plan on first making a few tactical shifts as your organization commits to enterprise identity modernization.
These transitions could look like going from:
Finally, you might consider building an identity strategy around specific workflows in your employees’ lifecycles and day-to-day responsibilities. For instance, you can focus on all the identity needs around employee onboarding and offboarding, and when and how to grant access to sensitive assets.
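The lifecycle dimensions listed earlier (creation, ongoing operation, deprovisioning, and ongoing governance monitoring) and the onboarding/offboarding workflow described here, as an added example that is not part of the original article: a small Python model of an identity source of truth kept alongside the access lists of the resources it governs. Offboarding revokes every grant the program knows about, a device replacement migrates grants, and the audit reconciles resource access lists against the source of truth to surface the gaps that a program only notices through ongoing monitoring. All identity names, resource names and dates are constructed, and the 90-day staleness threshold is an assumed policy value.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class IdentityType(Enum):
    HUMAN = "human"
    DEVICE = "device"
    SOFTWARE = "software"


class LifecycleState(Enum):
    ACTIVE = "active"
    DEPROVISIONED = "deprovisioned"


@dataclass
class Identity:
    name: str
    kind: IdentityType
    last_seen: date
    state: LifecycleState = LifecycleState.ACTIVE


@dataclass
class IdentityProgram:
    """Identity source of truth plus the access lists of the resources it governs.
    In practice these live in different systems (HR system or IdP vs. each SaaS app),
    which is why the audit below reconciles them."""
    identities: dict = field(default_factory=dict)  # name -> Identity
    acls: dict = field(default_factory=dict)        # resource -> set of identity names

    # Lifecycle, creation: onboarding a human, device or software identity.
    def onboard(self, name: str, kind: IdentityType, today: date) -> None:
        self.identities[name] = Identity(name, kind, last_seen=today)

    # Lifecycle, operation: access is only granted to identities that are active.
    def grant(self, name: str, resource: str) -> None:
        ident = self.identities.get(name)
        if ident is None or ident.state is not LifecycleState.ACTIVE:
            raise PermissionError(f"{name} is not an active identity")
        self.acls.setdefault(resource, set()).add(name)

    def record_activity(self, name: str, today: date) -> None:
        self.identities[name].last_seen = today

    # Lifecycle, deprovisioning: offboarding revokes every grant the program knows about.
    def offboard(self, name: str) -> None:
        self.identities[name].state = LifecycleState.DEPROVISIONED
        for members in self.acls.values():
            members.discard(name)

    # Device replacement: the new device inherits the old one's grants, then the old is offboarded.
    def replace_device(self, old: str, new: str, today: date) -> None:
        self.onboard(new, IdentityType.DEVICE, today)
        for members in self.acls.values():
            if old in members:
                members.add(new)
        self.offboard(old)

    # Governance: ongoing monitoring that reconciles resource ACLs against the source of truth.
    def audit(self, today: date, stale_after: timedelta = timedelta(days=90)) -> list:
        findings = []
        for resource, members in self.acls.items():
            for name in sorted(members):
                ident = self.identities.get(name)
                if ident is None:
                    findings.append(("unknown-principal", name, resource))
                elif ident.state is LifecycleState.DEPROVISIONED:
                    findings.append(("orphaned-grant", name, resource))
        for ident in self.identities.values():
            if ident.state is LifecycleState.ACTIVE and today - ident.last_seen > stale_after:
                findings.append(("stale-identity", ident.name, ident.kind.value))
        return findings


def run_demo() -> list:
    """Walk the lifecycle with constructed identities and return the audit findings."""
    program = IdentityProgram()
    start, today = date(2024, 1, 15), date(2024, 6, 1)  # constructed dates
    program.onboard("alice", IdentityType.HUMAN, start)
    program.grant("alice", "payroll")
    program.grant("alice", "wiki")
    program.onboard("laptop-001", IdentityType.DEVICE, start)
    program.grant("laptop-001", "vpn")
    program.onboard("ci-bot", IdentityType.SOFTWARE, start)
    program.grant("ci-bot", "repo")
    program.onboard("legacy-svc", IdentityType.SOFTWARE, start)  # never seen again
    program.grant("legacy-svc", "repo")
    program.record_activity("ci-bot", today)

    program.replace_device("laptop-001", "laptop-002", today)  # migration keeps "vpn" access
    program.offboard("alice")                                  # leaver: all known grants revoked

    # Two gaps created outside the program (an admin editing a SaaS console directly):
    program.acls["payroll"].add("alice")       # a leaver re-added after offboarding
    program.acls["wiki"].add("contractor-x")   # a principal that was never onboarded
    return program.audit(today)
```

Running `run_demo()` returns three findings: the orphaned payroll grant held by the offboarded user, the unknown principal on the wiki, and the software identity that has not been seen within the staleness window. The design point is that deprovisioning alone is not enough: access recorded outside the identity program is only caught by the reconciliation audit, which is the ongoing monitoring the governance dimension calls for.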
There’s no reaching enlightenment in the world of cybersecurity—there’s too much risk to mitigate and change to navigate, and even the largest enterprises know that. So, while it can seem daunting to think about developing a modern, enterprise-grade identity program, remember that it’s a process: it doesn’t have to all happen at once.