Why identity and access management is at the core of the gulf between these two C-suite roles.
Leslie K. Lambert
CSO | Dec 7, 2016
The push and pull between the priorities of CIOs and CISOs can be tricky to maneuver. This is especially true for the CISO, as she/he is expected to support the speed and productivity gains anticipated by the CIO’s programs. However, if a data breach occurs or security is not in step with the CIO’s technology direction, this spells problems for the CISO. That’s both the nature and challenge of the job.
CIOs are driving innovation. Their goal is to move the business rapidly through the adoption of technology to mobilize and empower the workforce and optimize productivity, often leveraging cloud, mobility and the gig economy. This creates a borderless and flexible environment that places extra stress on legacy perimeter defenses, known threat detection and identity and access management.
The CISO’s mission is to align information security initiatives with enterprise programs and the business’ objectives, ensuring that information assets and technologies are adequately protected while reducing risk. CISOs need to align with the CIO’s evolving environment and the associated growth of digital activity to analyze and manage risks.
There is one interesting dichotomy in the CIO-CISO relationship. Namely, most CIOs own an organization’s identity and access management (IAM) systems, even though these systems are at the core of many security issues that keep CISOs up at night, such as account compromise.
As a result, identity-based threats may remain a large unknown to security teams who are focused on malware, advanced threats and modern declarative defenses. This means large volumes of excess, outlier and unknown privileged access risks can continue to be blind spots for organizations, especially with digital assets spread across the data center and multiple clouds.
From a cyber-attack perspective, the compromise of access credentials is an easy path to evade declarative defenses in the perimeter or “Red Zone”. Red Zone defenses rely on signatures, rules and patterns that can be evaded, whereas the network’s interior or “Green Zone” only requires access validation.
Based on industry reports, this approach is working well for external intruders. However, a new “Gray Zone” is now emerging due to the borderless and flexible environments being created by CIO programs. The gray zone is placing current defenses at a disadvantage since there is no perimeter to defend.
Given the growing abundance of access entitlements associated with users, entities, business partners and customers, the gray zone is vulnerable to a wide range of gaps and threats, including account hijacking and compromise, malicious insiders, etc. This is driving the need for CISOs to proactively risk score both access and event activity in the gray zone in order to detect and prioritize threat investigation and remediation, and to remove access risks. This is especially true since data volumes make manual determination of what constitutes “real” threats and access risk unfeasible.
There are two gaps within the gray zone gaining more attention with CISOs and analysts. The first is the awareness gap for identity and access management. This gap is between what access has been provided and what users are actively doing with it. Identity analytics can close this awareness gap by risk scoring both access and activity to find excess access and access outliers. In essence, this means cleaning up access down to the entitlement level, a futile task for humans. How did we get to being over-privileged with excess access? Years of rubber-stamping certifications and access cloning are the primary drivers.
The second gap within the gray zone is discovery of privileged access, which is difficult to achieve using current manual processes and rules-based approaches. Legacy methods of account naming, tagging and group domains are no longer able to keep pace with the advent of cloud and mobile accounts. With risk officers requesting the discovery of privileged access, CISOs are faced with the fact that 50% or more may reside outside of lists and vaults today.
Monitoring and risk scoring access and activity in the Gray Zone (using automation and analytics) can enable CISOs to overcome the fact that IAM systems are outside of their purview. It can also help them adapt the organization’s defenses to the increasingly borderless world being implemented by CIOs.