Humans are often pegged as the weakest link in cybersecurity — and to a great extent, that’s true. But in my experience, this axiom misses the bigger point: The reason it’s true is that most companies do not have effective access control.
While training employees to think like hackers can certainly make your company more resilient to cyberattacks, there is always a risk that someone will be compromised. The surest way to limit your organization’s exposure to such risks is to verify the proper controls are in place at the individual level, governing what people can access, when and how.
Companies that haven’t solved for access control are not only putting themselves at risk — they are also suboptimizing every dollar of their cybersecurity spend. What good is spending a million dollars on a firewall if hackers can slip right past it by pretending to be someone else?
Unfortunately, this is the reality for many companies today, especially legacy organizations making the transition to the cloud. In this new environment, the on-premise model for access control breaks. How do you fix it? Here’s what 15 years of experience in identity and cybersecurity risk management have taught me about access control in an increasingly cloud-native and API-connected world.
There Is No Security Without Access Control
Today, the vast majority of companies worldwide (90%) rely on a tool called Active Directory to manage access to IT systems and data. As the name suggests, it’s a directory of who has access to what and when. But while Active Directory gives companies an efficient way to provide network access to employees, partners and vendors, it was never built with security in mind, which makes it easy to exploit.
Specifically, Active Directory does not secure the digital identities of users, which means hackers can gain more than just the keys to a company’s treasures by compromising a single user’s Active Directory account. The hacker, in effect, becomes an insider threat disguised by the accounts they steal, making it virtually impossible for cybersecurity solutions to find them.
The first step in fixing the access control problem, is understanding that access management (giving people access to systems) is not the same as access control (controlling their access to those systems)
Access Management Is Not Access Control
In an on-premise world, security was relatively simple because access control was fairly straightforward. When IT systems operate in air-gapped environments, keeping them secure is largely an exercise in knowing who your customers, partners and employees are and then managing physical access to various systems. In other words, it’s good old-fashioned locks and keys, along with additional layers of real-world identity verification for people with higher levels of access.
But with the rise of cloud and APIs, traditional security measures are no longer enough. Instead, security must be implemented at virtually every touch point between systems — a tall order as systems become deeply interconnected and network complexity grows.
Once again, it ties back to Active Directory and access management versus control. Today, the average enterprise organization runs software from hundreds of different vendors at any given time. What’s more, many vendors maintain their own access databases, which means there are hundreds of identities for every individual in the organization. This fragmentation is a big reason why Active Directory remains so widespread to this day. At the same time, however, it’s also what makes access control so challenging — there is no concrete definition of “you” in the digital world, and that makes it virtually impossible for organizations to answer the single most important security-related question about a user: Are you who you say you are?
The first step in fixing the access control problem, then, is understanding that access management (giving people access to systems) is not the same as access control (controlling their access to those systems). Put into practice, that means transitioning ownership from the infrastructure organization, where it currently resides — and where efficiency is the primary goal — to the security team, which prioritizes operating in a secure fashion.
If You Don’t Control Access, You Can’t Move Fast Enough
Companies that don’t solve for access control are on an unsustainable path that only gets more challenging to correct with time. What’s the holdup? Given the poor condition and historical oversight of systems like Active Directory, fixing the underlying problems can result in temporarily shutting down key applications, both intentionally and unintentionally.
For many organizations, that’s a non-starter — at least at first blush. So, instead of fixing the problem, they turn to cybersecurity software vendors to help close the gaps with additional layers of security on top of the existing system.
There are two fundamental problems with this strategy: First, it’s risky. Layering security on top of a flawed foundation because fixing it is too costly in the near term is the same as crossing your fingers and hoping for the best. You are trying to manage the unknown while simultaneously refusing to actively control the known (i.e., your users). It’s a tacit acceptance that you are willing to get hacked, based on the hope that an add-on security solution will either stop or mitigate your losses.
Second, it’s costlier in the long run. Ignoring these underlying issues means you get less and less functional security out of your cybersecurity budget. Instead, you spend ever-escalating amounts of the budget on licensing, maintenance and support for solutions that are, at best, securing only small portions of your overall risk landscape. The more money, time and resources you pour into this strategy, the harder it becomes to respond to crisis events. You’ll spend days, weeks or even months combing through logs and alerts from dozens of security solutions in the hope of finding what went wrong, only to find that someone from the outside managed to steal the identity of someone on the inside and cleaned you out.
With the average cost of a data breach now at $3.86 million in damages to a company, optimizing the money spent on cybersecurity solutions by fixing the identity foundations that feed into them only makes sense. The cybersecurity world simply moves too fast to not operate at full capacity.