Embracing the cloud, an increasingly mobile workforce, the option of working from home and the need to reach resources from anywhere at any time have disrupted the old norm, in which IT assets were accessed from within the corporate perimeter.
If this disruption is not approached systematically, with an understanding of the practical and ethical considerations of the undertaking, many digital transformation initiatives end up being treated as a change rather than a “transformation”. A transformation is by nature disruptive and radical: it sets out to achieve something that is not yet visible, and it is backed by a clear vision and thorough planning.
An important security paradigm shift that follows from the changed perimeter is that identity and access management has replaced the model in which authentication and authorization happened at the network edge.
This is because assets and resources have moved to the cloud, are possibly geo-replicated, and can be reached from the internet; without proper controls they are available to anyone. If access is checked only at the edge (with or without a VPN), an attacker who gets past that single check can pivot freely to everything behind it. It must be understood that the attack surface actually grows in the cloud, because of its ubiquitous accessibility, its multitenant architecture and its internet-facing management plane. The individual hardware and software components that make up the platform (operating systems, memory, CPUs and so on) were not designed with multitenancy and virtualization in mind.
The mass movement towards digital transformation requires a full understanding of the undertaking. If it is not done in phases, with a systematic approach that is replicable, stepwise, well planned and continuous, the initiative may fail.
So, given this shift of the security perimeter, a very important step is to implement identity and access management (IAM) in which not only the username and password are checked, but also many other signals: the time of access, the location it comes from, the application being accessed, the time window in which that application is made available, the device type, the device's security status and so on. Based on these signals, one of the following four decisions is made:
2. Limited Access
4. Challenged with an MFA
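To make the decision logic concrete, the following small policy engine is an added example written for this article; it is not code from the original page or from any particular IAM product. It evaluates the signals listed above (credential result, time of access and access window, location, application sensitivity, device type and device security status) against a constructed policy and returns one decision plus the signals that drove it, so every evaluation can be written to an audit log. Only Limited Access and the MFA challenge are named in the text; the example assumes the other two of the four outcomes are a full grant and a block. The trusted locations, the access window, the field names and the sample sign-ins are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum


class Decision(Enum):
    """Outcome of a policy evaluation.

    LIMITED and MFA are the two outcomes named in the text; GRANT and BLOCK
    are assumed here to be the remaining two of the four.
    """
    GRANT = "grant"
    LIMITED = "limited access"
    MFA = "challenge with MFA"
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    """Signals collected at sign-in. Field names are this example's own."""
    user: str
    password_ok: bool        # primary credential check already performed
    app: str
    app_sensitivity: str     # "low" or "high"
    location: str            # country of the source address (constructed)
    device_type: str         # "managed" or "byod"
    device_compliant: bool   # device security status, e.g. from an MDM check
    request_time: datetime


# Constructed policy parameters: where and when access may be granted.
TRUSTED_LOCATIONS = {"NL", "DE", "BE"}
ACCESS_WINDOW = (time(7, 0), time(20, 0))  # start inclusive, end exclusive


def in_access_window(t: datetime) -> bool:
    start, end = ACCESS_WINDOW
    return start <= t.time() < end


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision and the signals that drove it, for the audit trail.

    Rules are ordered from most to least restrictive; the first match wins.
    """
    if not req.password_ok:
        return Decision.BLOCK, ["credential failure"]

    high = req.app_sensitivity == "high"
    signals: list[str] = []
    if not in_access_window(req.request_time):
        signals.append("outside access window")
    if not req.device_compliant:
        signals.append("device not compliant")
    if req.location not in TRUSTED_LOCATIONS:
        signals.append("untrusted location")
    if req.device_type != "managed":
        signals.append("unmanaged device")

    # Block: the application is not offered at this hour, or a non-compliant
    # device is asking for a high-sensitivity application.
    if "outside access window" in signals:
        return Decision.BLOCK, signals
    if "device not compliant" in signals and high:
        return Decision.BLOCK, signals
    # MFA: plausibly the right user, but from an unusual place, or from an
    # unmanaged device towards a high-sensitivity application.
    if "untrusted location" in signals or ("unmanaged device" in signals and high):
        return Decision.MFA, signals
    # Limited: a weaker device posture towards a low-sensitivity application
    # gets a reduced session (for example browser-only, no download).
    if signals:
        return Decision.LIMITED, signals
    return Decision.GRANT, signals


def audit_record(req: AccessRequest, decision: Decision, signals: list[str]) -> dict:
    """One entry for the access log; every decision, including GRANT, is recorded."""
    posture = "compliant" if req.device_compliant else "non-compliant"
    return {
        "time": req.request_time.isoformat(),
        "user": req.user,
        "app": req.app,
        "location": req.location,
        "device": f"{req.device_type}/{posture}",
        "decision": decision.value,
        "signals": signals,
    }


# Constructed sample sign-ins: one per outcome plus a few edge cases.
SAMPLES = {
    "alice": AccessRequest("alice", True, "payroll", "high", "NL", "managed", True, datetime(2024, 3, 4, 9, 30)),
    "bob":   AccessRequest("bob", True, "payroll", "high", "NL", "managed", False, datetime(2024, 3, 4, 10, 0)),
    "carol": AccessRequest("carol", True, "wiki", "low", "US", "managed", True, datetime(2024, 3, 4, 11, 0)),
    "dave":  AccessRequest("dave", True, "wiki", "low", "NL", "byod", True, datetime(2024, 3, 4, 12, 0)),
    "eve":   AccessRequest("eve", True, "payroll", "high", "NL", "managed", True, datetime(2024, 3, 4, 23, 0)),
    "frank": AccessRequest("frank", False, "wiki", "low", "NL", "managed", True, datetime(2024, 3, 4, 12, 0)),
    "grace": AccessRequest("grace", True, "payroll", "high", "NL", "byod", True, datetime(2024, 3, 4, 12, 0)),
    "heidi": AccessRequest("heidi", True, "wiki", "low", "NL", "managed", False, datetime(2024, 3, 4, 12, 0)),
}

if __name__ == "__main__":
    for req in SAMPLES.values():
        decision, signals = evaluate(req)
        print(audit_record(req, decision, signals))
```

Two design points matter more than the particular thresholds. First, the password check is only the entry ticket: a valid credential with a non-compliant device outside the trusted locations still ends in a block or a challenge, which is exactly the difference between an edge check and identity-centric access control. Second, the function returns the signals alongside the decision, so the audit log explains why each session was granted, limited, challenged or blocked rather than just recording that it happened.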
Any digital transformation initiative that does not treat identity and access management as the primary perimeter check, at both the strategic and the operational level, and back it with constant monitoring and auditing of access, is bound to fail. This shows not only in the bottom line but, above all, in the risk of data loss and the resulting loss of trust.