A New Chapter in Modernizing Security with Cloud-Native Technologies: Identity Management
The RSA Conference 2020 (RSAC 2020) has wrapped up in San Francisco. In Hangzhou, more than 10,000 kilometers away, Xiao Li spoke about this year’s conference theme, the Human Element. What does that theme mean for China’s cybersecurity market, and why is empowering the human element essential?
Gartner’s 2020 Planning Guide for Identity and Access Management states that IT must advance IAM (Identity and Access Management) initiatives, a push that drives the trend toward identity governance and management and gives hybrid- and multi-cloud environments further momentum.
This interview examines the relationship between the human element, identity, and the cloud, and what the three make possible together.
Human Element: Understanding Human-Based Vulnerabilities
We often say that the essence of security lies in the confrontation between people. The human factor makes the offense–defense contest dynamic and enduring: attackers keep changing their means, tools, and strategies while defenders keep improving their protective capabilities, and the ongoing contest between the two sides keeps the security level in flux.
Throughout the offense–defense confrontation, humans are both defenders and attackers. In many cases, confrontation occurs not only between an enterprise and the outside world but also within an enterprise.
Humans are the absolute core of security. This was the principal message of this year’s RSA conference. While building cybersecurity capacity and skills among people, it is also necessary to recognize that human vulnerabilities make people a weak link in security. As enterprises deal with external attacks, learning how to prevent threats from insiders is equally critical.
According to a Kaspersky Lab report published in 2017, 46% of IT security incidents were caused by employees. This proportion has since risen to 70% to 80%. The increase may be driven by cases such as internal developers failing to follow security regulations or lacking security skills and therefore leaving flaws in applications, and by non-standard operations or malicious behavior by current and former employees.
“The security system is definitely not just about safeguarding against network worms. They are only the tip of the iceberg.”
Facing the security implications of the “human factor”, Xiao Li believes that the root cause of the problem lies in an inadequately disciplined security baseline. Many enterprises emphasize threat detection and response. This is useful, but it is not enough. “What demands our attention should not be how to solve problems, but how to take precautions and prevent the problems from happening.” Therefore, defining security baseline policies proactively is more critical than subsequent detection and response. Security baseline policies for enterprises include:
- Applying centralized identity authentication and authorization for all application systems.
- Setting red lines to ensure secure operations.
- Establishing a system to integrate security into application development by specifying standards for developer training, internal security exams, and certifications.
Developing and implementing a security baseline discipline only goes halfway. To build a stronger security infrastructure, enterprises must also improve their threat detection and response capabilities. Since identity is how a person is represented on the Internet, identity management plays a vital role in reducing the risk of internal security breaches.
Identity: Redrawing Boundaries with Zero-Trust Security
The year 2010 marks a turning point in the formulation of corporate security strategies: from then on, identity grew in significance until it became the paramount security concern.
Xiao Li said that in the past, especially from 2000 to 2010, boundary isolation was the primary means of enterprise security protection, but after 2010 this situation changed dramatically.
- Fundamental changes in the IT architecture: As the workforce becomes more mobile and mobile and Internet-of-Things (IoT) devices proliferate, managing and securing access across internal and office networks becomes more complex, making isolation difficult to preserve.
- Migration of enterprise databases from on-premises data centers (IDCs) to the cloud: More businesses are considering a cloud transformation, moving all (or half) of their services to the cloud, which introduces its own security concerns.
- Enterprise Software-as-a-Service (SaaS) services: Services and applications like cloud content collaboration software and DingTalk are in sharply rising demand, which means that more workflows, data streams, and identities are processed by external applications instead of within the original isolated environment.
The traditional boundary will gradually disappear as the IT environment keeps evolving. As a result, security can no longer be guaranteed by network isolation alone. Zero trust addresses this challenge by making identity, rather than network location, the basis for trust, and re-establishes trust boundaries around the enterprise with unified identity management controls.
The zero-trust approach lets enterprises build centralized authentication and authorization systems that manage accounts, authentication, and permissions. For example, this protects the enterprise against the exposure created when employees leave: permission updates for employees who transfer or depart should take one click, so that a former employee’s permissions are promptly and completely removed from internal systems.
Some security risks are entirely avoidable if proper identity authentication and management measures are in place. A recent example is the Weimob incident, in which an employee deliberately sabotaged the company’s production environment and database. Xiao Li shared his thoughts on this issue:
- Enterprises should follow the principle of least privilege (PoLP) when implementing IAM: each type of user account is granted only the privileges essential to its intended function. The privilege to delete a company database should never be granted to any employee.
- An internal abnormal-behavior detection system should be deployed so that even if an employee issues such a command, the attempt is detected, identified as a deviation from normal behavior, and the command is blocked.
Technical implementation and baseline security standards matter, but identity authentication and management matter most. According to Xiao Li, the authority and influence of the security team within the company determine whether a baseline can be established and enforced effectively. A quick check is the organizational chart: is the security team independent, reporting directly to the CTO or the CEO?
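The three controls above (least privilege, one-click revocation for leavers, and blocking a command that deviates from an employee’s normal behavior) can be combined in a small policy-decision point. The Python below is an added example written for this page; it is not Alibaba Cloud’s IAM code and has nothing to do with the actual Weimob systems. The roles, users, and log lines are constructed, and the mapping from SQL verbs to abstract actions is an assumption made for illustration.

```python
# Added example: a minimal policy-decision point combining least-privilege
# role bindings, one-step offboarding, and a per-user behavioural baseline.
# Illustrative code for this page, not a vendor implementation; every role,
# user, statement and log line below is constructed.
from collections import defaultdict
from dataclasses import dataclass, field

# Role -> permitted abstract actions. No role carries "db:drop": dropping a
# production database is not a routine privilege, so it is absent everywhere.
ROLE_PERMISSIONS = {
    "developer": {"db:read", "app:deploy"},
    "dba": {"db:read", "db:write", "db:backup"},
    "auditor": {"db:read"},
}

# Actions that change or destroy data. A first-time use of one of these by a
# user is treated as a deviation and blocked; first-time read-only actions
# are allowed but logged for review.
DESTRUCTIVE = {"db:write", "db:drop", "app:deploy"}

# Assumed mapping from SQL verb to the action the policy reasons about.
SQL_VERB_TO_ACTION = {
    "SELECT": "db:read",
    "INSERT": "db:write",
    "UPDATE": "db:write",
    "DELETE": "db:write",
    "DROP": "db:drop",
    "TRUNCATE": "db:drop",
}


def classify_sql(statement: str) -> str:
    """Map a SQL statement to an abstract action; unknown verbs default-deny."""
    parts = statement.split()
    verb = parts[0].upper() if parts else ""
    return SQL_VERB_TO_ACTION.get(verb, "db:unknown")


@dataclass
class Directory:
    """Central user -> role bindings: the single source of truth for access."""
    bindings: dict = field(default_factory=dict)

    def grant(self, user: str, role: str) -> None:
        self.bindings.setdefault(user, set()).add(role)

    def offboard(self, user: str) -> None:
        """Leaver/transfer handling: one operation removes every binding."""
        self.bindings.pop(user, None)

    def permitted(self, user: str, action: str) -> bool:
        roles = self.bindings.get(user, set())
        return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def build_baseline(log_lines):
    """Per-user set of actions seen historically, from constructed 'user,action' lines."""
    baseline = defaultdict(set)
    for line in log_lines:
        user, action = line.strip().split(",")
        baseline[user].add(action)
    return baseline


def decide(directory: Directory, baseline, user: str, statement: str):
    """Return (decision, reason): identity check first, then behaviour check."""
    action = classify_sql(statement)
    if not directory.permitted(user, action):
        return ("deny", f"{user} holds no role granting {action}")
    if action not in baseline.get(user, set()):
        if action in DESTRUCTIVE:
            return ("deny", f"{action} deviates from {user}'s baseline; alert raised")
        return ("allow", f"{action} is new for {user}; logged for review")
    return ("allow", "within role and baseline")


# Constructed history: alice (dba) has never written, only read and backed up.
HISTORY = [
    "alice,db:read", "alice,db:backup",
    "bob,db:read", "bob,app:deploy",
]


def demo():
    """Run the scenarios from the text and return their decisions."""
    d = Directory()
    d.grant("alice", "dba")
    d.grant("bob", "developer")
    d.grant("carol", "auditor")
    base = build_baseline(HISTORY)
    results = {
        "alice_select": decide(d, base, "alice", "SELECT * FROM orders"),
        "alice_delete": decide(d, base, "alice", "DELETE FROM orders"),
        "alice_drop": decide(d, base, "alice", "DROP DATABASE prod"),
        "carol_select": decide(d, base, "carol", "SELECT count(*) FROM orders"),
    }
    d.offboard("bob")  # leaver: every binding gone in one step
    results["bob_after_offboard"] = decide(d, base, "bob", "SELECT 1")
    return results


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:20} {decision:5} {reason}")
```

Two points are worth noting. The destructive `DROP DATABASE` is refused at the identity stage because no role contains `db:drop`, so the behavioural check never has to catch it; and Alice’s first-ever `DELETE`, which her role does permit, is still blocked because it is a destructive action outside her baseline, which is exactly the second control Xiao Li describes. Unknown statement types map to an action no role grants, so the default is deny.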
In the future, IAM will become a prominent pillar of organizations’ zero-trust strategies and will play out in several identity management scenarios. “Identity authentication” and cloud resources will be mutually reinforcing and be used together to build a cloud-based zero-trust system.
Mark McClain, CEO and co-founder of the identity management company SailPoint, once said, “The world of governance is about who has access to what, who should have access to what, and whether they are using it correctly. Most customers are so far away from the first two, they should not even worry about the third yet.” Fortunately, IAM tools and services are becoming easier to use and are designed to deploy seamlessly in the cloud.
Xiao Li said that “cloud-native services feature outstanding advantages when security is concerned.” The cloud has almost become an enterprise operating system that provides IaaS, PaaS, and SaaS services. Cloud service providers invest huge amounts of money, manpower, and material resources in developing cloud security products and technologies, and bring benefits of cloud-native security to enterprises.
Alibaba Cloud, like other cloud service providers, facilitates its customers’ journey to the cloud with maximum security, so that they do not have to manage the underlying cloud infrastructure themselves.
Furthermore, cloud-native security delivers an integrated set of capabilities: comprehensive cybersecurity controls and network isolation measures, real-time and intelligence-driven monitoring with automatic incident response, cloud-based and centralized solutions for identity management and authentication, reliable hardware infrastructure for building a trusted environment, and the DevSecOps philosophy that injects security into the software development lifecycle. Cloud computing allows organizations to choose the right compute options for security management by adopting a “unified” security model instead of stitching together “fragmented” solutions.
Many organizations are embracing the cloud to run their applications, which means that cloud-based IT infrastructure and Internet-based core technologies will ultimately transform enterprise architectures. As enterprises migrate to the cloud, they start to explore how IAM can be strengthened in hybrid- and multi-cloud ecosystems.
- Hybrid cloud: A solution where an organization uses a mix of on-premises and public cloud services.
- Multi-cloud: A strategy that typically involves a mix of public cloud providers.
To simplify what could otherwise become a complex hybrid environment, managing identities across the hybrid cloud consolidates the multiple identities employees would otherwise create for on-premises and cloud networks. Permissions are assigned dynamically based on analysis of the cloud infrastructure, so employees can reach internal resources anywhere and at any time. In a multi-cloud setup, an existing directory such as Active Directory can continue to carry the identity management load for all providers.
Cloud-based IAM solutions offer a series of capabilities that would be much harder for on-premises solutions to accomplish. IAM solutions across the hybrid- and multi-cloud environments will become the new strategic pivot for enterprises.
Finally, the data security issues that accompany the adoption of IAM solutions also deserve attention. Data security was the hottest topic of discussion in 2019: the year saw frequent leaks affecting hundreds of millions of records and the introduction of several data privacy laws and regulations. One thing is certain: the importance of data security is now being addressed.
At the end of the interview, Xiao Li also talked about Securiti.ai, the winner of the RSA Conference 2020 Innovation Sandbox Contest. Interestingly, two of the past three winners of the Innovation Sandbox Contest were recognized for their data security products, which seems to signal where the market expects the next direction of cybersecurity defense to lie.
First, data security itself poses a major challenge. The mobility of data makes data security critical among all domains of cybersecurity and presents risks in all aspects of business. Second, the market demand for data security solutions is huge. Enterprises have an urgent need for ensuring the security of internal data and customers’ data. “Perhaps next year’s winner will also specialize in data security,” Xiao Li joked.
In the next 5 to 10 years, if security companies can develop core technologies or make breakthroughs to rid users of data security threats, such as providing visibility into the location and identification of sensitive data, they will win substantial market share from other players.
Xiao Li remarked that market demand is now stimulating technological activity. There is a pressing need for technological advances in the field of data security.
About the Author
Xiao Li is a Vice President of Alibaba Group, the General Manager of Alibaba Cloud Intelligent Security Division, and the first security engineer of Alibaba Group. He has been deeply engaged in the construction of enterprise security architecture and cloud computing security and has nearly 20 years of technical and managerial experience.