20 December 2021
As the world of identity and access management dcontinues to grow and evolve into a central focus on how businesses operate, supporting tools to help you manage and align all the pieces, platforms and niche solutions will also arise. Recently in the market a new term is popping up Identity Security Posture Management or ISPM which is proof to the evolution of IAM platforms and their importance to our core business. To understand this new thing that seems to be creeping in from the edge of the space, lets look at what Security Posture Management has been traditionally.
There are many Security Posture Management tools in the realms of Data, Cloud, Application, Networks and Device, but we can look at where they all overlap, what do they do and how should this apply to ISPM. In general Security Posture Management tools have a few features they all support. The first is being able to monitor the domain they are in. Using data as an example a data security posture management tool will monitor all the databases or data medium types that an organization hooks it up to. They allow you to create a baseline for how things should look for example all databases should be configured for encryption at rest. Then they report on what’s not meeting the baselines for security in your organization. Sounds nice right? Great way for the security team to get that eagle eye over all data security without having to bug the database team every month to check up on things and we start seeing the minimum value for *SPM platforms.
Better *SPM platforms take that eagle eye lens and move it from 180 degrees to 270 degrees by looking in its peripheral. Again let's use data as an example and talk about what that means. In the world of data that means let's start looking and reporting on infrastructure as well because what do databases run on? Infrastructure. So better *SPM platforms start looking for potential security issues. Imagine a new S3 bucket pops up, let's look at it before data is even there, look at it before it becomes an issue. Same thing with discovering a new EC2 instance with port 5432 running. Sounds like a POSTGreSQL database that as a platform I do not yet have my hooks in to tell you more about. Let's fix that. The idea is to start looking for problems before they become problems constantly keeping the security team apprised of the ever changing architecture, every changing attack space for and allowing them to keep up with the speed of business. Covering Minimum and better what makes one the best you might ask? Being able to correct those issues with the push of a button. Automated correction of Security posture issues initiated from the security team without having to call a DBA …Hey DSPM finds out that a database isn’t using the latest encryption, change it let the DSPM tool Correct the posture not just tell you its bad. Move from Data Security Posture Management to Data Security Posture Correction.
That was a lot of words to get to the meat of the talk, but as always when older paradigms are being applied to new spaces (or new to the paradigm space) its always good too look to how the paradigm has always existed to get an idea how it should/will morph for the new space. First off this will be one of the more interesting morphs since Identity is overarching so monitoring the posture of how applications, apis, microservices, data all USE identity will have to be a bit different than looking at data rules, or cloud rules or network rules. So to begin with it will have to have a way to tie into multiple different applications and service layers to monitor HOW an identity is used? Is everyone using risk scores correctly and consistent with the security policies? Is everyone using the correct System of record that the enterprise knows is up to date in a decent manner or is someone using stale and old data? Is everyone using Level of assurance and Level of authentication consistently and correctly in the system?
Let’s look at the second level. What pieces of technology can an ISP look at for potential threats of misuse of identity? Can it look at the API layer to see new APIS are registered but might not be following the standard. Will it see what micro-services are put behind envoy or Kong or whatever the newest micro-service controller is to be able to determine that new services are coming on line that might not adhere to the standard best practices defined by the security team.
Finally lets look at the last bit the best features of *spm platforms. How will identity posture management tools help you control and fix this misuse of identity? This misuse of risk, and threat signals associated with identity and access management decisions? How will it align to Zero trust principles of re-evaluating trust at every digital interaction and not only align but can it help us as organizations achieve that asymptote that is Zero Trust?
These are interesting times and I look forward to seeing what answers the market will put forth to these questions. To learn more, contact us.