CSO perspective: Why a strong IAM strategy is key to an organization’s cybersecurity approach

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Alissa “Dr. Jay” Abdullah, Ph.D., Deputy Chief Security Officer of Mastercard and former Deputy Chief Information Officer in the Executive Office of the President for the Obama Administration. The thoughts below reflect Alissa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Alissa talks about the role data and identity play in the future of cybersecurity.

Brooke: How did you get into cybersecurity?

Alissa: I started out as a radio DJ while I was an undergraduate at Savannah State University. Originally, I was a mass communications major, but my university English professor urged me to move away from that. At the same time, my mathematics professor was urging me to change my major to math. Ultimately, I decided to major in math.

After graduation, I used my mathematics degree to work my way into information technology and began a career within the Department of Defense. As a certified Cryptologic Engineer, I toggled between information technology and information assurance—both cyber-adjacent areas. Over the course of my career, I have sought out roles that let me grow in both areas. This approach took me across the private sector before I was eventually appointed by President Barack Obama to help lead White House technology (which included cybersecurity) in 2012. It was while I served in the White House that my passion for—and appreciation of—cybersecurity really took off. 

Brooke: Why is comprehensive identity and access management (IAM) necessary within an organization’s cybersecurity approach?

Alissa: If you think about the future of cybersecurity, it is an amalgamation of many different aspects. One of those is the future of data.

The relevance of data is built on many different aspects—specifically calling out the importance of identity tied to the data, whether that is a human identity, machine identity, or something else. So, as we talk about where we are now with cybersecurity and where we will be in the future, it greatly hinges on IAM. It hinges on the identity tied to data and tied to systems. It hinges on getting access to what you need, when you need it, and how you need it without going further than that. 

The strategy of the future contains boundaries that give you what you need while limiting yourself to include only those things. That way, you shrink the threat landscape in anticipation of a bad day. A strong IAM strategy provides just that. It protects aspects of the various identities while allowing for the appropriate amount of access. The future of cybersecurity will hinge on how well we handle identities and access. 

Brooke: What are the most common access security gaps within organizations? 

Alissa: I sum up the gap with one word—culture. That is the most common gap. What I mean by that is we are used to the idea of having carte blanche access. The change to a Zero Trust mindset is a paradigm shift that can often cause angst in many environments. Some developers or data owners are anxious that the limitations provided in a Zero Trust environment will impact innovation. When done right, it enhances innovation and pushes security to the edge. 

Brooke: Compromised passwords are the number one way in for attackers. What should organizations do to address this?

Alissa: The easiest solution for me to recommend is a passwordless environment, but to be honest, no solution is attack-proof on its own. We have heard of attacks that include multifactor authentication fatigue and those where the adversary is paying employees to provide multifactor authentication approvals to compromised accounts. The best step for most environments is to move to passwordless, but the work does not stop there. A security-aware culture will be an additional line of defense.

Brooke: President Biden’s 2021 Executive Order on Cybersecurity mandated a Zero Trust approach for all government agencies. What can private organizations learn from the Executive Order?

Alissa: The Executive Order really formalized the work that organizations in both the public and private sectors were doing together through strong partnerships and a collaborative working relationship. We have had many conversations around Zero Trust and its implementation together and separately. We can continue with the good foundation started and expand the learnings between the different environments. 

Brooke: Microsoft recently released multicloud Microsoft Entra Permissions Management, based on the CloudKnox acquisition, within the Microsoft Entra product family, which also includes Microsoft Azure Active Directory and Microsoft Entra Verified ID. Why is permissions management important as part of a strong identity strategy?

Alissa: Let us start with two assumptions: 

First, a lot of the future will be based on identities. If you start to decouple identity information from the data, the data becomes less relevant. Second, the future relies heavily on cloud-based architectures. These are not absolutes but are statements that describe the future as we know it today. 

If we take both of those as great starting points, then you easily move into the need to manage entitlements and permissions in the cloud environments. We cannot be myopic in our view of identities. Just as we seamlessly want to manage user identities, those entitlements in the cloud are equally important and we should not have to chase down entitlements in every cloud platform. An integrated model helps with visibility, automation, and policy management.

Brooke: What basic elements of security should organizations expect to be built into any cloud platform for a strong security foundation? 

Alissa: Cloud platforms have many security elements ready to customize that will provide the level of security that you need for your data. Some examples that I can think of are data encryption, intrusion detection with event logging, and application security protections, just to name a few.

It is important to think of security protections in layers—data, application, and infrastructure. Cloud platforms have options that allow you to protect each layer and negotiate the level of security for your situation with the cloud service provider.

Brooke: What are three things an organization should absolutely make sure they have implemented for a strong digital identity framework? 

Alissa: First, a strong digital identity framework should include many layers, but those layers cannot be seen as complexities. The layers should help provide clarity on the security state of digital identities within an environment. 

Second, solutions have to be adopted and executed in a timely way so that the biggest benefit is reached. Solutions like multifactor authentication and passwordless not only enhance your digital identity framework but also enhance your user experience. 

Third, the identity framework needs to be comprehensive. There are so many different types of identities, and the framework needs to include the management and security of all identities—including employee, machine, service, and cloud. If you miss including one area, you could potentially open that area up to the adversary. 
