With tens of millions of employees working at their kitchen tables and in their home offices, and billions of consumers purchasing goods on their phones from anywhere and everywhere, protecting mission-critical and other sensitive data within a complex ecosystem of suppliers and partners has never been more essential. In an environment where cybercriminals are often just a click away, organizations should adopt a zero-trust mindset and architecture, with identity and access management at the heart of it.

The demand for frictionless experiences

The explosive pace of digital transformation among both public organizations and private enterprises — especially during the pandemic — in addition to a rapidly normalizing work-from-home structure, has provided bad actors with a window of opportunity. As a result, there have been an unparalleled number of cyberattacks in recent months, particularly ransomware events and supply-chain attacks. Current identity and access management (IAM) models, originally built to manage digital identities and user access for single organizations, are now being re-conceptualized to offer the right level of resilience, as well as to deliver critical authentication features suitable for federated, private, public or multi-cloud computing environments.

More and more, customers, suppliers and corporate users expect frictionless experiences, unencumbered by ever-changing passwords and multiple layers of digital identification. Extended ecosystems of third-party partners, contractors and gig workers — all extensions of an enterprise’s workforce — require access at different times to different levels of sensitive corporate data. Unfortunately, a lack of purpose-built processes for these constituencies too often results in significant breaches in the security chain.

The line between business-to-consumer (B2C) and business-to-business (B2B) security continues to blur, with enterprises moving away from separate security disciplines. Rather, organizations are in many cases merging the two in terms of their authentication management approaches. As security technology matures, there may be a broad move to identity proofing and passwordless authentication, not just for consumers, but also for enterprises. Scalability is likely to be an issue when it comes to the sheer numbers of B2C and B2B clients relative to corporate cyber professionals.

As an automated approach that can help eliminate costly and cumbersome manual processes, reduce an environment’s attack surface and establish fit-for-purpose cyber policies and principles, the zero-trust security model is increasingly being viewed as a viable security approach in the post-pandemic world. With identity at its core, zero trust enables organizations to evaluate whether a user is properly authenticated; isolate the resource the user is attempting to access; determine if the request is from a trusted, stolen or third-party device; and confidently decide whether access should or should not be granted.

The emergence of zero trust represents a mindset shift in which the cyber team assumes compromise in connection with system access, and makes security decisions on the basis of identity, device, data, and context. With users demanding ever-faster access, and cloud-centric structures expanding the attack surface, existing security solutions and resources may not be formidable enough to adequately protect data as it moves through the network.

The zero-trust model and architecture can’t succeed without placing identity at the center. Develop your zero-trust roadmap around identity to facilitate adoption and strengthen ROI.

Benoit Watteyne
Director, Technology Advisory
KPMG in Belgium

What’s your move?

To address the growing access and identity risks that continue to destabilize organizations financially and operationally, as well as respond to an expanded regulatory environment, enterprises and institutions should consider new standards, tools and strategies to better secure their systems, data and infrastructure.

In a post-pandemic business setting in which many, if not most, workers are remote, interim fixes and temporary Band-Aids will likely prove to be unable to keep up with the pace and virulence of cyberattacks and threats that are already bombarding businesses and government agencies. Soon, users will likely no longer need to be ‘on network’ (i.e., through a persistent virtual private network (VPN) connection). Conditional access is expected to come from the trust and assurance that is engendered by the devices people use, and the authentication and decisioning processes organizations implement.

The concept of zero trust is a growing point of interest, but many CISOs — and even more so, CIOs and Heads of Infrastructure — should continue to work toward the most effective means of implementing an organization-wide zero-trust architecture, as well as a set of principles that aligns with business and operating priorities. And, of course, all of this should be considered within the context of the organization’s overall cyber security, risk management and technology programs.

The principle of least privilege is perhaps one of the simplest ideas relating to the way data is protected, yet it is also one of the most important. The general idea is that users, processes, workloads and applications should only be granted the lowest degree of system resource access rights necessary to carry out their role. For example, web designers don’t need access to financial records, and individuals responsible for updating the product listings don’t need admin rights. Organizations should continue to view the least-privilege access principle as a core element of the zero-trust model.
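The access decision described above (authenticated identity, isolated resource, device state, then a least-privilege role check) can be sketched as a small policy evaluator. This is an added illustration, not code from the article or from KPMG; the role map, resource names and device states are constructed sample values for a hypothetical organization.

```python
from dataclasses import dataclass

# Device states named in the text: trusted, stolen or third-party.
TRUSTED, STOLEN, THIRD_PARTY = "trusted", "stolen", "third-party"

# Least-privilege role map (constructed sample, hypothetical organization):
# each role lists only the resources and actions its job actually requires.
ROLE_PERMISSIONS = {
    "web_designer": {"website_assets": {"read", "write"}},
    "catalog_editor": {"product_listings": {"read", "write"}},
    "finance_analyst": {"financial_records": {"read"}},
}

# Sensitive resources additionally require a trusted (managed) device and MFA,
# a conditional-access rule of the kind the text describes.
SENSITIVE_RESOURCES = {"financial_records"}


@dataclass
class AccessRequest:
    user: str
    role: str
    authenticated: bool
    mfa: bool
    device_state: str
    resource: str
    action: str


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request in the order the text lays out:
    identity -> device -> resource/role (least privilege) -> context."""
    if not req.authenticated:
        return False, "identity not authenticated"
    if req.device_state == STOLEN:
        return False, "device reported stolen"
    # Least privilege: the role grants nothing beyond its listed rights,
    # so a catalog editor asking for "admin" is denied by default.
    allowed = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"role {req.role} has no {req.action} right on {req.resource}"
    if req.resource in SENSITIVE_RESOURCES:
        if req.device_state != TRUSTED:
            return False, "sensitive resource requires a trusted device"
        if not req.mfa:
            return False, "sensitive resource requires MFA"
    return True, "granted"
```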

Zero trust is not a feature, it's not a technology, it's not a standard. It's an approach to and a framework for security, with identity as a key component.

Jim Wilhelm
Global IAM Leader, KPMG International
Principal, KPMG in the US

Some key actions to consider for 2022

  1. Experiment or begin to have a strategy around passwordless authentication for selected use cases.
  2. Be sure your identity program has a sound data and analytics foundation.
  3. Embed a zero-trust mindset into your overall cyber strategy.
  4. Commit to creating a frictionless experience to enhance user and customer experience by streamlining authentication and identity management.
  5. Automate security functionality to enable highly skilled professionals to focus on more strategic activities.
  6. Accept that adopting a zero-trust approach is a journey — it takes time to implement.