Many enterprises recognize the importance of a security strategy built around a Zero Trust maturity model. The problem? While many aim to fortify their position with mature identity-based cybersecurity, there is often a considerable gulf between intent and attainment, leaving room for hackers to take advantage, target, and gain control of data and infrastructure.
It doesn’t have to be this way. Follow Bravura Security’s identity and privileged access maturity model, and you can foster a gradual, achievable, and sustainable security program that creates a roadmap to grow beyond these early levels toward optimization and Zero Trust operational maturity. This four-stage approach will help your organization narrow the targets and eliminate the threats to safeguard your data and infrastructure.
Least Mature: Maturity Level 1 - Fragmented Identity
At this stage, you’re just starting to focus on establishing identity information quality. Even though you’ve realized the complex nature of identity-based security, your organization’s approach is reactionary and sporadic.
Users may have many loosely correlated identities across various systems and directories. Internal identities are fragmented, and there are several sources of identity information. Privileged access is unmanaged or ad-hoc at best with many built-in accounts.
Some tell-tale signs of level one maturity include:
- High reliance on the perimeter
- Unreliable directory data
- Many unmanaged applications in the cloud or on-premises
- Passwords shared via whatever means possible
Maturity Level 2 - Unified IAM
As you progress, you should focus on establishing and implementing central identity management. Your organization has defined identity creation, change and deletion processes, and is starting to establish basic birthright roles used during provisioning.
At the very least there is a primary directory with a single source of truth for most (if not all) internal identities. Privileged access leverages an enterprise-wide vault which allows secure sharing of credentials and may have basic integrations established for managing built-in administrator accounts.
Components that organizations should target in this level include:
- Single sign-on system established for core systems (email, collaboration, etc…)
- Unified source of trust for identity information in a single, authoritative directory.
- Automated (de)provisioning across core directories and systems.
- Vaulting of privileged accounts
Maturity Level 3 - Contextual
Once you’ve transitioned into the latter half of your organization’s identity management roadmap, access should be contextual. You should be implementing role-based or attribute based access control strategies and preventing the proliferation of entitlements through regular access review processes.
The primary directory is the only source of authority for internal identities. Privileged access is well managed using job-specific or consistently controlled shared and individual administrator accounts.
You can achieve and surpass the contextual level by aiming your attention at:
- Context-based access policies (RBAC or ABAC)
- Automated joiner/mover/leaver processes have been extended to most, if not all LOB applications
- Regular access reviews by system/business owners
- MFA is deployed comprehensively and contextual access policies deployed to enable frictionless authentication
- Your privileged access strategy includes service accounts, non-human accounts, containers, and app-to-app credentials
Most Mature: Maturity Level 4 - Adaptive Assessment
In the final measures of your identity and privileged access management maturity, you should concentrate on integrating identity-driven business systems after embracing Zero Trust principles and adopting most identity and access management best practices.
A very high degree of consistency is maintained by synchronizing and monitoring directories for changes by the IAM tool. The primary directory is the only source of authority for internal identities. Privileged access leverages JIT-created individual administrator accounts for most access with auditing from a PAM tool.
Your organization can achieve the highest level of maturity by:
- Risk-based access guidelines
- Adaptive and continuous authorization and authentication
- Diminished emphasis on the perimeter
- Centralized provisioning
Why Maturity Matters
Advanced identity and privileged access management measures are a key component to your overall cybersecurity and Zero Trust strategy. As you transition to a perimeter-less network, identity naturally becomes your perimeter and is leveraged to consistently validate users and provide the right level of access when needed. However, recent data from Bravura Security reveals most organizations are currently at the beginning stages of their identity management roadmap — vulnerable and unprotected across a landscape of developing threats. Cybersecurity maturity matters because these less sophisticated access management programs often have more irregular validation abilities, forgo regulatory compliance mandates, and may be missing privileged access management entirely.
The Next Level
Identities are the heart of all access in your organization. They’re also the target for most attacks, attackers don’t break in, they log-in, and leverage lateral movement techniques to establish a foothold with high-privileged access within your environment, but you can be ready with the only singular platform and maturity model for identity and privilege, Bravura Security Fabric.
Learn how to build it from a fragmented access management state to a connected shield of an identity and privilege cybersecurity maturity model across this converged identity and privileged access management platform on January 27 at our Power of One Summit.
Join Bravura Security security-based identity experts to help assess maturity and take it to the next level with an achievable strategy at session three of our Power of One summit, Shots on Target: Fortifying Your Cybersecurity Maturity.
A widening gap exists between aspiration and achievement for organizations attempting identity-based security strategy modernization. Many organizations have identified...
Months have passed since the DarkSide Colonial Pipeline ransomware attack, yet some antivirus vendors are still unable to detect the malware used. This demonstrates that...