{"id":2575,"date":"2025-04-01T19:08:38","date_gmt":"2025-04-01T19:08:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2575"},"modified":"2025-04-01T19:08:38","modified_gmt":"2025-04-01T19:08:38","slug":"how-cisos-can-use-identity-to-advance-zero-trust","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2575","title":{"rendered":"How CISOs can use identity to advance zero trust"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>AI is the best thing that\u2019s ever happened to cybercriminals. It allows them to weaponize trust and launch identity-based attacks with staggering scale and sophistication. I\u2019m talking about mutating polymorphic malware, prolonged ransomware sneak attacks that lead to double-extortion and deepfakes that defraud victims every few minutes.<\/p>\n<p>CISOs must adapt to this reality by implementing\u00a0zero trust\u00a0strategies that focus heavily on identity. This transition isn\u2019t always easy because, historically, CISOs delegated identity-related matters to Identity and Access Management (IAM) teams, viewing it primarily as a check-box compliance exercise. 
Now that identity security has become so crucial to the success (or failure) of an organization\u2019s overall cybersecurity strategy, CISOs must have a solid executive understanding of its role in protecting the enterprise.<\/p>\n<p>This post aims to provide security leaders with the essential insights needed to actively engage in identity-related architecture and strategy decisions.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Identity: The decision point<\/strong><\/h3>\n<p>Perimeter-based security models built to keep attackers out won\u2019t work when\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ransomware-bec-cyber-incidents\/\" target=\"_blank\" rel=\"noopener\">60% of breaches<\/a>\u00a0now involve valid credentials. As my colleague Andy Thompson says, \u201cIt\u2019s much easier to log in than hack in.\u201d<\/p>\n<p>Every entity (human or non-human) accessing a resource (applications, data or other entities) requires an identity. That\u2019s why identities are so valuable. Attackers can target them instead of sniffing out vulnerabilities or deploying malware to exfiltrate sensitive data\u2014tactics that take time and effort. With valid credentials linked to a human or machine identity, attackers can slip in, bypass security controls and operate undetected\u2014sometimes for extended periods\u2014without anyone knowing.<\/p>\n<p>In more good news for the bad guys, identities are everywhere. The average staff member has\u00a0<a href=\"https:\/\/www.cyberark.com\/press\/cyberark-report-massive-growth-of-digital-identities-is-driving-rise-in-cybersecurity-debt\/\">more than 30 digital identities<\/a>, and the total of non-human (or machine) identities outnumbers human identities by as much as 45-to-1. 
That number keeps growing: the average organization expects identities to surge by\u00a0<a href=\"https:\/\/www.cyberark.com\/resources\/ebooks\/identity-security-threat-landscape-2024-report\" target=\"_blank\" rel=\"noopener\">3x<\/a>\u00a0in the next 12 months. Given this, it\u2019s unsurprising that 93% of organizations have experienced at least two identity-related breaches.<\/p>\n<p>This data helps explain why identity has replaced the perimeter and become the only common decision point from which to evaluate risk and apply dynamic security controls. It also shows why protecting identities is now a core cybersecurity priority.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Identity security: A business enabler<\/strong><\/h3>\n<p>Mature organizations understand that structured processes enable automation, which is key to securing identities. For example, HR can automatically create digital identities for new employees, ensuring they receive only the minimum necessary permissions for their role through the use of lifecycle management within identity governance.<\/p>\n<p>This automated identity lifecycle is governed by identity security control planes, which ensure that access requests, privilege escalations and governance are managed securely.<\/p>\n<p>Unlike process-heavy IAM systems of the past, identity security serves as a business enabler by optimizing workflows, decreasing friction and minimizing disruptions. CISOs can effectively communicate identity security\u2019s value to stakeholders and align security efforts with business goals by understanding these identity-related controls organized into three pillars.<\/p>\n<h3 class=\"wp-block-heading\"><strong>The three core pillars of identity security<\/strong><\/h3>\n<p><strong>1. Privilege controls<\/strong><\/p>\n<p>Excessive privileges are a top target for cyberattacks and a major cause of security breaches. 
An effective zero trust approach encompasses four key privilege controls that, together, reduce operational risks associated with unauthorized privileged access:<\/p>\n<p><strong>Least privilege\u00a0access<\/strong>\u00a0\u2013 ensuring accounts only have the permissions they need.<\/p>\n<p><strong>Secrets management<\/strong>\u00a0\u2013 securing credentials and API keys.<\/p>\n<p><strong>Just-in-time (JIT) access<\/strong>\u00a0\u2013 granting elevated access only when necessary.<\/p>\n<p><strong>Zero standing privileges (ZSP)<\/strong>\u00a0\u2013 eliminating persistent admin rights.<\/p>\n<p><strong>2. Access management<\/strong><\/p>\n<p>Managing and securing access in a decentralized IT environment requires a complementary set of controls, including:<\/p>\n<p><strong>Adaptive authentication<\/strong>\u00a0\u2013 dynamically adjusting access controls based on risk.<\/p>\n<p><strong>Single sign-on (SSO)<\/strong>\u00a0\u2013 improving user experience and reducing attack surfaces.<\/p>\n<p><strong>Multi-factor authentication (MFA)<\/strong>\u00a0\u2013 adding extra layers of security beyond passwords.<\/p>\n<p><strong>3. Identity governance<\/strong><\/p>\n<p>Identity governance is all about ensuring visibility, compliance and overall risk reduction by:<\/p>\n<p>Defining\u00a0<strong>who has access to what, when, and why<\/strong>.<\/p>\n<p>Automating access reviews and certification processes.<\/p>\n<p>Implementing\u00a0<strong>role-based and attribute-based access controls<\/strong>\u00a0(RBAC and ABAC).<\/p>\n<p>Together, these comprise a holistic identity security architecture. It shifts cybersecurity away from outdated perimeter-based controls toward dynamic, scalable and risk-adaptive access. 
With this as a foundation, organizations can be consistent about security across all entities (users, devices, applications, and services), make real-time risk assessments so they can detect and respond to threats as they emerge, and continuously verify identities and access permissions to enforce zero trust.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Prioritizing identity security: A CISO\u2019s roadmap<\/strong><\/h3>\n<p>Of course, implementing these identity controls isn\u2019t something that happens overnight. It\u2019s a journey. The best way to maximize business resilience is to create and then follow a high-level roadmap for orchestrating identity security controls.<\/p>\n<p>Having a roadmap in place is not just crucial for goal setting and business justification; it\u2019s also essential for identifying dependencies to ensure that controls work together in harmony. A structured identity-first strategy keeps the big picture in focus. Instead of constantly fighting fires and making tactical fixes, teams can concentrate on building a sustainable, outcome-based security program.<\/p>\n<p>AI-driven threats are evolving faster than ever before. The vast majority of CISOs have embraced zero trust as a philosophy, and as part of that, they approach security as if their organizations have already been breached. With continuous and adaptive identity security, it doesn\u2019t matter whether the attacker is inside or outside. What matters is that they will be stopped in time and shut down before it\u2019s too late.
This advantage deserves every CISO\u2019s full attention.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>AI is the best thing that\u2019s ever happened to cybercriminals. It allows them to weaponize trust and launch identity-based attacks with staggering scale and sophistication. I\u2019m talking about mutating polymorphic malware, prolonged ransomware sneak attacks that lead to double-extortion and deepfakes that defraud victims every few minutes.
CISOs must adapt to this reality by implementing\u00a0zero [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2574,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2575","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2575"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2575"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2575\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2574"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}