The Future of Identity Governance

November 21, 2025 | December 10th, 2025

“Identity is the new perimeter”. You’ve all heard it before, mostly from people trying to help you build that perimeter. But building the perimeter alone misses two critical aspects of a perimeter.

  1. Making sure that what’s inside the perimeter is what you want to protect
  2. A perimeter is not just a wall; you need to keep watch, because unguarded walls can be scaled.

Addressing these two problems is the reason Hydden Control exists: to provide continuous assurance that your identity perimeter is exactly where you want it to be.

To understand how, let’s take these critical aspects one at a time.

Protecting what’s inside your perimeter

When identity is your perimeter, this means making sure that the right identities have access to the right data.

How do people do that now? With a combination of identity governance tools that try to grant the appropriate access entitlements to users as they join or move around the organization and, if you’re paying enough attention, revoke that access when they leave. That’s great, if you can completely predict what access anyone will need. Spoiler: You can’t. So inevitably there will be some changes as users get access to new systems.

In an attempt to manage this drift, and persuade your auditors that you are paying attention, you have access reviews. Once, twice or even 4 times a year you pull together access data and ask application owners and team managers to find the problem access needles in a haystack of spreadsheets. Everybody hates this. Team managers and application owners are dragged away from their real jobs to pore over reams of access data in a spreadsheet and determine if everyone has the correct access. And even if there is something to find and correct, it’s buried under so many items that just get a rubber stamp that it’s almost certain to go unnoticed. These reviews aren’t governance or security; they are performative.

Hydden Control aims to solve this. At the core is Hydden’s complete and accurate view of your identity infrastructure. In order to make good decisions, you must have good data. Layered on top of that is the recognition that the “right access” is defined by a combination of factors.

  1. An identity’s role
  2. Any external regulatory and compliance requirements
  3. Internal security and access policies
  4. Actual day to day practice in the organization

In general, the first 3 can be expressed in policy terms and assessed by a governance solution, but the fourth is a little different. Hydden Control builds unique policies for your organization based on the way that access is really used. You can carve up the policies by role, team, or location to suit your organization. If your US HR team uses different tools from their European counterparts, no problem. You can see what the reality of identity and access is. You can then choose which of these policies you want to incorporate into your identity perimeter and handle them automatically. Automate out the irritating, mindless rubber-stamp approvals, leaving you to focus on the outliers: the access that does need someone to dig in and consider whether it’s valid. And as a bonus, you don’t annoy your users every quarter.

And if you still need to generate that report for your auditors, no problem.

Keeping watch on your perimeter

Having defined what should be inside your perimeter, you need to monitor for changes.

Again, Hydden’s underlying data layer of complete and accurate identity information is the foundation on which we will build defenses.

Changes to your environment are inevitable. Some are necessary, some extremely undesirable. The key to a good perimeter is identifying which is which and acting quickly. Not in 3, 6, or 12 months at your next scheduled access review. The future of the identity perimeter is continuous monitoring and control of those changes. Hydden’s data layer can pick up changes in seconds. From there we will assess risk and enable Hydden Control to compare the change to your existing policies and accepted common practices. You only need to worry if the change is outside those definitions. Then you can review immediately and either incorporate the change into your perimeter, or reject the access change and revert it. Respond in minutes rather than months and incorporate changes to your identity fabric as they are needed.

That is the vision for Hydden Control. Continuous monitoring leading to continuous compliance. Find out about changes you care about as they happen and respond rapidly. And when your auditors come knocking, you can confidently prove that not only are you compliant and in control there and then, but you were at every moment since the last audit.

This week we unveiled Hydden Control and took a giant leap towards that vision, but there is more to come. Watch this space for more on the road to an identity perimeter worthy of the name.

Richard Wang
