Cyber threats against businesses grow every year. The onslaught of cyberattacks faced by businesses is relentless. When one of those attacks succeeds, it can take a steep toll on an organization, causing data loss, fines, legal fees, and reputational loss.
Organizations are understandably eager to strengthen their security posture. To manage cyber risk and maintain compliance with regulatory requirements, many business leaders turn to one of two well-established cybersecurity frameworks: the ISO/IEC 27001 and the NIST CSF.
- The ISO/IEC 27001, developed by the International Organization for Standardization and the International Electrotechnical Commission, is a certification that serves as a global standard for information security management systems.
- The NIST CSF, created by the U.S. National Institute of Standards and Technology, offers an adaptable approach to managing and reducing cybersecurity risks. It is commonly used across industries and is particularly popular in the U.S.
These frameworks are a lifeline for organizations, but neither is a silver bullet. Navigating the dense guidelines in each framework can be overwhelming. It’s often difficult to know exactly where to begin.
There is a clear starting point, which is identity hygiene.
Why is Identity hygiene crucial?
Identity hygiene refers to any principles, processes and policies that manage access to your organization’s digital assets.
Effective identity hygiene reduces the risk of security breaches, supports compliance efforts and ensures that only the right people have access to the right resources at the right times. Identity hygiene encompasses not just what you need to do now but what you need to do forever. A long-term identity hygiene strategy requires you to analyze the protection status of identities in your ecosystem and determine potential risks. To ensure your organization remains protected on a continuous basis, it’s important to establish an automated discovery and remediation process.
Why focus on identity hygiene when implementing cybersecurity frameworks?
Both the ISO/IEC 27001 and NIST CSF frameworks emphasize controls around access, authentication and authorization—all of which are foundational elements of identity hygiene.
By focusing on identity first, you can effectively address core requirements across both frameworks, including:
- Limiting account permissions to safeguard access to information
- Monitoring access to data and managing access rights
- Protecting credentials from unauthorized access
- Controlling elevated privileges
In other words, prioritizing identity hygiene simplifies the implementation of these frameworks, creating a domino effect of cybersecurity improvements.
3 steps to getting started with identity hygiene
- Start with access: Many of the fundamental security controls revolve around managing and protecting access within your organization. You have to actively manage the reach of an identity to protect credentials from being stolen and used by bad actors. Gone are the days of periodically reviewing a checklist and feeling secure. You need tangible evidence that you can measure and track. Start by understanding who has access to what within your organization, and take steps to limit individual access to only what is necessary.
- Build outward: Think of identity as the nucleus of your cybersecurity strategy and expand other requirements from that central focus. Once you evaluate access to your systems, you may uncover vulnerabilities you didn’t know were there. Maybe you integrated with another company through a merger or acquisition. Maybe legacy systems or accounts still exist that are no longer valid. Zoom in on identity first, then open the aperture a little wider, bit by bit, to build more security protocols and improve compliance.
- Leverage automation: Manually cataloging and managing identities across your organization is not scalable. Adopt automated identity hygiene solutions that can continuously discover, assess and resolve identity-related risks.
Identity hygiene is key to compliance with NIST and ISO
Cybersecurity frameworks are invaluable. Leaders can use frameworks as a foundation to manage security requirements in their organizations, update their boards, and improve their security postures.
As crucial as they are, these frameworks have a few drawbacks. For example, manually cataloging and managing identities across your organization is not scalable.The ISO/IEC 27001 is technical and the certification process is rigorous. NIST CSF is so broad that it’s difficult to tailor to an organization’s specific needs.
In both cases, a focus on identity hygiene can help. Adopting a holistic approach to identity hygiene simplifies implementation,simultaneously quantifying risks, maintaining compliance and enhancing an organization’s overall security posture.
About the Author:
Rita Gurevich is the CEO and founder of SPHERE, a leading identity hygiene company redefining how organizations achieve access control across their environment.
Rita began her career at Lehman Brothers, where she oversaw the distribution of technology assets after the organization’s bankruptcy in 2008. From this, Rita gained a deep understanding of analyzing identities, data platforms, and the overall application and system landscape distributed across buying entities. With this knowledge, Gurevich founded SPHERE, an organization that provides critical governance, security, and compliance solutions centered around the expanding access control issues plaguing organizations. Rita has driven the growth of SPHERE through its evolution to a cutting-edge software company that also provides services to clients with the only end-to-end access management solution available today
Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information. BSM is cited as one of Feedspot’s top 10 cybersecurity magazines.