The way organisations manage identities is fundamentally broken, and the consequences show up in the attack data: by the figure cited in the video, around 80% of cyberattacks now involve identity. Hackers aren’t just hacking in anymore – they’re logging in, with a valid credential rather than an exploit. This highlights a critical need for a new approach to Identity and Access Management (IAM).
The Disconnected Reality of Identity Management
Traditionally, organisations separate the management of human identities from non-human (machine) identities.
• Human identities, often managed by IT teams, include:
◦ Workforce Identity and Access Management (WIAM) for internal users.
◦ Consumer Identity and Access Management (CIAM) for external users such as customers or citizens.
Organisations frequently run a mix of old, homegrown systems (some 20-25 years old) and newer cloud-based tools, which leads to a fragmented approach. Many legacy applications do not support crucial controls such as multifactor authentication (MFA) or passwordless login at all, and often keep user IDs and passwords in ad-hoc side files or application SQL tables outside any hardened identity store. Managing human identities across hybrid multicloud environments adds yet another layer of complexity.
• Non-human identities, typically managed by platform or DevOps teams, are often much larger in number. These include:
◦ Machine identity (for applications or workflows).
◦ API keys and API access.
◦ Public Key Infrastructure (PKI).
◦ AI and AI agents, which are rapidly proliferating and often require elevated access; an agent acting for a person also needs that person’s identity tracked alongside its own.
This siloed approach, with disconnected teams and tools, creates a significant “mess” that leaves organisations vulnerable to cyberattacks.
The Solution: An Identity Fabric
Instead of advocating for a complete overhaul, the concept of an identity fabric proposes a pragmatic approach: take the technologies you already have and augment them with AI-based capabilities. This creates a unified “fabric” in which all your existing tools and identities can work together. The ultimate goal is consistent enforcement of policy, such as least-privilege access within a zero-trust framework, across every one of those tools rather than in each silo separately.
The Six Critical Use Cases for Enhanced Cyber Trust
The current fragmented state of identity management makes several crucial security practices nearly impossible. Based on their client conversations, IBM and HashiCorp have identified six top use cases that an identity fabric helps address:
1. Identity Observability (also known as Identity Security Posture Management or ISPM): This is the ability to find weak or sloppy implementations of human and non-human identities that an attacker could exploit. Key aspects include:
◦ Identifying secrets hardcoded into applications.
◦ Discovering shadow directories or shadow assets that IT isn’t aware of.
◦ Crucially, observing how non-human and human identities interact – for example, several human accounts that have been inactive for months suddenly starting to use the same non-human service account is a signal worth alerting on.
2. Frictionless Access: This aims to remove usernames and passwords from the login experience, making access easier and more secure through methods like passkeys. While it radically improves user experience and security, legacy applications often pose a significant barrier.
3. Centralised Secrets Management: This involves establishing a central control plane to store, revoke, and audit secrets for non-human identities, such as API keys, database credentials, and cloud credentials.
4. Dynamic Credentials: Building on centralised secrets management, this encourages a shift from static secrets (which are often long-lived and rarely changed) to just-in-time created credentials. Dynamic credentials significantly reduce the risk of secret leakage (e.g., from accidental GitHub commits), as they are ephemeral and bound to specific callers and targets. As an intermediate step, rotating static secrets regularly is also beneficial.
5. Privileged Access Management (PAM): Despite being a long-standing security requirement, many organisations have only rolled out PAM controls to 20-70% of their privileged human and non-human users, leaving a significant portion unprotected. This poses a major issue with auditors and cyber insurance providers. The goal is to achieve 100% PAM rollout.
6. Identity Threat Detection and Response (ITDR): This focuses on real-time protection by moving threat detection closer to the identity engines themselves. ITDR specifically aims to find policy bypasses, such as:
◦ MFA bypass.
◦ ZTNA (Zero Trust Network Access) bypass.
◦ VPN bypass.
◦ Secrets management bypass.
It also involves detecting direct attacks on the identity system itself, the identity engines rather than the applications behind them.
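The dynamic-credential idea in use case 4 is easiest to see as code. The following is an added example, not code from the video, IBM or HashiCorp, and not how any product implements it: a toy broker mints a credential just in time, binds it to a named caller and target by signing those claims with a broker-held HMAC key, gives it a short TTL, and can revoke it by id. The `CredentialBroker` class, the caller and target names and the 300-second TTL are all assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class CredentialBroker:
    """Toy just-in-time credential broker (illustration only, not a product API).

    A credential is a signed claim set {id, caller, target, iat, exp}. The signing
    key never leaves the broker, so a leaked token cannot be re-minted for another
    target or caller, and it stops working at exp no matter who holds it.
    """

    def __init__(self, ttl_seconds=300):
        # Broker-side HMAC key; a real broker would keep this in an HSM/KMS (assumption).
        self._key = secrets.token_bytes(32)
        self.ttl = ttl_seconds
        self._revoked = set()

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, caller: str, target: str, now=None) -> str:
        """Mint a credential bound to one caller and one target, valid for ttl seconds."""
        now = time.time() if now is None else now
        claims = {"id": secrets.token_hex(8), "caller": caller, "target": target,
                  "iat": now, "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._mac(payload)

    def verify(self, token: str, caller: str, target: str, now=None):
        """Return (ok, reason). The signature is checked before any claim is trusted."""
        now = time.time() if now is None else now
        try:
            encoded, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(encoded.encode())
        except (ValueError, binascii.Error):
            return False, "malformed"
        if not hmac.compare_digest(self._mac(payload), mac):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims["id"] in self._revoked:
            return False, "revoked"
        if now >= claims["exp"]:
            return False, "expired"
        if claims["caller"] != caller:
            return False, "caller mismatch"
        if claims["target"] != target:
            return False, "target mismatch"
        return True, "ok"

    def revoke(self, token: str) -> None:
        """Revoke by credential id; the id only needs to be remembered until exp passes."""
        encoded = token.split(".", 1)[0]
        self._revoked.add(json.loads(base64.urlsafe_b64decode(encoded.encode()))["id"])


def demo(now=1_700_000_000.0) -> dict:
    """Walk one credential through its lifecycle and return each verification outcome."""
    broker = CredentialBroker(ttl_seconds=300)
    token = broker.issue("ci-runner-42", "orders-db", now=now)
    # Flip the last hex digit of the MAC to simulate tampering with the claims.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    results = {
        "right caller and target": broker.verify(token, "ci-runner-42", "orders-db", now=now + 10),
        "replayed against another db": broker.verify(token, "ci-runner-42", "billing-db", now=now + 10),
        "stolen by another caller": broker.verify(token, "laptop-alice", "orders-db", now=now + 10),
        "used after ttl": broker.verify(token, "ci-runner-42", "orders-db", now=now + 301),
        "tampered": broker.verify(tampered, "ci-runner-42", "orders-db", now=now + 10),
    }
    broker.revoke(token)
    results["after revocation"] = broker.verify(token, "ci-runner-42", "orders-db", now=now + 10)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:30s} -> {outcome}")
```

The contrast with a static secret is the point: a database password pasted into a repository in 2021 is still a database password today, whereas the token above is useless five minutes after it was minted, useless against any other target, and useless to anyone but the caller it was issued to. Rotating static secrets (the intermediate step the text recommends) shrinks the first window but does nothing about the other two.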
A Three-Phase Approach to Achieving Cyber Trust
To tackle these challenges and implement an identity fabric, the video outlines a three-phase approach:
1. Inspect: This initial phase is all about discovery and visibility.
◦ Secret Identification and Discovery: Finding all your secrets, no matter where they are hidden (e.g., in code, configuration files, Confluence pages, Jira, wikis, ServiceNow tickets).
◦ Identity Security Posture Management: Identifying shadow identities, shadow directories, and shadow assets. As a CSO once stated, “If you can’t see it, you can’t secure it”.
2. Protect: Once you know what you have, this phase focuses on implementing protective measures.
◦ Centralised Secrets Management.
◦ Privileged Access Management (PAM).
◦ ITDR and Behavioural Analysis: Behavioural analysis matters specifically for attacks that use a compromised but valid credential, which no authentication check will reject. By the figure cited, such breaches take on average 292 days to identify and contain; behavioural analysis (for example, monitoring typing cadence and other interaction patterns against the account’s history) can flag the misuse in as little as 10 seconds.
3. Govern: The final phase ensures long-term consistency and control.
◦ Lifecycle Management: This involves governing the complete lifecycle of both human and non-human identities, from onboarding and offboarding to revocation and denial, treating them as consistent workflows.
◦ Consistency, Protection, and Discovery: governance provides the framework for consistent identity management, protection secures the assets you know about, and inspection keeps running so that newly created shadow identities and secrets are found rather than left to accumulate.
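The secret discovery described in the Inspect phase, and the “secrets hardcoded into applications” check from the Identity Observability use case, both come down to running signature and assignment patterns over every text store you can reach. The scanner below is an added example written for this page, not IBM’s, HashiCorp’s or any product’s code. Its corpus is constructed: the settings file, Confluence page, ServiceNow ticket and key file are invented, the `AKIA...EXAMPLE` value is the access key id AWS uses in its own documentation, and the GitHub token is a made-up string of the right shape. The pattern list is deliberately short; a real deployment would carry hundreds of vendor-specific signatures.

```python
import math
import re

# Vendor-specific token shapes plus a generic "name = value" assignment (case-insensitive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)(password|passwd|secret(?:[_-]?access)?(?:[_-]?key)?|api[_-]?key|token)\s*[:=]\s*['"]?([^\s'"]{8,})"""
    ),
}
# Values that only reference a template variable or an external secret store are not hardcoded.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "os.environ", "env(", "vault:")

# Constructed sample corpus standing in for code, wiki pages, tickets and deploy artefacts.
SAMPLE_CORPUS = {
    "app/settings.py": (
        'DB_HOST = "orders-db.internal"\n'
        'DB_PASSWORD = "s3cr3tP@ssw0rd!2024"\n'            # hardcoded: flagged
        'API_TOKEN = "${VAULT_API_TOKEN}"\n'                # template reference: ignored
        'SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]\n'     # environment lookup: ignored
    ),
    "wiki/confluence-db-runbook.md": (
        "## Restoring the reporting DB\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "tickets/SNOW-48213.txt": (
        "Build broke after SSO change. Temporary workaround: clone with the PAT\n"
        "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789 until the IdP is fixed.\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedfakekeybody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; high values suggest a generated token rather than a word."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be matched to its source without re-exposing it."""
    return value[:4] + "***" + f"({len(value)} chars)"


def scan_text(source: str, text: str) -> list:
    """Return one finding per (line, pattern) hit, skipping placeholder assignments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            if kind == "generic_assignment" and value.startswith(PLACEHOLDER_PREFIXES):
                continue
            findings.append({"source": source, "line": lineno, "kind": kind,
                             "redacted": redact(value),
                             "entropy": round(shannon_entropy(value), 2)})
    return findings


def scan_corpus(corpus: dict) -> list:
    findings = []
    for source, text in corpus.items():
        findings.extend(scan_text(source, text))
    return findings


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f['source']}:{f['line']} {f['kind']:20s} {f['redacted']} entropy={f['entropy']}")
```

Two design points carry over to real tooling. The scanner never prints the secret itself, because a findings report is exactly the kind of Confluence page or ticket the next scan will find. And the placeholder filter is what keeps the signal usable: without it, every properly externalised `PASSWORD = ${...}` line becomes a false positive and the team stops reading the output.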
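The interaction signal from the Identity Observability use case (dormant human accounts suddenly using a non-human service account) and the behavioural analysis of the Protect phase are the same idea: compare each event with the identity’s own history rather than with a static rule. The following detector is an added example for this page, not code from the video or either vendor. The identity-provider log lines are constructed, the 90-day dormancy threshold, 30-minute correlation window and two-actor minimum are assumptions, and the `actor`/`action`/`target` field names are invented for the sample format.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)        # no activity for this long: the human is dormant
CORRELATION_WINDOW = timedelta(minutes=30)
MIN_DORMANT_ACTORS = 2                    # distinct dormant humans on one service account

# Constructed sample log (not real data): ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-01-05T08:02:11Z actor=dan.p action=login src=10.1.4.9 result=success
2024-01-10T09:15:40Z actor=alice.m action=login src=10.1.4.22 result=success
2024-01-12T10:01:02Z actor=bob.k action=login src=10.1.4.31 result=success
2024-04-28T07:45:13Z actor=carol.n action=login src=10.1.4.40 result=success
2024-04-30T08:10:00Z actor=erin.o action=login src=10.1.4.55 result=success
2024-05-01T06:00:00Z actor=erin.o action=use_service_account target=svc-ci-runner src=10.1.4.55 result=success
2024-05-02T09:14:03Z actor=alice.m action=use_service_account target=svc-billing-api src=198.51.100.7 result=success
2024-05-02T09:16:22Z actor=bob.k action=use_service_account target=svc-billing-api src=198.51.100.7 result=success
2024-05-02T09:21:48Z actor=carol.n action=use_service_account target=svc-billing-api src=10.1.4.40 result=success
2024-05-02T09:25:05Z actor=dan.p action=use_service_account target=svc-billing-api src=198.51.100.7 result=success
"""


def parse_line(line: str) -> dict:
    ts_text, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def find_dormant_service_account_use(log_text: str) -> list:
    """Flag each use of a service account by a human who was dormant at that moment.

    last_seen is built from the actor's own prior events, so the baseline is the
    identity's history, not a global rule. A human with no history at all is
    treated as dormant too (assumption: unknown is not the same as trusted).
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_seen = {}
    hits = []
    for e in events:
        actor = e["actor"]
        if e.get("action") == "use_service_account":
            previous = last_seen.get(actor)
            if previous is None or e["ts"] - previous > DORMANT_AFTER:
                hits.append({"ts": e["ts"], "actor": actor, "target": e["target"],
                             "idle_days": None if previous is None else (e["ts"] - previous).days,
                             "src": e.get("src")})
        last_seen[actor] = e["ts"]
    return hits


def correlate(hits: list) -> list:
    """Raise one alert per service account when several dormant humans hit it inside the window."""
    alerts = []
    by_target = {}
    for h in hits:
        by_target.setdefault(h["target"], []).append(h)
    for target, th in by_target.items():
        th.sort(key=lambda h: h["ts"])
        i = 0
        while i < len(th):
            j, actors = i, set()
            while j < len(th) and th[j]["ts"] - th[i]["ts"] <= CORRELATION_WINDOW:
                actors.add(th[j]["actor"])
                j += 1
            if len(actors) >= MIN_DORMANT_ACTORS:
                alerts.append({"target": target, "start": th[i]["ts"], "end": th[j - 1]["ts"],
                               "actors": sorted(actors), "sources": sorted({h["src"] for h in th[i:j]})})
                i = j            # consume the window so one burst yields one alert
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    hits = find_dormant_service_account_use(SAMPLE_LOG)
    for h in hits:
        print(f"dormant use: {h['actor']} -> {h['target']} after {h['idle_days']} idle days from {h['src']}")
    for a in correlate(hits):
        print(f"ALERT {a['target']}: {len(a['actors'])} dormant humans {a['actors']} "
              f"between {a['start']:%H:%M} and {a['end']:%H:%M}, sources {a['sources']}")
```

On the sample, carol.n and erin.o use service accounts too but are not flagged, because their own recent logins make that ordinary for them; the three accounts that had been idle since January, all converging on `svc-billing-api` from the same external address within eleven minutes, are the pattern the text describes. Note that every one of those events succeeded: the detection lives entirely in the comparison with history, which is why the text places it next to the identity engine rather than at the perimeter.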
By adopting an identity fabric approach, organisations can move beyond disconnected tools and fragmented strategies, building a more secure and resilient cyber trust foundation for both human and non-human identities.