A new way to view identity
Today, companies still view identities and their roles and rights as something that is set up once and changed infrequently. Why do we do that? Hotels do it better than we do. When you check in, you get a key card: the card knows who you are, and the card enables you to enter your room. Then, when it is time to check out, the card no longer works. It's a dynamic identity service, giving you only the rights you need at a certain time and then taking them away when you no longer need them.
If you want to port this over to the IT environment, see how some universities utilize a single-sign-on (SSO) portal for all students. If a student doesn’t access a resource for 30 days, their access is disabled. If they attempt to access low-risk assets after they have been disabled, a message is displayed asking if they are still a student. The student self-attests and is granted access. For other resources they need to get approval and work through an automated flow.
This model changes everything. No more figuring out who should have access to what; just let the system figure it out. You no longer have a huge attack aperture with everyone having access they don’t really need. Of course, this model will not work for all environments, but it is one to strive for.
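The university flow described above can be sketched as a small policy engine. This is an added example, not code from the article or from any product; the class, method and resource names are hypothetical, and treating a grant as dormant at exactly 30 idle days is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
IDLE_LIMIT = timedelta(days=30)  # inactivity window described in the article

class Decision(Enum):
    ALLOW = "allow"
    SELF_ATTEST = "self-attest"        # low-risk asset: ask the user to confirm status
    NEEDS_APPROVAL = "needs-approval"  # any other asset: route to the approval flow
    DENY = "deny"                      # no grant was ever issued

@dataclass
class Grant:
    low_risk: bool         # risk tier, assumed to be assigned by the resource owner
    last_access: datetime  # refreshed on every allowed access

class AccessPolicy:
    def __init__(self):
        self.grants = {}  # (user, resource) -> Grant

    def grant(self, user, resource, low_risk, now):
        self.grants[(user, resource)] = Grant(low_risk, now)

    def authorize(self, user, resource, now):
        g = self.grants.get((user, resource))
        if g is None:
            return Decision.DENY
        if now - g.last_access < IDLE_LIMIT:
            g.last_access = now  # regular use keeps the grant alive
            return Decision.ALLOW
        # Dormant grant: a refused attempt must not refresh the idle timer.
        return Decision.SELF_ATTEST if g.low_risk else Decision.NEEDS_APPROVAL

    def reactivate(self, user, resource, now, approved=False):
        # Self-attestation revives low-risk grants only; others need approved=True.
        g = self.grants.get((user, resource))
        if g is None or not (g.low_risk or approved):
            return False
        g.last_access = now
        return True

def demo():  # constructed timeline: one user, a low-risk and a higher-risk resource
    p, t0 = AccessPolicy(), datetime(2024, 1, 1)
    p.grant("student1", "library", True, t0)
    p.grant("student1", "grades-admin", False, t0)
    late = t0 + timedelta(days=45)  # both grants are idle past the limit
    return [p.authorize("student1", "library", late),
            p.authorize("student1", "grades-admin", late),
            p.reactivate("student1", "grades-admin", late)]  # attestation alone fails
```

Because a refused attempt leaves `last_access` untouched, repeated requests against a dormant grant cannot bring it back; only attestation (low-risk) or an approval can.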
Don’t forget the foundations
The basic building blocks have stayed the same and it is critical that they remain the foundation of all good security programs:
- Know your customers
- Know the risks they face
- Focus on risk not security
- Be practical and think about the level of security the customer needs
- Implement good cyberhygiene (check out this blog for more details: Why Practicing Good Cyberhygiene Critical)
- One tool will not solve all the problems
- Be proactive and not reactive whenever possible
- Link security to the business and be practical
- Focus on security architecture and not individual components
The foundations are critical, but as MSPs you also need to embrace the future and adapt. Look for new technology and new models that help you and your customers prepare.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.