COMMENTARY: Our world continues to revolve around data – and that’s why the evolving security landscape demands new processes and technologies to secure it.
By 2025 the global dataverse will reach a massive 181 zettabytes. While this explosion will undoubtedly lead to unprecedented opportunities for business, it also amplifies the risk factors – particularly when it comes to protecting business-critical data.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
One security challenge stands out: identity. After all, we must make data accessible to business stakeholders, whether internal, or third-party, for it to get used to enter new markets, analyze customer insights, and develop new products to outpace the competition.
In the age of AI, where 72% of teams say they are already leveraging some form of AI services at work, the lines between data and identity security are starting blur more than ever.
Think about an enterprise Co-Pilot, like Microsoft Co-Pilot or Glean. Those of us in the industry refer to these as non-human identities (NHI). These apps let employees quickly and efficiently find the information they are looking for across Microsoft 365, Google Drive, Box, Confluence, Notion, and many other platforms. However, the ability to do so securely depends on the native permissions in these platforms.
The challenge of aligning data and identity
So why we are only now discussing the need to align data and identity. To me, it’s a simple answer: few security vendors in the market address this convergence effectively. This forced security teams to manually stitch together disparate processes and tools on their own. Data discovery and classification tools of the past struggled with speed, the ability to support hybrid environments, and had poor precision – which led to false positives, and weakened data security posture.
But technology was not the only factor. Siloed internal security processes, disparate organizations, and a lack of communication across these teams also played an important role. Data was left to the data security team. Identity was left to the identity management team.
Moving forward, the days of viewing data and identity as distinct entities are numbered. These two sides of the same coin must be integrated more closely than ever before. Data security teams are asking where their sensitive data resides and who has access to it, and identity teams are asking if this user should have access to this data. This helps make it simpler for security teams to align data security with identity management, and helps foster the zero-trust principle of minimizing over-privileged access.
Data security programs must work to include identity access management, and identity access management programs must work to include data security. We don’t have to make this difficult: Security teams need to know where their sensitive data resides and who or what has access to that data. And, identity managers need to know what identities are operating within their environment, and then, under what context.
When speaking with CISOs about this, I like to use what we call “The OneDrive” scenario. Consider the security implications if a service like OneDrive were compromised for the company’s top 20 executives:
- Would the team know what data was impacted?
- Could the team determine who had access to it?
- Was the breach a compliance violation?
- How long would it take to assess the damage and its cost and determine materiality?
In 99% of cases, nobody knows. It’s critical that organizations can quickly discover and classify their data across all of their environments, understand who and what – both human and non-human identities – have access to sensitive data – as well as remediate unnecessary access.
The inability for most to respond to these questions underscores the importance of understanding the interconnectedness of data and identity. By getting this right, the time to value becomes immediate. Teams can minimize overprivileged access to align with zero-trust principles of data access. They can safely adopt AI without increasing business risk.
The future of security lies in a unified approach that treats data and identity as two sides of the same coin. It takes co-evolution – the process of continuing to evolve together. Only such as unified approach will let us adopt AI securely. Security teams that do this well will win the hearts and minds of the businesses.
Tamar Bar-Ilan, co-founder and CTO, Cyera
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
