Is Identity a Security Product?

About a year ago, my then manager challenged me to put some thoughts together on why Identity Management products are part of the Cybersecurity family rather than more of a general infrastructure product like the network. The timing, however, worked out for the best, since this January marks my 25 years working in the IT industry. And, while I’m not ready to reminisce about years past, as my journey in the industry continues, I thought I’d share my thoughts on this topic as a way to mark this milestone.

I’d like to start exploring this question by looking at endpoint protection products as an example. Endpoint Detection and Response products were one of the first standalone software packages designed for one purpose: to secure the computing environment against attacks executed by malicious code, and I’m an ex-McAfee EPO administrator. Typically, Endpoint Detection and Response products, or EDR, work in a similar way: you have an agent analyzing code/activities against known attack patterns and then taking a pre-determined action when a match is found. Administration is done with a standalone management console to control deployments, settings such as exemptions and scan schedules, and generate reports.

The notion of identity management began around the mid-1950s with Computers and Automation magazine using the term "computer user" in the way we use it today. As computing resources became more varied and accessible, mainframe owners had to manage shared access to mainframe resources. Over time, identities were also used for security purposes such as restricting access to data and individual computing devices. As an aside, before remote work became widespread, all identity systems depended on building access as an informal Multi-Factor Authentication (MFA) method. After all, if all corporate resources are only available through local area networks, portable computers are too costly to be distributed widely, and remote access is too slow to support more than a few users simultaneously, building access is an effective, though not foolproof, second authentication factor. Even in smaller organizations that do not use badges, coworkers would normally notice a stranger using a computer in a cube/office that is not theirs.

Identity management software stayed the same for more than 50 years, until about ten years ago. A new person in an organization gets an account with a secret to prove ownership. This only enables user authentication, not device or data access, which requires authorization or verification based on rights assigned by system administrators. This can be called “proactive” identity management, as users without valid credentials or authorization can't do anything, even if they don't exhibit a threat pattern. This is one of the major reasons some people don't view identity management as a security product: it overlooks signs of malicious activity as long as both authentication and authorization are successful.

On the other hand, most descriptions of ransomware attacks begin with "Attacker compromised a user and then gained higher privileges until they could evade security products". This suggests to me that the identity management system is a security product that supports the security of all other security tools. And I think the progress made in the identity management area in the past five years affirms this way of thinking.

The newest identity management systems have features that use Machine learning AI to check behavioral patterns before completing user verification/authentication. Alongside more traditional tools, they apply dynamic rules to assess the security posture of users and devices during the authentication process and make authentication decisions based on a variety of facts, such as the type of MFA used, the application access requested, etc. Additional features such as “just-in-time” privilege escalation add to the complexity of modern identity management products, which end up needing as much work in configuration and monitoring as the most advanced EDR packages.

Today’s identity management products are not just infrastructure tools that enable user access; they are essential components of a robust cybersecurity strategy that protect the organization from one of the most prevalent and dangerous threats: identity compromise. As the digital landscape evolves and new challenges emerge such as cloud migration, remote work, and zero trust architecture, identity management products will continue to play a vital role in securing the organization's most valuable assets.

P.S. Disclaimer: Microsoft Copilot for Word was used liberally to improve style and readability.
