Michael Jordan is zero trust, then identity governance is Scottie Pippen — Why cybersecurity is a team sport | 2020-11-20

If Michael Jordan is zero trust, then identity governance is Scottie Pippen — Why cybersecurity is a team sport

In the documentary The Last Dance, ESPN took us on a trip down memory lane by exploring Michael Jordan’s final season with the Chicago Bulls. With six NBA championships under his belt, Jordan’s unwavering competitiveness at being the best — and control of his teammates — was an essential factor in carrying the team to victory. He once flew to Vegas to force Rodman to practice. Talk about taking the bull by the horns. In addition to showing Jordan’s fierce commitment, the documentary also revealed the supporting characters that made him even greater: Pippen, Jackson, and even “practice skipping” Rodman. It took a team to win those championships, not one person, even if that person was Michael Jordan.

Basketball can teach us a lot about managing the cybersecurity of an enterprise: it takes teamwork. This is perhaps most evident as organizations seek to adopt zero trust principles. The zero trust concept is not new, but I hear more organizations discussing it than ever before — driven by a desire for greater security, more flexible access, and accelerated by the shift to remote work due to COVID-19. At its core, zero trust focuses on providing least-privilege access to only those users who need it. Put it this way: don't trust anyone and even when you do, only give them what they need right now. This security philosophy would make Jordan proud, but in that vein, zero trust would not work without another player: identity management (perhaps it’s the Pippen factor!).

Examining the Playing Environment

There is no doubt that enterprises' digital transformation efforts have accelerated in the last year, which means different things for different organizations. It could mean the transition from on-prem to either hybrid or cloud-only environments; it could mean the shift towards employees using their own computers, tablets, and phones (BYOD – Bring Your Own Device).

This shift in work from anywhere drives the need for increased self-service and password management and new ways to maintain the security of a workforce beyond an enterprise's traditional network perimeter.

The Next Play

In order to work, the zero trust method must be applied to all users and systems regardless of location — home or office, but where to begin? First, set a detailed plan for how you will implement zero trust over time. Budgets for this rarely exist, so outline a process in the context of broader organizational security. This will ensure stakeholders across your organization understand the vision, intent, and timing to achieve this. Next, you need to know where all your applications and data reside now and where will they be in the future. Cybersecurity is like basketball; it's a team sport. You will need to tap different plays and strategies to maintain this high level of visibility of users and applications/data.

Here’s the play: leverage solutions that continuously monitor, recognize, and automate changes in security posture, job assignments, and access policies. Consider solutions that integrate out-of-the-box via standard protocols to ensure your solutions are built to work together and are future-proofed. Centrally managed authentication and authorization controls are essential to your zero trust implementation. These answer the most basic questions of “are you who you say you are?” and “are you allowed to access the resources you’ve requested?”

Homecourt Advantage

I cannot stress this enough — what will keep enterprises moving forward is to see centrally, control, and manage change in their homecourt. This is not something that can be accomplished by basic access management and authentication, because they lack context. They know what is happening in real-time, but they don’t necessarily know the way things should be — who should have access to what. With identity management, you have the brains behind access at your fingertips, regulating how and if access should be granted or revoked and monitoring that access over time as a workers' role changes.

Identity management is about answering three main questions: who has access to what (current state), who should have access to what (desired state), and how is that access being used? For all users, all applications, and all data. This play is the strategic lynchpin for organizations because identity management controls the link between the entire user population and applications and data amid an enterprise’s digital transformation.

There are myriad external factors that are changing the way we do business today. With this change, CIOs must grapple with the security and compliance implications and the challenge of automating processes to ensure their people are productive. That's why it is my fundamental belief that identity is your right-hand person — the Pippen to your Jordan in today's enterprise.

Grady Summers is EVP, Product and Solutions at SailPoint. Summers specializes in identity and governance management.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.