Cybersec - Blog: 3 Steps to an Identity Security Strategy

3 Steps to an Identity Security Strategy

The Three Box Solution is a strategic framework developed by professor Vijay Govindarajan that involves balancing energy, time and resources in three domains: present, past and future. Perhaps a bit philosophical, but applied to (identity) security, the model can provide a shift in perception.

Many multinationals have successfully applied it to their business models, and it can also provide a welcome change of approach to security strategy. At its core, it is about breaking out of linear thinking, enabling organisations to respond more effectively and quickly to what lies ahead. Applied to identity, the first ‘box’ means optimising security measures for current identity systems so that legacy systems do not create unnecessary risk. The second ‘box’ is to phase out old identity management practices. The third ‘box’ is to build a modern Zero Trust architecture.

Three Box Solution

The Three Box Solution is a strategic framework based on an ancient Hindu philosophy, as described in Govindarajan’s book of the same name. It addresses the balance of energy, time and resources in three domains or ‘boxes’: the present, the past and the future. Govindarajan argues that the more leaders focus their plans on opportunities, the more likely they are to create a successful future.

The model promotes non-linear thinking and requires a shift in the traditional view of time as a series of successive events. It suggests that organisations must ‘make’ the future every day in order to achieve it. They do this by managing the present (optimising existing processes and systems), selectively forgetting the past (eliminating outdated practices) and creating the future (developing new ways of thinking and working).

To be successful, leaders need to demonstrate specific behaviours at each point on this continuum, as shown in the table below.

Box 1: Manage the present
Focus on improving and protecting current systems and processes. Run the current environment with maximum efficiency and reliability.
Actions and behaviour:
  1. Define goals to achieve maximum performance
  2. Use data to identify inefficiencies
  3. Optimise to do more with less

Box 2: Selectively forget the past
Leave the past behind by letting go of activities, ideas and attitudes that are no longer relevant; new technology creates new opportunities and challenges.
Actions and behaviour:
  1. Encourage divergent ideation
  2. Do away with the ‘we have always done it this way’ attitude

Box 3: Create the future
Innovate and invest in new technology to be future-ready. Integrate new ideas into products and create opportunities by embracing contemporary best practices.
Actions and behaviour:
  1. Encourage experimentation
  2. Test hypotheses about products, services and market development

Application to identity security

Global organisations such as GE and PepsiCo have applied the Three Box Solution to transform specific areas of their business operations. CISOs and security leaders can apply the same approach to improve their identity security strategy.


Box 1: Manage the present

Optimising security measures for current identity systems is often a matter of protecting legacy systems and improving monitoring and response.

Legacy systems often lack modern security features such as MFA support, centralised logging or fine-grained authorisation, which makes them attractive targets for credential theft and privilege abuse. Enforcing strong authentication such as multi-factor authentication wherever the system supports it, and regularly auditing who holds which access, are critical first steps. Where a legacy system cannot support these controls itself, a gateway (for example a privileged access proxy or jump host) can be placed in front of it: the gateway enforces authentication and records sessions, meets audit requirements, and isolates the legacy system so that it is no longer reachable directly.

Visibility is critical. Comprehensive monitoring that provides real-time insight into user activity, especially privileged sessions, lets security teams detect and respond to suspicious behaviour quickly. Security teams are increasingly turning to AI-assisted tooling to protect privileged access across environments and to provide real-time support and guidance to analysts.

Box 2: Selectively forget the past

Outdated identity management practices need to be identified and eliminated. Traditional approaches have often granted standing, excessive privileges, so that a compromised account is immediately usable for abuse. Adopting a ‘zero standing privileges’ model, in which no account holds privileges permanently and the minimum privileges needed for a task are granted only when they are needed and removed when the task ends, can significantly reduce this risk.

Legacy systems that are no longer supported or cannot be secured should be decommissioned. This reduces the attack surface and simplifies the IT environment. Of course, this is no easy task. Where decommissioning is not yet possible, isolate the legacy system and reduce its exposure to only those components that genuinely need to be reachable, and restrict access to them. This diminishes the chance of (known) vulnerabilities being exploited.

Box 3: Create the future with Zero Trust and modern identity security solutions

Looking to the future means embracing new security paradigms and technologies. Consider Zero Trust architectures, modern identity and access management (IAM), and zero standing privilege access in multi-cloud environments.

The Zero Trust model assumes that threats can come from anywhere and mandates continuous identity verification, device state monitoring and strict access controls. Implementing Zero Trust requires a shift from the traditional perimeter-based security model to one where access is granted based on dynamic risk assessments.

Identity security can be significantly improved by using advanced IAM solutions that support technologies such as biometrics, adaptive authentication (based on risk levels) and machine learning. These technologies provide more accurate user authentication and can adapt to changing risks and threats.

The principle of least privilege (POLP) means that every identity holds only the permissions its current task requires. Removing all persistent access and enabling just-in-time privilege elevation shrinks the window in which a compromised credential can be used, which significantly reduces the risk associated with sensitive sessions in the public cloud. Enterprises are increasingly turning to SaaS solutions to manage cloud access and achieve operational efficiencies. But what are the steps for a CISO looking to implement such a structured approach?
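The zero standing privileges model from Box 2 and the Zero Trust style access decision from Box 3 fit together in a single broker: nothing is held permanently, every elevation is requested with a justification, the request is evaluated against identity and device signals, and the resulting grant expires on its own. The following Python sketch is an added example written for this article; it is not CyberArk code or any product's API. The role names, users, the compliance signals and the 30-minute maximum are assumptions for illustration.

```python
"""Illustrative zero-standing-privileges broker (added example, not product code).

Accounts hold no permanent privileges. A caller requests elevation to a named
role with a justification; the broker grants it only if the request passes a
Zero Trust style policy check (MFA-verified identity, compliant device, role
the user is eligible to request) and the grant expires automatically. Every
decision is appended to an audit trail. Names and the policy table are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MAX_TTL = timedelta(minutes=30)   # assumed upper bound for any single elevation

# Assumed entitlement catalogue: which roles each user may *request*.
# There is deliberately no list of roles a user *has*: nothing is standing.
ELIGIBLE_ROLES = {
    "alice": {"db-admin", "k8s-viewer"},
    "bob": {"k8s-viewer"},
}


@dataclass
class Context:
    """What the policy engine knows about the requester at decision time."""
    user: str
    mfa_verified: bool
    device_compliant: bool   # e.g. disk encrypted, EDR healthy (assumed signal)


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    justification: str


@dataclass
class Broker:
    now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    _grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request_elevation(self, ctx: Context, role: str, ttl: timedelta,
                          justification: str) -> Optional[Grant]:
        """Return a time-boxed Grant, or None with the reason in the audit trail."""
        reason = None
        if not ctx.mfa_verified:
            reason = "identity not MFA-verified"
        elif not ctx.device_compliant:
            reason = "device not compliant"
        elif role not in ELIGIBLE_ROLES.get(ctx.user, set()):
            reason = f"{ctx.user} is not eligible for {role}"
        elif not justification.strip():
            reason = "missing justification"
        elif ttl <= timedelta(0) or ttl > MAX_TTL:
            reason = f"ttl {ttl} outside allowed window"
        if reason:
            self.audit.append(f"DENY user={ctx.user} role={role}: {reason}")
            return None
        grant = Grant(ctx.user, role, self.now() + ttl, justification)
        self._grants.append(grant)
        self.audit.append(f"GRANT user={ctx.user} role={role} "
                          f"until={grant.expires_at.isoformat()} why={justification!r}")
        return grant

    def is_authorised(self, user: str, role: str) -> bool:
        """Re-evaluated on every use: only an unexpired grant counts, never a default."""
        t = self.now()
        self._grants = [g for g in self._grants if g.expires_at > t]   # drop expired
        return any(g.user == user and g.role == role for g in self._grants)

    def revoke(self, user: str, role: str) -> None:
        """Early revocation, e.g. when the task ends or the session is flagged."""
        self._grants = [g for g in self._grants if not (g.user == user and g.role == role)]
        self.audit.append(f"REVOKE user={user} role={role}")


def demo() -> dict:
    """Walk the lifecycle with a controllable clock; returns the observed decisions."""
    clock = {"t": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}   # constructed time
    broker = Broker(now=lambda: clock["t"])
    alice = Context("alice", mfa_verified=True, device_compliant=True)
    bob_unmanaged = Context("bob", mfa_verified=True, device_compliant=False)

    r = {}
    r["standing"] = broker.is_authorised("alice", "db-admin")   # no standing access
    r["bob_denied"] = broker.request_elevation(
        bob_unmanaged, "k8s-viewer", timedelta(minutes=10), "check pods") is None
    r["alice_over_scope"] = broker.request_elevation(
        alice, "cluster-admin", timedelta(minutes=10), "ticket 42") is None
    grant = broker.request_elevation(
        alice, "db-admin", timedelta(minutes=15), "ticket 42: restore backup")
    r["granted"] = grant is not None and broker.is_authorised("alice", "db-admin")
    clock["t"] += timedelta(minutes=16)                           # grant has lapsed
    r["expired"] = not broker.is_authorised("alice", "db-admin")
    grant2 = broker.request_elevation(alice, "db-admin", timedelta(minutes=5), "ticket 43")
    broker.revoke("alice", "db-admin")                            # task finished early
    r["revoked"] = grant2 is not None and not broker.is_authorised("alice", "db-admin")
    r["audit_entries"] = len(broker.audit)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points a practitioner should take from this are that `is_authorised` never consults a static role list (there is none), and that the policy check runs on every elevation request rather than once at login, so a device that falls out of compliance or a user who loses eligibility is denied on the next request even if they were granted earlier.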

Bart Bruijnesteijn is solutions engineering director North Europe at CyberArk