
When businesses think about cybersecurity, they often picture defending systems and data. Increasingly, though, the real front line is identity. As Scott Shields, Sales Engineer at Delinea, explained at a recent TEISS dinner briefing, “identity is the new security perimeter”. It is at the core of modern frameworks like zero trust, where no user, device or system is trusted by default, but it brings its own challenges.
At this roundtable, held at the House of Lords in London, senior security professionals discussed how identity management is evolving and what steps businesses can take to strengthen one of the most critical elements of their security posture.
The new perimeter
The growing focus on identity is being driven by attackers themselves. “You’re owned when your identities are owned,” said one attendee. Many cyber criminals now target credentials, whether through phishing, credential stuffing, or exploiting poor identity governance.
While many organisations talk about adopting zero trust principles, the details often differ. One delegate said some businesses assume they have implemented zero trust without considering features like passwordless authentication, which can be a core part of the framework.
Yet passwordless systems present their own trade-offs. One-time passwords (OTP) are common, but increasingly vulnerable to interception or spoofing, so participants agreed that it is important to move to biometrics. One contributor noted that behavioural biometrics are a growing area of interest, promising the ability to identify users based on how they interact with their device.
A business-wide challenge
Implementing effective identity access management (IAM) is not purely a technical project. “It will fail without buy-in from the whole business,” one attendee said.
Governance is critical, but difficult to enforce, especially in decentralised organisations where different brands or divisions have varying needs - and their own budgets. Centralised identity solutions may look ideal on paper but often struggle to accommodate complex organisational structures.
An added complication is users holding multiple identities within the organisation. Someone working across two business units, for instance, may end up with conflicting or duplicated access rights, increasing the risk of accidental privilege escalation or governance failure.
Getting the board on board
As with many aspects of security, identity management ultimately depends on securing the necessary investment, and participants discussed strategies for budget conversations. Most agreed that the issue must be framed in terms that resonate with decision-makers, such as how spending will improve the business’s risk profile or the potential lost revenue if systems go offline due to a breach.
An uncomfortable truth is that the organisation’s official risk appetite may not match reality. Organisations might say they have a certain risk appetite but might be willing to ignore that if they can save money.
That can make it hard to enforce governance because staff get into the habit of simply accepting risk, even if that contradicts standards. This is a particular problem for internal audits, attendees said, which are easier to dismiss, so external audits or regulatory oversight is often vital to good governance.
The practical steps that are often missed
Admin accounts and service accounts - non-human credentials used by applications or systems - emerged as a persistent governance headache. “Very few businesses have solved the problem of service accounts and shared accounts,” Mr Shields said. “There are many more of these than human accounts, but companies don’t know where they are or how many they have.”
AI tools offer potential solutions, such as automatically identifying dormant accounts or flagging credentials that are no longer required. But tools alone are not enough. Without clear processes and oversight, automation can add complexity rather than reduce it.
Security leaders also face growing tension between strong governance and smooth user experience. Some participants emphasised the principle of least privilege, giving users only the access they need, but recognised that this must be balanced with usability. If security measures are too restrictive, employees may find insecure workarounds.
The growing use of personal devices adds further complications. In sectors like retail, asking employees to verify their identity on personal phones can create problems. For instance, in France, workers cannot legally be required to use personal devices for work. Even where it is permitted, customers may perceive staff checking phones at the till as unprofessional.
No simple fix
Looking further ahead, some organisations are exploring Bring Your Own Identity (BYOI) models, where individuals use independently verified credentials issued by trusted providers like Microsoft. While still in the early stages, BYOI could eventually offer a more flexible and user-friendly approach to authentication.
As the briefing concluded, Shields reminded attendees that identity security is not something that can be solved in a single project. Rather than a single fix, it requires multiple standards and processes. Metrics and regular reporting are essential to track progress and demonstrate ongoing improvements.
What emerged from the discussion was not a sense that any one organisation had solved the identity challenge entirely, but rather that many are wrestling with the same issues. Sharing experiences, Shields suggested, may prove one of the most valuable ways forward.