By nearly all accounts, security leaders are increasingly shifting their focus from perimeter defenses such as the long-relied-upon firewall in favor of embracing a zero-trust approach. That, in turn, has put the need for strong identity programs front and center, and more specifically has boosted the identity-first strategy into the mainstream.

Research confirms as much. Take, for example, the figures in the 2023 State of Zero Trust Security report. This report, from security software maker Okta, found that 61% of the 800-plus IT and security decision-makers it surveyed said their organizations now have a defined zero-trust initiative in place, with another 35% planning to implement one soon.

Furthermore, the report found that organizations have increased their work around identity controls as part of that nearly universal adoption of zero trust, noting that 51% of respondents deemed identity “extremely important,” up from the 27% who said as much in 2022. Moreover, the 2023 report found that an additional 40% of surveyed leaders called identity “somewhat important.”

Report authors declared: “In a world where traditional network perimeters have all but disappeared, Identity has emerged as the new perimeter -- the place where defense has to start.”

Implementing identity-first strategies can be a struggle

Despite the high value that nearly all organizations say they place on identity, security leaders also admit that they’re struggling to implement the identity-first strategy that has become central to successfully creating a zero-trust security program.

Another report, the State of Identity Security, released in September 2023 by security software maker Silverfort, quantified some of the problems. It found that 65% have not implemented multifactor authentication comprehensively enough to provide sound protection; 94% do not have full visibility into their non-human identities; and 78% said they cannot prevent the misuse of service accounts in real time because of low visibility and an inability to enforce MFA or privileged access management (PAM) protection.

Additionally, the report found that only 20% said they were highly confident that they could prevent identity threats. Yet the need for improvement around identity was clear, as 83% of surveyed organizations said they had experienced an identity-related breach involving the use of compromised credentials.

Security consultants and researchers say they’re seeing similar dynamics among CISOs and their security programs, with many security chiefs believing that a solid identity function is foundational for a successful zero-trust program yet falling short in their efforts to launch an identity-first approach -- and, thus, to bolster their overall security efforts.

“If you don’t have a great identity program it’s going to impact your other security domains and posture,” says Rajesh Radhakrishnan, a managing director at professional services firm Deloitte.

What is identity-first security?

An identity-first strategy is all about knowing the identity of every human and non-human entity that accesses resources within the enterprise. In other words, the strategy calls for the organization to know each employee, contractor, and business partner, as well as each endpoint, server, or application, that seeks to connect. It is also often called identity-centric security.

It’s foundational to implementing zero trust because zero trust says to trust no entity until that entity -- whether human or machine -- can authenticate that it is who it says it is and can verify that it has been authorized to access the network, application, API, server, etc. that it’s seeking to access.

Everest Group, a research and advisory firm, estimates that 65% of its clients opt for an identity-based zero-trust implementation approach (versus 35% opting for the overlay network approach).

Identity is becoming the first line of defense

“Identity is becoming the default perimeter; it’s becoming the first line of defense,” says Kumar Avijit, a practice director in Everest Group’s Information Technology Services team.

As Avijit explains, no single solution delivers an identity-first strategy. Rather, it requires a synthesis of policies, practices and technology -- like nearly everything else in cybersecurity. Those elements must come together to achieve three key objectives, says Henrique Teixeira, senior director analyst at Gartner, a research and advisory firm.

They must bring consistency, that is, applying identity-based decisions to all kinds of assets, such as networks, applications and servers. They must also become context-aware, whereby policies and controls aren’t “static and based on IP addresses but are based on the risk profile of an identity and that risk profile is adjusted dynamically based on context” such as the identity’s location, the device being used and the time of requested access.

A deviation from the expected context in any of those areas may prompt extra layers of verification before granting access; the ability to detect such a deviation and request extra verification is a significant element of context awareness.

Additionally, this approach requires delivering consistency and context continuously, and not just, for example, at the time of log-in.
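To make the three objectives concrete, here is an added Python illustration of a context-aware, continuously re-evaluated access decision; it is not code from the article or from any vendor named in it, and the profile fields, score weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline for one identity; in practice it would come from IAM/UEBA data.
@dataclass(frozen=True)
class IdentityProfile:
    identity: str
    known_devices: frozenset
    usual_countries: frozenset
    work_hours: tuple  # (start_hour, end_hour) in the identity's local time

@dataclass(frozen=True)
class AccessContext:
    asset: str      # "network", "application" or "server": one policy for all (consistency)
    device_id: str
    country: str
    when: datetime

# Score weights and thresholds below are assumptions chosen for illustration.
def risk_score(profile: IdentityProfile, ctx: AccessContext) -> int:
    """Sum the deviations from the identity's expected context (0 = fully expected)."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += 40  # unrecognised device
    if ctx.country not in profile.usual_countries:
        score += 35  # unusual location
    start, end = profile.work_hours
    if not start <= ctx.when.hour < end:
        score += 15  # outside normal working hours
    return score

def decide(profile: IdentityProfile, ctx: AccessContext, mfa_verified: bool = False) -> str:
    """Context-aware decision: allow, require step-up verification, or deny."""
    score = risk_score(profile, ctx)
    if score >= 70:
        return "DENY"
    if score >= 30 and not mfa_verified:
        return "STEP_UP"  # deviation detected: ask for an extra layer of verification
    return "ALLOW"

def evaluate_session(profile: IdentityProfile, contexts: list, mfa_verified: bool = False) -> list:
    """Continuous evaluation: re-decide on every observed context change, not only at log-in."""
    return [decide(profile, c, mfa_verified) for c in contexts]

def sample_profile() -> IdentityProfile:
    return IdentityProfile("alice", frozenset({"laptop-01"}), frozenset({"US"}), (8, 18))

def make_ctx(asset: str, device_id: str, country: str, hour: int) -> AccessContext:
    return AccessContext(asset, device_id, country, datetime(2024, 1, 15, hour, 0))
```

A session that starts on a known device in the usual country and then appears from another country evaluates to ALLOW followed by STEP_UP, which is the mid-session deviation the text describes.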
Teixeira says all three C’s -- consistency, context and continuousness -- must work in concert, and they must do so across the entire IT environment.

Identity has become an interconnected concept

As he explains: “In the past identity was a silo; it was a networking thing. Now identity is interconnected. It’s no longer a siloed discipline. It’s about applying this identity consistency everywhere. Identity is now integrated.”

Multiple technologies enable and support this. One such enabling technology is the identity and access management (IAM) solution, which has been standard in enterprise security for many years. A user and entity behavior analytics (UEBA) solution, which tracks and analyzes user and entity behavior to determine what’s normal and to flag suspicious activity, is another increasingly standard tool in most enterprise security functions. Newer technologies supporting an identity-first approach include zero trust network access (ZTNA), cloud security posture management (CSPM) and data security posture management (DSPM) solutions.

Moreover, organizations must enable integration of these tools with the right architecture, which allows the technologies to work together for a more seamless and secure experience and to break down any remaining silos within the identity function.

All that, Teixeira says, is essential for delivering the necessary consistency, context and continuousness while still supporting the business’s need for rapid access to systems.

Implementation challenges for identity-first security

Although research has found that nearly all organizations see identity security as critical, gaps in this area exist.

The 2023 State of Identity Security report from security software maker Oort speaks to this point, noting, for example, that the average company has 40.26% of accounts with either no MFA or weak MFA, and that dormant accounts make up 24.15% of the average company’s total accounts and are regularly targeted by hackers.

Such figures don’t surprise security consultants and researchers, who say a multitude of challenges face CISOs as they put identity front and center.

To start, there are cultural challenges. The granular approach required by an identity-first strategy is drastically different from the way security has traditionally devised access management.

“We’re trying to undo an entire way of existence,” says Keatron Evans, vice president of portfolio and product strategy at cybersecurity training company Infosec, part of Cengage Group. For decades IT allowed access to almost anyone physically within the organization’s facilities, Evans explains, “so moving to an identity-first approach goes against everything we’ve been doing for the past 50 years with computing. I think that’s the biggest challenge.”

That mindset shift is far from the only big challenge, however, according to Evans and others.

Integrating modern identity and access solutions with legacy systems is also a challenge. Additionally, many CISOs struggle to collect and analyze the data needed to devise, implement, support, and automate strong and dynamic identity and access control policies, Radhakrishnan says.

Finding funding for identity control can be a challenge

And even if CISOs have plans for overcoming such challenges, Evans says they often run into issues securing the money they need to address all those problems. But an unlimited security budget (not that such a thing exists) won’t solve everything, experts say. CISOs and their teams still must make all the elements -- the data, policies, processes and technologies -- work together seamlessly as well as nearly instantaneously and continuously. That ongoing synchronization, experts say, is itself a significant task.

And that task must take priority to succeed, something that doesn’t always happen. “There is a lot of noise in the market about zero trust and identity-first or identity-centric security, but it’s often looked at as a secondary or tertiary control,” Radhakrishnan says.

However, experts say CISOs are making progress in overcoming those challenges. Teixeira points to a recent Gartner survey, which found that 63% of organizations have implemented continuous controls and 92% have implemented contextual signals to influence decision-making. Moreover, the survey found that adoption of workforce access management solutions stands at 58% among respondents who have some involvement in or responsibility for their organizations’ IAM.

Others note additional progress. For example, the vast majority of organizations now see identity as critical -- so CISOs are gaining the necessary support from their executive colleagues to invest in planning and implementing the components needed to put identity at the center of their security posture.

They also are advancing their identity programs as their IT departments modernize legacy environments and shift from on-premises applications to cloud-based ones that come with, and integrate well with, modern identity and access tools.

And CISOs are shifting from static policies around identity and access to more dynamic ones -- a move that’s essential in a world where virtual and distributed work environments are the norm and risks are dynamic, too.