“Who are you?” is one of the first questions when we meet strangers.
It’s also the first question a security system asks when anyone tries to access a network. Without verified identity, access is denied.
Yet identity management — and its twin, access management — is still a huge problem. According to the 2022 Verizon Data Breach Investigations Report, 40 per cent of the 3,875 incidents it looked at involved the use of stolen credentials.
According to a survey of 100 IT and security pros done last year for identity provider Radiant Logic, 61 per cent reported that their business views identity management as too time-intensive and costly to manage effectively on an ongoing basis (although almost the same number agreed it is of vital importance).
These numbers should be kept in mind because today is the annual Identity Management Day, observed on the second Tuesday in April. It’s a day when IT leaders should think about their identity and access management strategy — or lack of one.
As part of the event today, the U.S.-based Identity Defined Security Alliance is holding a day-long webinar, while Canada’s IdentityNorth starts a two-day online symposium on Wednesday.
“As we celebrate Identity Management Day, IdentityNorth wants to emphasize the importance of advancing trust in all aspects of identity management,” said Krista Pawley, digital transformation and inclusion leader and event co-chair of Identity North. “This includes trust in data, building trust with users, and future-proofing IT systems. With sensitive information at risk, building digital trust must be a top priority for IT managers.”
According to the Identity Defined Security Alliance, this is a day to raise awareness about the dangers of casually or improperly managing and securing digital identities.
Account management is important enough that it ranks Number Five in the Center for Internet Security’s Top 18 security controls — and access control management is Number Six.
“Treat identity management like a plan, not a one-time project,” urges Geoff Cairns, a principal analyst in Forrester Research’s security and risk practice.
Identity management starts, Cairns said, with having executive buy-in to having a plan that recognizes not everyone can access everything. Some employees will have access limited by their roles.
Briefly, experts say, this means management agreeing to a zero-trust approach to security: Don’t trust everyone who can log into the network. There has to be regular authentication for accessing sensitive assets.
Access to data or an application can be granted through role-based access control (based on a user’s role) or attribute-based access control (based on user attributes, for example everyone in the human resources department being able to access a project management tool), or both. The IT leader will have to find a solution that automates provisioning.
This is followed by security control Two: Inventory and rank your software assets — because management can’t decide what employees and customers can access if it doesn’t know the data it holds.
Then follow access control best practices and policies to limit access to data to only those who need it.
In some circumstances, notes access provider StrongDM, the principle of least privilege doesn’t provide the necessary flexibility that certain situations require. For instance, a help desk associate may need a temporary elevation of privileges to troubleshoot a customer’s urgent ticket. One way to enforce identity and access management best practices, yet still support the principle of least privilege without compromising user experience, is by leveraging just-in-time access.
A vital step in identity management, Cairns said, is limiting identity sprawl — making sure that identities are revised when staff changes roles and revoked when they leave the organization. That’s where identity governance — regularly auditing usage and reducing unnecessary standing permissions — can pay dividends, he said.
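As an added illustration that is not part of the article, the following Python sketch ties together the three ideas above: role- and attribute-based grants, just-in-time elevation that expires on its own, and a governance check that flags stale identities and strips everything from a leaver. The roles, attributes and permission names are constructed for the example.

```python
# Added example (not from the article): a toy policy engine showing
# role/attribute-based grants, just-in-time elevation that expires on its own,
# and a governance check for stale or offboarded identities.
# Role names, attributes and permissions are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

ROLE_PERMS: Dict[str, Set[str]] = {          # RBAC: role -> standing permissions
    "helpdesk": {"ticket:read"},
    "hr": {"hr_tool:use"},
}
ATTR_RULES = [("department", "hr", "project_tool:use")]   # ABAC: attr == value -> permission

@dataclass
class Identity:
    name: str
    roles: Set[str]
    attrs: Dict[str, str]
    last_login: datetime
    active: bool = True
    elevations: Dict[str, datetime] = field(default_factory=dict)  # perm -> UTC expiry

def effective_perms(ident: Identity, now: datetime) -> Set[str]:
    """Standing RBAC/ABAC permissions plus any JIT elevation still in force."""
    if not ident.active:                      # revoked identities get nothing
        return set()
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in ident.roles))
    perms |= {p for a, v, p in ATTR_RULES if ident.attrs.get(a) == v}
    perms |= {p for p, exp in ident.elevations.items() if exp > now}
    return perms

def grant_jit(ident: Identity, perm: str, now: datetime, minutes: int = 30) -> datetime:
    """Temporary elevation: expires by itself, so no standing permission is left behind."""
    ident.elevations[perm] = now + timedelta(minutes=minutes)
    return ident.elevations[perm]

def offboard(ident: Identity) -> None:
    """Leaver process: disable the identity and drop any elevations."""
    ident.active = False
    ident.elevations.clear()

def audit_stale(identities: List[Identity], now: datetime, max_idle_days: int = 90) -> List[str]:
    """Governance check: active identities not seen within the idle window."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(i.name for i in identities if i.active and i.last_login < cutoff)
```

The point of `grant_jit` is that the elevation is checked against the clock on every evaluation, so the help-desk scenario from the article never turns into a permanent privilege.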
Password management is another step. Although passwordless solutions such as biometrics are increasingly being used by organizations, experts say passwords will be with us for some time. So a login password — or passphrase — policy is a good place to start. This is especially important if the organization uses single sign-on tools. These days, adding multifactor authentication — whether biometric or a one-time code — is vital. Look for phishing-resistant MFA.
Finally, don’t forget that machines — such as sensors, servers, PCs, smartphones or POS devices — may need identity management as well as people.
Chris Hickman, chief security officer of Keyfactor, notes that Google’s initiative to shorten digital certificate lifespans to 90 days from 398 days will complicate identity management. On the one hand, the shorter the window of opportunity to use a stolen certificate, the greater reliance a system can put on the authenticity of the device or workload presenting that digital credential. On the other, “it’s a significant jump and would require a higher degree of automation to manage frequent updates, or significantly more manual labor to keep up,” he said in an email.
The biggest mistake IT or identity leaders make is trying to do everything at once, Cairns said. “Break down things into chunks that you can prioritize. Getting your arms around what you have — your user base, user population, the different roles and attributes … is at the top of the list.”
Another big mistake is expecting a technical process to solve what is fundamentally a process problem, he added. Identity management depends on a solid strategy and plan that covers people, business processes and technology.
“Identity Management Day underscores the importance of protecting our digital identities now that identity-related data breaches are becoming more frequent,” said Stuart Wells, chief technology officer of Jumio. “Organizations and the public alike must adjust to the current cyber threat landscape and take action by securing and responsibly managing their digital identities. After all, identity-related information remains one of the most coveted data by hackers, and commonplace security measures like passwords, two-factor authentication and knowledge-based authentication are no longer enough to keep data safe. Although cybersecurity is enhanced and developing daily to safeguard data, cybercriminals continue to find new and better ways to access it.”
“It is crucial for IT and security teams to effectively manage and regularly safeguard all digital identities in their environment, as most breaches today start with compromised identities,” said Kevin Kirkwood, deputy chief information security officer of LogRhythm. “The best chance of defending against fraudsters trying to access sensitive data is for organizations to deploy the requisite level of security that supports identity access management (IAM) solutions along with enabling consistent identity and single sign-on (SSO) through SIEM (security information and event management) integration.”
Hackers don’t break in; rather, they log in, said Almog Apirion, chief executive officer and co-founder of Cyolo. “So, when we talk about enterprises, we need a shift into a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over the access to their most critical systems.”