
First-Ever ‘Identity Management Day’ is April 13

by Jon Seals | April 9, 2021

Tuesday, April 13, 2021 is the first-ever Identity Management Day, a special day of awareness founded by the Identity Defined Security Alliance (IDSA), to educate and engage business leaders and IT decision makers on the intersection of identity management and security.

Julie Smith, executive director of the IDSA, says recent research by the IDSA revealed that 79% of organizations have experienced an identity-related security breach in the last two years, and 99% believe those identity-related breaches were preventable.

Also supporting Identity Management Day is Kelvin Coleman, executive director at the National Cyber Security Alliance (NCSA). As NCSA’s executive director, he leads organizational growth by facilitating strategic partnerships and alliances with government, industry and non-profits, and recognizes how deeply necessary it is to raise public awareness around the cyber threats that result from weak identity protections.

EXPERT COMMENTS

Alex Pezold, CEO, TokenEx

“Identity Management Day is a great opportunity to talk about the privacy-protecting benefits of de-identification. De-identification, also known as pseudonymization, is the process of removing certain identifying elements from a set of sensitive data so that it no longer identifies the individual from whom it was collected. By removing these identifiers via tokenization or similar technologies, organizations can continue to use the data while reducing the likelihood that it could be re-identified to reveal the original data subject in the event of a breach or other exposure.”

Art Gilliland, CEO, Centrify

“In the last year, 90% of cyberattacks on cloud environments leveraged compromised privileged credentials. This alarming finding illustrates how cyber-attackers are easily accessing critical systems and sensitive data through improperly managed credentials — and leveraging identity sprawl across a threatscape expanded by digital transformation. 

“The reality is that these adversaries no longer ‘hack’ in – they log in, using stolen identities and weak or default credentials. Identity Management Day not only reinforces the need for good cyber-hygiene but also to use technology solutions available to vault, authenticate, manage, and secure privileged identities and access. 

“Modern privileged access management (PAM) solutions based on Zero Trust principles can minimize shared accounts and allow human and machine identities to log in as themselves. These tools should automate privileged access controls, reduce administrative risk, and strengthen compliance postures to protect the keys to the kingdom.”

Ralph Pisani, president, Exabeam

“Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks. Login credentials have significant value, and the threat of theft persists from adversaries. The challenge is that usernames and passwords remain critical in our daily lives, from helping us complete work to carrying out personal matters like online shopping, banking or connecting with friends over social media. 

“Billions of previously stolen credentials live on the dark web, and we’ve just accepted that they fuel the underground economy and enable more credential stuffing attacks. We know that the hackers are bold and unconcerned with being detected on the network because they use sophisticated methods that mimic typical user activity. If their access is gained using valid credentials, it makes them even more difficult for administrators to catch.

“We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing. Organizations across industries can invest in machine learning-based behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”

Nick Santora, CISA, CISSP, Curricula CEO

“The biggest challenge I see is the ‘set it and forget it’ mentality. Although we all want to be able to set something up once and forget about it forever, identity management is not the case. Someone is coming in and inputting this data at some point. A regularly scheduled internal ‘pulse check’ is good to see if what we expect is being done, is actually being done. Sometimes you would be surprised at what a quick review can uncover with out-of-date or incorrect information lying around.”

Don Thibeau, OpenID Foundation, Open Identity Exchange, Global Open Finance Center of Excellence

“The biggest challenge related to identity management/identity security is, like plumbing, when installed correctly it is silent, secure and reliable, and when maintained well, vital to one’s health. The one piece of advice I would give: patience.”

Jerome Becquart, COO, Axiad

“As the number of remote users and devices on company networks increases, many customers are searching for a passwordless solution to protect them against the threats of today and tomorrow. However, there’s currently no one credential that can authenticate all business use cases. Our customers are finding themselves adopting multiple identity credentials to meet all use cases, such as YubiKeys, smart cards, TPM, mobile authenticators, and more. This can strain their IT resources and is complex for their end users to manage and keep track of. 

“We advise customers to stop managing their credentials in silos. They can instead use one credential management platform to manage all their identity credentials. This streamlines deployment and lifecycle management for IT teams and simplifies the user experience. By taking a holistic approach to identity management, businesses can accelerate their journey to passwordless and ensure identity security for all their users and devices.”

Greg Keller, CTO, JumpCloud

“In a phrase: Remote work. The biggest challenge facing our customers is properly securing their employees as they shift – many permanently – to home office and remote work. Given this model, the concept of a traditional ‘domain’ has essentially imploded, leaving IT and security professionals scrambling to ensure their employees’ devices are secure, that they are the only devices allowed access to corporate resources, and that users accessing those same resources really are who they say they are. At a minimum, IT must ensure their MFA game is strong and establish an identity management system that has no prerequisites to being on-premises any longer. Those days are gone.”

Kristin Judge, President/CEO, Cybercrime Support Network

“Many consumers still think that multi layered authentication is a technical tool only designed for people who understand computers. With the advances in MFA over the past few years, that is no longer true. Strong authentication is for anyone!”

James E. Lee, COO, ITRC

“Without a doubt the biggest threat we see to identities is the dramatic shift to credential theft and away from traditional personally identifiable data acquired in mass attacks. Threat actors are far more interested in collecting personal and business logins and passwords that can be used in credential stuffing, BEC, and supply chain attacks. Why attack 1000 consumers to gain $300,000 when you can attack one business and walk away 3x that or more?

“The advice we give consumers and businesses is simple: good password & cyber hygiene. Long, memorable passwords (12+ characters); a unique password for each account; no sharing passwords at work & home; multi-factor authentication with an app, not SMS when possible; and, never click on a link in an unsolicited email, text, or social media DM – check the sender to see if it’s a legit address and contact the sender directly if in doubt.”

Rebecca Archambault, Trust Identities Leader at Highmark Western and Northeastern New York

“You cannot fully transform your digital presence, or your digital business, without focusing on the digital identity. It should be the first foundational component you understand within your Cyber Security team. The biggest challenge that I see is that most organizations don’t fully recognize the role of identity and its impact to every facet of their business.  

“My advice would be to make a commitment to invest into an identity strategy, and establish a forward-looking approach. It needs to address the mounting technical debt that legacy systems and applications carry with them. It needs to include implementation of a modern identity solution that simplifies, innovates and enables their business. And finally, the strategy needs to take a ‘risk aware approach’ to balance the customer experience while increasing security.”

Ebbonie Kirk – Account Executive, SecurID, an RSA Business

“Now that organizations have so many users working from home, they are facing new challenges in both access rights and authentication security. 

“SecurID’s advice: Take a step back now that the dust has settled a bit from 2020 and truly assess where your weaknesses lie both in granting work from home access and what data and systems your key users still need for their roles.”

Wes Wright, CTO, Imprivata

“In healthcare, the biggest challenge is finding the resource for implementation and management of the program. Pre-COVID, healthcare IT staff had more work than they could handle. Now, with the addition of the COVID requirements, HIT staff just can’t find the time to implement. My best piece of advice around this is, first, don’t think of identity management as a project – it’s a journey that continues. If you have to name it something, call it a ‘program.’ Second, it’s not an HIT program, you must garner the support and championing of the program from a diverse set of executives (HR, CMO, COO, CIO, CISO, etc.). This way, when you have to forego other projects (the main problem as noted above), then you have the support of other executives, whose projects are probably going to be delayed. As in almost every problem in life, it’s all about communication and collaboration.”

Joseph Carson, Chief Security Scientist and Advisory CISO, Thycotic

“The biggest challenge faced by many customers that are prioritizing and beginning their journey to identity and access management is literally where to start with so many options such as single sign-on, multi-factor authentication, success metrics, provisioning, deprovisioning along with access and entitlements.

“My advice for companies that are looking for the best practices on where to start a successful journey is to start with the most sensitive accounts in the organization such as privileged access and 3rd party access that, if compromised, can lead to very damaging security incidents. Get in control of the accounts that matter the most and then continue to roll out those security controls to other accounts in the organization. To help companies get on the right path Thycotic has created the Privileged Access Management checklist that will help organizations navigate the complexities, map out a path to access and help ask the right questions.”

Firas Azmeh, General Manager, Personal Digital Safety & Carrier Partnerships at Lookout

“Technology has advanced our world in countless ways, including how we navigate and manage our everyday lives. With just a few clicks from our devices, we bank, shop, conduct business, and exchange photos and messages with family and friends. This rapid adoption of technology comes with inherent risk to user privacy and digital security. In recent years, massive corporate data breaches have exposed billions of sensitive customer records. Once a person’s data is compromised, they can be at risk of phishing attacks and identity theft for years. While news headlines and media coverage of major data breaches have contributed to broader consumer awareness, most people still struggle to understand the full array of digital risks that can jeopardize their personal information or the best steps to take to safeguard their identity.

“We recommend that consumers adopt best practices to increase their security hygiene and use solutions that offer remediation after Identity Theft occurs, and provide proactive protection against those threats that can lead to ID theft in the first place. Identity protection should ensure that a customer’s privacy and personal information are protected at every level – from the device they use to the apps they download, the data they access and share online, and the networks to which they connect. And if a problem ever emerges, customers have full insurance coverage and expert assistance to best safeguard their identity & finances from theft.”

Dan DeMichele, VP of Product, LastPass by LogMeIn

“Since remote and hybrid work has become the new norm, the threat surface has exponentially expanded, and organizations’ IT departments are facing new security challenges. The biggest challenge our customers face is that regardless of their size, they’re increasingly targeted by hackers looking to get their hands on personal data and intellectual property. While many small and medium-sized businesses may not have the resources to implement robust security programs, their IT teams are nonetheless tasked with securing all entry points, including cloud apps, unsecure Wi-Fi networks and unknown or personal devices. In addition to managing the expanding security landscape while dealing with limited time, staff and resources.

“In order to maintain a high level of security, IT managers have to focus on securing the identity of the user, as it is the new security perimeter. To do this, IT managers should implement solutions like enterprise password management, single-sign-on, and multifactor authentication solutions that will provide visibility into user behaviors across apps and devices, keeping remote employees and company networks secure. Perimeter security is bolstered when these technologies work together under one umbrella. With these solutions in place, IT can quickly deploy tools, enable authentication methods, and set security policies while providing end users easy access to the tools they need to get work done. Both administrators and end users are enabled to seamlessly carry out their day-to-day work and responsibilities.”

Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security

“The shift to the cloud has fundamentally changed the way we approach security. The security paradigm has changed and it’s critical for companies to update their strategies accordingly. An organization not only needs to inventory its person and non-person identities, as well as what they can and are doing, but needs to continuously monitor them. The once a quarter reviews are dead. Along with this, it is critical for a company to know at all times where their data is, who has access to it and what an identity does with the data. No longer is it about getting to least privilege and least access, it is about continuously staying there and getting notified whenever something changes. Companies that fail to mature their security with this paradigm shift will be left picking up the pieces after a breach.”

Yash Prakash, Chief Strategy Officer, Saviynt

“Identity-related data is growing at a rapid rate. It started with traditional employees, vendors, contractors, customers and partners, but has quickly grown to include silicon entities like IoT devices, bots, service accounts, RPA, workloads and more. These new machine identities need access to data stored across on-premise, SaaS and multi-cloud environments. This, coupled with the shift towards remote work, has exacerbated security and compliance concerns for our customers, regardless of industry.

“I give all our customers the same advice – which is centralize. Multiple point solutions to try and protect identity data will create more headaches and challenges than they are worth. Not only do these solutions need to work, they also need to meet strict compliance standards and mandates. A central solution is critical, not just to address identity and access risk across all assets, but to help with speeding digital transformation, which is a key need for our customers.”

James Carder, LogRhythm, CSO and VP LogRhythm Labs

“I think the biggest identity management/identity security challenge today still revolves around people and the technology they use. We still have challenges with understanding roles and responsibilities and how that relates to access and rights. We also have issues with the devices they use, if they are trusted device identities or not. We have significant challenges managing identities when they are no longer in our control (e.g. think about your PII leaving your company and an inability to validate that identifiable information is protected and safe). Even if we do have a great understanding of these pieces, we’ve misconfigured something (a human) and ultimately fail in delivering on the intent of your identity centric control in the first place.”

Tom Malta, Navy Federal Credit Union, Head of Identity and Access Management

“As a practitioner in the space for the last 20+ years, I am amazed at how often I come across basic IAM hygiene things companies need to be doing, but they still struggle with! Even in mature IAM programs, some of the basics may be missing… Two of the most common would be 1 – off-boarding personnel in a timely manner, and 2 – inactivating unused/orphan credentials when no longer needed –

  • How many times has that contractor left and you failed to disable his/her access until months later?
  • How many times have you come across privileged service accounts that you cannot identify an owner for?

“Many firms have mature programs that offer full automation for on boarding, but when it comes to disabling and removing access – many will say it is often a complex manual task because we don’t have a single place to leverage that tells us everything that Jimmy or Suzie had before they left.  

“If you cannot identify every identity + access pair in your enterprise (who has access to what), then it will likely lead to many inactive / unused credentials over time because ownership will not be obvious and those “orphans” are indeed the primary targets for the bad guys as well…” 

Narendra Patlolla, Gallagher, Head of Cyber Architecture

“One of the key challenges I see with implementing a successful IAM program is managing the expectations with the key stakeholders (both business and IT). Managing expectations effectively and keeping the stakeholders informed will help minimize the friction for a predictable program delivery.

“As organizations continue to expand and adopt cloud offerings, the need for IAM requirements (people, process and technology) should change as well. While some of these changes may be a net new to most organizations, as Tom and James mentioned below, they should continue to focus on basic IAM hygiene (revoking access in a timely manner, implementing role based access, minimize or eliminate non SSO external apps, guard privileged credentials and last but not least manage authorization appropriately) and incorporate these into cloud services for full coverage.”

Carlos Garcia, Sr Principal Architect, Enterprise Clinical Technology – Genomics, Optum

“I think the biggest challenges remain the fundamentals. So many organizations are still trying to implement provisioning and attestation beyond the core major identity systems like their AD and HR systems. I think great technologies like SAML, when used within an enterprise, are great for integrating applications especially after acquisitions, but often become band-aids that mask the underlying issues of dispersed identity silos. The hard work is getting all these systems centralized or at least well managed through best practices around governance and especially deprovisioning. This is an endless challenge with large enterprises that do many small acquisitions a year. Many times the challenge becomes the cost of integrating acquired entities if your systems are too inflexible.

“In addition, as multi-cloud adoption grows, managing all those identities and especially the governance around what authorization they have is a big challenge. The business wants to move faster than you have time to create new policies, so thinking ahead of the business challenges coming is important.”
