Today, April 12, is Identity Management Day 2022. The Identity Defined Security Alliance (IDSA) and the National Cyber Security Alliance (NCSA) jointly promote the importance of effective identity management on this day and throughout the year. Last year’s focus was identity theft.
Our Online Identities
Our business and personal worlds rely heavily on digital tools, software apps, websites, and online platforms. Access to all of these online resources requires unique logon credentials.
Keeping our logon credentials secure and private has never been more crucial. Our digital credentials are vital in protecting our online identities during every transaction we conduct online. Whether we are working, browsing, socializing, banking, researching, shopping, or selling, any one of our online activities can put us and our employers at serious risk. Those risks include hacked accounts, hijacking of sensitive data, and identity theft. None of these experiences is welcome.
Identity Management Defined
According to the online information technology glossary provided by Gartner, Identity and Access Management (IAM) is defined as “the discipline that enables the right individuals to access the right resources at the right times for the right reasons.”
The intent of identity management and access management protocols is to ensure appropriate and secure access to needed resources across multiple technologies and platforms. Without robust identity and access management practices, our digital security may be weak or non-existent.
The Perils of Poor Identity Management
As with all security weaknesses, there are risks associated with poor digital identity security. Many hacks and data breaches are the result of weak identity management procedures. According to DigiCert, almost three-quarters of users (73%) make the mistake of using the same password for multiple sites.
Even more disturbing, one-third of all users (33%) have only one password for all of their access needs. In their desire to keep things simple and make it easier to remember their passwords, these online innocents are making it easier for hackers, too.
5 Common User Mistakes
Below are five common employee oversights that create poor identity management and lead to unnecessary risk for the organization.
- Using weak passwords rather than strong passwords or passphrases, despite most login windows offering clear guidance for what constitutes a strong password.
- Using the same password for multiple accounts.
- Using only a single password for all access. (One-third of users make this mistake!)
- Failing to implement two-factor or multi-factor authentication when this extra security measure is offered by a website or application.
- Not changing passwords regularly.
Role of IT in Identity Management
There are several actions organizations can take to address these and other risky employee behaviors. For example, creating and vigorously enforcing a robust password policy is a fundamental requirement for any organization, large or small.
Other best practices for effective identity management include, but are not limited to:
- Deactivating login credentials immediately when employees leave or are terminated.
- Retiring and deactivating passwords that have been previously compromised.
- Installing safeguards that prohibit employee access to risky websites.
- Requiring multi-factor authentication for access to your organization’s websites, platforms, and critical applications.
- Implementing role-based access privileges, so that each individual is only given access to the resources required by their role in the organization.
- Removing or updating access privileges promptly when individual roles change.
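A robust password policy only helps if it is enforced at the point where a password is set. The following is an added example, not code from the original post or from any named vendor, of the server-side checks behind the policy points above: a passphrase-friendly minimum length, rejection of passwords already known from earlier breaches (so compromised passwords are retired rather than reused), and rejection of an account's own recent passwords. The minimum length, history depth and the compromised-password list are all constructed assumptions; a real deployment would load a vetted breach corpus rather than the three placeholder entries shown.

```python
"""Server-side password policy check (added example, not from the original post).

Checks, in order: minimum length, presence in a known-compromised list, and
reuse of the account's recent passwords. SHA-1 is used only to match against
the compromised list, mirroring how such lists are commonly distributed; the
account's own history is stored as salted PBKDF2 hashes so old passwords are
never kept in a recoverable form.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 14      # assumption: passphrase-friendly minimum, no composition rules
HISTORY_DEPTH = 5    # assumption: how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000

# Constructed placeholder for a compromised-password list: SHA-1 digests of
# passwords seen in earlier breaches. Not a real breach corpus.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Summer2021", "correcthorsebatterystaple")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def is_compromised(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the compromised list."""
    return sha1_hex(password) in COMPROMISED_SHA1


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash used to remember past passwords without storing them."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate with each stored salt and compare in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        problems.append("appears in a known-compromised password list")
    if was_used_before(password, history):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    previous = [hash_for_history("glacier-river-lantern-42")]
    for candidate in ("Password123!", "glacier-river-lantern-42", "glacier-river-lantern-43"):
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

Returning every violation rather than stopping at the first lets the user fix the password in one attempt, and keeping the compromised-list match separate from the history check means the breach corpus can be swapped for a range-query service without touching the rest of the policy.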
Policy Enforcement Helps Prevent Hacking
It’s one thing to develop a policy or procedure to manage access. However, without consistent enforcement, the policy or procedure may as well not exist. When IT professionals are pulled in too many different directions, are spread too thin, or are not well-trained, enforcement of security policies and procedures may suffer.
Consider that 81% of IT security professionals reported that the number of identities within their organizations has doubled over the past decade, according to the Identity Defined Security Alliance. Identity management must be an active, ongoing endeavor, and failing to take it seriously, for whatever reason, exposes the organization to unnecessary risk.
One of those risks is increased vulnerability to hacking. More than four-fifths (81%) of hacking-related breaches use weak, stolen, or otherwise compromised access credentials, according to a Verizon Data Breach Investigations Report. This astounding number isn’t the consequence of targeted, individual phishing expeditions. It is due to passwords stolen in high volumes from companies with masses of customers who routinely access their services online.
Who can forget the headliner hack of Yahoo in 2012, when 450,000 user passwords were stolen? Ten years later, the stakes were even higher. A record 533 million user passwords were leaked in a stunning hack of Facebook in 2021. Similar incidents over the past decade have compromised huge volumes of user passwords.
How Organizations Can Reduce Risk
Identity Management Day reminds all organizations of our responsibility for the protection of digital identities within our scope—from employees, contractors, and third parties to customers, machines and applications, and other stakeholders.
Following are a few best practices for identity management in your organization, courtesy of the Identity Management website.
Categorize All Identities and Assign Ownership
Classify all identities within your organization into one of four categories:
- Employees.
- Contingent workers, contractors, or third parties.
- Machine identities, such as chat bots, robotic process automation (RPA), app-to-app accounts, and built-in IaaS accounts.
- Customers.
Then, assign responsibility for the creation, removal, maintenance, and security of those identities and hold that individual or team accountable. According to Forrester, a global leader in market research, there are now some 2.25 million robots in the global workforce, resulting in a significant increase in machine-based identities that require active management.
Establish Unique IDs for Every Identity
Ensure the uniqueness of every human and machine identity in your directory. Identifiers should be established and used regardless of the relationship to the organization. For example, a contractor who converts to a permanent employee, or a boomerang employee, should maintain the same identifier throughout their lifecycle with your organization. Having a unique identifier for each identity allows you to track identity activity, simplifies identity management, and facilitates audit and regulatory compliance.
Identify an Authoritative Source for Each Identity
Be sure to have an authoritative source for each identity in order to make informed decisions regarding user access, including what type of access to provision and when to enable/disable that access. This is akin to having an advocate vouch for the identity of an individual as part of a certification or licensing process, or a trusted individual sponsoring a new club member, for example.
Implement Privileged Access Management
To further protect critical company assets, implement privileged access management. This requires higher assurance during an authentication procedure based on 1) the current access profile of a user, 2) the sensitivity of the resource/data asset, and 3) the elevated permissions being requested. Provide additional security by applying multi-factor authentication for privileged access, and continuously verify the need for privileged access. This is important because hackers often use a weak identity to gain access, then move laterally within a network or system to gain elevated permissions.
Automate Provisioning and Deprovisioning
Granting and revoking access to company resources is fundamental to business operations and enterprise security and a requirement in a dynamic organization. By automating the provisioning and deprovisioning of access through individual lifecycle events (such as joining the company, changing departments or roles, and leaving the company), you will reduce the window of opportunity for hackers. Keep your active directory active only.
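The practices in the preceding sections (one immutable identifier per identity, identity categories, an authoritative source that decides who is active, role-based entitlements with step-up verification for privileged ones, and automated joiner/mover/leaver handling) fit together as one reconciliation loop. The block below is an added example written for this article, not code from the original post or from any identity product. The categories, roles, entitlements, the `SourceRecord` HR-feed shape and the sample records are all constructed for illustration; it also goes slightly beyond the text by flagging orphaned accounts, that is, enabled accounts with no record in the authoritative source.

```python
"""Identity lifecycle reconciliation (added example, not from the original post).

The authoritative source (here a list of SourceRecord rows standing in for an
HR or vendor feed) drives account state. Identifiers never change across the
identity's lifecycle, so a contractor converting to employee keeps the same id
and is handled as a mover, not as a new joiner.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Category(Enum):
    EMPLOYEE = "employee"
    CONTINGENT = "contingent"   # contractors and third parties
    MACHINE = "machine"         # service accounts, bots, RPA
    CUSTOMER = "customer"


@dataclass(frozen=True)
class Entitlement:
    name: str
    privileged: bool = False    # privileged entitlements require step-up MFA


# Constructed role-based access model: each role maps to a fixed entitlement set.
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "engineer": {Entitlement("git-read"), Entitlement("git-write")},
    "sre": {Entitlement("git-read"), Entitlement("prod-admin", privileged=True)},
    "finance": {Entitlement("erp-read")},
    "contractor-qa": {Entitlement("git-read")},
}


@dataclass
class SourceRecord:
    """One row from the authoritative source. identity_id is immutable for life."""
    identity_id: str
    category: Category
    role: str
    active: bool


@dataclass
class Account:
    identity_id: str
    entitlements: Set[Entitlement] = field(default_factory=set)
    enabled: bool = True


def reconcile(source: List[SourceRecord], accounts: Dict[str, Account]) -> Dict[str, List[str]]:
    """Drive account state from the authoritative source and return an audit log.

    Joiner: active record, no account      -> create with the role's entitlements.
    Mover:  active record, wrong entitlements -> replace them with the role's set.
    Leaver: inactive record                -> disable and strip all entitlements.
    Orphan: account with no record at all  -> disable and flag for review.
    """
    log: Dict[str, List[str]] = {}
    seen = set()
    for rec in source:
        seen.add(rec.identity_id)
        acct = accounts.get(rec.identity_id)
        wanted = ROLE_ENTITLEMENTS.get(rec.role, set())
        if not rec.active:
            if acct and (acct.enabled or acct.entitlements):
                acct.enabled = False
                acct.entitlements = set()
                log.setdefault(rec.identity_id, []).append("leaver: disabled, entitlements removed")
            continue
        names = sorted(e.name for e in wanted)
        if acct is None:
            accounts[rec.identity_id] = Account(rec.identity_id, set(wanted))
            log.setdefault(rec.identity_id, []).append(f"joiner: created with {names}")
        elif acct.entitlements != wanted or not acct.enabled:
            acct.entitlements = set(wanted)
            acct.enabled = True
            log.setdefault(rec.identity_id, []).append(f"mover: entitlements set to {names}")
    for ident, acct in accounts.items():
        if ident not in seen and acct.enabled:
            acct.enabled = False
            log.setdefault(ident, []).append("orphan: no authoritative record, disabled for review")
    return log


def requires_step_up(acct: Account, entitlement_name: str) -> bool:
    """Privileged access check: the account must hold the entitlement at all, and a
    privileged entitlement signals that step-up MFA is required before use."""
    ent = next((e for e in acct.entitlements if e.name == entitlement_name), None)
    if ent is None:
        raise PermissionError(f"{acct.identity_id} does not hold {entitlement_name}")
    return ent.privileged


if __name__ == "__main__":
    feed = [SourceRecord("id-1001", Category.EMPLOYEE, "engineer", True)]
    print(reconcile(feed, {}))
```

Because the same `reconcile` run handles joiners, movers and leavers, the "window of opportunity" the text refers to is bounded by how often the loop runs against the feed, and the returned log is the evidence an auditor would ask for when checking that access was removed promptly on role change or departure.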
Establish a Governance Process
Assign a cross-functional team to oversee the establishment of, and adherence to, all security processes and policies, including identity management, and to govern the program. The team also provides an avenue for introducing improvements to your identity management program, and for estimating the impact of program changes before they are implemented. Identity management and identity access are key components of your overall cybersecurity program and should be treated accordingly.
Summary
Our business and personal worlds rely heavily on digital tools, software apps, websites, and online platforms. Access to all of these online resources requires logon credentials that must be kept secure and private.
Our digital credentials are vital in protecting our online identities during every transaction we conduct online. And yet survey after survey of online users and company employees reveals ongoing security risks resulting from poor identity management.
Identity and access management continues to be a challenge for all organizations, regardless of size. Two contributing factors are poor user behavior and lack of enforcement of policies and procedures. If identity management is a challenge for you, seeking professional security assistance may be the right answer at the right time for the right reasons.