Research has pointed out that nearly 80% of organizations have faced some sort of security breach due to identity-related issues, even here nearly every single participant of the survey (99%) believed that the incident could have been prevented had there been a proper security measure in place. The latest Verizon’s DBIR also points out that 81% of security incidents hark back to weak/compromised passwords. To shed light on the precariousness of weak passwords and identity-related security, Identity Management Day is observed to raise awareness on securing digital identities and establish best practices.
To know the key areas organizations and individuals must focus on to prevent an untoward cybersecurity incident, CISO MAG has gathered opinions from several industry experts who talk about the relevance of Identity Management Day, best practices in identity management, and more. Read on:
1Importance of Protecting Our Digital Identities
“Identity Management Day emphasizes the importance of protecting our digital identities (which is increasingly critical as the acceleration of digital transformation efforts opens new doors for threat actors). With many internet users holding dozens of online accounts across various services, it has become more difficult for them to memorize numerous, complex passwords. Unfortunately, password reuse has become common malpractice that increases the chances of account hijacking when one set of a user’s credentials are leaked. More than 80% of hacking-related breaches are tied to lost or stolen credentials and it is now self-evident that passwords alone are not enough when it comes to authenticating users.
As the security landscape evolves, consumers and businesses must work together to ensure the privacy of corporate and personal data. To properly verify the identities of their employees and customers, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and single sign-on (SSO) don’t require users to remember countless passwords, while also mitigating the risk of account compromise. On a consumer level, users can safeguard their digital identity by educating themselves on the risks of password reuse, following cybersecurity best practices, and staying informed on rising threats. Because we now live in a time when our daily lives revolve around the internet and our various accounts therein, identity management awareness has never been more critical.”
– Anurag Kahol, CTO and Cofounder, Bitglass
2Pandemic has created a breeding ground for scams
“According to the FTC, cases of identity theft nearly doubled from 2019 to 2020, reaching an astonishing 1.3 million cases in the U.S. While this is undoubtedly a drastic increase, malicious actors are still leaning on many of the same tactics to impersonate innocent consumers and cause personal or financial harm. As hackers only require a few tidbits of information to build an online profile, consumers can take several measures to properly defend themselves and not fall into common pitfalls.
First, any time you download a new app, create an online account or configure a new electronic device, data is collected and potentially shared. One of your first orders of business should be to look up the privacy settings of whatever platform you’re using to understand how you can further protect your personal information and leverage additional security measures like two-factor authentication and data encryption. You should also be mindful of applications that incorporate location services and how they’re collecting, utilizing and/or sharing this data. Additionally, make sure you’re using various, unique passwords for meaningful accounts as it’s incredibly easy for hackers to access more information by recycling stolen credentials. Lastly, avoid any suspicious messages (emails, texts, voicemails, etc.) and websites that don’t seem legitimate as this is often an attempt at phishing or malware.
While the pandemic has created a breeding ground for scams, fraud and identity theft, it also led to a surge in cyberattacks. Organizations play a vital role in safeguarding consumer data and Identity Management Day is an important reminder that it’s also their responsibility to ensure sensitive information doesn’t fall into the wrong hands. Enterprises must be fully transparent with consumers about what information they need, how they utilize it and what they’re doing to protect it. Any business or agency that is operating within any digital capacity needs to treat customer data as if it were their private information. Establishing a culture that puts the customer and security first will better prevent data leaks and breaches that lead to identity theft.”
– James Carder, CSO, LogRhythm
3Everyone, In Some Form, Is Vulnerable to Attack
“So much Personally Identifiable Information (PII) has been exposed in breaches over recent years that it is quite easy for hackers to use our identities against us. Everyone, in some form, is vulnerable to attack. In particular, the rich amount of compromised passwords and the rise in cloud-based applications has left companies more vulnerable to compromise than ever before.
The security landscape has completely shifted since the pandemic and businesses need to be able to support a long-term hybrid workforce going forward. New research from Centrify showed that an overwhelming percentage (90%) of cyberattacks on cloud environments in the last 12 months involved compromised privileged credentials.
Should a cybercriminal attain an employee’s credentials, they are able to log into their email, and then use that information to access more company services and applications – all with the company and victim being none the wiser. If the credentials entered are valid, the same alarms are not raised as to when an authorized user attempts entry from the outside.
This means identity access management (IAM) solutions will need to be front and center during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges. Otherwise, you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news, such as the recent breach at Verkada where credentials were compromised.
Organizations need to look at where identity management and data security meet. First and foremost, developing a working relationship between data security and IAM teams is key. Furthermore, deploying data-aware cybersecurity solutions will significantly minimize the risks because even if an adversary has “legitimate” access to data through stolen credentials, they are prevented from copying, moving, or deleting it. Also, the roll-out of multi-factor authentication (MFA) is another component to fighting the growing tide of compromised credentials.”
4Nex-Gen Identity and Access Management solutions that could save a lot of time and effort
“Nowadays, the Corporate network has expanded beyond the traditional organization boundary to the public and private cloud infrastructure. With this comes, the requirement to provide access to individual network entities (users and devices) to a variety of cloud and on-premises applications. Users may include customers, partners, and employees; devices include computers, smartphones, routers, servers, controllers, and sensors.
It becomes cumbersome to manage everything manually while maintaining a high compliance level. Therefore, it is required to manage all the user identities and access across corporate assets as one user could have multiple identities and accesses across multiple resources. This in turn creates a high-security risk as most of the data leaks happens due to misuse of user identities present in the system. In 2017, Identity theft accounted for 69% of all data breaches. Moreover, malicious outsiders were the leading source of data breaches, resulting in 1,269 incidents in 2017 and despite 45% of American companies paying their hackers during a ransomware attack, only 26% of those businesses had their files unlocked.
Thus, the goal of identity management is to grant access to the enterprise assets that users and devices have rights to in respective contexts. That includes onboarding users and systems, permission authorizations, and the off-boarding of users and devices promptly.
So, what we need is a mechanism that can create, modify, track user activities and manage identities across all the corporate resources along with system admins manually checking and auditing everything regularly to avoid any possible security risk and to ensure compliance with corporate policies and government regulations. Many of these manual activities can be automated with advanced AI ML capabilities present in Nex-Gen Identity and Access Management solutions that could save a lot of time and effort for the people managing the system. I think in this way we can securely govern and manage identities in an ever-growing corporate environment with users requiring more and more accessibility across all resources with this work from home COVID scenario.”
– Kunal Wason, Technical Product Manager- Security, TechnoBind
5IAM Is Now Needed More Urgently Than Ever
“Identity Management, also referred to as Identity and Access Management (IAM), is about managing and accessing identity and privileges of customers, partners, and employees in accessing applications. The need for the right identity management is to provide those needed with the right level of access and resources. By using IAM not only can organizations authenticate and control access of the individuals which plays a very important role in securing the data and the identity of the users. With remote working and in case of organizations located across the globe, there is a need for secure access through central systems. With IAM, there is no safer way to ensure that only the right people access the right applications.
IAM is now needed more urgently than ever considering the changing dynamics in the office-work dynamics post-pandemic. Currently, experts believe Unified Access Platform, AI-powered IAM and adaptive authentication, Customer Identity and Access Management (CIAM) and SaaS-delivered Access Management are predicted to be the latest trends in the IAM sector.
For the first time, The National Cybersecurity Alliance and the Identity Defined Security Alliance (IDSA) started the Identity Management Day, with its inaugural on April 13, 2021. This has been started to ensure organizations and individuals create awareness about the importance of identity management. This is a great initiative that will bring the focus of the C-Suite on the need for the right IAM solution. With more focus and research on IAM, organizations can focus on fighting data breaches and cyber identity thefts leading to catastrophic damages in such situations.”
– S Sriram, Chief Strategy Officer, iValue InfoSolutions
6“Identity First” cybersecurity strategy can address evolving threats
“On the first Identity Management Day, I would like to recognize the Identity Defined Security Alliance and National Cyber Security Alliance for leading this awareness. As the market continues to shift toward leveraging Cloud Infrastructure, SaaS solutions, IOT explosion, etc., it introduces new challenges, and traditional cybersecurity approaches are not adequate to address these new threats. This provides a great platform to acknowledge the benefits organizations can realize by shifting toward an “Identity First” cybersecurity strategy to address the next generation of evolving threats.”
– Andy Walker, Identity and Access Management Leader, Cyber Protection and Identity, Optiv Inc.
7Passwordless Is the Way Ahead
“We are tracking three key trends in identity management. The first is the adoption of passwordless authentication. By this we mean eliminating passwords as one of the authentication factors, enabling companies to stop ransomware attacks based on brute-forcing RDP and eradicate the entire class of credential-based attack TTPs used in account takeover attacks. Second, many organizations are looking to replace traditional multi-factor authentication (MFA), which often uses passwords or other ‘shared secrets,’ with solutions that implement only secure factors and reduce friction for end-users – for example, by not requiring employees or customers to pick up a second device or fish a one-time password out of their SMS or email. The last, and maybe most important trend, is the confluence of cybersecurity and identity management. One important manifestation is to evaluate the security posture of the endpoint device at the time of login and make a risk-based decision on whether to allow access to cloud apps and resources.”
– Tom (TJ) Jermoluk, CEO/Co-Founder, Beyond Identity
8Identity Management has been departing from traditional password-based outlook
“Identity Management Day is a great occasion to remind companies of the importance to have thorough identity management practices, processes, and technologies, since the sad truth is that companies most frequently give a thought to it as a follow-up to an incident.
Judging from Group-IB’s experience, the need for identity management and security proves to be a challenge for companies, with many organizations failing at it. The goal of identity management is to ensure that only authenticated users are granted access to specific applications, systems, or IT environments. This means that every employee should be given access only to the services that they will need to perform their tasks and support the existing business processes. Such an approach is also known as the principle of least privilege.
In the past several years, identity management has been departing from the traditional password-based outlook, with additional factors being added to the authentication process. Companies like Google, for example, have been deploying hardware tokens based on FIDO2 to evade phishing. Another trend contributing to the greater credibility of the authentication process is the use of AI and machine learning to track user behavior with the aim of adding extra context to the identity verification process to detect abnormalities in the user behavior. The latter didn’t come unnoticed by Group-IB and was implemented in its Fraud Hunting Platform that utilizes machine-learning algorithms to create a unique digital fingerprint for identities and devices. This enables the system to distinguish between legitimate actions and malicious activity even if the criminals have physical access to a user’s device as the system correlates and matches user behavior with their devices. This technology was dubbed «Global ID» by Group-IB.”
– Shawn Tay, Senior Threat Intelligence Analyst, Group-IB
9It Is Every Organization’s Responsibility to Better Equip Their Workforce
“Cyberthreats, especially identity theft, have significantly increased since the pandemic began. With remote working becoming the norm and resulting in greater dependence on digital devices, tools, and platforms, cybercriminals are increasingly using unsecured network connections and unsafe apps and portals to steal financial data and personally identifiable information of unsuspecting users. Indian users are experiencing loss of personal data more than ever before. According to NortonLifeLock Cyber Safety Insights Report in 2019, 70% of respondents were worried about their identity being stolen, and that 39% of Indian respondents had experienced identity theft. The study had also revealed that 63% of respondents were unaware of the steps that had to be taken in the case of identity theft and more than three-quarters (79%) wished they had more information about what to do next.
Now, when it is clear that remote working is here to stay, it is every organization’s responsibility to better equip their workforce to deal with such threats. It is advisable to always use the company’s tech toolbox, as it likely includes firewall and antivirus protection and security features such as VPN and two-factor authentication. I recommend that individuals should keep their Virtual Private Network (VPN) turned on, as it provides a secure link between employees and businesses by encrypting data. A VPN helps keep information secure from cybercriminals and prying eyes. While working remotely, it is important to understand that online safety is a shared responsibility that begins at the individual level.
Against the backdrop of accelerated digital transformation and the evolving cybersecurity landscape, the occasion of Identity Management Day serves as an important reminder of the need for organizations and individuals to reassess and strengthen their security measures to ensure fewer or no data breaches.”
– Ritesh Chopra, Director Sales and Field Marketing, India & SAARC Countries, NortonLifeLock