Cyber Experts Weigh In on First Ever Identity Management Day - Part 4

Read our interview with IDSA Executive Director Julie Smith on Identity Management Day here.


The National Cybersecurity Alliance and the Identity Defined Security Alliance (IDSA) present the first 'Identity Management Day,' an annual awareness event that will take place on the second Tuesday in April each year. We heard from numerous cyber experts on identity management's importance, its challenges, and how it has become an integral piece of creating a fortified cybersecurity posture and frictionless customer experience.


Jerome Becquart, COO, Axiad


“As the number of remote users and devices on company networks increases, many customers are searching for a passwordless solution to protect them against the threats of today and tomorrow. However, there’s currently no one credential that can authenticate all business use cases. Our customers are finding themselves adopting multiple identity credentials to meet all use cases, such as YubiKeys, smart cards, TPM, mobile authenticators, and more. This can strain their IT resources and is complex for their end users to manage and keep track of.

We advise customers to stop managing their credentials in silos. They can instead use one credential management platform to manage all their identity credentials. This streamlines deployment and lifecycle management for IT teams and simplifies the user experience. By taking a holistic approach to identity management, businesses can accelerate their journey to passwordless and ensure identity security for all their users and devices.”


Greg Keller, CTO, JumpCloud


“In a phrase: Remote work. The biggest challenge facing our customers is properly securing their employees as they shift - many permanently - to home office and remote work. Given this model, the concept of a traditional 'domain' has essentially imploded, leaving IT and security professionals scrambling to ensure their employees' devices are secure, that they are the only devices allowed access to corporate resources, and that users accessing those same resources really are who they say they are. At a minimum, IT must ensure their MFA game is strong and establish an identity management system that has no prerequisites to being on-premises any longer. Those days are gone.”


Joseph Carson, Chief Security Scientist and Advisory CISO, Thycotic


“The biggest challenge faced by many customers that are prioritizing and beginning their journey to identity and access management is literally where to start with so many options such as single sign-on, multi-factor authentication, success metrics, provisioning, deprovisioning along with access and entitlements.


My advice for companies that are looking for the best practices on where to start a successful journey is to start with the most sensitive accounts in the organization such as privileged access and 3rd party access that, if compromised, can lead to very damaging security incidents. Get in control of the accounts that matter the most and then continue to roll out those security controls to other accounts in the organization. To help companies get on the right path, Thycotic has created the Privileged Access Management checklist that will help organizations navigate the complexities, map out a path to access and help ask the right questions.”


Firas Azmeh, General Manager, Personal Digital Safety & Carrier Partnerships at Lookout

“Technology has advanced our world in countless ways, including how we navigate and manage our everyday lives. With just a few clicks from our devices, we bank, shop, conduct business, and exchange photos and messages with family and friends. This rapid adoption of technology comes with inherent risk to user privacy and digital security. In recent years, massive corporate data breaches have exposed billions of sensitive customer records. Once a person's data is compromised, they can be at risk of phishing attacks and identity theft for years. While news headlines and media coverage of major data breaches have contributed to broader consumer awareness, most people still struggle to understand the full array of digital risks that can jeopardize their personal information or the best steps to take to safeguard their identity.


We recommend that consumers adopt best practices to increase their security hygiene and use solutions that offer remediation after Identity Theft occurs, and provide proactive protection against those threats that can lead to ID theft in the first place. Identity protection should ensure that a customer’s privacy and personal information are protected at every level – from the device they use to the apps they download, the data they access and share online, and the networks to which they connect. And if a problem ever emerges, customers have full insurance coverage and expert assistance to best safeguard their identity & finances from theft.”

Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security


“The shift to the cloud has fundamentally changed the way we approach security. The security paradigm has changed and it’s critical for companies to update their strategies accordingly. An organization not only needs to inventory its person and non-person identities, as well as what they can and are doing, but needs to continuously monitor them. The once-a-quarter reviews are dead. Along with this, it is critical for a company to know at all times where their data is, who has access to it and what an identity does with the data. No longer is it about getting to least privilege and least access, it is about continuously staying there and getting notified whenever something changes. Companies that fail to mature their security with this paradigm shift will be left picking up the pieces after a breach.”


Art Gilliland, CEO, Centrify

“In the last year, 90% of cyberattacks on cloud environments leveraged compromised privileged credentials. This alarming finding illustrates how cyber-attackers are easily accessing critical systems and sensitive data through improperly managed credentials -- and leveraging identity sprawl across a threatscape expanded by digital transformation.

The reality is that these adversaries no longer ‘hack’ in – they log in, using stolen identities and weak or default credentials. Identity Management Day not only reinforces the need for good cyber-hygiene but also to use technology solutions available to vault, authenticate, manage, and secure privileged identities and access.


Modern privileged access management (PAM) solutions based on Zero Trust principles can minimize shared accounts and allow human and machine identities to log in as themselves. These tools should automate privileged access controls, reduce administrative risk, and strengthen compliance postures to protect the keys to the kingdom.”


Ralph Pisani, President, Exabeam

“Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks. Login credentials have significant value, and the threat of theft persists from adversaries. The challenge is that usernames and passwords remain critical in our daily lives, from helping us complete work to carrying out personal matters like online shopping, banking or connecting with friends over social media.

Billions of previously stolen credentials live on the dark web, and we’ve just accepted that they fuel the underground economy and enable more credential stuffing attacks. We know that the hackers are bold and unconcerned with being detected on the network because they use sophisticated methods that mimic typical user activity. If their access is gained using valid credentials, it makes them even more difficult for administrators to catch.

We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing. Organizations across industries can invest in machine learning-based behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”


Nick Santora, CISA, CISSP, Curricula CEO

“The biggest challenge I see is the 'set it and forget it' mentality. Although we all want to be able to set something up once and forget about it forever, identity management is not the case. Someone is coming in and inputting this data at some point. A regularly scheduled internal ‘pulse check’ is good to see if what we expect is being done, is actually being done. Sometimes you would be surprised at what a quick review can uncover with out-of-date or incorrect information lying around.”


Yash Prakash, COO, Saviynt


“Identity-related data is growing at a rapid rate. It started with traditional employees, vendors, contractors, customers and partners, but has quickly grown to include silicon entities like IoT devices, bots, service accounts, RPA, workloads and more. These new machine identities need access to data stored across on-premise, SaaS and multi-cloud environments. This, coupled with the shift towards remote work, has exacerbated security and compliance concerns for our customers, regardless of industry.


I give all our customers the same advice – which is centralize. Multiple point solutions to try and protect identity data will create more headaches and challenges than they are worth. Not only do these solutions need to work, they also need to meet strict compliance standards and mandates. A central solution is critical, not just to address identity and access risk across all assets, but to help with speeding digital transformation, which is a key need for our customers.”

