Cyber Experts Weigh In on the First Ever Identity Management Day - Part 3

Read our interview with IDSA Executive Director Julie Smith on Identity Management Day here.


The National Cybersecurity Alliance and the Identity Defined Security Alliance (IDSA) present the first 'Identity Management Day,' an annual awareness event that will take place on the second Tuesday in April each year. We heard from numerous cyber experts on identity management's importance and how it has become an integral piece of creating a fortified cybersecurity posture.


Jasen Meece, CEO of Cloudentity:


“Identity-related data breaches are very common these days, yet preventable if the right precautions are taken at both the individual and enterprise level. Not only on Identity Management Day, but every day, it’s critical that business leaders, IT decision-makers and the general public are aware of the importance of responsibly managing and securing digital identities. Digital identity protects sensitive data and greatly impacts how we work, interact with each other, access technology and complete transactions. Therefore, Identity Access and Management (IAM) and cybersecurity need to be treated holistically. Organizations must implement security best practices to keep employee and customer identities safe, and this includes securing applications starting at the API level.

API Protection is key for managing identities (be they human or machine), dictating how an application can consume sensitive data. We’ve seen dozens of breaches from poorly-written APIs, where object or function level authorization issues cause programmatic data leakage that attackers can take advantage of. An example of this gone wrong is the Walgreens app error last year, when a vulnerability in the Walgreens app’s API caused a data breach where customers could view the private medical messages of other customers. If organizations don't take control of identity management integrated with API security, we will see even more large-scale data breaches.”
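The object-level and function-level authorization failures Meece describes, placed beside the checks that prevent them, as an added example that is not code from the original article, from Cloudentity or from Walgreens. The in-memory message store, the user names, the roles and the handler names are all constructed for the illustration; the pattern (scope every lookup to the verified caller, and gate privileged operations on a role) is the general one.

```python
"""Object- and function-level authorization checks in an API handler.

Added example (not Cloudentity's or Walgreens' code). It models a customer
messaging API with a constructed in-memory store and contrasts a handler that
fetches a record by id alone with one that also checks that the authenticated
caller owns the record (object-level authorization) and holds the role the
operation requires (function-level authorization).
"""
from dataclasses import dataclass

# Constructed sample data: messages belonging to two different customers.
MESSAGES = {
    101: {"owner": "alice", "body": "Prescription ready for pickup"},
    102: {"owner": "bob", "body": "Lab results available"},
}

# Constructed role assignments consulted by the function-level check.
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "support"}}


@dataclass
class Request:
    """An authenticated API request. The caller identity comes from the
    verified session or token, never from a client-supplied parameter."""
    caller: str
    message_id: int


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_message_vulnerable(req: Request) -> str:
    """Missing object-level authorization: any authenticated user can read
    any message just by supplying its id (the class of bug described above)."""
    record = MESSAGES.get(req.message_id)
    if record is None:
        raise NotFound(req.message_id)
    return record["body"]


def get_message(req: Request) -> str:
    """Hardened handler: the lookup is scoped to the caller's own records.

    Ownership is checked before the body is returned, and a record the caller
    does not own is reported exactly like a missing one, so the response does
    not reveal which ids exist."""
    record = MESSAGES.get(req.message_id)
    if record is None or record["owner"] != req.caller:
        raise NotFound(req.message_id)
    return record["body"]


def requires_role(role: str):
    """Function-level authorization: the operation itself is restricted to
    callers holding `role`, independent of which object they ask for."""
    def decorator(handler):
        def wrapper(req: Request):
            if role not in ROLES.get(req.caller, set()):
                raise Forbidden(f"{req.caller} lacks role {role!r}")
            return handler(req)
        return wrapper
    return decorator


@requires_role("support")
def delete_message(req: Request) -> bool:
    """Privileged operation: only support staff may delete, and the record
    must exist. Returns True when a record was removed."""
    if req.message_id not in MESSAGES:
        raise NotFound(req.message_id)
    del MESSAGES[req.message_id]
    return True


def outcome(handler, caller: str, message_id: int) -> str:
    """Run a handler and reduce its result to an outcome label so the
    comparison between the two handlers reads without try/except noise."""
    try:
        handler(Request(caller, message_id))
        return "ok"
    except NotFound:
        return "not found"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # bob asking for alice's message: leaks through the vulnerable handler,
    # is indistinguishable from a missing record through the hardened one.
    print("vulnerable:", outcome(get_message_vulnerable, "bob", 101))
    print("hardened:  ", outcome(get_message, "bob", 101))
    print("delete as customer:", outcome(delete_message, "alice", 102))
    print("delete as support: ", outcome(delete_message, "carol", 102))
```

The hardened handler deliberately folds the ownership test into the lookup rather than bolting it on afterwards: a single `owner != caller` comparison at the point of retrieval is much harder to forget across dozens of endpoints than a separate check after the data is already in hand, and returning "not found" for both cases keeps the API from acting as an oracle for which ids exist.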


Doug Davis, Senior Product Manager, Semperis:


"With the growing popularity of cloud, enterprises have been gravitating toward a hybrid identity management model that promises the best of both worlds—a little bit in the cloud, and a little bit on-premises. For the vast majority, this means leveraging Azure Active Directory (AAD) alongside Active Directory (AD). Organizations making this change must consider three critical adjustments: the need for new authentication models, the loss of the traditional perimeter, and drastic changes to the permissions model.

"Changes in permissions are by far the biggest security risk when it comes to implementing hybrid identity management. Not only are there a huge number of services available when organizations move to a hybrid identity environment, but you also have roles in Azure AD that may be unfamiliar compared to the set of well-defined administrative groups in Active Directory. Organizations must establish strong governance of what apps are going to be turned on, who is able to make those changes, and what access rights they will get. While managing identity in a hybrid environment might seem as simple as joining a Windows device to AAD, failing to account for changes to the risk landscape opens the door to issues that can cause headaches in the future."

Tim Bandos, CISO, Digital Guardian:

“So much personally identifiable information (PII) has been exposed in breaches over recent years that it is quite easy for hackers to use our identities against us. Everyone, in some form, is vulnerable to attack. In particular, the rich amount of compromised passwords and the rise in cloud-based applications have left companies more vulnerable to compromise than ever before.

The security landscape has completely shifted since the pandemic and businesses need to be able to support a long-term hybrid workforce going forward. New research from Centrify showed that “an overwhelming percentage (90%) of cyberattacks on cloud environments in the last 12 months involved compromised privileged credentials.”

Should a cybercriminal obtain an employee’s credentials, they are able to log into their email, and then use that information to access more company services and applications – all with the company and victim being none the wiser. If the credentials entered are valid, the same alarms are not raised as when an authorized user attempts entry from the outside.

This means IAM solutions will need to be front and center during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges. Otherwise, you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news, such as the recent breach at Verkada where credentials were compromised.

Organizations need to look at where identity management and data security meet. First and foremost, developing a working relationship between data security and IAM teams is key. Furthermore, deploying data-aware cybersecurity solutions will significantly minimize the risks, because even if an adversary has “legitimate” access to data through stolen credentials, they are prevented from copying, moving or deleting it. Also, the roll-out of multi-factor authentication (MFA) is another component to fighting the growing tide of compromised credentials.”
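Bandos's point that a login with valid credentials trips none of the usual alarms is the reason detection has to look at the context of a successful authentication rather than its success or failure alone. The following is an added example, not code from the original article or from Digital Guardian: it reads constructed authentication log lines and flags successes from a country the user has never logged in from, and successes from two different countries closer together than a person could travel. The log field layout, the user names and the 6-hour travel window are assumptions made for the illustration.

```python
"""Flag successful logins that a credential-validity check alone would pass.

Added example, not from the original article or Digital Guardian. Each log
line carries: timestamp, user, result, source IP, source country (a layout
assumed for this illustration). Only SUCCESS events are examined, because
failed attempts already trip conventional alarms; the goal is to surface the
valid-credential logins that otherwise look routine.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: one line per authentication attempt.
SAMPLE_LOG = """\
2021-04-13T08:01:12Z alice SUCCESS 203.0.113.5 US
2021-04-13T08:40:03Z alice SUCCESS 203.0.113.5 US
2021-04-13T09:02:44Z bob FAILURE 198.51.100.7 US
2021-04-13T09:03:10Z bob SUCCESS 198.51.100.7 US
2021-04-13T09:15:00Z alice SUCCESS 192.0.2.77 RO
2021-04-13T13:20:00Z bob SUCCESS 198.51.100.7 US
"""

# Assumed threshold: two successes from different countries inside this
# window are treated as impossible travel.
TRAVEL_WINDOW = timedelta(hours=6)
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one log line into (timestamp, user, result, ip, country)."""
    ts, user, result, ip, country = line.split()
    return datetime.strptime(ts, TIME_FORMAT), user, result, ip, country


def detect_anomalous_logins(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, reason) alerts for suspicious successful logins.

    The per-user baseline is built from the log itself as it is read, so a
    user's first successful login establishes the baseline and never alerts;
    in production the baseline would come from a longer history store.
    """
    seen_countries: Dict[str, Set[str]] = {}
    last_success: Dict[str, Tuple[datetime, str]] = {}
    alerts: List[Tuple[str, str, str]] = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, result, _ip, country = parse_line(raw)
        if result != "SUCCESS":
            continue  # failures are handled by ordinary brute-force alarms

        known = seen_countries.setdefault(user, set())
        stamp = when.strftime(TIME_FORMAT)

        # Valid credentials used from a country this user has never appeared from.
        if known and country not in known:
            alerts.append((stamp, user, "new-country"))

        # Two successes from different countries within the travel window.
        prev = last_success.get(user)
        if prev and prev[1] != country and when - prev[0] < TRAVEL_WINDOW:
            alerts.append((stamp, user, "impossible-travel"))

        known.add(country)
        last_success[user] = (when, country)

    return alerts


if __name__ == "__main__":
    for stamp, user, reason in detect_anomalous_logins(SAMPLE_LOG):
        print(f"{stamp} {user}: {reason}")
```

Running it over the sample log reports nothing for bob, whose successes all come from the same country hours apart, and two alerts for alice's 09:15 login: the country is new for her, and it arrives 35 minutes after a success from the US. Neither condition involves a failed attempt, which is exactly the gap Bandos describes; in practice these alerts are the trigger for an MFA step-up or a session revocation rather than a block on their own.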


Jerome Becquart, COO of Axiad:

“1. Think about every identity within your organization

The first mistake a lot of organizations make when planning their identity management strategy is not considering every identity on their network. Sure, a lot think about their users and what types of credentials they’ll need for their various systems. But what about the numerous machines on a company’s network, like mobile devices, servers, applications, and IoT devices? Machines are dramatically increasing, and require a solution that will identify these identities, authenticate them, and then secure their interactions across the network. IT leaders need to consider PKI-based solutions for managing their machine identities, so their IT teams can issue certificates to their machines, track what is on their network, and encrypt the communication between the devices. This will prevent falsified entities from entering the network and putting data at risk.

2. Consider how to verify emails and documents crossing your network

In the face of phishing threats, many companies focus their investments in anti-malware software or new technology to prevent threats from getting through. Unfortunately, some of these emails will inevitably slip through the cracks. That’s why IT leaders should take an identity-centric approach to help their employees secure their emails and protect themselves against scams. Enterprises should implement email and document signing with certificates to accomplish this. By digitally signing emails, email recipients can quickly confirm the identity of the sender and ensure that the email is legitimate. The same goes for documents – if you can digitally sign a contract or purchase request with a certificate, your business can operate with a higher level of trust. This also reduces the wet-ink hassle of printing and scanning documents while working remotely.

3. Enable simplified identity credential management for IT and end users

Amid the transition to the hybrid workforce, both your IT team and your employees are likely stretched thin. Credential management should be automated for your IT team, and simple for your employees to manage. Your business can do this by offering a unified experience for all your various credentials. Develop a place where both IT teams and employees can issue, manage, and troubleshoot their various credentials whether they’re hardware tokens, smartcards, TPM, mobile authenticators, etc. End users no longer need to juggle different software and don’t need to ask IT for help, allowing everyone to focus on moving your business forward.

4. Know, trust, and verify every user before issuing credentials

When considering every identity you need to manage and secure, many enterprises struggle to first verify the identity of their employees, end customers, or partners before issuing them their credential. With the increase of digital interactions, your business needs to find a streamlined solution to reduce identity fraud, follow regulations, and ultimately ensure complete trust for every entity. Identity proofing technology is essential for businesses that need to ensure that customers or users are who they say they are, and can accelerate verification with ID document and biometric capture.

5. Maintain a high standard for identity assurance

Your business can invest in multiple identity credentials to defend every use case and identity on your network, but it all goes to waste if users don’t follow best practices or find workarounds in your system. If you’re faced with a dispersed workforce, it can be even harder to ensure all your employees are adhering to your security policies and are using their required authentication tools. Look for ways to shape user behavior, ensure best security practices are followed, and prevent workarounds that can lead to security vulnerabilities.”

