Breaking into organizations by compromising credentials is one of the prime ways threat actors can achieve their goals.
A new industry organization called the Identity Defined Security Alliance says that 79 per cent of organizations have experienced an identity-related security breach in the last two years. As many as 99 per cent of leaders surveyed believe their identity-related breaches were preventable.
This is why the alliance created Identity Management Day, which was marked for the first time on April 13, to make business leaders, IT decision-makers and the general public more aware of the importance of managing and securing digital identities.
“The vast majority of data breaches making headlines are the result of poor identity management. Twitter, Marriott, Nintendo…the list goes on,” said executive director Julie Smith. “These breaches often leverage weak identity management, such as weak or previously compromised passwords, not leveraging multi-factor authentication and single sign-on or leaving standing privileges open.”
End users aren’t the only problem. In a recent study, the alliance said organizations are responsible for significant delays in granting and revoking access to business systems, which impacts operations and adds risk.
According to the study, most companies surveyed (72 per cent) took one week or longer for a typical worker to gain access to required systems. It took half of the organizations surveyed three days or longer to revoke system access after a worker leaves, creating regulatory compliance issues and the risk of data theft. The majority of respondents (83 per cent) admitted remote work and other COVID-19 related factors have made managing access to corporate systems more difficult.
Corporate best practices to strengthen identity and access management include:
- Establish an Identity and Access Management Governance Committee to confirm IAM policies are followed.
- Ensure the uniqueness of every human and non-human identity in your directory. “This is the DNA of your IAM program for every service and function you will support (provisioning, certs, privileged access, physical access, etc.),” says the alliance. “A uniquely identifiable catalogue of entities is important and a must.”
- Once user roles and entitlements are defined, high-profile users and secure resources should require multi-factor authentication. The level of assurance of authentication should match the value of the asset being protected.
- Implement SSO authentication regardless of cloud deployment model.
- Proactively maintain current and accurate authoritative data for identities located in accessible source repositories. Proper maintenance of this authoritative data requires defined lifecycle management processes for both employees and non-employees, regular validation and update of identity information, and accurate data storage within a repository.
- Implement a directory group structure that fits the scope of your IAM program.
- Minimize Active Directory’s attack surface. Lock down administrative access to the Active Directory service by implementing administrative tiering and secure administrative workstations, applying recommended policies and settings, and regularly scanning for misconfigurations that potentially expose your forest to abuse or attack.
- Implement a scorched-earth recovery strategy in the event of a large-scale compromise. Widespread encryption of your network, including Active Directory, requires a highly automated recovery strategy that includes offline backups for all infrastructure components and the ability to restore those backups without re-introducing any malware that might be on them.
For the full list of best practices, see the linked page above. For more about the alliance and its advice, subscribe to its online forum here.
As part of the event, the City of Boston was named identity management organization of the year for its two-year, multi-million-dollar overhaul of its IAM program. Access Boston helps protect city resources through effective identity lifecycle management, access control and account auditing. As a result, staff access to city applications and data from anywhere was enhanced with self-service functionality for password resets and access requests, and administrative overhead has been reduced.
As the security landscape evolves, consumers and businesses must work together to ensure the privacy of corporate and personal data, Anurag Kahol, CTO and co-founder of Bitglass, said in a statement.
To properly verify their employees’ and customers’ identities, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and single sign-on (SSO) don’t require users to remember countless passwords while also mitigating the risk of account compromise.
Identity-related data breaches are very common these days, yet preventable if the right precautions are taken at both the individual and enterprise level, said Jasen Meece, CEO of Cloudentity.
“Not only on Identity Management Day but every day, it’s critical that business leaders, IT decision-makers and the general public are aware of the importance of responsibly managing and securing digital identities. Digital identity protects sensitive data and greatly impacts how we work, interact with each other, access technology and complete transactions. Therefore, Identity Access and Management (IAM) and cybersecurity need to be treated holistically. Organizations must implement security best practices to keep employee and customer identities safe, and this includes securing applications starting at the API level.
“API Protection is key for managing identities (be they human or machine), dictating how an application can consume sensitive data. We’ve seen dozens of breaches from poorly-written APIs, where object or function level authorization issues cause programmatic data leakage that attackers can take advantage of. An example of this gone wrong is the Walgreens app error last year when a vulnerability in the Walgreens app’s API caused a data breach where customers could view the private medical messages of other customers. If organizations don’t take control of identity management integrated with API security, we will see even more large-scale data breaches.”
While the pandemic has created a breeding ground for scams, fraud and identity theft, it also led to a surge in cyberattacks, said LogRhythm CSO James Carder.
He says organizations play a vital role in safeguarding consumer data and Identity Management Day is an important reminder that it’s also their responsibility to ensure sensitive information doesn’t fall into the wrong hands. Enterprises must be fully transparent with consumers about what information they need, how they utilize it and what they’re doing to protect it.
“Any business or agency that is operating within any digital capacity needs to treat customer data as if it were their own private information,” he said. “Establishing a culture that puts the customer and security first will better prevent data leaks and breaches that lead to identity theft.”
IAM solutions need to be front and center during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges, said Tim Bandos, CISO at Digital Guardian. Otherwise, you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news, such as the recent breach at Verkada where credentials were compromised.