IT World Canada

First Identity Management Day reminds firms of best practices

Breaking into organizations by compromising credentials is one of the prime ways threat actors can achieve their goals.

A new industry organization called the Identity Defined Security Alliance says that 79 per cent of organizations have experienced an identity-related security breach in the last two years. As many as 99 per cent of leaders surveyed believe their identity-related breaches were preventable.

This is why the alliance created Identity Management Day, which was marked for the first time on April 13, to make business leaders, IT decision-makers and the general public more aware of the importance of managing and securing digital identities.

“The vast majority of data breaches making headlines are the result of poor identity management. Twitter, Marriott, Nintendo…the list goes on,” said executive director Julie Smith. “These breaches often leverage weak identity management, such as weak or previously compromised passwords, not leveraging multi-factor authentication and single sign-on or leaving standing privileges open.”

End users aren’t the only problem. In a recent study, the alliance said organizations are responsible for significant delays in granting and revoking access to business systems, which impacts operations and adds risk.

According to the study, most companies surveyed (72 per cent) took one week or longer for a typical worker to gain access to required systems. It took half of the organizations surveyed three days or longer to revoke system access after a worker leaves, creating regulatory compliance issues and the risk of data theft. The majority of respondents (83 per cent) admitted remote work and other COVID-19 related factors have made managing access to corporate systems more difficult.

Corporate best practices to strengthen identity and access management include:

For the full list of best practices see the linked page above. For more about the alliance and advice subscribe to its online forum here.

As part of the event, the City of Boston was named identity management organization of the year for its two-year multi-million-dollar overhaul of its IAM program. Access Boston helps protect city resources through effective identity lifecycle management, access control and account auditing. As a result, staff access to city applications and data from anywhere was enhanced with self-service functionality for password resets and access requests, and administrative overhead has been reduced.

As the security landscape evolves, consumers and businesses must work together to ensure the privacy of corporate and personal data, Anurag Kahol, CTO and co-founder of Bitglass, said in a statement.

To properly verify their employees’ and customers’ identities, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and single sign-on (SSO) don’t require users to remember countless passwords while also mitigating the risk of account compromise.

Identity-related data breaches are very common these days, yet preventable if the right precautions are taken at both the individual and enterprise level, said Jasen Meece, CEO of Cloudentity.

“Not only on Identity Management Day but every day, it’s critical that business leaders, IT decision-makers and the general public are aware of the importance of responsibly managing and securing digital identities. Digital identity protects sensitive data and greatly impacts how we work, interact with each other, access technology and complete transactions. Therefore, Identity Access and Management (IAM) and cybersecurity need to be treated holistically. Organizations must implement security best practices to keep employee and customer identities safe, and this includes securing applications starting at the API level.

“API Protection is key for managing identities (be they human or machine), dictating how an application can consume sensitive data. We’ve seen dozens of breaches from poorly-written APIs, where object or function level authorization issues cause programmatic data leakage that attackers can take advantage of. An example of this gone wrong is the Walgreens app error last year, when a vulnerability in the Walgreens app’s API caused a data breach where customers could view the private medical messages of other customers. If organizations don’t take control of identity management integrated with API security, we will see even more large-scale data breaches.”

While the pandemic has created a breeding ground for scams, fraud and identity theft, it also led to a surge in cyberattacks, said LogRhythm CSO, James Carder.

He says organizations play a vital role in safeguarding consumer data and Identity Management Day is an important reminder that it’s also their responsibility to ensure sensitive information doesn’t fall into the wrong hands. Enterprises must be fully transparent with consumers about what information they need, how they utilize it and what they’re doing to protect it.

“Any business or agency that is operating within any digital capacity needs to treat customer data as if it were their own private information,” he said. “Establishing a culture that puts the customer and security first will better prevent data leaks and breaches that lead to identity theft.”

IAM solutions need to be front and center during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges, said Tim Bandos, CISO at Digital Guardian. Otherwise, you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news, such as the recent breach at Verkada where credentials were compromised.
