Last week the parent company of a mobile money transfer utility called CashApp began notifying over 8 million customers and employees that their names and brokerage data were stolen by a former employee.
When that person left the company, their access to at least some of the company’s systems wasn’t canceled. As a result they were able to download a number of reports.
Perhaps this is no surprise. According to a survey in a report by CyberArk Software, released today (registration required), employees estimate they access an average of 30 applications or accounts that aren’t managed by federated identities.
While the CashApp stolen data didn’t include passwords, Social Security numbers or payment card information that could be immediately monetized, the incident was at least embarrassing.
It’s the latest example of why identity management of employees, partners and customers has to be a vital part of the defence strategy of every IT leader.
Yet it’s not managed tightly enough. For example, only 48 per cent of respondents in the CyberArk survey said their organization has identity security controls for their business-critical applications.
This is one reason why IT vendors have declared April 12th Identity Management Day. Now in its second year, they hope IT leaders — and consumers — will take time to consider if their identity and access management practices meet not only today’s challenges but those of the near future.
Identity and access management (IAM) is key to a zero trust framework, which infosec pros say is a must-have for organizations today. Hybrid IAM solutions are must-haves for organizations running combined on-premise and cloud environments.
Identity management can be limited to “joiner/mover/leaver” employees (from hiring to departure), in the words of Andras Cser, vice-president and principal analyst for Forrester Research’s security and risk management practice. But, he said in an interview, it should also include access management (IAM) — the limiting of access to data to only those who need it, otherwise known as restricting the number of privileged accounts.
Directly or indirectly, identity issues — meaning stolen or lost credentials — may be involved in over 80 per cent of data breaches, he said. “If you look at most breaches there is some kind of escalation or lateral movement by the attacker. The attacker gains access to a desktop or laptop and from then on their task is to harvest any kind of credential to move to other systems and penetrate deeper.
“There are other ways of doing it, but if you have the identity of [or credentials with access to] a sensitive database or server, or an administrator password, it’s a lot easier to penetrate than any other way.”
With the compromise of usernames and passwords featuring so prominently in many intrusions, why, Cser was asked, don’t IT leaders take it seriously enough?
“There’s a lot of complacency,” he replied, with firms “hoping that they’re not going to be a target. Still keeping passwords around is my pet peeve. Passwords for anything security-related have run their course. You should not rely on passwords at all. I know it’s easy and cheap, but passwords are a thing of the past.”
Use multifactor authentication (MFA), or passwordless solutions such as biometrics for identity management, he urged. “Anything but passwords.”
MFA has to be properly adopted, he agreed, which means not using insecure methods for sending an extra authentication code, like SMS texts. Other measures, such as ensuring a threat actor can’t convince support teams to add a hacker-controlled phone or email for sending codes, also have to be adopted.
Second, he added, “people have these overarching identity strategies — which is good — but you have to implement things in really small chunks. It [identity management] is such a vast domain. People are anxious about getting results, but you have to do the homework — especially when it comes to managing the joiner/mover/leaver process.
“Another mistake people make is they think identity management tools are a replacement for business process design, which is absolutely not the case. If you have an old and obsolete identity infrastructure, a shiny new solution won’t solve your problems — in fact it will only make them worse.”
For example, he said, a complex employee or customer onboarding process has to be simplified before adding an IAM tool. “An IAM tool can do almost any kind of mapping to your business process, but if your business process is idiotic to begin with, and overly-complex, you’re just implementing an existing mess.”
The biggest problem is multiple entry points for creating customer user IDs, he said. A large bank, for example, might have different portals for creating user IDs from different business units. As a result there are ID silos.
“The last mistake is not treating identity and access management as a mission-critical infrastructure, the way network security is.”
Asked what IT leaders should be doing, Cser said IAM governance is only part of the solution. IT also has to get rid of passwords; automate the IAM side of onboarding, internal transfers and departures; and if you must allow employees to use passwords, periodically force a reset for best security.
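One way to automate the joiner/mover/leaver reconciliation Cser describes, as an added example that is not from the article, Forrester or CyberArk: it compares HR records (the source of truth) against the accounts an application actually holds and reports the actions needed, including the leaver-still-enabled gap behind the CashApp incident. All identifiers, records and the department-to-role mapping are constructed and hypothetical.

```python
from datetime import date

# Constructed sample data: HR is the source of truth, one record per person.
HR_RECORDS = {
    "e100": {"status": "active", "dept": "brokerage-ops", "end": None},
    "e101": {"status": "active", "dept": "finance", "end": None},  # transferred out of brokerage-ops
    "e102": {"status": "terminated", "dept": "brokerage-ops", "end": date(2022, 3, 31)},
    "e103": {"status": "active", "dept": "finance", "end": None},  # hired, no account yet
}

# Constructed view of what the application currently holds: account -> state.
ACCOUNTS = {
    "e100": {"enabled": True, "roles": {"brokerage-ops"}},
    "e101": {"enabled": True, "roles": {"brokerage-ops"}},  # stale role after the transfer
    "e102": {"enabled": True, "roles": {"brokerage-ops", "report-export"}},  # leaver never disabled
    "svc-legacy": {"enabled": True, "roles": {"report-export"}},  # no HR owner at all
}

# Hypothetical mapping of department -> the only roles that department may hold.
ROLE_BY_DEPT = {"brokerage-ops": {"brokerage-ops"}, "finance": {"finance"}}


def reconcile(hr, accounts, today):
    """Return the JML actions a provisioning job should apply.

    join:   people in HR with no account yet
    move:   (person, current roles, expected roles) where entitlements drifted
    leave:  terminated people whose account is still enabled on/after their end date
    orphan: enabled accounts with no HR record at all (nobody owns them, nobody reviews them)
    """
    actions = {"join": [], "move": [], "leave": [], "orphan": []}
    for pid, rec in hr.items():
        acct = accounts.get(pid)
        if rec["status"] == "terminated" and rec["end"] <= today:
            if acct is not None and acct["enabled"]:
                actions["leave"].append(pid)
            continue
        expected = ROLE_BY_DEPT[rec["dept"]]
        if acct is None:
            actions["join"].append(pid)
        elif acct["roles"] != expected:
            actions["move"].append((pid, sorted(acct["roles"]), sorted(expected)))
    for aid, acct in accounts.items():
        if aid not in hr and acct["enabled"]:
            actions["orphan"].append(aid)
    return actions


if __name__ == "__main__":
    print(reconcile(HR_RECORDS, ACCOUNTS, date(2022, 4, 12)))
```

In a real deployment the "leave" and "orphan" lists are the ones to act on first, since both represent access with no living business owner.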
In its report, CyberArk said CIOs and CISOs reported they are implementing real-time monitoring and analysis to audit all privileged session activity; implementing least privilege security and zero trust principles on infrastructure that runs business-critical applications; and adding processes to isolate business-critical applications from internet-connected devices to restrict lateral movement.