The National Cybersecurity Alliance and the Identity Defined Security Alliance (IDSA), present the first ‘Identity Management Day,’ an annual awareness event which will take place on the second Tuesday in April each year. The inaugural Identity Management Day will be held on April 13, 2021.
What is Identity Management Day?
The mission of Identity Management Day is to educate business leaders and IT decision makers on the importance of identity management and key components including governance, identity-centric security best practices, processes, and technology, with a special focus on the dangers of not properly securing identities and access credentials. In addition, the National Cyber Security Alliance (NCSA) will provide guidance for consumers, to ensure that their online identities are protected through security awareness, best practices and readily-available technologies.
Research by the IDSA reveals that 79% of organizations have experienced an identity-related security breach in the last two years, and 99% believe their identity-related breaches were preventable. According to the 2020 Verizon Data Breach Investigations Report, as many as 81% of hacking-related breaches leverage weak, stolen, or otherwise compromised passwords.
As part of Identity Management Day, NCSA and the IDSA, will provide guidance for stakeholders at all levels, to ensure that identities of employees, machines, applications, and partners are protected through security awareness, best practices and readily-available technologies.
Identity Management Day aims to inform about the dangers of casually or improperly managing and securing digital identities by raising awareness, sharing best practices, and leveraging the support of vendors in the identity security space. There are many ways to participate as a consumer, practitioner or an organization.
In recognition of Identity Management Day, here's what the following security executives had to say:
James Carder, CSO, LogRhytm:
“According to the FTC, cases of identity theft nearly doubled from 2019 to 2020, reaching an astonishing 1.3 million cases in the U.S. While this is undoubtedly a drastic increase, malicious actors are still leaning on many of the same tactics to impersonate innocent consumers and cause personal or financial harm. As hackers only require a few tidbits of information to build an online profile, consumers can take several measures to properly defend themselves and not fall into common pitfalls.
First, any time you download a new app, create an online account or configure a new electronic device, data is collected and potentially shared. One of your first orders of business should be to look up the privacy settings of whatever platform you’re using to understand how you can further protect your personal information and leverage additional security measures like two-factor authentication and data encryption. You should also be mindful of applications that incorporate location services and how they’re collecting, utilizing and/or sharing this data. Additionally, make sure you’re using various, unique passwords for meaningful accounts as it’s incredibly easy for hackers to access more information by recycling stolen credentials. Lastly, avoid any suspicious messages (emails, texts, voicemails, etc.) and websites that don’t seem legitimate as this is often an attempt at phishing or malware.
While the pandemic has created a breeding ground for scams, fraud and identity theft, it also led to a surge in cyberattacks. Organizations play a vital role in safeguarding consumer data and Identity Management Day is an important reminder that it’s also their responsibility to ensure sensitive information doesn’t fall into the wrong hands. Enterprises must be fully transparent with consumers about what information they need, how they utilize it and what they’re doing to protect it. Any business or agency that is operating within any digital capacity needs to treat customer data as if it were their own private information. Establishing a culture that puts the customer and security first will better prevent data leaks and breaches that lead to identity theft.”
Rita Gurevich, Founder and CEO, Sphere:
“Educate and engage business leaders and IT decision makers on the intersection of identity management and security.
Identity management is a key component to keeping your IT infrastructure secure. Identity management contributes to the development and maintaining of a Least Privileged Access Model which many organizations are using as their default setting for users. The reality is that despite all the layers of security and efforts used to keep data secure a breach remains a very real possibility. Identity management and access control limit an organization’s cyber attack surface so that even if a breach occurs your sensitive data remains secure since access to that data was limited, minimizing the potential damage from a breach. Identity management also makes it easier and quicker to discover if a breach occurred and what data may be at risk.
Access control and identity management assists with productivity and with security two areas that in the past have been viewed as conflicting goals.”
Erkang Zheng, Founder and CEO at JupiterOne:
"Identity defined security is integral to what we do at JupiterOne. We believe that cybersecurity and infrastructure tooling shouldn't operate in silos. Specifically, identity is not a tool that is meant to stand alone. A strong security program connects identity directly to the infrastructure and security related cyber assets in the enterprise. Without identity connections and context, security remains weak."
Kevin Dunne, President at Pathlock:
“The last year has been one unlike any other for security professionals, and has accelerated the need for robust, identity-based solutions to securing critical data and applications. As applications have shifted to the public cloud to enable remote work, traditional network-based security approaches have diminished in favor of modern solutions that focus on controlling access and monitoring usage of access. Intelligent identity solutions are the next frontier, enabling Zero Trust through combining access with the ability to understand how it is used. Next generation solutions must be able to adapt access in real-time to detect and remediate the inevitable threats that occur in today's world.”
Setu Kulkarni, Vice President, Strategy at WhiteHat Security:
“The proverbial merging of the physical and virtual world is facilitated by your identity. In a way the gap between physical and digital is bridged by your identity(ies) – when you hit “Log In”, the physical you is now a digital user. And that’s how you leave the physical world and enter the virtual world, whether you are signing into your phone, your watch, your computer or your favorite web application. As simple as that sounds, there are a host of new challenges that are still unresolved with respect to this translation from the physical-you to the digital-user. These challenges include whether you-are-who-you-say-you-are (trust), how-much-do-you-need-to-know-about-me (over-exposure), who-all-knows-about-me (duplication).
The fact is we continue to face these challenges daily as we switch between the physical and digital world and that is proliferating the crisis of identity theft and compromise. Let’s say you walk into a bar – does the bartender need to know about where you live? Do they need to know your height or weight? Do they even need to know your age? The answer is no. All they need to know is whether you are older than 21. When you give the bartender your driver’s license, you gave them all that information. Shouldn’t the bartender be able to run a quick check on you to only know if you are older than 21?
The “bartender problem” sums up how our current identity systems are failing us. As we use our identity to access services (both physical and digital), the current systems fail us as they almost always force us to provide more information than they need. The ramifications of this may not be immediate, but they are drastic nonetheless – the recent Facebook incident where millions of phone numbers and email ids were made public is a good example of how our systems today are asking for too much data to establish a trusted relationship, how this behavior is leading to over-exposure of the individuals identity and how this information is being replicated in systems that may get breached.
So where do we need to head with identity & access management? For starters, we need a re-think of identity & access management to establish trusted relationships without over-exposure & duplication while giving the identity owner control over what they want to share. The solution likely is in the use of blockchain and certificates. In addition, we have to implement newer regulations, compliance controls and user-experience best practices within digital systems to account for the fact that there is a large knowledge-gap that will continue to exist for a couple more generations where the non-digital-native population will continue to provide information to digital systems when asked.
When we take a narrower look at web, mobile and API-based applications – identities (and various identity attributes) are how you or other connected digital systems get access to various resources within the application. As with the bartender, how much information does the application need to know and store to give you the access you want. This is not a simple problem that gets solved with a new Identity and Access Management architecture. It will require a significant change in contemporary application architectures that continue to ask and hoard user data that they should not in the first place.”
Alex Pezold, CEO, TokenEx:
“Identity Management Day is a great opportunity to talk about the privacy-protecting benefits of de-identification. De-identification, also known as pseudonymization, is the process of removing certain identifying elements from a set of sensitive data so that it no longer identifies the individual from whom it was collected. By removing these identifiers via tokenization or similar technologies, organizations can continue to use the data while reducing the likelihood that it could be re-identified to reveal the original data subject in the event of a breach or other exposure.”
Art Gilliland, CEO, Centrify;
“In the last year, 90% of cyberattacks on cloud environments leveraged compromised privileged credentials. This alarming finding illustrates how cyber-attackers are easily accessing critical systems and sensitive data through improperly managed credentials -- and leveraging identity sprawl across a threatscape expanded by digital transformation.
The reality is that these adversaries no longer ‘hack’ in – they log in, using stolen identities and weak or default credentials. Identity Management Day not only reinforces the need for good cyber-hygiene but also to use technology solutions available to vault, authenticate, manage, and secure privileged identities and access.
Modern privileged access management (PAM) solutions based on Zero Trust principles can minimize shared accounts and allow human and machine identities to log in as themselves. These tools should automate privileged access controls, reduce administrative risk, and strengthen compliance postures to protect the keys to the kingdom.”
Ralph Pisani, president, Exabeam
“Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks. Login credentials have significant value, and the threat of theft persists from adversaries. The challenge is that usernames and passwords remain critical in our daily lives, from helping us complete work to carrying out personal matters like online shopping, banking or connecting with friends over social media.
Billions of previously stolen credentials live on the dark web, and we’ve just accepted that they fuel the underground economy and enable more credential stuffing attacks. We know that the hackers are bold and unconcerned with being detected on the network because they use sophisticated methods that mimic typical user activity. If their access is gained using valid credentials, it makes them even more difficult for administrators to catch.
We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing. Organizations across industries can invest in machine learning-based behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
Nick Santora, CISA, CISSP, Curricula CEO:
“The biggest challenge I see is the 'set it and forget it' mentality. Although we all want to be able to set something up once and forget about it forever, identity management is not the case. Someone is coming in and inputting this data at some point. A regularly scheduled internal ‘pulse check’ is good to see if what we expect is being done, is actually being done. Sometimes you would be surprised at what a quick review can uncover with out-of-date or incorrect information lying around."
Don Thibeau, OpenID Foundation, Open Identity Exchange, Global Open Finance Center of Excellence:
“The biggest challenge related to identity management/identity security is, like plumbing, when installed correctly it is silent, secure and reliable, and when maintained well, vital to one’s health. The one piece of advice would I give; patience.”
Jerome Becquart, COO, Axiad:
“As the number of remote users and devices on company networks increases, many customers are searching for a passwordless solution to protect them against the threats of today and tomorrow. However, there’s currently no one credential that can authenticate all business use cases. Our customers are finding themselves adopting multiple identity credentials to meet all use cases, such as YubiKeys, smart cards, TPM, mobile authenticators, and more. This can strain their IT resources and is complex for their end users to manage and keep track of.
We advise customers to stop managing their credentials in silos. They can instead use one credential management platform to manage all their identity credentials. This streamlines deployment and lifecycle management for IT teams and simplifies the user experience. By taking a holistic approach to identity management, businesses can accelerate their journey to passwordless and ensure identity security for all their users and devices.”
Greg Keller, CTO, JumpCloud:
“In a phrase: Remote work. The biggest challenge facing our customers is properly securing their employees as they shift - many permanently - to home office and remote work. Given this model, the concept of a traditional 'domain' has essentially imploded, leaving IT and security professionals scrambling to ensure their employees' devices are secure, that they are the only devices allowed access to corporate resources, and that users accessing those same resources really are who they say they are. At a minimum, IT must ensure their MFA game is strong and establish an identity management system that has no prerequisites to being on-premises any longer. Those days are gone.”
Kristin Judge, President/CEO, Cybercrime Support Network
“Many consumers still think that multi layered authentication is a technical tool only designed for people who understand computers. With the advances in MFA over the past few years, that is no longer true. Strong authentication is for anyone!”
James E. Lee, COO, ITRC:
“Without a doubt the biggest threat we see to identities is the dramatic shift to credential theft and away from traditional personally identifiable data acquired in mass attacks. Threat actors are far more interested in collecting personal and business logins and passwords that can be used in credential stuffing, BEC, and supply chain attacks. Why attack 1000 consumers to gain $300,000 when you can attack one business and walk away 3x that or more?
The advice we give consumers and businesses is simple: good password & cyber hygiene. Long, memorable passwords (12+ characters); a unique password for each account; no sharing passwords at work & home; multi-factor authentication with an app, not SMS when possible; and, never click on a link in an unsolicited email, text, or social media DM – check the sender to see if it’s a legit address and contact the sender directly if in doubt.
Rebecca Archambault, Trusted Identities Leader, BCBS of Western New York:
“You cannot fully transform your digital presence, or your digital business, without focusing on the digital identity. It should be the first foundational component you understand within your Cyber Security team. The biggest challenge that I see is that most organizations don’t fully recognize the role of identity and its impact to every facet of their business.
My advice would be to make a commitment to invest into an identity strategy, and establish a forward-looking approach. It needs to address the mounting technical debt that legacy systems and applications carry with them. It needs to include implementation of a modern identity solution that simplifies, innovates and enables their business. And finally, the strategy needs to take a ‘risk aware approach’ to balance the customer experience while increasing security.”
Ebbonie Kirk – Account Executive, SecurID, an RSA Business:
“Now that organizations have so many users working from home, they are facing new challenges in both access rights and authentication security.
SecurID’s advice: Take a step back now that the dust has settled a bit from 2020 and truly assess where your weaknesses lie both in granting work from home access and what data and systems your key users still need for their roles.“
Wes Wright, CTO, Imprivata:
“In healthcare, the biggest challenge is finding the resource for implementation and management of the program. Pre-COVID, healthcare IT staff had more work than they could handle. Now, with the addition of the COVID requirements, HIT staff just can’t find the time to implement. My best piece of advice around this is, first, don’t think of identity management as a project –it’s a journey that continues. If you have to name it something, call it a “program.” Second, it’s not an HIT program, you must garner the support and championing of the program from a diverse set of executives (HR, CMO, COO, CIO, CISO, etc.). This way, when you have to forego other projects (the main problem as noted above), then you have the support of other executives, whose projects are probably going to be delayed. As in almost every problem in life, it’s all about communication and collaboration.”
Joseph Carson, Chief Security Scientist and Advisory CISO, Thycotic:
“The biggest challenge faced by many customers that are prioritizing and beginning their journey to identity and access management is literally where to start with so many options such as single sign-on, multi-factor authentication, success metrics, provisioning, deprovisioning along with access and entitlements.
My advice for companies that are looking for the best practices on where to start a successful journey is to start with the most sensitive accounts in the organization such as privileged access and 3rd party access that, if compromised, can lead to very damaging security incidents. Get in control of the accounts that matter the most and then continue to rollout those security controls to other accounts in the organization. To help companies get on the right path Thycotic has created the Privileged Access Management checklist that will help organizations navigate the complexities, map out a path to access and help ask the right questions.”
Firas Azmeh, General Manager, Personal Digital Safety & Carrier Partnerships at Lookout:
“Technology has advanced our world in countless ways, including how we navigate and manage our everyday lives. With just a few clicks from our devices, we bank, shop, conduct business, and exchange photos and messages with family and friends. This rapid adoption of technology comes with inherent risk to user privacy and digital security. In recent years, massive corporate data breaches have exposed billions of sensitive customer records. Once a person's data is compromised, they can be at risk of phishing attacks and identity theft for years. While news headlines and media coverage of major data breaches have contributed to broader consumer awareness, most people still struggle to understand the full array of digital risks that can jeopardize their personal information or the best steps to take to safeguard their identity.
We recommend that consumers adopt best practices to increase their security hygiene and use solutions that offer remediation after Identity Theft occurs, and provide proactive protection against those threats that can lead to ID theft in the first place. Identity protection should ensure that a customer’s privacy and personal information are protected at every level – from the device they use to the apps they download, the data they access and share online, and the networks to which they connect. And if a problem ever emerges, customers have full insurance coverage and expert assistance to best safeguard their identity & finances from theft.”
Dan DeMichele, VP of Product, LastPass by LogMeIn:
“Since remote and hybrid work has become the new norm, the threat surface has exponentially expanded, and organizations' IT departments are facing new security challenges. The biggest challenge our customers face is that regardless of their size, they’re increasingly targeted by hackers looking to get their hands-on personal data and intellectual property. While many small and medium-sized businesses may not have the resources to implement robust security programs, their IT teams are nonetheless tasked with securing all entry points, including cloud apps, unsecure Wi-Fi networks and unknown or personal devices. In addition to managing the expanding security landscape while dealing with limited time, staff and resources.
In order to maintain a high level of security, IT managers have to focus on securing the identity of the user, as it is the new security perimeter. To do this, IT managers should implement solutions like enterprise password management, single-sign-on, and multifactor authentication solutions that will provide visibility into user behaviors across apps and devices, keeping remote employees and company networks secure. Perimeter security is bolstered when these technologies work together under one umbrella. With these solutions in place, IT can quickly deploy tools, enable authentication methods, and set security policies while providing end users easy access to the tools they need to get work done. Both administrators and end users are enabled to seamlessly carry out their day-to-day work and responsibilities.”
Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security:
“The shift to the cloud has fundamentally changed the way we approach security. The security paradigm has changed and it’s critical for companies to update their strategies accordingly. An organization not only needs to inventory its person and non-person identities, as well as what they can and are doing, but needs to continuously monitor them. The once a quarter reviews are dead. Along with this, it is critical for a company to know at all times where their data is, who has access to it and what an identity does with the data. No longer is it about getting to least privilege and least access, it is about continuously staying there and getting notified whenever something changes. Companies that fail to mature their security with this paradigm shift will be left picking up the pieces after a breach”
Yash Prakash, COO, Saviynt:
“Identity-related data is growing at a rapid rate. It started with traditional employees, vendors, contractors, customers and partners, but has quickly grown to include silicon entities like IoT devices, bots, service accounts, RPA, workloads and more. These new machine identities need access to data stored across on-premise, SaaS and multi-cloud environments. This, coupled with the shift towards remote work, has exacerbated security and compliance concerns for our customers, regardless of industry.
I give all our customers the same advice – which is centralize. Multiple point solutions to try and protect identity data will create more headaches and challenges than they are worth. Not only do these solutions need to work, they also need to meet strict compliance standards and mandates. A central solution is critical, not just to address identity and access risk across all assets, but to help with speeding digital transformation, which is a key need for our customers.”
Tom Malta, Navy Federal Credit Union, Head of Identity and Access Management:
“As a practitioner in the space for the last 20+ years, I am amazed at how often I come across basic IAM hygiene things companies need to be doing, but they still struggle with ! Even in mature IAM programs, some of the basics may be missing…Two of the most common would be 1 – off-boarding personnel in a timely manner, and 2 - inactivating unused/orphan credentials when no longer needed –
- How many times has that contractor left and you failed to disable his/her access until months later?
- How many times have you come across privileged service accounts that you cannot identify an owner for ?
Many firms have mature programs that offer full automation for on boarding, but when it comes to disabling and removing access – many will say it is often a complex manual task because we don’t have a single place to leverage that tells us everything that Jimmy or Suzie had before they left.
If you cannot identify every identity + access pair in your enterprise (who has access to what), then it will likely lead to many inactive / unused credentials over time because ownership will not be obvious and those “orphans” are indeed the primary targets for the bad guys as well…”
Narendra Patlolla, Head of Cyber Architecture, Gallagher:
“One of the key challenges I see with implementing a successful IAM program is managing the expectations with the key stakeholders (both business and IT). By managing expectations effectively and keeping the stakeholders informed will help minimize the friction for a predictable program delivery.
As organizations continue to expand and adopt cloud offerings. The need for IAM requirements (people, process and technology) should change as well. While some of these changes may be a net new to most organizations, as Tom and James mentioned below, they should continue to focus on basic IAM hygiene (revoking access on a timely manner, implementing role based access, minimize or eliminate non SSO external apps, guard privileged credentials and last but not least manage authorization appropriately) and incorporate these into cloud services for full coverage.”
Carlos Garcia, Optum Sr Principal Architect, Enterprise Clinical Technology, Genomics:
“I think the biggest challenges remain the fundamentals. So many organizations are still trying to implement provisioning and attestation beyond the core major identity systems like their AD and HR systems. I think great technologies like SAML, when used within an enterprise are great for integrating applications especially after acquisitions, but often become band-aides that mask the underlying issues of dispersed identity silos. The hard work is getting all these systems centralized or at least well managed through best practices around governance and especially deprovisioning. This is an endless challenge with large enterprises that do many small acquisitions a year. Many times the challenge becomes the cost of integrating acquired entities if your systems are too inflexible.
In addition, as multi-cloud adoption grows, managing all those identities and especially the governance around what authorization they have is a big challenge. The business wants to move faster than you have time to create new policies, so thinking ahead of the business challenges coming is important.”
Ashish Gupta, Bugcrowd CEO & President:
“The inaugural Identity Management Day is a valuable occasion for the entire online global community to recognize the importance of securing digital identities. A record 36 billion records were exposed in 2020 that helped fuel a record number of identity theft cases. As cybercriminals continue to take advantage of a spike in digital operations, enterprises need to put a stronger emphasis on safeguarding customer’s sensitive personal information and consumers also need to be cognizant and mindful of sharing information with third parties. We can collectively strengthen consumer privacy by working together to utilize best security practices, better educating consumers and creating a fundamental focus on security as a whole.
Pressure from recent legislation and upcoming congressional proposals are forcing enterprises across industries to put a stronger emphasis on bolstering privacy measures. To improve data protection and prevent information leaks, organizations need to take a proactive approach to security to stop attacks before they occur. More organizations are embracing crowdsourced cybersecurity as an integral part of their cybersecurity posture that allows highly skilled external security researchers to actively monitor network vulnerabilities and ensure networks are effectively preventing unauthorized access. By adopting a layered “strength in numbers” security approach, organizations can prevent data theft that commonly leads to fraud, identity theft and other breaches. Likewise, consumers need to be careful about where, how and to what extent they share their sensitive information. It’s important to actively be on the lookout for phishing and impersonation scams and be extremely cautious of any suspicious organizations or individuals that are asking for intimate financial or personal information.”
Tim Bandos, CISO, Digital Guardian:
“So much personally identifiable information (PII) has been exposed in breaches over recent years that it is quite easy for hackers to use our identities against us. Everyone, in some form, is vulnerable to attack. In particular, the rich amount of compromised passwords and rise in cloud-based applications has left companies more vulnerable to compromise than ever before.
The security landscape has completely shifted since the pandemic and businesses need to be able to support a long-term hybrid workforce going forward. New research from Centrify showed that ‘an overwhelming percentage (90%) of cyberattacks on cloud environments in the last 12 months involved compromised privileged credentials.’
Should a cybercriminal obtain an employee’s credentials, they are able to log into their email, and then use that information to access more company services and applications – all with the company and victim being none the wiser. If the credentials entered are valid, the same alarms are not raised as when an authorized user attempts entry from the outside.
This means IAM solutions will need to be front and center during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges. Otherwise, you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news, such as the recent breach at Verkada where credentials were compromised.
Organizations need to look at where identity management and data security meet. First and foremost, developing a working relationship between data security and IAM teams is key. Furthermore, deploying data-aware cybersecurity solutions will significantly minimize the risks, because even if an adversary has ‘legitimate’ access to data through stolen credentials, they are prevented from copying, moving or deleting it. Also, the roll-out of multi-factor authentication (MFA) is another component to fighting the growing tide of compromised credentials.”
Tom (TJ) Jermoluk, Co-Founder and CEO, Beyond Identity:
“We are tracking three key trends in identity management. The first is the adoption of passwordless authentication. By this we mean actually eliminating passwords as one of the authentication factors, enabling companies to stop ransomware attacks based on brute-forcing RDP and eradicate the entire class of credential-based attack TTPs used in account takeover attacks. Second, many organizations are looking to replace traditional multi-factor authentication (MFA), which often uses passwords or other ‘shared secrets,’ with solutions that implement only secure factors and reduce friction for end users – for example, by not requiring employees or customers to pick up a second device or fish a one-time password out of their SMS or email. The last, and maybe most important trend, is the confluence of cybersecurity and identity management. One important manifestation is to evaluate the security posture of the endpoint device at the time of login and make a risk-based decision on whether to allow access to cloud apps and resources.”