If it's the second Tuesday in April it must be Identity Management Day
First held in 2021, Identity Management Day seeks to inform about the dangers of casually or improperly managing and securing digital identities by raising awareness and sharing best practices across the industry.
Today's second celebration of all things identity management -- you may have noticed the Identity Management Day eggs and bunnies in the shops (oh, they're for something else?) -- has sparked comment from many industry figures and we round up some of their thoughts below.
Rod Simmons, vice president of product management at Omada says, "Organizations today are faced with a rapidly proliferating workforce. This is not only in terms of remote work, but also in an explosion of third-parties, auditors, interns, and contracted workers who require access to a similarly growing IT landscape of applications, infrastructure and data. To wit, there is no one solution that organizations can turn to in order to solve their identity security issues. A connected ecosystem of solutions that are married with strong business processes and committed corporate buy-in is needed in order to properly secure identities."
Tyler Farrar, CISO at Exabeam highlights the need for constant monitoring, "Credential-driven attacks are largely exacerbated by a 'set it and forget it' approach to identity management, but organizations must build a security stack that is consistently monitoring for potential compromise. Organizations across industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time."
"So why is identity theft so common?" asks Andy Swift, technical director of offensive security at Six Degrees. "Well, the simple answer is stealing account credentials is big business. There is a massive industry out there of people stealing and selling credentials on the dark web. Once these attackers have stolen a victim's credentials, they want to leave without a trace in order to avoid arousing suspicion. I don't suggest you venture to the marketplaces through which stolen credentials are sold on the dark web, but if you did you'd find lists of credentials with different attributes -- whether they've been tested, whether they have access to financial data -- that dictate price. They even run Black Friday sales. I'm not kidding."
This theme is echoed by David Putnam, head of identity protection products at NortonLifeLock, "Identity theft has become a booming business with cybercriminals looking to take advantage of consumers' changing behaviors and increased digital footprint to launch coordinated attacks and convincing scams. To protect against this threat, consumers need to take charge of their digital lives and proactively invest in identity theft monitoring, alert and recovery services to help monitor threats to their identity and safeguard their personal information."
Chris Hickman, CSO of Keyfactor, says, "A common mistake companies make when securing and managing identities across an organizational landscape is when teams primarily focus on their human identities while neglecting their machine counterparts. With the increased use of cloud, containers, RPAs and DevOps, the need for Machine Identity management has become a critical component of a holistic identity management strategy. Each machine requires an identity that must be properly secured and managed and therefore Cryptographic keys and digital certificates are the most practical solution."
Philipp Pointner, chief of digital identity at Jumio says:
Identity Management Day highlights the importance of keeping our digital identities secure and promotes the use of identity-centric security best practices. As the cybersecurity landscape evolves, business leaders and IT decision makers must remain aware of the new ways that hackers are able to steal identity-related information. Credentials still remain one of the most coveted data types for hackers. Sixty percent of hacking-related data breaches are linked to stolen or lost credentials. Therefore it is crucial that organizations implement identity-centric best practices to keep employee and customer information safe and secure.
To ensure the security of customers and employee identity information, companies must strengthen their security protocols to prevent hackers from stealing credentials from all angles. For example, utilizing stronger identity verification capabilities like multi-factor authentication (MFA) with biometrics to confirm a user is who they are claiming to be protects credentials even further. By properly verifying users using biometrics and utilizing multiple enhanced security measures like MFA, organizations can contribute to a safer internet community and keep digital identity information out of harm's way.
Protecting corporate credentials is essential says Gregg Mearing, chief technology officer at Node4, "Credential stuffing is one of the most common forms of attack and corporate credentials are usually the target. In 2020 alone there were 193 billion credential stuffing attacks globally. This style of attack is popular because it is painfully easy for cybercriminals to execute. Attacks commonly start with a database of stolen credentials, usually with usernames, emails and passwords -- although phishing emails and suspicious websites are also used to steal corporate credentials. Attackers often gain successful access when an employee's password has been used for a different account that has since been compromised. Once they have gained entry into the organisation's system, the attacker can move laterally, completely unnoticed, to access sensitive data, remove files or plant malware."
"When it comes to cyber threats, all roads continue to lead to identity," says Joseph Carson, chief security scientist at Delinea. "Digital transformation, the move to cloud, and requirements for remote work have only made it easier for cyber criminals as organizations struggle to secure an expanded threatscape and get a handle on identity sprawl. Companies of all sizes need to focus on centralizing identities while also reinforcing best practices and training to ensure employees are doing everything possible to secure their credentials. Remember: it only takes one compromised identity to negatively impact the company's financial performance, customer loyalty, and brand reputation, potentially costing millions of dollars."
Smaller businesses need to take identity seriously too says Heath Spencer, CEO of TraitWare:
While Big Business dominates the headlines for cyber-attacks, the SMB often underestimates the need for proper Identity and Access Management. Often ill-prepared, the SMB is therefore a prime target for attack -- presenting low risk and high return for the cybercriminal.
All companies need to improve security now to avoid disaster -- with two must-haves: SSO and MFA. Multiple sets of employee credentials for access to various applications increase friction, cost, and risk. A setup that combines passwordless MFA with SSO vastly reduces risk by eliminating phishable credentials and shrinking the attack surface, while also reducing company costs and friction.
We'll give the last word to Raj Dodhiawala, president of Remediant, who highlights the need to reduce the attack surface, "Reducing the attack surface is the most important proactive IAM measure an organization can do to mitigate threats, as the majority of today's attackers accomplish their mission by leveraging privilege (or admin) account sprawl -- a very large and highly exploited attack surface. Simply put, today's hackers know what they're doing. Once an attacker is inside any infrastructure or system, for example, elevating privileges and moving laterally to find crown jewels is straightforward. From there, they can encrypt data, execute a ransomware attack and much more."