To celebrate the first Identity Management Day, teiss spoke to five security experts to get their advice on keeping cyber-safe
13th April 2021 was the first annual Identity Management Day. Presented by the National Cybersecurity Alliance and the Identity Defined Security Alliance, the day is dedicated to raising awareness around identity management: educating business leaders, IT decision makers, and consumers of its importance in the workplace and everyday life.
Identity and access management is a key area of concern for security professionals. Research shows that 79% of organisations have experienced an identity-related security breach in the last two years, with 99% believing that their identity-related breaches were preventable. Since we live in a time when our daily lives revolve around the internet and our various accounts in it, identity management awareness has never been more critical.
On Identity Management Day, teiss spoke with five cybersecurity experts to learn more about the problem of identity-security, and how companies and consumers alike can secure, manage and authenticate privileged identities and access.
Credentials and the cloud
In the last year, 90% of cyberattacks on cloud environments leveraged compromised privileged credentials. “Cyber-attackers are easily accessing critical systems and sensitive data through improperly managed credentials — and leveraging identity sprawl across a threatscape expanded by digital transformation,” Art Gilliland, CEO at Centrify explains. “The reality is that these adversaries no longer ‘hack’ in – they log in, using stolen identities and weak or default credentials.
“Identity Management Day not only reinforces the need for good cyber-hygiene but also to use technology solutions available to vault, authenticate, manage, and secure privileged identities and access.
“Modern privileged access management (PAM) solutions based on Zero Trust principles can minimise shared accounts and allow human and machine identities to log in as themselves. These tools should automate privileged access controls, reduce administrative risk, and strengthen compliance postures to protect the keys to the kingdom.”
After all, “if the credentials entered are valid, the same alarms are not raised as when an authorised user attempts entry from the outside,” adds Tim Bandos, CISO at Digital Guardian.
“This means IAM solutions will need to be front and centre during strategy discussions to ensure that the right employees have access to the correct resources with an appropriate level of privileges. Otherwise you run the risk of cybercriminals exploiting these weaknesses and your business ultimately becomes an embarrassing headline in the news; such as the recent breach at Verkada where credentials were compromised.
“Organisations need to look at where identity management and data security meet. First and foremost, developing a working relationship between data security and IAM teams is key. Furthermore, deploying data-aware cybersecurity solutions will significantly minimise the risks because even if an adversary has “legitimate” access to data through stolen credentials, they are prevented from copying, moving or deleting it.”
“Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks,” said Ralph Pisani, president of Exabeam. “We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing.
“Organisations across industries can invest in machine learning-based behavioural analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behaviour, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
The problem with passwords
With many internet users holding dozens of online accounts across various services, it has become more difficult for them to memorise numerous, complex passwords. “Unfortunately, password reuse has become a common malpractice that increases the chances of account hijacking when one set of a user’s credentials are leaked,” said Anurag Kahol, CTO and Cofounder of Bitglass. “More than 80% of hacking-related breaches are tied to lost or stolen credentials and it is now self-evident that passwords alone are not enough when it comes to authenticating users.
“To properly verify the identities of their employees and customers, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and single sign-on (SSO) don’t require users to remember countless passwords, while also mitigating the risk of account compromise. On a consumer level, users can safeguard their digital identity by educating themselves on the risks of password reuse, following cybersecurity best practices, and staying informed on rising threats.”
Multi-factor authentication (MFA) is a critical defence against credentials theft, requiring additional layers of verification before access is granted. “However, without the most fundamental defence of all – good cyber hygiene – credentials theft and a resulting data breach is only a matter of time,” concludes Gary Cheetham, CISO at Content Guru.
“It is essential that business leaders empower and encourage employees to maintain cyber hygiene – the basics of cyber security. Security leaders simply cannot overlook the importance of educating the rest of your employees to keep the organisation watertight. Regular training on cyber security and the hygiene aspects using engaging and accessible resources is the best way to cultivate a highly secure workforce.
“Content Guru’s Security team regularly phish test staff, by sending realistic but fake phishing emails to employees to monitor how they respond. This helps us gauge how effective our cybersecurity training is and make constant improvements. On Identity Management Day, my one piece of advice above all else is to encourage your team to question anything that seems at all suspicious, to go with their gut instinct and to always be ready to ask for help.”
Main image courtesy of iStockPhoto.com