Today is Identity Management Day, and we’ve compiled industry commentary and advice on Identity and Access Management.
Advice on identity management.
April 11 marks Identity Management Day. Below we look at current trends in Identity and Access Management (IAM) and gather expert commentary and advice on IAM.
Key trends in Identity Access Management.
VentureBeat reported four key trends from the 2023 Gartner IAM Summit: adding identity threat detection and response (ITDR) tooling to protect against identity-based attacks and breaches, adopting an identity-first approach to cybersecurity, bringing cloud infrastructure entitlement management (CIEM) tools into identity management programs, and implementing journey-time solutions for a streamlined user experience.
Expert commentary on protecting against identity-based cyber threats and keeping systems secure.
Sameer Hajarnis, Chief Product Officer, OneSpan, warns about changes in technology and the importance of strong user authentication:
“Today everything is digital — work, shopping, even your wallet — and there’s one thing that secures you throughout your digital life: your identity. But digital identities are broadly defined, including everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a website when shopping online, you’re sharing part of your digital identity.
“We are constantly sharing these attributes that make up our digital identities, and this will only expand as we do more things digitally. But this also means that threat actors can more easily commit identity fraud and create synthetic identities. These synthetic identities have the ability to disrupt people's lives and the way we do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms.
“What this tells us is that we need to be thinking about what’s to come and stop being responsive to changes in technology. What we need is to be thinking about how we can protect a business and a consumer’s digital identity. This means implementing a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. Not only does this protect digital identities from abuse and fraud, but it also limits the amount of identity attributes users need to share. Instead of sharing every piece of personal information, users would only be disclosing the minimum information required to get the job done. This is how we will protect and secure digital identities as we embrace web3.”
James Lapalme, VP & GM of Identity at Entrust, highlights the need for new IAM solutions and strategies in this new age of digital transformation:
“The pandemic ushered in an accelerated wave of digital transformation and as the world went remote, the demand for high-assurance secure solutions skyrocketed. However, with increased digital interactions comes an even greater risk of cyber threats and fraud, which means many of the current security solutions for identity management are no longer effective. Passwords, which have served as the standard for protecting digital goods and services since their inception in the 1960s, are high customer friction, insecure and becoming obsolete at best. In fact, 51% of people reset their password at least once a month because they cannot remember it, and according to the U.S. Federal Trade Commission, 2.9M fraud reports were filed as of 2022 and identity theft was the number one category for consumer complaints. As the trend towards digital transactions continues to increase alongside security threats, there’s an urgent need for new identity management and protection strategies and technologies to enhance security.
“When it comes to multi-factor authentication (MFA), too many enterprises still use single-factor authentication and have an over-reliance on one-time passcodes. Yet, organizations should leverage high-assurance passwordless MFA solutions that include physical proximity factors and certificate-based authentication to protect against remote account takeover (ATO) attacks. For a more comprehensive approach to security, companies need to embrace and adopt a Zero Trust strategy. Adaptive risk-based authentication is central to a Zero Trust framework, providing continual contextual awareness of user and device behavior. This can include multi-factor authentication, single sign-on, passwordless login and more. While Zero Trust implementation is a journey, by taking an identity-centric approach to Zero Trust, companies can take a step in the right direction to maximize security while minimizing unnecessary friction – and begin to fill in the gaps they have in their networks that are making them less secure.”
Roman Arutyunov, Co-Founder and SVP of Products at Xage Security, discusses zero trust approaches to IAM:
“Major real-world attacks on critical infrastructure (think Colonial Pipeline) demand more than just visibility and threat detection. What’s needed today is a zero trust mindset for cyber hardening industrial systems in a way that secures identities and blocks attacks. Identity and access management (IAM) needs to be a priority for real-world operations. Technologies exist to offer protection without a complete infrastructure overhaul. Organizations can look to government for guidance as well, for example, CISA and the NSA recently joined forces to release the IAM best practices guide for administrators. Given how much of a critical necessity modern IAM practices are for real-world security in the face of escalating threats, let’s use this holiday to spark more discussion, awareness and adoption specifically in the critical infrastructure realm.”
Peter Barker, Chief Product Officer at ForgeRock, emphasizes a need for identity-first, passwordless authentication:
“The traditional username-password login model is fundamentally flawed. Last year alone, more than 2 billion usernames and passwords were breached, and 50% of records breached were caused by unauthorized access. Not only are passwords a major security risk, they also hinder productivity and efficiency, leading to lost ROI for organizations seeking profitability more than ever before.
“It’s time to embrace passwordless authentication, abolishing traditional passwords once and for all. While many claim passwordless is in the distant future, the reality is that the right identity partner can make it a reality, right now, for both employee and customer end users.
“Passwordless authentication replaces traditional passwords with more user-friendly, secure methods, ranging from biometrics to authenticator apps and certificates. This Identity Management Day, let’s say goodbye to passwords, and embrace a world where we never have to log in again.”
The ever-evolving digital identity.
Viktoria Ruubel, Managing Director of Digital Identity at Veriff, discusses the evolution of the “digital identity”:
“The concept of ‘digital identity’ has evolved tremendously over the past decade, and the explosion of digital platforms has led to today’s online users having countless digital identities. It wasn’t until recently, however, that users became both aware and concerned about the amount of personal data being collected and shared by third parties online. As privacy concerns for both users and businesses become top-of-mind and technologies advance, we’ll see the next generation of identity verification come to the forefront. This will come in the form of reusable digital identity, that enables individuals and businesses to securely re-use a trusted digital identity across multiple online platforms and applications, creating more trust and better experience, and leading to less time and money spent by businesses in the process.”
IAM in the cloud.
Glenn Mulvaney, VP Cloud Operations at Clumio, explains the importance of a holistic approach to identity hygiene in the cloud:
“Identity management in the cloud—where data lakes, app data, and business information are often sprawled across many storage systems—is a fine balance between human authentication and system authentication. Multi-factor authentication (MFA) and two-factor authentication (2FA) are great tools for human authentication, but can hinder non-interactive data exchange apps and microservices because they require user intervention. In order to facilitate automated data exchange while maintaining strong identity security, organizations should classify their data based on access patterns, and ensure that system-to-system data exchange leverages API identity tools, OAuth, and mutual TLS.
“CISOs need to think about identity hygiene holistically—which not only includes human identity management like limiting permissions to the principle of least privilege, MFA enforcement, and periodic credential rotation, but also app-oriented identity management, including robust key management across Personally Identifiable Information and sensitive data, API security, network isolation, and most importantly—backups of crucial data. While it is certainly damaging to let an intruder in, so long as there are secured, off-site system backups to restore data from, there is always a well-tested path to recovery. Companies can also keep their identity management efforts on track over time by identifying and looking for specific metrics and trends including self-reported spam / phishing rates from employees, employee engagement on security-related comms, and success rates on decoy tests. This is, of course, in addition to technology-focused metrics such as identity logs and unauthorized activity alerts, event monitoring, device and network behavior and so on. With the advent of generative AI tools, we all need to be very wary of identity mimicry that could at first glance be indistinguishable from legitimate communication.”
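Mulvaney's advice to put machine-to-machine traffic on mutual TLS rather than on a human MFA flow is easy to show in code. The Go program below is an added example, not Clumio's or any vendor's code. It mints a throwaway private CA, issues a client certificate to a hypothetical `payments-service`, and starts a server that requires and verifies client certificates, then shows that an anonymous caller and a caller whose certificate carries the right name but comes from the wrong issuer are both refused. The CA, the service name and the use of `httptest` for the server are assumptions for illustration; in production the issuer would be an internal PKI or workload identity system, and private keys would not sit in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert mints an ECDSA P-256 certificate for cn, self-signed when issuer is nil, and
// returns it ready for use as a tls.Certificate (Leaf holds the parsed form). Leaves carry
// the ClientAuth EKU, the CA carries CertSign. Key-generation failures panic: this is a demo.
func issueCert(cn string, isCA bool, issuer *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived: rotate, don't revoke
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, signer := tmpl, any(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newMTLSServer requires a client certificate chaining to clientCA. The handler runs only
// after that chain has verified, so the peer's CommonName is a trustworthy caller identity.
func newMTLSServer(clientCA *tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, // the setting that makes TLS mutual
		ClientCAs:  pool,
	}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	return srv
}

// call GETs srv presenting client's certificate (nil = none); returns the body or the TLS error.
func call(srv *httptest.Server, client *tls.Certificate) (string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the server cert
	if client != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runDemo tries three callers: anonymous, a certificate with the right name from an
// untrusted issuer, and a certificate from the trusted CA. Only the last should succeed.
func runDemo() (anonOK, rogueOK bool, body string, err error) {
	ca := issueCert("internal-ca", true, nil)
	payments := issueCert("payments-service", false, ca)
	rogue := issueCert("payments-service", false, nil) // right name, wrong issuer
	srv := newMTLSServer(ca)
	defer srv.Close()
	_, e := call(srv, nil)
	anonOK = e == nil
	_, e = call(srv, rogue)
	rogueOK = e == nil
	body, err = call(srv, payments)
	return
}

func main() { fmt.Println(runDemo()) }
```

The security-relevant line is `ClientAuth: tls.RequireAndVerifyClientCert`: with `tls.RequestClientCert` or `tls.VerifyClientCertIfGiven` an anonymous caller still gets through. Note also that the server takes the caller's identity from the verified certificate rather than from anything in the request, and that the client certificate is short-lived, so expiry and re-issuance replace revocation as the rotation mechanism.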
Mo Plassnig, Chief Product Officer & Chief Growth Officer at Immuta, highlights the importance of integration with current, overarching security implementations:
“In security everything starts with identity – knowing who the users are (which is authentication). But, it doesn’t end there. From there you must look at what those users can do (authorization) and then monitor what they did (accounting/auditing). Historically, implementing these three “A’s” of security – authentication, authorization, and accounting – has been a very difficult, time-consuming, and risky process.
“As the amount of data in the cloud continues to explode, many organizations are not considering all three A’s. Recent data indicates that more than half (53%) of data professionals are getting over-provisioned access to data. While this is done with the goal of streamlining processes, encouraging collaboration, and easing administrative burden, it often leaves organizations open to unnecessary risk.
“While getting a modern identity management system in place is a starting point, it needs to be integrated with overall data security strategies that are designed for the modern cloud data stack. Breakdowns in security are happening at the point of data access so ensuring you have a solution in place to detect when there is an insider threat and change policies is critical.”
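Mulvaney's list of human-identity controls (least privilege, reviewing identity logs and unauthorized-activity alerts) and Plassnig's three A's point at the same concrete check: join the authorization record of what each principal is granted with the accounting record of what they actually did. The Go program below is an added example, not Immuta's or Clumio's code. The grant table, the action names and the audit log lines are constructed for illustration, including one malformed line and one principal that appears in the log with no grant at all; a real run would read the same shape of data from a cloud provider's audit trail.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEvent is one accounting record: who attempted what, and the authorization decision.
type auditEvent struct {
	Time      string `json:"ts"`
	Principal string `json:"principal"`
	Action    string `json:"action"`
	Result    string `json:"result"` // "allow" or "deny"
}

// finding is the identity-hygiene result for one principal.
type finding struct {
	Unused    []string // granted but never exercised in the window: revoke candidates
	Denied    []string // attempted and refused: unauthorized-activity alerts to triage
	Ungranted []string // exercised without a grant: policy drift or a broken enforcement point
}

// Constructed sample data: grants for a human analyst and a machine identity, plus
// newline-delimited JSON audit records, one of them malformed and one from an unmanaged principal.
var sampleGrants = map[string][]string{
	"alice":       {"s3:GetObject", "s3:ListBucket", "s3:DeleteObject"},
	"etl-service": {"s3:GetObject", "s3:PutObject", "kms:Decrypt", "kms:ScheduleKeyDeletion"},
}

const sampleLog = `
{"ts":"2023-04-03T09:12:00Z","principal":"alice","action":"s3:ListBucket","result":"allow"}
{"ts":"2023-04-03T09:12:05Z","principal":"alice","action":"s3:GetObject","result":"allow"}
{"ts":"2023-04-03T23:41:10Z","principal":"alice","action":"iam:CreateUser","result":"deny"}
{"ts":"2023-04-04T02:00:00Z","principal":"etl-service","action":"s3:GetObject","result":"allow"}
{"ts":"2023-04-04T02:00:01Z","principal":"etl-service","action":"kms:Decrypt","result":"allow"}
{"ts":"2023-04-04T02:00:02Z","principal":"etl-service","action":"s3:PutObject","result":"allow"}
{"ts":"2023-04-04T02:00:03Z","principal":"etl-service","action":"sts:AssumeRole","result":"allow"}
{"ts":"2023-04-04T02:00:04Z","principal":"svc-backup","action":"s3:GetObject","result":"allow"}
this line is not JSON and must be surfaced, not silently dropped
`

// parseAuditLog decodes NDJSON events. Malformed lines come back separately, because a gap
// in the accounting trail is a finding in its own right.
func parseAuditLog(raw string) (events []auditEvent, malformed []string) {
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil || ev.Principal == "" || ev.Action == "" {
			malformed = append(malformed, line)
			continue
		}
		events = append(events, ev)
	}
	return events, malformed
}

// minus returns the sorted members of a that are not in b; nil maps are treated as empty.
func minus(a, b map[string]bool) []string {
	var out []string
	for k := range a {
		if !b[k] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// analyze joins authorization (grants) with accounting (events). Every principal seen in
// either source gets a finding, so an identity that acts without any grant is reported too.
func analyze(grants map[string][]string, events []auditEvent) map[string]finding {
	granted := map[string]map[string]bool{}
	for p, actions := range grants {
		granted[p] = map[string]bool{}
		for _, a := range actions {
			granted[p][a] = true
		}
	}
	used, denied := map[string]map[string]bool{}, map[string]map[string]bool{}
	for _, ev := range events {
		target := used
		if ev.Result != "allow" {
			target = denied
		}
		if target[ev.Principal] == nil {
			target[ev.Principal] = map[string]bool{}
		}
		target[ev.Principal][ev.Action] = true
	}
	out := map[string]finding{}
	for _, m := range []map[string]map[string]bool{granted, used, denied} {
		for p := range m {
			out[p] = finding{
				Unused:    minus(granted[p], used[p]),
				Denied:    minus(denied[p], nil),
				Ungranted: minus(used[p], granted[p]),
			}
		}
	}
	return out
}

func main() {
	events, malformed := parseAuditLog(sampleLog)
	fmt.Printf("%+v\n%d malformed audit line(s)\n", analyze(sampleGrants, events), len(malformed))
}
```

Three kinds of finding come out of the join. Granted-but-unused permissions (here `alice`'s `s3:DeleteObject` and `etl-service`'s `kms:ScheduleKeyDeletion`) are the over-provisioning Plassnig describes and are the ones to revoke first. Denied attempts are the unauthorized-activity alerts Mulvaney mentions. Used-but-ungranted actions, and principals such as `svc-backup` that have no grants at all, mean the policy under review is not the policy actually being enforced, which is the most urgent finding of the three.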
Implementing policies in IAM.
John DeSimone, President of Cybersecurity, Intelligence and Services at Raytheon Intelligence & Space, emphasizes a need for good policies in IAM:
“Core to successful identity management is ensuring that the right policies, governance, and technologies are in place to give people access to the systems they need. While these elements can be managed at the component level, the best way for organizations to handle identity management is through a Zero Trust roadmap that implements the most important areas of protecting identity management first. Failure to think through these elements and manage them strategically can lead to breaches and enable attackers to jump from server to server and infect large quantities of computers and end users.”