Are you taking these crucial steps to improve your identity security posture?
Cybersecurity has been called a journey. It’s also been called a work in progress. That’s because for every security measure you put in place, threat actors respond by finding work-arounds, backdoors, or other new and ingenious ways to breach your systems. And they come from everywhere. Malicious insiders, external bad actors, and more threaten your organization’s people, assets, and cloud-based infrastructure. Cybersecurity Awareness Month gives us an important opportunity to review our current IT practices and assess their effectiveness.
Due to the enormous changes in the way we work brought on by the pandemic, the threat landscape is broadening. There are more avenues to break into systems: people, places, devices, and apps. We are in a new world of ubiquitous computing. In the words of security analyst Keren Elazari, “... we are conducting our digital business from any device, platform, tablet, phone, any computer that we have, anywhere in the world.”
The Threat Landscape is Always Evolving. How Will You Respond?
Identity is one of the favorite attack vectors for bad actors. In fact, according to a recent report from the Identity Defined Security Alliance (IDSA), 79% of the companies surveyed experienced an identity-related breach within the past two years. If attackers get control of the right identity, they can break into a network, move laterally once inside, facilitate fraud, and extract sensitive data. And they have many ways of capturing an identity – phishing, credential stuffing, and social engineering, to name a few. To ensure a high level of security today, protecting identities must be a top priority.
In the lightning-fast pace of today’s business, we tend to do what’s expedient rather than what’s safe. In fact, many CISOs tend to prioritize ease of access and user experience first, then regulatory compliance (so they don’t fail audits). Security, unfortunately (and often to the company’s detriment), comes in third. But it doesn’t have to.
Taking a Proactive Approach to Cybersecurity is Key
The concept of cyber hygiene can be helpful here. Cyber hygiene includes routine practices and precautions companies take to ensure sensitive data, including identity data, is safe and secure from theft and outside attacks. Cyber hygiene practices are inherently proactive: it’s been shown that proactive thinking is vastly more effective than the reactive approach that many of us take. According to the IDSA report, only “34% of companies with a ‘forward-thinking’ security culture have had an identity-related breach in the past year – far fewer than the 59% of companies with a ‘reactive’ security culture.” These access-related issues come down to control: closely monitoring what happens when an identity-related event – one triggered by a joiner, mover or leaver – occurs. Are you continuously monitoring changes in access within your organization? How can you ensure that preventative access controls are enforced?
Here are five crucial steps to take:
- Take a lifecycle management approach to every identity – Orphaned accounts are a security threat. To prevent them, it’s critical that organizations can rationalize identities, aligning access consistently across their IT ecosystem. To do so, they’ll need to directly link accounts to identities in a single, centralized repository. This will also make it possible to automate provisioning and deprovisioning when identities are added, moved or removed, ensuring that credentials are not orphaned. This capability is also crucial to delivering access whenever it’s needed, while removing it when it’s not.
- Employ risk-based decision making – To address the issue of “excessive access,” use a risk-based approach. An identity platform that incorporates risk-based decision-making can bring in-depth knowledge of the existing access and identity context to the decision process regarding a user’s level of privilege. A risk-based approach keeps security top-of-mind. Not only can the right solution greatly increase security, it can also simplify the process of meeting compliance mandates, saving time and reducing labor costs.
- Limit the number of privileged accounts and the length of time a user has privilege – Use Just-in-Time (JIT) provisioning and adopt a policy of “no standing privilege.” This step reduces the number of privileged accounts, decreasing the attack surface. You can also adopt the principle of least privilege to avoid entitlement creep. Least privilege practices ensure users are only given the level of access needed to perform their jobs – so users are never given more access than they need. Finally, build a Zero Trust architecture to continually verify user access during a session, as opposed to traditional password-based “one and done” systems that require credentials only once to permit access.
- Automate access review processes – Reliance on manual access review can lead to proliferation of orphaned accounts and excess access. These review processes can be time-consuming and error-prone: if there are too many users and accounts – and there can often be hundreds – managers will be tempted to simply “Select All” and “Approve All.” A risk-based system that automates this process and flags high-risk situations can be an important way to ensure that access reviews are properly conducted and security risks mitigated.
- Take an analytics-based approach to measure hygiene over time and ensure continuous compliance – An identity platform that includes advanced, data-rich analytics can provide the right metrics to quantify organizational risks and illustrate whether the identity program is helping monitor, manage, and reduce risk. Those risks could be unmanaged identities or applications, excessive permissions, applications with control or separation-of-duties (SoD) failures, and more. These metrics can also drive the program forward by mapping progress toward maturity – and even demonstrate this progress to key stakeholders in the organization.
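To make the first, third and fourth steps concrete, the following added example (not from the original article or any identity product) reconciles an account inventory against a central identity repository, flags orphaned accounts and standing privilege, and orders the result so reviewers see the riskiest items first. The data model, the names and the 8-hour JIT window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: an authoritative identity repository and an
# account inventory gathered from applications. All names are hypothetical.
IDENTITIES = {
    "E100": {"name": "a.rivera", "status": "active"},
    "E101": {"name": "b.chen", "status": "terminated"},   # leaver
    "E102": {"name": "c.okafor", "status": "active"},
}
ACCOUNTS = [
    {"app": "crm", "login": "arivera", "owner": "E100", "privileged": False, "expires": None},
    {"app": "erp", "login": "bchen", "owner": "E101", "privileged": False, "expires": None},
    {"app": "db", "login": "svc_report", "owner": None, "privileged": True, "expires": None},
    {"app": "cloud", "login": "cokafor-adm", "owner": "E102", "privileged": True, "expires": None},
    {"app": "cloud", "login": "arivera-jit", "owner": "E100", "privileged": True,
     "expires": datetime(2024, 1, 1, 12, 0)},
]
JIT_WINDOW = timedelta(hours=8)  # assumed maximum lifetime of a privileged grant

def is_orphaned(account, identities):
    """No linked identity, or the linked identity is no longer active."""
    owner = identities.get(account["owner"])
    return owner is None or owner["status"] != "active"

def is_standing_privilege(account, now):
    """Privileged access with no expiry, or one beyond the JIT window."""
    if not account["privileged"]:
        return False
    return account["expires"] is None or account["expires"] - now > JIT_WINDOW

def review_queue(accounts, identities, now):
    """Score each account so reviewers see the riskiest items first."""
    rows = []
    for acct in accounts:
        reasons = []
        if is_orphaned(acct, identities):
            reasons.append("orphaned")
        if is_standing_privilege(acct, now):
            reasons.append("standing-privilege")
        # Orphaned accounts weigh more: nobody is accountable for them.
        score = 2 * ("orphaned" in reasons) + ("standing-privilege" in reasons)
        if score:
            rows.append((score, f'{acct["app"]}/{acct["login"]}', reasons))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, account, reasons in review_queue(ACCOUNTS, IDENTITIES, datetime(2024, 1, 1, 9, 0)):
        print(score, account, ", ".join(reasons))
```

Accounts that score zero, such as the time-boxed `arivera-jit` grant, stay out of the queue, which keeps the review list short enough that each item can be examined rather than bulk-approved.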
Many identity platforms promise – but don’t deliver – lower risk profiles, improved decision making, reduced compliance violations, and hardened security postures built around Zero Trust. It’s critical that your identity vendor provides the framework and capabilities to improve cyber hygiene. Taking these steps to build a more robust identity system will thwart security attacks and keep your organization secure. As you continue on your cybersecurity journey, I urge you to take proactive measures – and be careful out there.