Fortify Your Security: Avoiding Common Identity Management Missteps
Posted November 8, 2024 by Sayers
The core of identity security involves knowing which people and machines are in your network, how they’re interacting, and where to remediate to prevent breaches.
Today’s companies must tackle multiple elements of identity security to manage access to their systems and data, while staying resilient against evolving threats.
According to CrowdStrike’s Global Threat Report, identity-based attacks surged in 2023, with increasingly popular tactics such as MFA bypass and using stolen API keys to gain initial access. CrowdStrike found:
80% of cyberattacks now involve stolen or compromised credentials, enabling subtle but destructive identity-based attacks.
Identity and access management (IAM) has become one of the top in-demand topics by security and risk management leaders. Here, Sayers offers a closer look at identity security and the pitfalls to avoid.
Five Foundations For Identity Management
Bad actors continue to evolve their attempts to steal identity and gain unauthorized access. In parallel, our view of the identity space has moved beyond three pillars to five main foundations for identity management:
Identity governance and administration (IGA) – This ongoing effort governs how access is requested, approved, provisioned, reviewed and removed throughout your organization, using the other foundational identity elements to enforce those decisions. Provisioning access deliberately and auditing it continuously (for example through periodic access certifications) limits the risk of data breaches by ensuring people have access only to what they need in their current roles.
Identity and access management – IAM solutions focus on how you grant access for your workforce, customers, and machines to your organization’s systems, applications, and data. IAM reduces risk for the organization, balances user experience with security requirements, and reduces the impact of stolen credentials.
Privileged access management – PAM addresses how you grant elevated, administrator access to resources of higher importance or risk. PAM reduces the risk of stolen administrator credentials, ensures all admin credentials are unique rather than shared, and limits how long a stolen credential stays usable, for example by rotating vaulted credentials after each checkout and by recording privileged sessions.
Identity threat detection and response – This newer technology in the identity stack encompasses tools and best practices to defend identity systems from threat actors and credential misuse. ITDR tools focus more heavily on identifying risky accounts or configurations and recommending remediation.
Workforce password management – WPM gives you a place to store and vault passwords in the cloud or, in some cases, on-premises. Only the end user holds the master secret that unlocks their vault, so the vendor and your administrators cannot read the stored passwords; administrators do get visibility into risk indicators such as weak passwords, password reuse, and whether credentials have appeared in a known breach. WPM came under greater scrutiny after password management service LastPass announced data breaches in 2022.
Security Drivers That Make The Case For Identity Management
You’ve heard the warning: It’s not IF your organization will be breached, but WHEN.
CyberArk’s Identity Security Threat Landscape 2024 Report goes further about the need to prepare your organization to withstand multiple breaches, citing:
93% of companies have suffered identity breaches two or more times in the last year.
Several security drivers make the case for strengthening your organization’s identity management:
Cybersecurity insurance. As companies try to transfer cyber risk to insurers, underwriters are looking more closely at whether organizations actually use identity controls. Those questions go beyond multi-factor authentication into the PAM area: how privileged identities and access are secured.
Joe Schnell, Senior Cybersecurity Architect at Sayers, says:
“If your CEO gets an exception not to use MFA, then that starts to open up an organization to business e-mail compromise and other risks. Cybersecurity insurance companies are pushing more demands around identity, not just checking a box that you’re using MFA, for example, but also how you are using it.”
Zero trust. In many cases, vendors that want to get into the zero trust conversation focus heavily on the endpoints, the network, and the technical controls. But identity needs to be a major focus there as well, since every access decision in a zero trust model starts with a verified identity.
Identity-first security. This focuses not just on assets, devices, and applications, but also on who has access to those and how to secure those identities.
Zero standing privilege. A cornerstone of some of the newer PAM solutions such as those from Saviynt and Microsoft, zero standing privilege reduces both insider misuse and the value of a stolen administrator credential, because there is no always-on privilege to abuse. With ZSP, an administrator’s access to an application doesn’t exist until right when they need it. Such dynamically provisioned access allows the administrator to perform their work for a specific time before access is removed.
Ransomware resilience. This approach limits users’ access rights to control the damaging impact of ransomware. Even if a user’s credentials are compromised, the limited access rights confine the ransomware to what those credentials can reach.
Overall security posture improvement. Proactively monitoring and managing identities and access rights to sensitive information helps improve your organization’s overall security posture.
Identity Management Pitfalls To Avoid
A mature identity management program needs a strong identity leader focused on this space to manage and set guidance and governance. Without such guidance, organizations stumble and can make any number of common mistakes:
If your access management approach is “MFA and call it a day,” it’s time to rethink how you protect yourself from malicious hackers. Multi-factor authentication is stronger than single-factor, but not all MFA offerings are created equal: one-time codes and push approvals can still be phished, relayed through a proxy, or worn down by prompt bombing.
According to the Cybersecurity and Infrastructure Security Agency, the gold standard for multi-factor authentication is phishing-resistant MFA, such as authenticators based on the Fast IDentity Online (FIDO) web authentication standard (CISA also counts PKI-based methods such as smart cards in this category). A FIDO credential is bound to the site it was registered with, and the browser, not the user, supplies the origin of the page requesting the login. If a phishing ploy lures a user onto a look-alike website, the authenticator will not produce a valid response for the real site, and there is no code for the user to hand over. FIDO2 authenticators can be built into a device (platform authenticators) or carried as physical security keys, and are unlocked locally with a PIN or biometric; that PIN or biometric verifies the user to the authenticator and is never sent to the website.
Is your MFA configured correctly? Do you have leadership and governance around it to ensure it helps meet the security needs of your organization?
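To make the phishing-resistance point concrete, the following is an added example, not code from the Sayers post, CISA or the FIDO Alliance. It models the two WebAuthn rules that defeat a look-alike login page: the browser only lets a page request a relying-party (RP) ID that is its own host or a parent domain of it, and the authenticator signs over the RP ID hash plus a hash of the client data in which the browser has recorded the real origin. The RP ID example.com, the allowed origins, and the look-alike domain login-example.com are assumptions for the illustration, and HMAC-SHA256 with a per-credential secret stands in for the real ECDSA/EdDSA key pair so the example runs on the Python standard library alone.

```python
"""Model of why a FIDO2/WebAuthn login cannot be phished by a look-alike site.

Added illustration; not the Sayers page's code. The 'signature' is an HMAC with
a per-credential secret, a stand-in for the authenticator's real asymmetric key.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example.com"                                                   # assumed
ALLOWED_ORIGINS = {"https://login.example.com", "https://example.com"}  # assumed
FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flag bits: user present / verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Authenticator:
    """Security key or platform authenticator: one credential per RP ID."""

    def __init__(self):
        self.creds = {}  # rp_id -> [secret, signature counter]

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = [secrets.token_bytes(32), 0]
        return self.creds[rp_id][0]  # the RP stores this as the credential's public key

    def get_assertion(self, rp_id: str, client_data: bytes, user_verified: bool = True):
        if rp_id not in self.creds:
            return None  # no credential scoped to this RP ID: nothing to hand over
        secret, count = self.creds[rp_id]
        count += 1
        self.creds[rp_id][1] = count
        flags = FLAG_UP | (FLAG_UV if user_verified else 0)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
                     + bytes([flags]) + count.to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data).digest()     # covers the origin
        sig = hmac.new(secret, signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def browser_get(page_origin: str, requested_rp_id: str, challenge: bytes, authn: Authenticator):
    """Browser side of navigator.credentials.get(): the page cannot choose the origin."""
    host = urlparse(page_origin).hostname
    # Real browsers also refuse public suffixes such as "com"; omitted here.
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"SecurityError: {requested_rp_id!r} is not a suffix of {host!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    return authn.get_assertion(requested_rp_id, client_data)


def verify_assertion(assertion: dict, challenge: bytes, secret: bytes, last_count: int):
    """Relying-party side checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not registered for this RP"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & FLAG_UV:
        return False, "user verification (PIN/biometric) missing"
    if int.from_bytes(auth[33:37], "big") <= last_count:
        return False, "sign count did not advance (cloned authenticator?)"
    expected = hmac.new(secret, auth + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Legitimate login versus the ways a phisher might try to reuse the credential."""
    authn = Authenticator()
    secret = authn.register(RP_ID)
    challenge = secrets.token_bytes(32)
    out = {}
    good = browser_get("https://login.example.com", RP_ID, challenge, authn)
    out["legit"] = verify_assertion(good, challenge, secret, 0)[0]
    try:  # look-alike domain asks for the real RP ID: the browser refuses outright
        browser_get("https://login-example.com", RP_ID, challenge, authn)
        out["phish_real_rpid"] = "assertion produced"
    except ValueError as err:
        out["phish_real_rpid"] = str(err)
    # look-alike domain asks for its own RP ID: the user has no credential for it
    out["phish_own_rpid"] = browser_get("https://login-example.com", "login-example.com", challenge, authn)
    forged = dict(good, signature=secrets.token_bytes(32))  # right origin, no private key
    out["forged"] = verify_assertion(forged, challenge, secret, 0)[1]
    out["replay"] = verify_assertion(good, secrets.token_bytes(32), secret, 0)[1]
    other = browser_get("https://dev.example.com", RP_ID, challenge, authn)  # browser allows
    out["unlisted_origin"] = verify_assertion(other, challenge, secret, 0)[1]  # RP still rejects
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point a practitioner should take from the model is that the user never has anything to give away: the look-alike site either cannot invoke the credential at all or receives nothing that verifies against the real relying party, which is what makes FIDO phishing-resistant where one-time codes are not. The last case shows why the relying party must still check the origin itself rather than trusting the browser alone.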
If your privileged access management approach is “We have LastPass,” which vaults credentials for your administrators to use, then you haven’t gone far enough. Privileged access is more than just store-and-share, especially when it comes to malicious insider attacks. Such attacks are among the costliest, with an average impact of $4.99 million, according to the 2024 IBM Cost of a Data Breach Report.
By using basic PAM practices such as least privilege, you can significantly reduce the risk of an insider threat. Least privilege means every account holds only the rights its role requires; combined with just-in-time elevation, administrators receive elevated access only for a designated task and only for as long as that task takes.
If your approach to identity governance and administration is “We have some really good scripts” to help automate the Joiners, Movers, and Leavers process, you essentially have home-built IGA-light capabilities. Such scripts rarely cover approvals, access reviews, or an audit trail, and what happens when the person who manages and updates those scripts moves on?
Trying to save money today with a light IGA offering can be short-sighted. According to Gartner research:
“Many organizations choose to add light IGA capabilities from cloud and platform vendors, rather than choosing an IGA suite with comprehensive IGA capabilities. This approach can result in compliance failures, since light IGA solutions lack critical governance features.”
As those organizations realize they’re missing some essential governance features, they start to bolt on additional light IGA tools that add complexity. Ultimately they’re faced with a rip-and-replace to meet their ongoing governance needs.
Regulations And Compliance Drive Accountability Among IAM Leaders
Organizations increasingly must meet compliance requirements from regulations and standards that address identity and access control. The following regulations or governing bodies have specific provisions around identity:
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act
- Payment Card Industry Data Security Standard
- Health Insurance Portability and Accountability Act
- General Data Protection Regulation
- North American Electric Reliability Corporation
With 80% of breaches involving identity and compromised credentials, more organizations are promoting IAM leaders into executive roles with greater accountability and focus on compliance.
Identity management is rising to the ranks of the C-Suite, where it can receive additional visibility, support, and budget. According to insights from the Gartner Risk and Security Summit:
25% of IAM leaders will be responsible for both cybersecurity and business results, operating from the C-Suite as chief identity officers (CIDOs) by 2025.
Questions? Contact us at Sayers today to discover extensive technology solutions, services, and expertise to cover all areas of your business including identity management and security.