Tech Newsday
Identity Management Day advice from an expert

by Howard Solomon
April 13, 2022
in Security
Last week the parent company of a mobile money transfer utility called CashApp began notifying over 8 million customers and employees that their names and brokerage data were stolen by a former employee. When that person left the company, their access to at least some of the company’s systems wasn’t canceled. As a result they were able to download a number of reports.

Perhaps this is no surprise. According to a survey in a report by CyberArk Software, released today (registration required), employees estimate they access an average of 30 applications or accounts that aren’t managed by federated identities.

While the CashApp stolen data didn’t include passwords, Social Security numbers or payment card information that could be immediately monetized, the incident was at least embarrassing. It’s the latest example of why identity management of employees, partners and customers has to be a vital part of the defence strategy of every IT leader.

Yet it’s not managed tightly enough. For example, only 48 per cent of respondents in the CyberArk survey said their organization has identity security controls for their business-critical applications.

This is one reason why IT vendors have declared April 12th Identity Management Day. Now that the day is in its second year, they hope IT leaders — and consumers — will take time to consider if their identity and access management practices meet not only today’s challenges but those of the near future.
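A leaver whose access is never cancelled, as in the incident above, is something a routine reconciliation check can surface. The following is an added example, not part of the original article or any vendor's tooling: it compares an HR roster with per-application account exports, including applications outside federated identity, and flags accounts that were used or left enabled after the owner's departure. The roster, the account records, the field names and the function names are all constructed for illustration.

```python
from datetime import date

# Constructed HR roster: employee id -> last working day (None = still employed).
HR_ROSTER = {"e100": None, "e200": date(2021, 12, 10), "e300": date(2022, 3, 1)}

# Constructed per-application account exports. "federated" marks whether the
# app is provisioned through the central identity provider.
ACCOUNTS = [
    {"app": "sso", "federated": True, "owner": "e100", "enabled": True, "last_login": date(2022, 4, 11)},
    {"app": "sso", "federated": True, "owner": "e200", "enabled": False, "last_login": date(2021, 12, 9)},
    {"app": "reports", "federated": False, "owner": "e200", "enabled": True, "last_login": date(2022, 1, 15)},
    {"app": "wiki", "federated": False, "owner": "e300", "enabled": True, "last_login": date(2022, 2, 20)},
    {"app": "reports", "federated": False, "owner": "svc-old", "enabled": True, "last_login": None},
]

def find_leaver_access(roster, accounts):
    """Return (app, owner, reason) for accounts that outlived their owner's employment."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner not in roster:
            # No HR record at all: nobody is accountable for this account.
            if acct["enabled"]:
                findings.append((acct["app"], owner, "unowned"))
            continue
        left_on = roster[owner]
        if left_on is None:
            continue  # current employee
        last = acct["last_login"]
        if last is not None and last > left_on:
            # Strongest signal: the account was used after the departure date.
            findings.append((acct["app"], owner, "used_after_departure"))
        elif acct["enabled"]:
            findings.append((acct["app"], owner, "enabled_after_departure"))
    return findings

def unfederated_share(findings, accounts):
    """Fraction of findings located in apps outside federated identity."""
    fed = {a["app"]: a["federated"] for a in accounts}
    if not findings:
        return 0.0
    return sum(not fed[app] for app, _, _ in findings) / len(findings)

if __name__ == "__main__":
    for finding in find_leaver_access(HR_ROSTER, ACCOUNTS):
        print(finding)
```

In this constructed data every finding sits in an application that is not federated, which is where deprovisioning through the central identity provider does not reach.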


Identity and access management (IAM) is key to a zero trust framework, which infosec pros say is a must-have for organizations today. Hybrid IAM solutions are must-haves for organizations running combined on-premise and cloud environments.

Identity management can be limited to “joiner/mover/leaver” employees (from hiring to departure), in the words of Andras Cser, vice-president and principal analyst for Forrester Research’s security and risk management practice. But, he said in an interview, it should also include access management (IAM) — the limiting of access to data to only those who need it, otherwise known as restricting the number of privileged accounts.

Directly or indirectly, identity issues — meaning stolen or lost credentials — may be involved in over 80 per cent of data breaches, he said.

“If you look at most breaches there is some kind of escalation or lateral movement by the attacker. The attacker gains access to a desktop or laptop and from then on their task is to harvest any kind of credential to move to other systems and penetrate deeper.

“There are other ways of doing it, but if you have the identity of [or credentials with access to] a sensitive database or server, or an administrator password, it’s a lot easier to penetrate than any other way.”

With the compromise of usernames and passwords featuring so prominently in many intrusions, why, Cser was asked, don’t IT leaders take it seriously enough?

“There’s a lot of complacency,” he replied, with firms “hoping that they’re not going to be a target. Still keeping passwords around is my pet peeve. Passwords for anything security-related has run its course. You should not rely on passwords at all. I know it’s easy and cheap, but passwords are a thing of the past.”

Use multifactor authentication (MFA), or passwordless solutions such as biometrics for identity management, he urged. “Anything but passwords.”

MFA has to be properly adopted, he agreed, which means not using insecure methods for sending an extra authentication code, like SMS texts. Other measures, such as ensuring a threat actor can’t convince support teams to add a hacker-controlled phone or email for sending codes, also have to be adopted.


Second, he added, “people have these overarching identity strategies — which is good — but you have to implement things in really small chunks. It [identity management] is such a vast domain. People are anxious about getting results, but you have to do the homework — especially when it comes to managing the joiner/mover/leaver process.

“Another mistake people make is they think identity management tools are a replacement for business process design, which is absolutely not the case. If you have an old and obsolete identity infrastructure, a shiny new solution won’t solve your problems — in fact it will only make them worse.”

For example, he said, a complex employee or customer onboarding process has to be simplified before adding an IAM tool. “An IAM tool can do almost any kind of mapping to your business process, but if your business process is idiotic to begin with, and overly-complex, you’re just implementing an existing mess.”

The biggest problem is multiple entry points for creating customer user IDs, he said. A large bank, for example, might have different portals for creating user IDs from different business units. As a result there are ID silos.

“The last mistake is not treating identity and access management as a mission-critical infrastructure, the way network security is.”


Asked what IT leaders should be doing, Cser said IAM governance is only part of the solution. IT also has to get rid of passwords; automate the IAM side of onboarding, internal transfers and departures; and, if it must allow employees to use passwords, periodically force a reset for best security.

In its report, CyberArk said that CIOs/CISOs said they are implementing real-time monitoring and analysis to audit all privileged session activity; implementing least privilege security / zero trust principles on infrastructure that runs business-critical applications; and adding processes to isolate business-critical applications from internet-connected devices to restrict lateral movement.

The post Identity Management Day advice from an expert first appeared on IT World Canada.