How SMBs can create an identity management strategy

Identity management is crucial for an effective cybersecurity defence, but isn’t as hard as some organizations believe, experts said at a webinar held as part of Identity Management Day. In fact one speaker, Lawrence Cruciana, president of North Carolina-based managed security service provider Corporate Information Technologies, reduced creating an identity management plan down to a phrase for small businesses: “TWO STEPS.” Each letter in the phrase stands for one of eight points, which Cruciana hopes will make them easier to memorize:
1. Take an inventory of the organization’s data assets;
2. Write down all the systems that require identity for access, and the systems (like Active Directory) responsible for identity;
3. Outline your regulatory or contractual requirements for identity. For example, a partner may require your firm to have multifactor authentication before connecting to its network;
4. Stakeholder (business unit) alignment with the identity management program must be gained. For example, these employees have to use multifactor authentication, these people need a hardware token/USB key for access;
5. Trust is ephemeral, meaning it can’t be granted permanently to users. “We can’t just say, ‘Bob has access to this system’ and never review it,” he said;
6. Existing IT systems have to be considered under the identity management program, not just new systems;
7. Prioritize the application of identity management based on systems that have the greatest value or impact to the business;
8. Strategic buy-in from senior executives is essential. “Very often we see identity is seen as something you implement, it’s a technical step,” he said.

Identity management — especially in smaller organizations — needs to be elevated to the business process owners, the information system owner, and ultimately to the senior executive or board.

Cruciana was speaking during one of several sessions sponsored by the Identity Defined Security Alliance and the U.S. National Security Alliance. Often for a small business the key application is email, he noted. “Having strong identity management and a robust multifactor authentication program applied to email can mitigate the broadest areas of risk we see in small organizations,” he said.

Cruciana’s session was aimed at SMBs. Also during that session, Harry Perper of the Mitre Corp. noted the Center for Internet Security’s CIS cybersecurity controls include guidelines for implementing identity management. Multifactor authentication (MFA) may be the most important control an SMB can implement.
“Mandate it everywhere possible,” he said. Sending authentication codes by SMS text isn’t the safest method, he added, but in some cases may be good enough. Using an authenticator app (such as from Google, Microsoft or Duo) is safer. Hardware tokens in the form of USB keys that generate authentication codes should be reserved for employees who have privileged access to the most sensitive data and systems, he said.

In a separate session, Tom Sheffield, senior director of cybersecurity at retail chain Target, said any MFA system is better than none. In some cases, SMS-based authentication may be acceptable for guests on your network. It’s all about risk, he said. Discover your assets and map MFA against your risks. MFA should be rolled out in phases, he added, first going after the systems with the highest risk.

Some organizations are hesitant about MFA, said Martin Kuppinger, principal analyst at KuppingerCole Analysts, a Germany-based cybersecurity advisory firm. They worry it impedes system usability. This is a matter of education, he said. “Our thinking must be not to balance security and convenience, but how do we combine security and convenience.”

Manish Gupta, director of global cybersecurity services at Starbucks, talked about the coffee chain’s efforts to abandon passwords and demand facial or fingerprint recognition for employee logins, as well as behavior-based authentication. This starts with an application establishing a user’s baseline behavior — such as typing and mouse movement behavior — and then looking for anomalies. The technology depends on the strength of the analysis engine, he admitted. Going passwordless can be a struggle in some countries, he added, where regulations may restrict the use of biometrics or the use of smartphones to receive authentication codes.

“The best thing we can do as identity leaders is be the voice of security,” said Sheffield. “We need to speak to our cybersecurity partners, our business partners, our technology partners of the importance of all the foundational [cybersecurity] capabilities, and be the advocate for them and get [people] to understand why these are necessary.”

The post How SMBs can create an identity management strategy first appeared on IT World Canada.
Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
