Effective Identity Management is Essential for Effective Security
Few, if any, would dispute that effective identity management is essential to effective security, and that is especially true today. All organizations now have new digital assets coming online regularly: new web applications, new cloud services, new IoT devices, and even new bots going live. Each of these resources requires a credential, and those credentials must be adequately managed by the enterprise.
If these credentials aren’t properly managed and maintained, there’s a good chance bad actors will commandeer them and use them to steal data or disrupt your organization.
To minimize the chance of that happening, it’s essential that effective identity and access management practices be in place. Here are a number of good habits to keep in place for more effective identity management:
Make sure good password hygiene awareness is in place: While many of us know the basics, we need steady reminding. Regularly make sure that your staff understands what constitutes a strong password and how best to create one. Today, many apps and browsers will help users generate strong passwords. It’s also essential that they understand the dangers of password reuse. While using the same password for multiple applications and services is convenient, it’s too risky, because attackers will often take a trove of stolen credentials and use them to try to access other online services and applications illegally.
You can safely check whether your email address has been part of a breach, and so might be used in such attacks, here.
These credential attacks can be mitigated by changing passwords after a breach has been disclosed, and organizations can freeze account access after a certain number of failed login attempts.
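As an added illustration of the lockout measure described above (this is not code from the original post), the following Python script freezes an account after repeated failures within a time window and flags a source address that fails against many different accounts, the trace that replay of stolen credentials leaves in an authentication log. The log format, thresholds and sample lines are constructed assumptions.

```python
# Added example (not from the original post); the log format, thresholds
# and sample lines below are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: alice hits the lockout threshold, then one IP tries several accounts.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T09:00:05Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T09:00:09Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T09:00:12Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T09:00:15Z user=alice ip=203.0.113.5 result=FAIL
2024-05-01T09:00:20Z user=alice ip=203.0.113.5 result=OK
2024-05-01T09:01:00Z user=bob ip=198.51.100.7 result=FAIL
2024-05-01T09:01:02Z user=carol ip=198.51.100.7 result=FAIL
2024-05-01T09:01:04Z user=dave ip=198.51.100.7 result=FAIL
"""

MAX_FAILURES = 5                # freeze the account at this many failures
WINDOW = timedelta(minutes=10)  # failures older than this no longer count
STUFFING_ACCOUNTS = 3           # distinct accounts failed from one IP

def analyze(log_text, max_failures=MAX_FAILURES, window=WINDOW,
            stuffing_accounts=STUFFING_ACCOUNTS):
    """Return (frozen accounts, IPs failing against many distinct accounts)."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked, targets = set(), defaultdict(set)
    for line in log_text.splitlines():
        ts_str, *kv = line.split()
        e = dict(p.split("=", 1) for p in kv)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        user, ip = e["user"], e["ip"]
        if user in locked:
            continue              # frozen: the attempt is rejected, not counted
        if e["result"] != "FAIL":
            recent[user].clear()  # a successful login resets the counter
            continue
        targets[ip].add(user)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures:
            locked.add(user)      # frozen until an administrator unlocks it
    stuffing = {ip for ip, users in targets.items()
                if len(users) >= stuffing_accounts}
    return locked, stuffing
```

Note that alice's later correct password is rejected because the freeze happened first; that is the intended behaviour of a lockout, and it is why the unlock step belongs to an administrator or a verified reset flow.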
Enforce good password security policies: While awareness helps, it’s usually not enough. Sure, your staff will want to do the right thing and manage their passwords securely. However, we all fall back into old habits. We’ll be in a hurry and pick an easy-to-remember password. We’ll reuse the same password across multiple sites from time to time. So to ensure employees are doing their part when it comes to security, it’s essential that the enterprise enforce such policies through ongoing account audits for potentially suspicious activity. If there has been a data breach involving email addresses from your organization, notify those users to change their passwords. Closely monitor and enforce privileged-account security and compliance policies. Audit passwords for their strength.
Consider multifactor authentication where it makes sense: While multifactor authentication is not necessary for every account, especially for applications and resources that pose a low risk, it’s a good idea to protect high-risk services and apps with an additional form of authentication. Strong authentication can better protect accounts that, if compromised, could cause significant damage to the organization; it is essential for privileged and administrative accounts, for instance.
Biometrics are finally growing more popular. According to a survey conducted by the University of Texas at Austin, 58 percent of respondents said they feel very comfortable with fingerprint-scanning biometrics. This is due to the widespread acceptance of fingerprint biometrics on smartphones.
Don’t consider identity management efforts “projects”: When talking with enterprises and other organizations, this is something I run into all the time. Too often they treat identity management deployments and process improvements as projects, a one-off effort. But identity management requires continuous work to remain effective.
This is typically achieved through sustained executive sponsorship, and keeping the application and line-of-business stakeholders continuously aligned, so that the organization can more readily adapt as applications, technologies, and job roles evolve.
Identity management is a continuous process, much like security and risk management and regulatory compliance, and needs to be treated as the continuous management of business processes.
It’s time to start effectively managing bot and device identities: Bots and IoT devices will continue to swarm onto enterprise environments. According to the global management consultancy Bain & Company, the IoT market will grow from $235 billion in 2017 to $520 billion in 2021.
According to Mike Kiser, Global Security Advocate, Office of the CTO, at SailPoint, analysts estimate that 73 percent of organizations would have some kind of Internet of Things program, including bots, in place by the end of this year. “The potential for bots to be used without appropriate identity governance is significant. Businesses should be asking the right questions of their organizations and be on the lookout for automation programs that might be creating bots ad hoc. Being ahead of the curve is key to ensuring identity governance standards are met in the rush of early adoptions,” Kiser wrote.
Also, in his post “Welcoming Our New Bot Overlords,” Kiser wrote that intelligent bots, such as Alexa and Apple’s Siri, are not only a consumer phenomenon. These bots are rapidly encroaching into the enterprise space. From customer service chatbots to order fulfillment or booking travel for employees, “organizations are using bot technology to speed internal processes. As is the case with any new technology, bots are proliferating throughout the environment rapidly,” he wrote.
Make sure your organization has procedures in place to manage access for bots and IoT devices where appropriate.
Always automate what can be automated: As the number of enterprise apps and services grows, along with increased regulatory pressure, one thing is certain: managing identities isn’t getting simpler. There’s cloud, mobile, on-premises, IoT, bots and more all coming online and communicating with more apps, more services, more devices, and more people.
The only way organizations can keep up is to automate the processes that should be automated. That includes checking credentials against policy, looking for suspicious behavior, provisioning and de-provisioning users, user password resets, and other activities where automation makes sense.
This complexity and the increased speed of business today also mean that decisions must be made more rapidly even as they become more complicated. To keep up, when possible, organizations are going to need to rely more heavily on a new ally: machine learning. With machine learning, decisions can be made more rapidly or, when the risk is low, even automated away. I expect that in the years ahead more and more decisions regarding identity and access will be machine driven.
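An added example, not the author's or any vendor's code, of the provisioning, de-provisioning and credential-policy automation described above; it also applies the earlier point that bots and service accounts need managed access by requiring each non-human account to have an active human owner. The HR roster, directory snapshot, role model, owner register and policy values are constructed assumptions.

```python
# Added example (not from the original post); the roster, directory
# snapshot, role model, owner register and policy values are constructed.
from datetime import date, timedelta

# Constructed HR roster: the authoritative list of people and their roles.
HR = {
    "alice": {"status": "active", "role": "engineer"},
    "bob":   {"status": "active", "role": "finance"},
    "carol": {"status": "terminated", "role": "engineer"},
    "dave":  {"status": "active", "role": "finance"},
}
# Constructed directory snapshot: what each account actually holds.
DIRECTORY = {
    "alice": {"groups": {"vpn", "git"}, "pw_set": date(2024, 1, 10)},
    "bob":   {"groups": {"vpn", "erp", "git"}, "pw_set": date(2024, 4, 1)},
    "carol": {"groups": {"vpn", "git"}, "pw_set": date(2023, 6, 1)},
    "dave":  {"groups": {"vpn"}, "pw_set": date(2024, 5, 1)},
    "svc-backup": {"groups": {"backup-admin"}, "pw_set": date(2022, 3, 1)},
    "svc-legacy": {"groups": {"legacy-app"}, "pw_set": date(2024, 5, 1)},
}
ROLE_GROUPS = {"engineer": {"vpn", "git"}, "finance": {"vpn", "erp"}}
# Bots and service accounts are not in HR, so each must have a human owner.
NONHUMAN_OWNERS = {"svc-backup": "alice", "svc-legacy": "carol"}
MAX_PW_AGE = timedelta(days=365)   # assumed credential-age policy
TODAY = date(2024, 6, 1)           # fixed "now" so the run is reproducible

def reconcile(hr, directory, role_groups, owners, today, max_pw_age=MAX_PW_AGE):
    """Return the provisioning actions that bring the directory in line with HR."""
    actions = {"disable": [], "revoke": {}, "grant": {}, "rotate": []}
    for account, info in directory.items():
        # A non-human account inherits its owner's status; an orphaned bot
        # or a leaver's account is disabled rather than left running.
        person = hr.get(owners.get(account, account))
        if person is None or person["status"] != "active":
            actions["disable"].append(account)
            continue
        if account not in owners:       # role check applies to people only
            wanted = role_groups.get(person["role"], set())
            extra, missing = info["groups"] - wanted, wanted - info["groups"]
            if extra:
                actions["revoke"][account] = sorted(extra)
            if missing:
                actions["grant"][account] = sorted(missing)
        if today - info["pw_set"] > max_pw_age:
            actions["rotate"].append(account)  # stale credential: force reset
    return actions
```

Running `reconcile(HR, DIRECTORY, ROLE_GROUPS, NONHUMAN_OWNERS, TODAY)` disables the leaver and the bot she owned, trims bob's extra group, grants dave the group his role needs, and queues the backup service account for a credential rotation.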
Let’s face it, cybersecurity and identity are both essential to enterprise success, but if an organization wants to be effective in its approach to security, it’s going to have to be effective in its identity management.