The breaches that have occurred in the last year should be a rally cry for implementing basic identity management principles and evidence that an identity-related breach can happen to an organization of any size and have significant repercussions.
As we approach the second annual Identity Management Day, hosted by the Identity Defined Security Alliance and National Cybersecurity Alliance, we are encouraging all organizations to protect ALL digital identities (employees, contractors, third parties, customers, consumers, machines) through the following best practices, which may be enabled and enforced through MFA and other IAM security tools:
Clarify Ownership of ALL identities
Make sure to clearly define the individual or entity responsible for the creation, removal, ongoing maintenance and security of an identity within your organization. Identity should include four categories 1) employees, 2) contingent workers, contractors, or 3rd party identities, 3) machine identities (bots, RPA, application to application accounts, built-in IaaS accounts) and 4) customers.
Why? Given the on-going convergence of workforce and customer identity solutions, it is imperative that an IAM deployment handle all types of identities. Each of these identities has its own needs that can only be met if you first classify them.
Establish Unique Identifiers
Ensure the uniqueness of every human AND non-human identity in your directory. Identifiers should be established and used regardless of the relationship to the organization, for example a contractor who converts to an employee or a boomerang employee should maintain the same identifier when they return to the organization.
Why? Having a unique identifier for each identity allows organizations to maintain a trail of activity for each identity. if the identifier is changed, it makes identity activity tracking hard, identity management complex, and can also adversely impact audit and regulatory compliance.
Authoritative Source of Trusted Identity Data
Authoritative sources for identities provide essential data to make informed decisions regarding user access, including what access to provision and when to enable/disable that access.
Why? Since identity is so critical to decisions about granting access to applications and data, it is only natural to make sure that the source of identity is trusted. A strong root of trust for identity is therefore paramount.
Discovery of Critical and Non-critical Assets and Identity Sources
In a digitally driven business world, today’s infrastructure, applications, directories and networks are spread across on-premise and in the cloud environments, with mobile and virtual elements. The first step in securing an organization’s assets is to know what they are and where they are located.
Why? You cannot protect what you are not aware of. This adage is equally relevant for our diverse and multi-channel world. The first step in protecting resources is therefore to discover them.
Privilege Access Management
To secure access to critical assets implement a privileged access management solution that allows for higher assurance during an authentication event based on the current access profile of a user, the sensitivity of the resource/data and the elevated permissions being requested. Provide additional protection by applying MFA to privileged access and continuously discovering privileged access.
Why? Attackers use a compromised identity to infiltrate protected systems and then move laterally gaining elevated permissions. This allows them to use a weak identity to gain access to resources that should be protected by a strong and privileged identity.
Automate Provisioning/De-provisioning
Granting and revoking access to resources and data is fundamental to business operations and enterprise security. Automate the provisioning and de-provisioning of access through lifecycle events (join, move, leave) and tied to an authoritative source
Why? Automation is critical since a manual provisioning/de-provisioning process will invariably leave a window of opportunity for attackers to compromise the system. Especially “move” and “leave” events should not allow access through old identity once the event occurs.
Focus on Identity-Centered Security Outcomes
Identify security outcomes that protect the digital identities (human and non-human) and secure their access to enterprise data and resources. Combine identity and access management capabilities, such as authentication, authorization, identity governance and administration with security capabilities, such as user-behavior and device profiling to make informed access decisions. Consider related technology domains, for example, Zero Trust Network Security, Data Access Governance, and Endpoint Protection, which all have nexuses back to Identity security.
Why? Identity is a key pillar of all security frameworks. All authorization access, whether it is to applications, resources or data, is based on the identity (human or non-human). Systems provide access to someone, or to some entity. As such identity should be at the center of all access decisions.
Establish Governance Processes and Program
Establish a cross-functional team that oversees establishment and adherence to all IAM processes and policies and provides a vehicle to introduce improvements, as well as to determine overall impact prior to making any IAM program changes.
Why? A cross-functional team is needed because of the complex nature of IAM deployment. Such deployments impact different groups of users in different ways. If such lifecycle changes are done by a single team, the interest of other teams may be misunderstood, or even overlooked.