With a high percentage of cyberattacks starting with bad actors gaining access to corporate networks after stealing someone’s identity credentials, we asked Richard Bird of Ping Identity and Tony Cole of Attivo Networks about the value of Identity and Access Management.
Richard Bird, Chief Customer Information Officer, Ping Identity
Why is it important for enterprises to deploy an effective Identity and Access Management solution?
Eighty-five percent of cybersecurity breaches that have taken place over the past year are a result of a human element according to the Verizon 2021 Data Breach Investigations Report.
This all starts with bad actors gaining privileged credentials by using someone else’s identity. Those credentials could have belonged to someone who once worked at the company. Once they got inside, they collected additional credentials and used them for nefarious purposes.
Bad actors leveraging compromised credentials are hard to find as they look like they belong. Once they are ‘inside’, they can easily take things they shouldn’t be able to take. In 2020, the US lost more than US$86 billion worth of unemployment benefits to fraudsters; bad actors who figured out how to get inside and then look and act like qualified unemployment recipients.
The management and execution of a well-rounded cybersecurity program where identity is placed in the center can help reduce breach frequency.
What are the potential pitfalls of not deploying an effective Identity and Access Management solution?
Virtually every breach in the last 20 years can be traced back to an exploited weakness in Identity and Access Management.
Bad actors capitalize on exposed privileged credentials to execute supply chain attacks and fraudulent account takeovers, to lock up assets and deliver ransomware payloads, to facilitate business email compromise and to damage, destroy or take over operational technology.
Failing to deploy an effective Identity and Access Management program and solution is currently driving losses across industry verticals that total in the billions every single year. Additional costs include loss of brand reputation and trust, customers, technology, employees and productivity.
How can CIOs ascertain if an Identity and Access Management solution will suit their business?
A CIO should categorically refuse to adopt any solution that simply focuses on access administration. Access administration is a technology supported business function that simply allows or removes access to assets and resources.
Identity control, or the invocation of access controls to confirm that someone is who they say they are (authentication), is doing what they are supposed to be doing (authorization) and has only what they are supposed to have in their given role (approval) is the solution space that CIOs should orient themselves toward.
By taking an identity-centric focus, by placing a human being in the center of our security architectures we can begin to truly secure not just identity, but every asset and resource that identity is connected to.
With an ever-expanding landscape of devices, data, applications, services and resources a CIO needs to evaluate whether an Identity and Access Management solution delivers on the single most important value-return for their investment; a reduction in risk to the organization.
How will an Identity and Access Management solution impact on the work of a company’s employees?
An Identity and Access Management solution aims to provide an exceptional user experience ensuring that employees can be more productive by enabling them to access the information they need, when they need it and from wherever they are in a simple, secure way. It enables organizations to provide a frictionless experience with the right balance of security together with the accessibility needs of a diverse workforce.
With easy-to-use sign-on, adaptive authentication and more, employees spend less time trying to access resources and more time getting work done.
When secure, controlled Identity-as-a-Service is offered to the organization, companies can actually go faster and achieve greater velocity in developing applications, integrating systems and delivering results.
How complex are Identity and Access Management solutions to deploy?
Identity needs to cover all your applications and services, including Active Directory. Selecting an Identity and Access Management solution built on open standard simplifies the integration with a broad range of enterprise applications to support complex IT environments, across SaaS, legacy, on-premises and custom applications.
Implementing Identity and Access Management solutions, in general, is not an overly complex deployment from a technology perspective. Most of the change is associated with business process transformation. The companies who achieve the quickest and best results in implementing an Identity and Access Management solution usually establish a holistic program across all business and technology units.
How can an Identity and Access Management solution boost compliance?
An identity-centric foundation helps organizations comply with stringent compliance whether it be meeting data privacy regulations, government regulations and industry standards while earning your users’ trust and enabling you to personalise your user’s experiences through the provision of data governance and consent management.
Tony Cole, Chief Technology Officer, Attivo Networks
Why is it important for enterprises to deploy an effective Identity and Access Management (IAM) solution?
When you look at the security challenges organizations face today, some people believe the best form of protection is multi-factor authentication. While MFA does have a role to play, it can’t protect against the fallout from phishing and spearfishing attacks.
Suppose an employee clicks on a link or opens an attachment containing malicious code. In that case, the attacker can gain access to that user’s device and then move further into the organization’s IT infrastructure. An adjacent area that is often overlooked is identity detection and response (IDR), which supports IAM and MFA by focusing on protecting the identity itself.
Put together, IAM can provide MFA to make it harder for attackers to get into an account initially. When that fails, IDR steps in so attackers can’t continue to escalate their privileges.
What are the potential pitfalls of not deploying an effective IAM solution?
It leaves an organization open to potentially very damaging attacks. Proper authentication and authorization are important initial toll gates for the enterprise to counter attacks. SSO and MFA can help tremendously.
It’s also important that the organization can find attack paths that pre-date the advent of an attack. Attack surface management is a concern because users may have access rights that far exceed what they need to get their jobs done.
This means that if those users are compromised, the attacker will have much greater access to resources than would otherwise be the case. If you don’t have a system in place that manages, monitors and looks for misconfigurations in your identity system, your security is effectively wide open.
How can CIOs determine whether an IAM solution will suit their business?
It’s easy to say that everyone should have an IAM solution in place, definitely MFA, but that is not entirely accurate since smaller businesses have a lot of nuances around their structure. IAM solutions should be deployed by organizations that have identities and credentials assigned to users.
These organizations need to have the ability to manage, monitor and understand exactly what is going on with those identities, associated credentials and the systems that manage them. This becomes particularly clear when you consider that most ransomware attacks use identity services to escalate privileges.
What impact will an IAM solution have on the work of company employees?
If smartly implemented, there should be almost no impact whatsoever on a company’s employees. Instead, it allows the company to define the entitlements and access privileges individuals should have more clearly. An IAM and adjacent IDR solution will allow a security team to review the entitlements of each employee, remove those that are not required and detect live attack activity.
Employees will see no difference in user experiences. However, the organization will significantly increase its security posture.
How complex are IAM solutions to deploy?
IAM platforms can be complex to deploy and often take extended periods of time to gain operational efficiency. Alternatively, IDR solutions can be straightforward to deploy and have been seen to run on a single server with no impact on the domain controller. It comes down to an organization’s choice of vendor.
How can an IAM solution boost compliance?
It depends on the organization and the compliance requirements they need to meet. However, if they deploy and maintain an IAM solution, the risk of compromise can be reduced and the overall security posture is boosted. This will then enable the organization to meet its potential regulatory requirements. It can also help meet the compliance requirements imposed by insurance companies offering policies that cover cyber-risks.