Modern identity and access management
How to lock down one of the weakest parts of your security
Effectively securing employees’ digital identities remains problematic for many organizations. And hackers know it.
According to Verizon’s 2020 Data Breach Investigation Report (2020 DBIR), over 80% of hacking-related data breaches involve the use of lost or stolen credentials. Per the same report, the bulk of breaches (67%) are from credential theft, social attacks (phishing and compromised business emails), and human error, with stolen or weak credentials being used in 37% of credential theft breaches.
There are countless reasons why employee credentials are so susceptible to hacking, as well as myriad business challenges associated with securing digital identities.
In this post, we’ll delve into these areas, look at the mistakes companies continue to make around protecting digital identities, and offer tips and best practices for successfully implementing access management solutions.
Why do hackers target identities?
Identities have become a go-to attack vector because they’re often one of the weakest links in an organization’s security. There are two reasons for this:
1. Explosion of identities
The scope of identities has grown.
Enterprises are now managing more identities in their IT directories than ever. The advancement in internet of things (IoT) devices is only compounding the problem, and more enterprise applications are consuming APIs (i.e., the API economy).
All of which has resulted in an abundance of weak points that organizations are struggling to manage.
2. Shift in the business and tech landscapes
The business landscape has shifted.
Cloud adoption is rising, and more and more employees are working from home because of the COVID-19 pandemic. This has put businesses in a precarious position, as their employees are now accessing vital systems and data from endpoints and networks that the company doesn’t manage.
Before, businesses could feel comforted knowing their employees were protected behind the company’s firewall. But things are changing.
Enterprises can only control what’s inside their network. Yet, with employees outside the physical firewalls, and the increase in remote endpoints and cloud adoption, businesses must worry about their employees accessing resources outside of their control. These network augmentations are becoming an issue.
As companies try to identify the resources and obligations that they don’t control in these scenarios, this creates loopholes that hackers can exploit.
Mistakes companies make when securing digital identities
As organizations look for ways to secure their employees’ digital identities, a number of common mistakes can hamper their efforts.
First, many try to consolidate all existing identities. However, the notion that you can perform one big identity rationalization project and merge all your different IT directories is a fool’s errand.
Second, they believe perimeter-based security is enough. This isn’t necessarily true. Take a virtual private network (VPN), for example. You put all your resources within a domain and employees can only access them by connecting to your network through a VPN. That’s great. But organizations then try to extend this solution to protect resources outside their network – like Office 365 – and that’s a problem.
There are limits to traditional perimeter-based security. Passing through border security doesn’t mean a user is completely secure. Also, inundating your network with huge amounts of traffic can overwhelm all the intrusion detection systems and even knock out your VPN, creating an even bigger problem for your employees.
Lastly, many companies stumble when adopting multi-factor authentication (MFA). MFA provides an additional layer of security and can limit potential damage if credentials are lost or stolen. Unfortunately, it is frequently deployed in a way that makes users feel harassed. Common approaches tend to be siloed – you have MFA for your VPN, MFA to protect your IP system, and so on. However, all this does is create different ways of authenticating and identifying users, which leads to inconsistencies, frustration, and makes it more difficult to manage.
A modern approach to access management
Checking identities at the perimeter is a good security practice, and MFA helps mitigate the human factor. But, as standalones, they’re simply not enough.
You must look at identity authentication and access management in a holistic way. That’s where a modern access management solution can help.
Modern access management solutions let you assess identities every time a user tries to access a resource. This allows for:
- Adaptive authentication. A dynamic way of assessing identities and managing risk in real time, making each access request unique.
- Flexibility. No longer basing security on perimeter – where the application resides and what perimeters exist around that application – so you don’t need to re-define security models each time you move a resource (e.g., migrating on-prem applications to the cloud or dismantling on-prem applications and adopting cloud applications)
Creating a full modern access management solution starts with embracing modern single sign-on (SSO). This is a smart cloud-based solution that covers cloud applications as well as on-premises applications. This enables you to track the entire user journey, assess requests in real-time, and make decisions based on updated information.
Along with modern SSO, you must implement policy-based access restrictions. This considers entitlement (what users can access) and real-time access control (when users are allowed to access applications), so you can have control over the applications your employees are permitted to use.
How to determine the best access management solution for you
Installing a modern access management solution doesn’t happen overnight. But there are questions you can ask to get the ball rolling.
How far along are you on your cloud journey, and what legacy infrastructure do you have in place? What are your sensitive resources and applications, and have your mapped them out yet? Furthermore, how are you defining your priorities?
While each business is different, you want an access management solution with a broad scope, one that covers cloud and on-premises applications. Make sure it’s smart and makes decisions based on contextual data. And lastly, whatever solution you choose, it should be flexible. You’re likely dealing with a wide range of operations and users, so your solution should be able to adapt to the complexity of your environment.
Digital identities remain a weak spot in enterprise security. But, by employing a modern access management solution, you give yourself the best chance to keep them secure from bad actors.
About the author
Francois Lasnier leads the Identity & Access Management offer within the Cloud Protection & Licensing (CPL) business line of Thales. Francois’ history with Thales spans several years, beginning in product development, then moving into marketing and business management across various verticals. Francois received his master’s degree in electrical engineering and computer science from Supelec in France and resides in Austin, Texas.