Over the past few years, identity has become the number one threat vector in cybersecurity. Between compromised passwords, insider threats, and the use of stolen identity information, it has been hard to find a major breach in that time where identity was not at the center of the attack. Organizations serious about identity and access management (IAM) recognize that identity doesn’t start and end with passwords. A robust identity management strategy requires a holistic approach and is essential to any strong cybersecurity strategy.
A holistic approach to identity and access management uses what we describe as “The Five A’s”. Executives assessing their identity management strategy should be asking some basic questions about each of these five areas:
Authentication: Do we know that users are who they claim to be, and how easily, if at all, can authentication technologies be compromised?
Authorization: Are we ensuring that users, once authenticated, are tightly governed in what they can access and do?
Administration: Have we adopted a governance-based approach to identity that manages the processes and policies of our IAM system and automates integrations with other enterprise functions?
Analysis: Are we able to detect instances of improper or suspicious credential usage and use those detections to trigger additional controls?
Audit: Can we look back across the identity lifecycle to review events and confirm that our IAM system is being used properly?
Securing and managing identity is not only about technology; it’s about people and processes. Done right, identity moves from being a security risk to a strategic opportunity, allowing organizations to streamline processes and enable more user-friendly online experiences for employees, partners and customers. By viewing identity and access management holistically, you’ll be in a good position to drive change in your organization.
As an executive, you should consider the following points when implementing identity and data security strategies:
1) Make identity a priority. It has been the “red-headed stepchild” of security for far too long. As a result, it has become the vector of attack in most data breaches, with compromised passwords being the most commonly exploited tool. Today, you can no longer afford to ignore identity.
2) Prioritize strong authentication. Even so-called “strong” passwords offer mediocre security in the face of modern threats. When passwords alone are used as the “key” to access sensitive networks and data, the results are rarely positive. The augmentation or replacement of passwords with stronger authentication technologies offering multiple factors must be a top priority.
3) Understand that user experience is as important as security. The good news is that today’s newest and most innovative identity products do not require a tradeoff between the two. There are options that work for consumers and customers alike.
4) Recognize that identity is intrinsically linked to data security. As mobile devices and cloud services become more prevalent across enterprises, the role of identity in securing important information readily accessible outside of your corporate network will only continue to grow in importance. Identity is the one control you can put in place to secure data both within and outside of your network security.
5) Don’t treat your customers like your employees. Securing identity should be easy for your customers – if it’s not, you will have trouble retaining their business. Firms that ask customers to reset their password every 90 days or request that they add “4 more characters” to a password are only creating friction points that diminish relationships with customers.
To read The Chertoff Group’s full whitepaper “Securing Identity Does Not Stop with Strong Authentication,” please click here. Learn more about IAM and other risk management strategies at The Chertoff Group Security Series event “The Three T’s of the Digital Economy: Technology, Threat and Trust,” where Jeremy Grant will lead a panel discussion with industry executives on the role identity-centric solutions play in delivering enhanced efficiency and protection across enterprises. To register to attend, click here.