Headline breaches over the past year, including Colonial Pipeline and SolarWinds, should serve as a clarion call for the cybersecurity industry. While both incidents demonstrate the repercussions that a breach can have on the supply chain, they also demonstrate the importance of identity security. Weak passwords, orphaned accounts, and a lack of multi-factor authentication (MFA) all contributed to the large-scale disruption imposed on SolarWinds and Colonial Pipeline.
Identity-related attacks continue to be a favorite technique for attackers. According to the 2021 Verizon Data Breach Investigations Report (DBIR), 61 percent of breaches involved credential data. Additionally, 79 percent of organizations have experienced an identity-related security breach in the past two years, according to the Identity Defined Security Alliance (IDSA).
The IDSA is a non-profit organization focused on educating security professionals about the importance of securing digital identities and providing resources to reduce the risk of an identity-related attack. The IDSA, along with the National Cybersecurity Alliance (NCA), is hosting the second annual Identity Management Day on April 12, 2022. The mission of the event is to educate business leaders, IT decision-makers, and the public about the importance of managing and securing digital identities.
While identity security is a large category and the market is vast, it is our belief that many of today’s breaches could have been mitigated had basic identity security best practices been put in place. In honor of Identity Management Day, here are eight practices that we think all organizations should have in place to secure their digital identities.
Clarify Ownership of ALL identities
Make sure to clearly define the individual or entity responsible for the creation, removal, ongoing maintenance, and security of every identity within your organization. Ownership should cover four categories of identity: (1) employees, (2) contingent workers, contractors, and other third-party identities, (3) machine identities (bots, RPA, application-to-application accounts, built-in IaaS accounts), and (4) customers. An account with no identifiable owner is an orphaned account, and orphaned accounts are exactly what attackers look for.
Establish Unique Identifiers
Ensure the uniqueness of every human AND non-human identity in your directory. An identifier should be assigned once and kept for the life of the identity, regardless of how the relationship to the organization changes. For example, a contractor who converts to an employee, or a boomerang employee who returns, should keep the same identifier rather than receiving a second one; duplicate identifiers make it impossible to know which access actually belongs to a person.
Authoritative Source of Trusted Identity Data
An authoritative source (typically the HR system for workers, a vendor management system for third parties, and a CMDB or cloud inventory for machine identities) provides the trusted data needed to make informed access decisions: which access to provision, when to enable it, and when to disable it.
Discovery of Critical and Non-Critical Assets and Identity Sources
In a digitally driven business world, today's infrastructure, applications, directories, and networks are spread across on-premises and cloud environments with mobile and virtual elements. The first step in securing an organization's assets, and the identities that can reach them, is to know what they are and where they are located. Every directory or application that holds its own accounts is an identity source that must be discovered and brought under governance.
Privileged Access Management
To secure access to critical assets, implement a privileged access management (PAM) solution that requires higher assurance (step-up authentication) based on the user's current access profile, the sensitivity of the resource or data, and the elevated permissions being requested. Provide additional protection by enforcing MFA on all privileged access and by continuously discovering privileged accounts and entitlements, since privilege accumulates silently in cloud roles, service accounts, and local administrator groups.
Automate Provisioning/De-Provisioning
Granting and revoking access to resources and data is fundamental to business operations and enterprise security. Automate the provisioning and de-provisioning of access through lifecycle events (join, move, leave), driven by the authoritative source rather than by tickets, so that a mover's old entitlements are removed and a leaver's accounts are disabled the moment the source changes.
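The join/move/leave reconciliation described above, as an added example that is not part of the original post or any IDSA tooling. It takes a constructed HR feed (the authoritative source) and a constructed directory snapshot, and computes the actions an automated provisioning job would take; the identifiers, departments, and entitlement map are hypothetical. It also shows two of the earlier practices in code: a rehire keeps the same identifier and is re-enabled rather than re-created, and any directory account with no record in the authoritative source is flagged as an orphan for owner review.

```python
"""Joiner/mover/leaver reconciliation against an authoritative source (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One row from the authoritative source (e.g. an HRIS feed)."""
    identifier: str   # stable unique identifier, kept across contractor->employee and rehire
    status: str       # "active" or "terminated"
    department: str


@dataclass(frozen=True)
class DirectoryAccount:
    """One account as it currently exists in the directory / identity provider."""
    identifier: str
    enabled: bool
    groups: frozenset


# Hypothetical entitlement map: the groups each department is entitled to.
ENTITLEMENTS = {
    "finance": frozenset({"all-staff", "finance-ledger"}),
    "engineering": frozenset({"all-staff", "source-repo"}),
    "contractors": frozenset({"all-staff"}),
}


def reconcile(hr_feed, directory):
    """Compare the authoritative source with the directory and return the actions to take.

    joiners: active in HR, no account      -> create with entitled groups
    rehires: active in HR, account disabled -> re-enable (same identifier, not a new account)
    movers:  active in both, groups differ  -> grant missing groups, revoke excess groups
    leavers: terminated in HR, enabled      -> disable
    orphans: account with no HR record      -> flag for ownership review
    """
    hr_by_id = {r.identifier: r for r in hr_feed}
    dir_by_id = {a.identifier: a for a in directory}
    actions = {"joiners": [], "rehires": [], "movers": [], "leavers": [], "orphans": []}

    for ident in sorted(hr_by_id):
        rec = hr_by_id[ident]
        acct = dir_by_id.get(ident)
        wanted = ENTITLEMENTS[rec.department]
        if rec.status != "active":
            # The source of truth says gone: disable regardless of any open tickets.
            if acct is not None and acct.enabled:
                actions["leavers"].append(ident)
            continue
        if acct is None:
            actions["joiners"].append((ident, sorted(wanted)))
            continue
        if not acct.enabled:
            actions["rehires"].append(ident)
        grant = sorted(wanted - acct.groups)
        revoke = sorted(acct.groups - wanted)
        if grant or revoke:
            actions["movers"].append((ident, grant, revoke))

    # Anything the authoritative source does not know about has no owner: an orphaned account.
    for ident in sorted(dir_by_id):
        if ident not in hr_by_id:
            actions["orphans"].append(ident)
    return actions


def sample_run():
    """Run the reconciliation over constructed sample data."""
    hr_feed = [
        HrRecord("E1001", "active", "engineering"),   # unchanged
        HrRecord("E1002", "active", "finance"),       # moved engineering -> finance
        HrRecord("E1003", "terminated", "finance"),   # left, account still enabled
        HrRecord("E1004", "active", "engineering"),   # boomerang employee, account disabled
        HrRecord("C2001", "active", "contractors"),   # new contractor, no account yet
    ]
    directory = [
        DirectoryAccount("E1001", True, frozenset({"all-staff", "source-repo"})),
        DirectoryAccount("E1002", True, frozenset({"all-staff", "source-repo"})),
        DirectoryAccount("E1003", True, frozenset({"all-staff", "finance-ledger"})),
        DirectoryAccount("E1004", False, frozenset({"all-staff", "source-repo"})),
        DirectoryAccount("svc-backup", True, frozenset({"all-staff"})),  # no HR record
    ]
    return reconcile(hr_feed, directory)


if __name__ == "__main__":
    for event, items in sample_run().items():
        print(f"{event}: {items}")
```

In a real deployment the action lists feed the directory's API (create, enable, disable, group add/remove), and the orphan list goes to the identity owners defined in the first practice; the reconciliation itself should run on every change to the authoritative source, not on a nightly schedule.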
Focus on Identity-Centered Security Outcomes
Identify security outcomes that protect digital identities (human and non-human) and secure their access to enterprise data and resources. Combine identity and access management capabilities, such as authentication, authorization, and identity governance and administration (IGA), with security capabilities, such as user behavior analytics and device profiling, to make informed access decisions. Consider related technology domains, for example Zero Trust network security, data access governance, and endpoint protection, all of which tie back to identity security.
Establish Governance Processes and Program
Establish a cross-functional team that oversees the creation of, and adherence to, all IAM processes and policies. The team provides a vehicle for introducing improvements and for assessing the overall impact of any IAM program change before it is made.
To learn more, please join us on Identity Management Day, April 12, 2022. There are a number of ways to get involved:
- Register for the Identity Management Day Virtual Conference 2022: Learn from five panel sessions focused on identity management with speakers from Target, Starbucks, Southern Methodist University, and more.
- Become an Identity Management Champion: Join the growing list of Identity Management Champions who make identity management and security foundational to their mission.
- Explore Resources: Discover best practices for enterprises, SMBs, and consumers from across the industry on the Identity Management Day news and resources page.
- Donate to the Identity Management Day Next Generation Fund: Support the next generation of identity management leaders and provide financial assistance to students on their path to an identity smart cybersecurity career.