13 Identity Management Day Quotes from Industry Experts in 2023
For Identity Management Day, the editors at Solutions Review have compiled a list of comments from some of the industry's leading experts.
As part of Identity Management Day (April 12), we called for the industry's best and brightest to share their Identity Management comments. The experts featured represent some of the top cybersecurity solution providers with experience in these marketplaces, and each comment has been vetted for relevance and ability to add business value.
13 Identity Management Day Quotes from Experts
Paul Martini, CEO of iboss
Ensuring that every user’s identity is properly managed, protected and secured is one of the most crucial tasks of any modern organization. Identity Management Day is an opportunity for all companies to consider how they are protecting users. By modernizing the legacy approach, which validates identity only at time of login, to a more modern Zero Trust approach, which validates identity for each and every request to protected data and applications, organizations can greatly reduce the risk of breaches and data loss. This will ensure breached users and devices have their access to sensitive resources cut as soon as the risk is identified, instead of waiting for the next time the user is asked to log in again.
Chris Hickman, CSO at Keyfactor
Google’s initiative to shorten certificate lifespans from 398 days to 90 days would complicate today’s identity management challenges further. It’s a significant jump and would require a higher degree of automation to manage frequent updates, or significantly more manual labor to keep up. Today, organizations already struggle to properly manage and secure certificates, with 77 percent of organizations reporting an outage in the past 24 months, and 53 percent acknowledging a lack of resources to do so. Shortening the lifespan could be compared to forcing individuals to renew their license/ID every three months.
The reality is that too many certificates are not properly managed, and this puts the spotlight on that issue. There are other organizations that issue short life certificates; in a world where the threat landscape is constantly changing, stolen certificates are an issue. The shorter the window of opportunity to use a stolen certificate, the greater reliance you can put on the authenticity of the device or workload presenting that digital credential.
This is an important conversation to have on Identity Management Day because every device needs an identity, which comes in the form of digital certificates. Certificates need to be properly managed for organizations to have confidence in the digital trust of their network. Outages are costly and can be detrimental. If security teams are already struggling to properly manage and secure machine identities with certificates with a 398-day lifespan, just imagine the chaos a 90-day lifespan could institute.
Sean Deuby, Principal Technologist, North America at Semperis
As attackers have focused on user identities and credentials—using tactics such as credential stuffing or phishing to gain access to networks—defenders have done the same, looking to implement identity and access management, Zero Trust architectures, and other protections. Now, ITDR is getting a lot of industry attention and CISO buzz. But any successful ITDR strategy must start with Microsoft Active Directory (AD).
Jasson Casey, CTO at Beyond Identity
Identity Management Day’s purpose is to highlight the dangers of casually or improperly managing and securing digital identities. In 2023, businesses must accept the reality we are now facing – passwords and weak 1st generation MFA are no longer viable solutions. Passwords – even those backed by ‘traditional’ MFA – are the single biggest vulnerability most organizations now have. Relying on fallible human nature, they require employees and customers to uphold security hygiene at the risk of severe organizational compromise.
Company credentials can be quickly obtained through phishing attacks or dark web dumps, and MFA codes and passwords stored in password managers are easily interceptable. Indeed, security incidents analyzed in the Verizon Data Breach Report 2022 showed credentials were the most likely form of data to be compromised in both the US (66 percent) and EMEA (67 percent). And yet, despite this, the UK Government continues to recommend password-based frameworks as best practice for cybersecurity.
While the security issues with passwords are widely known, both the government and the private sector need to get to grips with the distinction between good and bad MFA. Good MFA is vastly different from the first-generation MFA that uses one-time passwords and push notifications. Good MFA provides phishing resistance through the use of public/private key cryptography that binds the identity to a device and the user biometrics built into modern endpoints like phones and laptops. Modern, phishing-resistant MFA does not rely on passwords or utilize other weak factors like one-time codes or push notifications as part of the authentication process.
These passwordless, phishing-resistant factors are an important foundation for Zero Trust architectures. This modern, phishing-resistant authentication ensures a much higher level of trust in the user identity, stops credential attacks and finally closes off the single largest vulnerability that all organizations have – passwords.
Rod Simmons, Vice President of Product Strategy at Omada
There’s no doubt that companies face greater cybersecurity risk than ever. Most people think of this risk as coming from malicious outsiders bent on breaching their network and stealing their data. That’s often the case, but risk also comes from within when proper security controls aren’t in place. This can be due to a culture problem.
To really strengthen defenses for the long term, you need a strong corporate culture around security. The objective is not to turn every employee into an IT expert, but to raise overall awareness of how their actions can help safeguard the organization. By instilling the notion that security is a shared responsibility across the entire company, rather than solely a concern for the IT department, all employees can better appreciate the role they play in protecting the organization’s interests.
Technology can’t fix culture. Only an organization’s leaders can do that, and they have to take a strong and proactive, top-down role in transforming a weak security culture. Change starts with fully understanding the importance of identity management to the organization overall. Enterprises need to make sure they have all the necessary capabilities in place to ensure success, because there are possible traps that need to be avoided, such as not including the appropriate stakeholders, the absence of best practices, being too ambitious out of the gate, and underestimating the significance of data quality.
Identity governance and administration (IGA) is key to this. You need to know who has access to what, and why, to create a sturdy foundation for a stronger culture of security.
Sameer Hajarnis, Chief Product Officer at OneSpan
Today everything is digital — work, shopping, even your wallet — and there’s one thing that secures you throughout your digital life: your identity. But digital identities are broadly defined, including everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a website when shopping online, you’re sharing part of your digital identity.
We are constantly sharing these attributes that make up our digital identities, and this will only expand as we do more things digitally. But this also means that threat actors can more easily commit identity fraud and create synthetic identities. These synthetic identities have the ability to disrupt people’s lives and the way we do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms.
What this tells us is that we need to be thinking about what’s to come and stop being responsive to changes in technology. What we need is to be thinking about how we can protect a business and a consumer’s digital identity. This means implementing a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. Not only does this protect digital identities from abuse and fraud, but it also limits the amount of identity attributes users need to share. Instead of sharing every piece of personal information, users would only be disclosing the minimum information required to get the job done. This is how we will protect and secure digital identities as we embrace web3.
James Lapalme, VP & GM of Identity at Entrust
The pandemic ushered in an accelerated wave of digital transformation and as the world went remote, the demand for high-assurance secure solutions skyrocketed. However, with increased digital interactions comes an even greater risk of cyber threats and fraud, which means many of the current security solutions for identity management are no longer effective. Passwords, which have served as the standard for protecting digital goods and services since their inception in the 1960s, are high customer friction, insecure and becoming obsolete at best. In fact, 51% of people reset their password at least once a month because they cannot remember it, and according to the U.S. Federal Trade Commission, 2.9M fraud reports were filed as of 2022 and identity theft was the number one category for consumer complaints. As the trend towards digital transactions continues to increase alongside security threats, there’s an urgent need for new identity management and protection strategies and technologies to enhance security.
When it comes to multi-factor authentication (MFA), too many enterprises still use single-factor authentication and have an over-reliance on one-time passcodes. Yet, organizations should leverage high-assurance passwordless MFA solutions that include physical proximity factors and certificate-based authentication to protect against remote account takeover (ATO) attacks. For a more comprehensive approach to security, companies need to embrace and adopt a Zero Trust strategy. Adaptive risk-based authentication is central to a Zero Trust framework, providing continual contextual awareness of user and device behavior. This can include multi-factor authentication, single sign-on, passwordless login and more. While Zero Trust implementation is a journey, by taking an identity-centric approach to Zero Trust, companies can take a step in the right direction to maximize security while minimizing unnecessary friction – and begin to fill in the gaps they have in their networks that are making them less secure.
Mo Plassnig, Chief Product Officer & Chief Growth Officer at Immuta
In security everything starts with identity – knowing who the users are (which is authentication). But, it doesn’t end there. From there you must look at what those users can do (authorization) and then monitor what they did (accounting/auditing). Historically, implementing these three “A’s” of security – authentication, authorization, and accounting – has been a very difficult, time-consuming, and risky process.
As the amount of data in the cloud continues to explode, many organizations are not considering all three A’s. Recent data indicates that more than half (53 percent) of data professionals are getting over-provisioned access to data. While this is done with the goal of streamlining processes, encouraging collaboration, and easing administrative burden, it often leaves organizations open to unnecessary risk.
While getting a modern identity management system in place is a starting point, it needs to be integrated with overall data security strategies that are designed for the modern cloud data stack. Breakdowns in security are happening at the point of data access, so ensuring you have a solution in place to detect when there is an insider threat and change policies is critical.
Peter Barker, Chief Product Officer at ForgeRock
The traditional username-password login model is fundamentally flawed. Last year alone, more than 2 billion usernames and passwords were breached, and 50 percent of records breached were caused by unauthorized access. Not only are passwords a major security risk, they also hinder productivity and efficiency, leading to lost ROI for organizations seeking profitability more than ever before.
It’s time to embrace passwordless authentication, abolishing traditional passwords once and for all. While many claim passwordless is in the distant future, the reality is that the right identity partner can make it a reality, right now, for both employee and customer end users.
Passwordless authentication replaces traditional passwords with more user-friendly, secure methods, ranging from biometrics and authenticator apps to certificates. This Identity Management Day, let’s say goodbye to passwords, and embrace a world where we never have to log in again.
Glenn Mulvaney, VP Cloud Operations at Clumio
Identity management in the cloud—where data lakes, app data, and business information are often sprawled across many storage systems—is a fine balance between human authentication and system authentication. Multi-factor authentication (MFA) and two-factor authentication (2FA) are great tools for human authentication, but can hinder non-interactive data exchange apps and microservices because they require user intervention. In order to facilitate automated data exchange while maintaining strong identity security, organizations should classify their data based on access patterns, and ensure that system-to-system data exchange leverages API identity tools, OAuth, and mutual TLS.
CISOs need to think about identity hygiene holistically—which not only includes human identity management like limiting permissions to the principle of least privilege, MFA enforcement, and periodic credential rotation, but also app-oriented identity management, including robust key management across Personally Identifiable Information and sensitive data, API security, network isolation, and most importantly—backups of crucial data. While it is certainly damaging to let an intruder in, so long as there are secured, off-site system backups to restore data from, there is always a well-tested path to recovery. Companies can also keep their identity management efforts on track over time by identifying and looking for specific metrics and trends, including self-reported spam/phishing rates from employees, employee engagement on security-related comms, and success rates on decoy tests. This is, of course, in addition to technology-focused metrics such as identity logs and unauthorized activity alerts, event monitoring, device and network behavior and so on. With the advent of generative AI tools, we all need to be very wary of identity mimicry that could at first glance be indistinguishable from legitimate communication.
Viktoria Ruubel, Managing Director of Digital Identity at Veriff
The concept of ‘digital identity’ has evolved tremendously over the past decade, and the explosion of digital platforms has led to today’s online users having countless digital identities. It wasn’t until recently, however, that users became both aware and concerned about the amount of personal data being collected and shared by third parties online. As privacy concerns for both users and businesses become top-of-mind and technologies advance, we’ll see the next generation of identity verification come to the forefront. This will come in the form of reusable digital identity that enables individuals and businesses to securely re-use a trusted digital identity across multiple online platforms and applications, creating more trust and a better experience, and leading to less time and money spent by businesses in the process.
Roman Arutyunov, Co-Founder and SVP of Products at Xage Security
Major real-world attacks on critical infrastructure (think Colonial Pipeline) demand more than just visibility and threat detection. What’s needed today is a zero trust mindset for cyber hardening industrial systems in a way that secures identities and blocks attacks. Identity and access management (IAM) needs to be a priority for real-world operations. Technologies exist to offer protection without a complete infrastructure overhaul. Organizations can look to government for guidance as well; for example, CISA and the NSA recently joined forces to release the IAM best practices guide for administrators. Given how much of a critical necessity modern IAM practices are for real-world security in the face of escalating threats, let’s use this holiday to spark more discussion, awareness and adoption specifically in the critical infrastructure realm.
John DeSimone, President of Cybersecurity, Intelligence and Services at Raytheon Intelligence & Space
Core to successful identity management is ensuring that the right policies, governance, and technologies are in place to give people access to the systems they need. While these elements can be managed at the component level, the best way for organizations to handle identity management is through a Zero Trust roadmap that implements the most important areas of protecting identity management first. Failure to think through these elements and manage them strategically can lead to breaches and enable attackers to jump from server to server and infect large quantities of computers and end users.