6 Questions to Improve Your Identity Management Strategy

6 Questions to Improve Your Identity Management Strategy

How can you generate an effective identity management strategy? Or how can you build on your current identity management strategy to improve your cybersecurity?

Identity management should constitute the most important part of your cybersecurity platform. Neglecting it can result in not only a data breach but a loss of customer trust and compliance issues.

But how can you determine whether your identity management strategy is effective? We offer 5 questions which should help guide your thinking.

1. Why Does Authentication Make an Identity Management Strategy?

Everything in your identity management strategy should begin with considering your authentication. Single factor authentication, the most common type among businesses, tends to rely on passwords. Unsurprisingly, passwords are notorious for being easy to crack or just guess with social media information. Even the most inexperienced hacker can bypass a password with a Dark Web-purchased product.

Moreover, users tend to repeat passwords, which increases the chances of hackers guessing them. Even worse, users often utilize credentials which fall under the label of “Worst Passwords” (“123456” continues to proliferate).

Therefore, your strategy must account for your authentication. Ideally, your business should enact multifactor authentication (MFA); every layer of authentication between the outside environment and your network decreases the likelihood of a data breach. Even two-factor authentication, which often appears flawed in comparison, proves much safer than relying on a single factor.

Your identity security authentication factors can include geolocation and time of request monitoring, behavioral biometrics, physical biometrics, and hard tokens. Some enterprises may worry about the user experience suffering as a result of this high-level authentication; however, simply deploying step-up authentication (which increases the factors required as the access level increases) can balance experience and security.

Identity authentication does not require a full sacrifice of the user experience or your business processes. Instead, you need to make identity management a core component of both.

2. Why Should Role-Based Access Control Be Part of Your Strategy?

Role-Based Access Control (RBAC) capabilities base user permission on their roles in your enterprise. Ideally, role-based access restricts the permissions to what users absolutely need to fulfill their duties and no more.

As a result, RBAC follows the Principle of Least Privilege, which should guide your overall identity management strategy. The Principle of Least Privilege states the few privileges each use possesses, even privileged users, the safer.

Additionally, role-based access control improves business processes through clarified workflows and facilitated onboarding and offboarding. It assists with digital compliance and automation efforts and can help improve network visibility. Also, it can help you recognize endpoint identities, which can help detect suspicious activities even when the login appears legitimate.

Incidentally, visibility should also influence your identity management strategy. The less visibility you have on your users and their activities, the less effective your overall policies. Next-generation identity and access management solutions can help improve your insights into their permissions and behaviors, especially with RBAC capabilities.

3. Who Monitors Your Privileged Users?

The state of privileged access management within enterprises look grisly from the outside:

  • According to PAM solution provider Centrify, 74% of enterprises suffered a breach resulting from a stolen or compromised privileged account.
  • 26% of U.S. enterprises have trouble defining privileged access.
  • 63% take over a day to remove the privileged access from a former employee’s account.

Worse, these statistics only scratch the surface of the problem. Thus, privileged access management must become a critical component identity management strategy.

As such, your enterprise should seek out a PAM solution provider which offers visibility (as discussed above) on privileged accounts. In addition, it should offer a password vault, password rotation, MFA, and session monitoring.

From a philosophical standpoint, you should impose the strictest restrictions on your most powerful privileges and accounts. Also, all privileged accounts must obey the Principle of Least Privilege (we stated as much above, but this is a critical point you need to absorb).

Above all, your strategy should never rely on manual controls. Manual controls lay out the welcome mat for external and internal threat actors; an Excel spreadsheet can’t possibly keep up as your enterprise scales.

4. Who Watches Your Third-Party Vendors and Contractors?

Third-party identities connect to, operate on, and interact with your IT environment. However, they are not actually native users to your environment.

Third-users human users such as vendors and partners—people who work with your enterprise but don’t necessarily work for your enterprise. Also, nonhuman actors such as applications or databases also fall under the umbrella of third-parties.

Famously, the Home Depot and Target breaches began with hackers exploiting inappropriate third-party privileges, costing both enterprises millions. Thusly, your identity management strategy needs to accommodate third-party identity security for optimal performance.

Much like regular user identities, third-party identity management requires improved visibility and the Principle of Least Privileges. Additionally, third-party users must be subject to multifactor authentication and federated IAM. If your identity security solution can’t process or protect third-parties, then it’s time to consider a replacement.

Above all, you need to ensure you trust your third-parties. You wouldn’t invite a suspicious stranger into your home, and you shouldn’t do the same with your network. Before making any business arrangement, your enterprise should verify the reliability of your partners, vendors, and contractors. Selecting the most affordable option can blind you to potential security issues in how they handle their employees’ identity lifecycle.

5. Why Do You Need Identity Governance?

Even non-privileged, everyday accounts can acquire privileges far beyond their job duties. If allowed to acquire permissions without regulation or evaluation, ordinary identities could become bloated with access creep; the accounts just keep growing in unneeded privileges until they attract the attention of hackers or insider threats.

Role management can help prevent access creep. Yet enterprises struggle with implementing and maintaining their role management. According to the SailPoint 2018 Identity Report, only 20% of enterprises have visibility over all of their users. Additionally, only 10% of enterprises monitor and govern user access to data stored in files.

Therefore, your identity management strategy needs to incorporate identity governance and administration. Identity governance monitors data flows and data traffic; it watches who accesses and uses what data, as well as when and how, to ensure appropriate usage. Moreover, it can revoke unneeded privileges and ensure temporary privileges expire after a set time period.

Finally, it can help managed identity lifecycles and centralized access requests. The latter shouldn’t be discounted. Without centralizing the access requests, your IT security team must handle each request manually, which can swiftly overwhelm.

To learn more, be sure to check out our 2019 Buyer’s Guide. In it, we compile data on the top vendors in the identity security field and provide a Bottom Line for each.

         

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner