We present expert Identity Management Day best practices.
We recently published an article celebrating Identity Management Day 2021, complete with key commentary from cybersecurity experts.
However, we received so many expert Identity Management Day best practices and other commentaries that we had to publish this sequel article. Check out these wise words on one of the most crucial aspects of modern InfoSec.
Expert Identity Management Day Best Practices
James Carder is CSO of LogRhythm.
“According to the FTC, cases of identity theft nearly doubled from 2019 to 2020, reaching an astonishing 1.3 million cases in the U.S. While this is undoubtedly a drastic increase, malicious actors are still leaning on many of the same tactics to impersonate innocent consumers and cause personal or financial harm. As hackers only require a few tidbits of information to build an online profile, consumers can take several measures to properly defend themselves and not fall into common pitfalls.”
“First, any time you download a new app, create an online account or configure a new electronic device, data is collected and potentially shared. One of your first orders of business should be to look up the privacy settings of whatever platform you’re using to understand how you can further protect your personal information and leverage additional security measures like two-factor authentication and data encryption. You should also be mindful of applications that incorporate location services and how they’re collecting, utilizing, and/or sharing this data. Additionally, make sure you’re using various, unique passwords for meaningful accounts as it’s incredibly easy for hackers to access more information by recycling stolen credentials. Lastly, avoid any suspicious messages (emails, texts, voicemails, etc.) and websites that don’t seem legitimate as this is often an attempt at phishing or malware.”
“While the pandemic has created a breeding ground for scams, fraud, and identity theft, it also led to a surge in cyber-attacks. Organizations play a vital role in safeguarding consumer data and Identity Management Day is an important reminder that it’s also their responsibility to ensure sensitive information doesn’t fall into the wrong hands. Enterprises must be fully transparent with consumers about what information they need, how they utilize it, and what they’re doing to protect it. Any business or agency that is operating within any digital capacity needs to treat customer data as if it were their own private information. Establishing a culture that puts the customer and security first will better prevent data leaks and breaches that lead to identity theft.”
Ashish Gupta is CEO & President of Bugcrowd.
“The inaugural Identity Management Day is a valuable occasion for the entire online global community to recognize the importance of securing digital identities. A record 36 billion records were exposed in 2020 that helped fuel a record number of identity theft cases. As cyber-criminals continue to take advantage of a spike in digital operations, enterprises need to put a stronger emphasis on safeguarding customers’ sensitive personal information and consumers also need to be cognizant and mindful of sharing information with third parties. We can collectively strengthen consumer privacy by working together to utilize best security practices, better educating consumers and creating a fundamental focus on security as a whole.”
“Pressure from recent legislation and upcoming congressional proposals is forcing enterprises across industries to put a stronger emphasis on bolstering privacy measures. To improve data protection and prevent information leaks, organizations need to take a proactive approach to security to stop attacks before they occur. More organizations are embracing crowdsourced cybersecurity as an integral part of their cybersecurity posture that allows highly skilled external security researchers to actively monitor network vulnerabilities and ensure networks are effectively preventing unauthorized access. By adopting a layered “strength in numbers” security approach, organizations can prevent data theft that commonly leads to fraud, identity theft, and other breaches. Likewise, consumers need to be careful about where, how, and to what extent they share their sensitive information. It’s important to actively be on the lookout for phishing and impersonation scams and be extremely cautious of any suspicious organizations or individuals that are asking for intimate financial or personal information.”
Chanel Chambers is Senior Director of Product Marketing Management at Tanium.
“I suggest practitioners focus on three areas around identity management. First, access control and the principle of “least privilege,” which gives users access only to the resources they absolutely need to do their jobs. We’ve seen cases where large, sophisticated enterprises didn’t realize that more than 20,000 of their users had administrative rights they shouldn’t have had.
Second, have a process in place to track lateral movement paths. We know most cyber-criminals get in via stolen credentials. Make sure you know who has access to what systems and data and the actual paths of lateral movement across your organizations. This also helps organizations prioritize patching.
Finally, zero trust tells us to trust no one and verify everything. This is a powerful approach for identity and access. If your IT infrastructure doesn’t assume trust, it will require that each user and each point of access be re-verified.”
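One way to make the “who has access to what” and lateral-movement-path advice above concrete, as an added example that is not from the article or from Tanium: a toy access graph (constructed users, groups and hosts; the relation names are assumptions) is searched for the shortest lateral-movement path from each user to a sensitive host, and the nodes shared by the most paths are counted as the candidates to harden or patch first.

```python
# Added example, not the article's code: a constructed access graph (made-up users and hosts) audited for lateral-movement paths.
from collections import defaultdict, deque
# Edge (src, relation, dst): AdminTo = src (user/group) is local admin on host dst;
# HasSession = user dst's credentials are resident on host src;
# MemberOf = user src belongs to group dst. Constructed sample data.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS02"),
    ("WS02", "HasSession", "bob"),
    ("bob", "AdminTo", "SRV-FILE"),
    ("SRV-FILE", "HasSession", "domain_admin"),
    ("domain_admin", "AdminTo", "DC01"),
    ("carol", "AdminTo", "WS03"),
]
USERS = ("alice", "bob", "carol", "domain_admin")

def build_graph(edges):
    """Adjacency sets: every relation is one step an attacker could take."""
    graph = defaultdict(set)
    for src, _relation, dst in edges:
        graph[src].add(dst)
    return graph

def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node list start..goal, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in graph.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def users_with_path_to(edges, target, users=USERS):
    """Map each user that can reach `target` to its shortest path there."""
    graph = build_graph(edges)
    found = {u: shortest_path(graph, u, target) for u in users}
    return {u: p for u, p in found.items() if p}

def choke_points(paths):
    """Count intermediate nodes across paths: harden or patch the top ones first."""
    counts = defaultdict(int)
    for path in paths.values():
        for node in path[1:-1]:
            counts[node] += 1
    return dict(counts)
```

Running `users_with_path_to(EDGES, "DC01")` shows that alice, a helpdesk member with no direct rights to the domain controller, still reaches it through a cached credential on WS02; `choke_points` ranks SRV-FILE and the domain_admin credential as the links to break first.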
Tom (TJ) Jermoluk is Co-Founder and CEO of Beyond Identity.
“We are tracking three key trends in identity management. The first is the adoption of passwordless authentication. By this we mean actually eliminating passwords as one of the authentication factors, enabling companies to stop ransomware attacks based on brute-forcing RDP and eradicate the entire class of credential-based attack TTPs used in account takeover attacks. Second, many organizations are looking to replace traditional multi-factor authentication (MFA), which often uses passwords or other ‘shared secrets,’ with solutions that implement only secure factors and reduce friction for end-users – for example, by not requiring employees or customers to pick up a second device or fish a one-time password out of their SMS or email. The last, and maybe most important trend, is the confluence of cybersecurity and identity management. One important manifestation is to evaluate the security posture of the endpoint device at the time of login and make a risk-based decision on whether to allow access to cloud apps and resources.”