What are the top 5 identity management myths to which enterprises cling? How can they damage your enterprise, and what can you do instead to keep your identities secure?
Often, the greatest obstacle to true identity security comes from within the enterprise itself. Many enterprises limit their cybersecurity effectiveness by sticking to their legacy identity and access management (IAM) solutions. In these cases, the enterprise simply becomes used to the interfaces and fail to recognize the danger.
However, some identity management myths continue to find purchase with enterprise decision-makers. Usually, these myths persist because the decision-makers don’t realize how much has changed from the early days of cybersecurity. Rest assured, the digital threat landscape proves vastly different now—your identity and access management needs to fit reality.
Therefore, we present the top five most persistent identity management myths as well as why they don’t fit. With a little research, your enterprise can find ways to improve its overall cybersecurity.
The Top 5 Identity Management Myths Debunked!
Myth #1: We Already Know Our Users, So It’s Only About Protecting the Data
We hear this one quite a few times. Presumably, the logic goes like this: your enterprise knows its users, and can see what they do on your network. Therefore, you just need to keep hackers from getting access, and you should stay safe.
Unfortunately, this identity management myth proves wildly optimistic. More often than not, enterprises lack the visibility to fully evaluate all of their users. Indeed, they may not even possess an accurate picture of all the identities connecting to the network. Users, applications, and devices all possess their own identities, any of which could pose a risk when unmonitored.
As enterprises scale, maintaining visibility becomes increasingly difficult, doubly so if your enterprise lacks strong onboarding and offboarding. Moreover, as enterprise infrastructures become more advanced, so does keeping user access under control.
In fact, your enterprise may struggle with more visibility and access management issues than you realize. According to the SailPoint 2018 Identity Report:
- Only 20% of enterprises have visibility over all of their users.
- 7% have no visibility whatsoever.
- Only 10% of enterprises monitor and govern user access to data stored in files.
Plus, your enterprise may grant temporary privileges to users or applications without remembering to revoke them. Thus you may deal with access creep, which makes accounts dangerously bloated.
Finally, you may or may not need to contend with visibility issues on your privileged accounts. According to Thycotic:
- 62% of enterprises fail to provision for privileged access accounts.
- 70% of enterprises fail to discover all of the privileged access accounts in their networks
- 40% never look for all their privileged accounts.
To combat this issue, your enterprise should enact visibility-increasing capabilities via next-gen identity management. In particular, consider looking at identity governance, which can assist with role management and finding identities.
Myth #2: Multifactor Authentication Will Only Create More Friction
We’ve heard this one multiple times. Enterprises stick with passwords because they worry about deploying even one other authentication factor will create friction. Indeed, friction can create bad user-experiences which in turn can motivate users to create workarounds.
Yet, oftentimes enterprises greatly inflate the dangers multifactor authentication poses to their network friction. In fact, multifactor authentication can help your enterprise balance the user experience and identity security.
For example, multifactor authentication can include geofencing and time of login request monitoring—neither of which prove intrusive. However, monitoring these factors can help to create more certainty during the login process. When paired with hard tokens and single sign-on, multifactor authentication evaluates without disrupting the
In the end, the user logs in with a password and/or biometric factor and possibly a hard token, and never notices the extensive security running under the surface. Combined with single sign-on, the user enjoys both a smooth login and heightened identity security.
This identity management myth often pairs with other identity management myths concerning passwords. Enterprises continually assume passwords constitute a secure authentication protocol when all evidence speaks to the contrary. In reality, passwords can just as likely cause a data breach as to prevent one. Of course, poor password practices—repeating passwords, sharing passwords, writing down passwords, using weak or guessable passwords—don’t help.
So your enterprise should mandate multifactor authentication…and also train your employees on good password practices. Knowledge can become powerful when given in a constructive and engaging manner.
Myth #3: We Don’t Need to Worry About Our Privileged Access Management
Alarmingly, enterprises tend to express not fear but supreme confidence concerning their privileged access management. More dangerously, this confidence doesn’t seem connected to reality.
Recent studies by Centrify and TechVangelism found a majority of enterprises don’t deploy major PAM capabilities, yet 93% express the belief they can handle threats to their privileged access.
This myth proves not only insidious—it undercuts efforts to revitalize your privileged access—but it proves confusing. According to a separate study by Centrify, over 70% of all breaches begin with compromised privileged credentials. The fewer controls you enact on your superusers, the less secure your enterprise.
Moreover, privileged credentials in the wrong hands can take months to detect without behavioral or session monitoring. The longer a threat dwells on your network, the more damage it can do.
Your enterprise needs to take a serious look at your privileged access management. First, determine whether you can identify all of the privileged users on your network (as we spoke of above). Second, you should deploy next-generation access management capabilities like MFA, password vaulting, and session monitoring. Finally, continually evaluate whether your privileged access stands up to the task of your enterprise.
Myth #4: We Don’t Need Identity Management, We Have Antivirus
We’d laugh at this identity management myth if the situation wasn’t so dire.
Antivirus has nothing to do with identity security. Actually, antivirus can’t even offer your enterprise the protection it needs to handle malware. Almost all legacy antivirus solutions don’t possess the capabilities to defend against the modern threat landscape. Only next-generation endpoint security can do that.
Regardless, endpoint security doesn’t help protect identities. Your enterprise needs a legitimate identity and access management solution, full stop.
Myth #5: Once They Log In, The User Should Be Just Fine
Just letting someone in because they knew the password can actually leave your enterprise vulnerable. You don’t know if a hacker just got the credentials or if the user just wants to get their work done.
Therefore, your enterprise needs to enact Zero Trust policies. Zero Trust refers to policies summarized by the statement “never trust, always verify.” Anything connecting to the network or to databases requires verification before it receives access. Your enterprise should treat everything connecting to it as untrusted until it can absolutely prove otherwise.
Additionally, your enterprise can use step-up authentication to help ensure a smooth experience while reducing identity friction. This only activates if the user requests access to more sensitive databases, thus only enacting more factors as the risk increases.
Debunk Identity Management Myths Today!
You can do so by checking out our 2019 Identity Management Buyer’s Guide for a fitting next-generation solution. We cover the top vendors and their key capabilities!
Latest posts by Ben Canner (see all)
- The Benefits of Identity Management for Healthcare Businesses - January 21, 2020
- How Can You Ensure Privileged Account Security? - January 17, 2020
- Ten Identity Governance and Administration Vendors to Watch in 2020 - January 14, 2020