Almost all modern smart technology, regardless of industry or applicability, has some form of identity today. We are not talking about just your username (a person), but also your iPhone, your Alexa, and your web-enabled refrigerator; they all have an identity, and they are all potential targets for a cybersecurity attack. Without an identity you can’t see it, you can’t enable it, and you can’t protect it. The processes and technology for managing identities and their lifecycle are called identity and access management (IAM), and they are essential if not critical to guarding against cybersecurity attacks.
Let’s look at the Equifax breach, for instance. If Equifax had had a formal privileged account access audit process and technology in place, in addition to a robust review process for its privileged identities, it would have determined that the account used by the Struts framework had elevated account privileges (access to databases and admin rights). This would have prompted strict cybersecurity rules and monitoring of that sensitive account. With the lack of these privileged account management controls, it was a matter of “when” and not “if” a breach was going to occur.
The three main types of identities
- Protecting consumer identities - Consumer identities include usernames, email addresses, credentials, social security numbers, credit card numbers and personally identifiable information (PII), which usually includes their address and date of birth.
- Protecting workforce identities - Workforce identities include the personal information of employees, vendors, partners, and contractors, as well as access associated with IT devices (e.g. laptops, phones, etc.), servers, file systems, and even doors and access to data center buildings.
- Protecting objects - This new wave of internet-enabled devices, applications, and objects (e.g. phones, Nest, Alexa) is being referred to as the Identity of Things (IDoT), stressing again the importance of giving each of these things an identity in order to protect it.
Because all three can at times be tightly integrated, they are both potential entry points and targets for a cybersecurity breach. Identities represent a mission-critical resource for any organization, especially those that include all three identity types, like a retailer, bank, hospital or university. The growth of internet-enabled objects increases the risk of a breach if they are not properly protected in an organization or home, especially if they are connected to databases or data holding consumer or workforce identities.
What can an organization do to protect their identities?
To protect against cybersecurity breaches such as Equifax, organizations must significantly increase their cybersecurity discipline and adopt best practices for managing all their identity types. Current infrastructure and IAM technology will need to be modernized to add support for IDoT objects as they grow, and to increase awareness in the organization of the importance of IAM and IGA. In addition, the processing time for editing roles and identities must go down from days to minutes in order to manage changes that can become potential breach entry points, such as changes due to lost credentials, lost devices, or unmanaged privileged accounts, as in the Equifax breach.
How can organizations get started?
- Perform a robust IAM Advisory assessment to identify where you are, where you want to be, and how to get there. The main focus here is performing the assessment against a robust and modern IAM Program Reference Framework. The main outcome is an agile and nimble IAM Program Roadmap that identifies the highest-risk cybersecurity, IAM, and IGA gaps and takes immediate action to remediate them. Learn more about how to get started with an IAM assessment.
- Implement modern IAM Services such as IAM Microservices to not only remediate immediate cybersecurity gaps, but also modernize the architecture and infrastructure at the same time. This will aid in the establishment of modern, robust, and nimble IAM capabilities for both on-premises and hybrid cloud systems.
- Establish a repeatable and measurable feedback loop to increase the maturity, effectiveness, and efficiency of the IAM Program over time.
About Aldo Pietropaolo
Aldo Pietropaolo is a cybersecurity evangelist, identity security expert, and co-founder of Good Dog Labs, A Lighthouse Company. Good Dog Labs modernizes identity and access management and governance for SMBs and large enterprises using advisory and implementation services, in addition to bringing new innovative products such as Perseus IAM (www.perseusiam.com) to market.