Identity Management Day (IDM) 2022 took place on April 12th and made great strides building on top of last year’s inaugural event to raise awareness about the importance of securing digital identities.
Some highlights of IDM 2022:
- 800+ attendees
- 5 mainstage sessions led by experts and leading implementers of identity security practices
- A successful expo
- An active stream of advice and best practices sharing across social media
Over the past year, the topic of identity and access security has become center-stage for business leaders and IT executives. Leading strategists and security practitioners have flagged identity-centric security as a pivotal step to building a successful zero trust posture.
Read on to learn more about this year’s Identity Management Day, along with some of the supplemental best practices that were shared during the event.
What is Identity Management Day?
Identity Management Day, launched in 2021 by the National Cybersecurity Alliance (NCA) and the Identity Defined Security Alliance (IDSA), is a day of awareness. It was designed to disseminate information and tips to help everyone, from business leaders to IT decision-makers, understand the importance of identity management and gain access to the guidance, best practices, and readily available technologies that can help ensure all access points and digital identities are secured. In addition to outlining the dangers of not properly securing identities and access credentials, primary topics for the day include governance, identity-centric security best practices, processes, and technology.
From the Show Floor
Identity Management Day 2022 featured an active expo floor, with more than a dozen virtual booths set up to provide attendees with identity management support via downloadable documents and whitepapers, informative videos, live chats with security experts, and giveaways.
At the BeyondTrust booth, our attendees could choose from a selection of resources covering best practices for securing various identities: human, machine, employee, and vendor. Attendees could also engage one of our expert representatives all day through the live chat, and could view our on-demand Roundtable, in which Morey Haber, Christopher Hills, and Brian Chappell, co-authors of Cloud Attack Vectors (the soon-to-be-published 4th book in the Attack Vector series), discussed strategies for securing cloud identities.
Our giveaway—the Privileged Account Discovery Application—was a hot item at our booth. BeyondTrust visitors were able to take advantage of the application to securely scan their networks to uncover any hidden privileged accounts and credentials. This powerful, free application proved a key resource for those looking to fast-track their identity security strategy planning.
Session Highlights from Identity Management Day 2022
This year’s event featured five expert panel discussions. Identity management and security leaders discussed the roadblocks for preventing identity-related breaches and how organizations and individuals can reduce the risk. Recordings of these sessions are available on-demand through the Identity Management Day Conference website.
1. Keynote Panel: Preventing Identity-Related Attacks Today
The opening keynote discussed the impact an identity-related breach can have on any size of organization. As the lines blur between our personal and professional lives, protecting our digital identities as a consumer, an employee, or a partner is essential to keeping us all secure. Key takeaways from this panel include the importance of identifying the threat of the minimum viable product to security infrastructures, and the importance of recognizing that the risk of human error doesn’t have to be put onto employees and users. It can instead be carried by the design and implementation of user-friendly security technologies.
Participants included: Sean Deuby, Director of Services at Semperis; Manish Gupta, Director of Global Cybersecurity Services at Starbucks; Martin Kuppinger, Founder and Principal Analyst at KuppingerCole; Clint Maples, Chief Information Security Officer at Robert Half; and Tom Sheffield, Sr. Director, Cybersecurity at Target.
2. Addressing Identity Challenges for SMBs
The second panel invited security experts to discuss the areas of exposure for SMBs, SLTTs, and MSPs, as well as how leaders can use CIS Controls to increase security and reduce the risk of a cyberattack. One of the key takeaways from this panel is that nobody is below the radar when it comes to the risks associated with inadequate identity security. Everyone is being attacked simultaneously by criminals who are using artificial intelligence and automation technologies to scour the globe for vulnerable companies and accounts. No organization is too small or too insignificant to be targeted.
Participants included: Lawrence Cruciana, President at Corporate Information Technologies; Phyllis Lee, Senior Director of Controls for Security Best Practices at Center for Internet Security; and Harry Perper, Principal Cybersecurity Technologist at The MITRE Corporation.
3. Identity at the Center of Zero Trust
What is Zero Trust? A product, an architecture, or a mindset? Is it rooted in network or identity principles? In this panel, experts in zero trust discussed the misconceptions about zero trust, the role identity plays, and the best practices. One key takeaway is that everything has an identity now—even bots—and everything has additional capabilities beyond what it was designed for, which means isolation and identity segmentation are critical for all aspects of a security infrastructure.
Participants included Chase Cunningham, Chief Security Officer at Ericom; George Finney, Chief Security Officer at Southern Methodist University; and Den Jones, Chief Security Officer at Banyan Security. The panel was moderated by John Gilroy, host of The Federal Tech Podcast and Managing Director at The Oakmont Group.
4. What's Missing in Identity?
What’s missing from identity-centric security performance and adoption? This panel discussed the complexity of identity and the implications and consequences of gaps in identity-centric security application design. The panelists discussed who should own identity in an organization, and one of the core problems keeping identity security from progressing: how not thinking about identity use cases in the application design stage prevents users from safely sharing identities. This prevents multi-identity use cases and forces a gatekeeping role onto identity management teams.
Participants included Jamie Lewis-Gross, VP Sales Engineering, Saviynt; Eve Maler, VP Innovation & Emerging Technology, ForgeRock; Helen Patton, Advisory CISO, Cisco; and moderator Richard Bird, Chief Product Officer, SecZetta.
5. The Future of Identity
This panel featured a candid discussion of the future of identity security, including the emerging technologies, standards, and market trends, to show how leading vendors and investment firms are focusing their efforts to shape identity's future. One key takeaway: digital credentials are going to change the world, but we should be thinking about the future of identity as an evolution instead of a revolution, and apply that mindset to the tools we can use now so we can evolve towards that future end state.
Participants included Andrew Hughes, Director of Identity Standards at Ping Identity; David Mahdi, CSO and CISO Advisor at Sectigo; Paul Mezzera, Vice President of Product and Strategy at Saviynt; Kristina Yasuda, Identity Standards Architect at Microsoft; and Paul Zolfaghari, Managing Director at Carrick Capital Partners.
Why is Identity and Access Management so Important?
Your organization’s identities—whether those are human, machine, employee, or vendor-based—and their associated accounts, are the main points of infiltration for attackers. And you have a lot of different types of identities spanning different types of environments, from on-prem to in the cloud.
According to a 2020 IDSA study, 79% of organizations have experienced an identity-related security breach in the last two years, and 99% of those organizations believe their identity-related breaches were preventable. Moreover, most breaches are not detected right away, or even at the point of breach. According to the 2020 IBM Security Cost of a Data Breach Report, the average length of time it takes organizations to identify a breach was 207 days, and the average time to contain that breach was 73 days, for a combined 280 days—that’s over 7 months! In that time, a threat actor can not only infiltrate, but also move laterally through your infrastructure.
All too often, what stands between you and a devastating breach is a phishing email (and those phishing attempts are becoming more sophisticated) or a weak password. For a point of reference, the 2020 Verizon Data Breach Investigations Report indicated that as many as 81% of hacking-related breaches leverage weak, stolen, or otherwise compromised passwords. You can’t stop threat actors from sending phishing emails, using social engineering tactics, or targeting the identities and access points of your organization, but you can implement a series of security processes and technologies that can help you delay, if not prevent, and more quickly detect a breach.
What are the Biggest Identity and Access Security Mistakes to Avoid?
Poor identity security practices have been linked to some of the biggest and most devastating cyberattacks in 2021. Here are a few common malpractices that could be putting your organization at risk:
1. Not having the proper account controls in place
Admin accounts are a huge target for threat actors because they provide the most access, and thus power, within the system. Attackers will try to hijack these privileged accounts and escalate privileges and/or move laterally. Once an attacker gains entry, they may even try to create their own admin account. Having the proper account controls, combined with just-in-time access, would prevent the attacker from being able to create that admin account.
2. Weak password management
Weak passwords, reused passwords, and embedded passwords are pervasive challenges to enterprise security. Weak passwords present an easy point of entry for brute force attacks. Part of the problem is that there are so many passwords required to access all the elements of the job. Multifactor authentication and strong password management policies can make it easier for employees and vendors to follow strong password protocols, and that can go a long way toward strengthening the security of your entire network.
3. Orphaned accounts
One of the most famous sayings in cybersecurity is that it isn’t the accounts and identities you know about that are the problem; it’s the ones you don’t know about that pose the biggest risk. That means you need really strong policies to ensure that, after an employee leaves a company or moves to another role, or when a vendor or third party no longer needs access, their accounts have their access terminated. Orphan accounts, or accounts that are left open and forgotten about, create a massive security exposure, especially since no one would really know if the account had been compromised because no one is assigned to it—no one is looking at it. Fortunately, there are tools that can help organizations identify all of their access points so the IT leaders can take the necessary steps to close down any orphan accounts. Click here to use the free Privileged Access Discovery Application to uncover any hidden privileged accounts and credentials in your network.
4. Overprivileged (over-provisioned) identities
Employee, vendor, and machine identities are commonly granted far more access than they need. The cloud has only worsened the scale of the problem. One common issue is that employees or vendors who need temporary entitlements or privileges to certain accounts to complete a specific task will keep those privileges after the access is no longer needed. This creates a significant level of risk because each of those users could now give a threat actor higher levels of ungated access to sensitive information and systems. Implementing policies and technologies that enable simplified privilege management and just-in-time access (access only to what is needed and only for the amount of time it is needed) can mitigate these risks.
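The orphaned-account and overprivileged-identity checks described in items 3 and 4 can be run as a reconciliation between an account inventory and the roster of current employees and vendors. The following is an added example, not BeyondTrust code or the Privileged Access Discovery Application; the data is constructed and every field name is an assumption. It goes slightly beyond the text by also flagging grants that have no expiry at all, which is what a just-in-time model is meant to eliminate.

```python
from datetime import date

# Constructed sample data. Field names and values are assumptions made for
# this example, not the export format of any real directory or PAM product.
ROSTER = {
    "alice": "active",
    "bob": "terminated",        # employee who left the company
    "acme-support": "ended",    # vendor engagement that has finished
}

ACCOUNTS = [
    {"name": "alice", "owner": "alice", "enabled": True,
     "grants": [{"role": "db-admin", "expires": date(2022, 3, 1)}]},
    {"name": "bob-adm", "owner": "bob", "enabled": True,
     "grants": [{"role": "domain-admin", "expires": None}]},
    {"name": "acme-vpn", "owner": "acme-support", "enabled": False,
     "grants": []},
    {"name": "svc-backup", "owner": None, "enabled": True,
     "grants": [{"role": "backup-operator", "expires": None}]},
    {"name": "carol", "owner": "carol", "enabled": True,
     "grants": [{"role": "deploy", "expires": date(2022, 5, 1)}]},
]

AUDIT_DATE = date(2022, 4, 12)  # constructed "today" for the sample run


def audit(accounts, roster, today):
    """Return sorted (account, finding, detail) tuples for risky accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; nothing left to close
        owner = acct["owner"]
        if owner is None:
            # Nobody is assigned, so nobody would notice a compromise.
            findings.append((acct["name"], "UNOWNED", "no owner assigned"))
        elif roster.get(owner) != "active":
            # Owner left, changed status, or was never in the roster.
            status = roster.get(owner, "not in roster")
            findings.append(
                (acct["name"], "ORPHANED", f"owner {owner}: {status}"))
        for grant in acct["grants"]:
            if grant["expires"] is None:
                # Standing privilege: no end date was ever set.
                findings.append(
                    (acct["name"], "STANDING_GRANT", grant["role"]))
            elif grant["expires"] < today:
                # Temporary privilege kept after it was no longer needed.
                findings.append(
                    (acct["name"], "EXPIRED_GRANT", grant["role"]))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding, detail in audit(ACCOUNTS, ROSTER, AUDIT_DATE):
        print(f"{account:12} {finding:15} {detail}")
```

Treating an owner who is missing from the roster as orphaned rather than skipping the account is deliberate: accounts nobody knows about are the case the passage warns about.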
What are the Types of Identities that We Need to Protect Most?
1. Human Identities
Human digital identities are the identities that allow human users to be assigned access or privileges within a network. Human identities can be further broken down into employee identities, partner identities, vendor identities, and client identities. These are some of the most targeted entry points for attackers, whether they are leveraging phishing and social engineering attempts to steal user credentials (according to the Verizon Data Breach Investigations Report, 61% of all breaches were a result of stolen credentials) or are using other means to access user credentials (according to Forbes, 15 billion passwords are available on the Dark Web).
2. Machine (non-human) Identities
A machine identity is a mechanism that allows any non-human entity, including robotic process automation (RPA) workflows, applications, endpoints (devices, servers, desktops, IoT, etc.), websites, containers, service accounts, and more, to be authenticated within systems, over LAN/MAN/WAN, via Bluetooth, Wi-Fi, and the internet, etc. This authentication happens through firewalls; using multifactor authentication (MFA), certificates, keys, IP addresses, and location services; and via HTTPS with TLS 1.2 or 1.3 encryption. What makes machine identities particularly vulnerable is that they need to be stored within the machine for the machine to have access, and that means stealing a machine identity, if the correct cybersecurity protocols are not in place, can often be done undetected.
3. Cloud identities
Cloud identities are digital identities hosted in the cloud to enable employees, vendors (via SaaS or a partner cloud), and partners to access privileged resources remotely. One challenge with cloud identities is that the security structures that applied to your on-prem accounts aren’t going to be effective at securing the cloud. Another challenge is that most organizations don’t just have one cloud, they have many—and the native tools used to manage identities within one cloud will likely not work in another cloud environment. The move to the cloud changes how entitlements, permissions, rights, identities, accounts, credentials, and exploits can be leveraged to breach a network. In other words, accelerated adoption of the cloud changes the path of least resistance for attackers, and that means organizations need to be able to adapt their security postures to meet the shifting threat landscape that cloud and multicloud environments introduce.
For more information on the changing threat dynamics and how to secure your cloud environment, preorder Cloud Attack Vectors.
10 Ways to Improve Protection around Your Identities and Access Points
The following best practices can help you secure all the identities and access points in your organization:
1. Deploy a “think before you click” mentality within your organization
Your employees are one of the most important lines of defense you can have against a breach. While you can leverage tools, technologies, policies, and controls to help safeguard your security, it is really important to train all your employees on the types of phishing activities that are out there so they can help to identify suspicious emails and activities and report these to their IT department, and so they have the education they need to recognize when a link in an email or text message should not be clicked. Social engineering and phishing continue to evolve, so it is important that this training is ongoing.
2. Implement a password manager across your network
Adequately protecting passwords, especially privileged passwords, is one of the most important factors in preventing or mitigating a breach. First, each employee needs a lot of them, which means they must remember and input a lot of passwords during the day to get their work done. Second, passwords need to be increasingly complex and unique to keep a hacker out. Implementing policies to ensure password standards are being met (so many characters long, use of numbers and symbols, a passphrase instead of a password, etc.) can help, but it often makes password implementation less user-friendly, which means employees will be more likely to take shortcuts to prioritize their own efficiency. Third, it is difficult to police password implementation to make sure employees are creating strong passwords, are not reusing passwords, and are not sharing passwords. Designating a password manager that can generate and remember passwords, and a credentials manager that can enable your IT department to monitor, discover, and audit privileged accounts, will go a long way towards maintaining the security of your network.
3. Use multi-factor authentication (MFA)
An effective way to step up authentication security is to implement MFA. This will introduce authentication tools, such as biometrics or a unique one-time code that is sent to a separate device, to make the login process easier for your employees while maintaining a high level of security through the continuous authentication of user and device identities.
4. Introduce a software update policy
Software updates are often deployed to fix known security flaws, which means outdated software can present a huge security gap—one that threat actors already know how to target. You can keep your security infrastructure up to date by configuring all the devices on your network to update automatically. Automating updates will help ensure employees are updating their software regularly, even if the devices they are using to connect to the network are located off-prem, as is becoming the norm in the work-from-anywhere world.
5. Educate to prevent inadvertent sharing
While there are exceptions (the rare employee who sells their credentials to the dark web), for the most part, breaches that happen as a result of internal mistakes are accidental. One way to avoid these types of breaches is to ensure your employees are proactively aware of who can see their information. This means educating employees about the risks associated with working with confidential information in public places where their screens can be viewed, walking away from their devices without locking them, and sharing specific types of information about themselves on social media.
6. Establish a comprehensive Intelligent Identity and Access Security Policy
One of the most important steps is to implement a comprehensive identity and access security policy that encompasses the top risks organizations face. This policy should govern how privileged access and accounts are provisioned/de-provisioned, address the inventory and classification of privileged identities and accounts, enforce least privilege and Just-In-Time (JIT) access, and enable the enforcement of other best practices for security and management.
7. Implement Privileged Access Management (PAM)
Privileged Access Management (PAM) is a set of cybersecurity strategies and technologies that allow organizations to control the elevated (privileged) access and permissions that need to be applied to identities, users, accounts, processes, and systems within an IT environment to allow an organization to operate efficiently. Enforcing PAM is considered to be one of the most important security projects for reducing cyber risk and achieving a high security ROI because it simplifies the privilege management process to ensure access rights and permissions are always visible; are continuously being audited, verified, and validated; and are easily manageable. As a result, no level of access can go undetected, no user or device has more than the minimum level of privilege necessary to perform their role effectively, and uncharacteristic or suspicious activity can quickly be detected and responded to. This significantly reduces the ability of threat actors to breach and then move laterally across an IT environment.
8. Implement Cloud Infrastructure Entitlements Management (CIEM)
Now that cloud and multicloud environments are so prevalent, it is more important than ever to deploy streamlined cloud identity security strategies that enable granular levels of visibility and control across your entire cloud infrastructure. Rather than relying on a patchwork of native toolsets from various cloud providers, CIEM allows you to discover and manage permissions and entitlements in the cloud in real time, monitor and alert for inappropriate behavior, as well as to enforce least privilege policies for any cloud infrastructure across multicloud environments.
9. Enforce Endpoint Security
Endpoint security protocols enable you to enforce the security and compliance of devices, such as mobile devices, laptops, desktops, servers, IoT, and POS, etc., before they are granted access to network resources. This gives your IT team more control at the device point to enable them to prevent user errors, implement security best practices on devices that are operated remotely, and prevent BYOD and shadow IT. This will safeguard the network from malicious external attacks as well as unintentional insider threats that could give an attacker an entrance point into your system, or even enable them to compromise additional endpoints via lateral movement.
10. Perform Regular Security Hardening Activities
Hardening your IT environment is an important step in strengthening your overall security. The goal of security hardening is to apply a series of practical approaches to reduce the vulnerability of applications, systems, infrastructure, firmware, etc. A few hardening best practices include removing unnecessary software applications and privileges; closing unneeded ports; and ensuring endpoints have the latest firmware and patches. Performing these activities will eliminate potential, known attack vectors, condense the system’s attack surface, and thereby reduce system vulnerability and security risk. Hardening activities are not a one-time fix. These should continue to be performed throughout a device’s lifecycle to ensure the base configurations are secure.
Next Steps – Improving How You Secure All Your Enterprise Identities
Identity Management Day is one day of the year that is dedicated to celebrating the progress organizations have made, and to spreading awareness and resources that can help support individuals and organizations in their ongoing security initiatives; however, the fight to secure identity and access against an ever-evolving threat landscape needs to be as continuous and adaptive as the threats we are defending against. For more information and access to the resources that can help you convert your security infrastructure into a more identity-centric security environment, visit our resource page.

Laura Bohnert, Content Marketing Manager