For the third year running, Identity Management Day (IDM) took to the virtual stage to spread awareness about the importance of securing digital identities. Co-hosted by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCA), the conference engaged identity and security leaders and practitioners across the world on the importance of identity management, identity-centric security best practices and technologies, and the risks related to improperly secured identities and access credentials.
Read on to learn more about this year’s Identity Management Day, along with some of the best practices shared during the event.
Some highlights of IDM 2023:
- 2,000+ attendees
- 6 mainstage sessions led by experts and leading implementers of identity security practices
- A successful expo with more than 12 virtual vendor showcases
- An active stream of advice and best practices shared across social media
What is Identity Management Day?
Identity Management Day was launched by IDSA and the NCA in 2021 as a day of awareness to bring focus to the importance of identity management and to help individuals and organizations learn the best guidance, practices, and readily available technologies that can help them defend their access points and digital identities.
Highlights from the identity security expo
Identity Management Day 2023 featured an active expo floor. More than a dozen virtual booths were set up to provide attendees with identity management support. Attendees were able to download relevant identity security documents and identity-first security whitepapers, watch informative videos on identity and access security strategies, enter live chats with identity experts, and even enter to win free giveaways.
The BeyondTrust booth offered free resources covering best practices for securing various digital identities—human, machine, employee, and vendor. Attendees could also engage with one of our identity security experts all day through the live chat to discuss strategies for securing cloud identities.
Session highlights from Identity Management Day 2023
This year’s event featured an exciting keynote presentation, multiple sponsor presentations, along with five expert panel discussions on various aspects of identity and access security, including identity and access management risks and best practices, the importance of identity threat detection and response (ITDR), how to implement identity and access management, and how to prevent identity-related breaches and reduce the risk of cybersecurity incidents. Recordings of these sessions are available on-demand through the Identity Management Day Conference website.
IDM 2023 opened with an important question: Why do we still have identity-related breaches?
The 2023 keynote dove into the extent of a digital identity’s impact. If every aspect of your activity is based on your identity, and if everything you see and do online occurs because your identity and authentication determine your access authorizations, then your identity is tied to substantial organizational risk. This year’s keynote speakers identified the key components of an identity management and protection strategy—including how to maintain the fundamental security practices even as modern environments evolve. They also highlighted emerging technologies and trends in identity security and identity and access management, from AI to Zero Trust.
Participants included: Lisa Plaggemier, Executive Director at National Cybersecurity Alliance; Jeff Reich, Executive Director at Identity Defined Security Alliance; David Coallier, CEO and co-founder at Clearword; Josephina Fernandez, Sr. Director, Enterprise Security at Cisco; John Yeoh, Global Vice President of Research at Cloud Security Alliance.
Session description: The first panel of the day delved into the complexities of safeguarding privacy, prosperity, and liberty while securing the digital identities of the future. After outlining how the international digital identity landscape looks today, the panelists explored what systems could be put in place to safeguard these values while building a more secure and interconnected world, how such systems could look in the U.S., and what the public reaction might be.
Participants included: David Treece, Vice President, Solutions Architecture at Yubico; Jeremy Grant, Managing Director, Technology Business Strategy at Venable, LLP; Lisa Plaggemier, Executive Director at National Cybersecurity Alliance.
Session description: Effective identity management ensures security for systems and people, enhancing privacy and enabling efficient digital experiences for businesses and individuals. In this session, IDPro asked its members to share their most effective Identity and Access Management (IAM) practices for protecting and securing digital identity, touching on building an IAM team, growing an IAM talent pipeline, and handling the organizational challenges that typically come up when tackling identity problems within an organization.
Participants included: Lorrayne Auld, Principal Cybersecurity Engineer at MITRE Corporation; Vittorio Bertocci, Principal Architect at Okta; Bertrand Carlier, Senior Manager at Wavestone; Lori Robinson, VP Identity and Access Management at Salesforce; Heather Vescent, President and Executive Director at IDPro.
Session description: There has long been consensus that the existence of passwords hinders the achievement of a better identity ecosystem. But if we truly kill off passwords, what will we replace them with? In this session, Andrew Shikiar from FIDO Alliance explored the importance of the authentication piece of the identity puzzle, the latest trends and standards for building simpler and stronger authentication, and strategies to help reduce the world's reliance on passwords on a global scale.
Participants included: Andrew Shikiar, Executive Director and CMO at FIDO Alliance.
Session description: Zero-trust architectures demand better control on sessions that live across distributed cloud services. Open Standards, such as OpenID Shared Signals and CAEP, are helping companies improve session control by passing asynchronous events between services. This session discussed real-world zero-trust use cases drawn from existing and planned implementations of the protocol standards, features of the existing standards (SSF, CAEP, and RISC), and how to adopt or implement.
Participants included: Joshua Terry, Group Product Manager at Duo; Atul Tulshibagwale, CTO at SGNL and Co-Chair of the OpenID Foundation’s Shared Signals Working Group.
Session description: Gone are the days when identity security could mean focusing solely on managing access within a safe perimeter. In today’s world, it’s on the front lines of every organization’s infrastructure. This session explored the steps CISA has been taking to develop a defensible security foundation through investments in identity management, how identity-centric security fits into our broader push for a more secure-by-design technology fabric, and why modern approaches to identity security are so critical to enabling Zero Trust.
Participants included: Grant Dasher, Senior Advisor, Office of the Technical Director for Cybersecurity at Cybersecurity and Infrastructure Security Agency (CISA).
Why is identity and access management important?
Today’s enterprises are facing a tidal surge of new identities. Those digital identities—whether they are human, machine, employee, or vendor-based—and their associated accounts, remain the main points of infiltration for attackers. With wave after wave of new identity-focused cyberattacks slamming into an increasingly theoretical perimeter, managing the sea of identities has never been more challenging—or carried such high stakes.
According to the latest research put forth by IDSA, in the last year, 84% of organizations have experienced an identity-related security breach. Of those organizations, 78% reported direct business impacts due to those breaches, and 96% stated that their identity-related breaches could have been prevented or mitigated with identity-centric security implementation.
IBM Security’s latest Cost of a Data Breach Report corroborates that stolen or compromised credentials were the most common cause of a data breach in 2022. Moreover, these identity-based attacks also took the longest time to identify. In 2022, the average time to identify and contain a breach was 277 days (approximately 9 months). Compromised credential breaches took an additional 50 days (an average of 327 days total) to identify. In that time, a threat actor can not only infiltrate, but also move laterally through your infrastructure.
Compromised credential breaches were also found to cost those organizations an average $150,000 USD more per breach than the average cost of a data breach in 2022, even after the global average cost of a data breach hit its highest record in the history of the IBM report ($4.35M USD, a 12.7% increase compared to 2020).
It is not without reason that identity and access security has become center-stage for business leaders and IT executives, or that it has been flagged by leading strategists and security practitioners as a pivotal step to building a successful zero trust posture.
All too often, what stands between you and a devastating breach is a phishing email (and those phishing attempts are becoming more sophisticated thanks to AI) or a weak password. You can’t stop threat actors from sending phishing emails, using social engineering tactics, or targeting the identities and access points of your organization, but you can implement a series of security processes and technologies that can help you delay, if not prevent, and more quickly detect a breach.
What are the biggest identity and access security mistakes to avoid?
Poor identity security practices have been linked to some of the biggest and most devastating cyberattacks in 2022. Here are a few common malpractices that could put your organization at risk:
1. Lack of proper account controls
Admin accounts are a huge target for threat actors because they provide the most access, and thus power, within the system. Attackers will try to hijack these privileged accounts and escalate privileges and/or move laterally. Once an attacker gains entry, they may even try to create their own admin account. Having the proper account controls, combined with just-in-time access, would prevent the attacker from being able to create that admin account.
2. Weak password management
Weak passwords, reused passwords, and embedded passwords are pervasive challenges to enterprise security. Weak passwords present an easy point of entry for brute force attacks. Part of the problem is that there are so many passwords required to access all the elements of the job. Multifactor authentication and strong password management policies can make it easier for employees and vendors to follow strong password protocols, and that can go a long way toward strengthening the security of your entire network.
3. Orphaned accounts
One of the most famous sayings in cybersecurity is that it isn’t the accounts and identities you know about that are the problem; it’s the ones you don’t know about that pose the biggest risk. That means you need really strong policies to ensure that, after an employee leaves a company or moves to another role, or when a vendor or third party no longer needs access, their accounts have their access terminated. Orphan accounts, or accounts left active and forgotten about, create a massive security exposure. No one would really know if the account had been compromised because no one is assigned to it—no one is looking at it. Fortunately, there are tools that can help organizations identify all of their access points so the IT leaders can take the necessary steps to close down any orphan accounts. Click here to use the free Privileged Access Discovery Application to uncover any hidden privileged accounts and credentials in your network.
4. Overprivileged (over-provisioned) identities
Employee, vendor, and machine identities are commonly granted far more access than they need. The cloud has only worsened the scale of the problem. One common issue is that employees or vendors who need temporary entitlements or privileges to certain accounts to complete a specific task will maintain those privileges, even when the access is no longer needed. This creates a significant level of risk because now each of those users could be allowing a threat actor to have higher levels of ungated access to sensitive information and systems. Implementing policies and technologies that enable simplified privilege management and just-in-time access—access only to what is needed and only for the amount of time it is needed—can mitigate these risks.
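The two malpractices above (orphaned accounts and privileges that outlive the task they were granted for) are both findable from an account inventory. The following Python script is an added example, not BeyondTrust’s discovery tool or any code from the original post: it runs the two checks over a constructed inventory. The account records, the HR roster of active people, the `-admin` naming convention for privileged entitlements and the 90-day idle threshold are all assumptions made for the illustration.

```python
"""Identity hygiene audit (added example with constructed data).

Flags (1) orphaned accounts: owner no longer active, or no login for a
long time, and (2) stale privilege: expired just-in-time grants that were
never revoked, plus standing admin rights that should be converted to JIT.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Grant:
    entitlement: str              # e.g. "prod-db-admin" (naming convention assumed)
    granted: datetime
    expires: Optional[datetime]   # None = standing (permanent) privilege

@dataclass
class Account:
    name: str
    kind: str                     # "human" or "machine"
    owner: Optional[str]          # HR id of the responsible person; None = unsponsored
    last_login: Optional[datetime]
    grants: list = field(default_factory=list)

def find_orphaned_accounts(accounts, active_people, now, max_idle_days=90):
    """Return (account, reason) pairs for accounts nobody is accountable for
    or that nobody has used within max_idle_days."""
    findings = []
    for acct in accounts:
        if acct.owner is None or acct.owner not in active_people:
            findings.append((acct.name, "owner not active"))
        elif acct.last_login is None or now - acct.last_login > timedelta(days=max_idle_days):
            findings.append((acct.name, "no login in %d days" % max_idle_days))
    return findings

def find_stale_grants(accounts, now):
    """Return (account, entitlement, reason) for expired JIT grants still
    present and for standing admin-level grants."""
    findings = []
    for acct in accounts:
        for g in acct.grants:
            if g.expires is not None and g.expires < now:
                findings.append((acct.name, g.entitlement, "expired JIT grant still present"))
            elif g.expires is None and g.entitlement.endswith("-admin"):
                findings.append((acct.name, g.entitlement, "standing admin privilege"))
    return findings

# --- constructed sample inventory (not real data) -------------------------
NOW = datetime(2023, 4, 20, tzinfo=timezone.utc)
ACTIVE_PEOPLE = {"e1001", "e1002", "e1003"}        # current HR roster
ACCOUNTS = [
    # alice finished her task yesterday; the JIT grant expired an hour ago but is still there
    Account("alice", "human", "e1001", NOW - timedelta(days=1),
            [Grant("prod-db-admin", NOW - timedelta(days=2), NOW - timedelta(hours=1))]),
    # bob holds a permanent admin entitlement granted a year ago
    Account("bob", "human", "e1002", NOW - timedelta(days=3),
            [Grant("prod-db-admin", NOW - timedelta(days=365), None)]),
    # carol left the company (e1004 is not on the roster) but her account is still enabled
    Account("carol", "human", "e1004", NOW - timedelta(days=10), []),
    # a sponsored service account that has not authenticated in 200 days
    Account("svc-backup", "machine", "e1003", NOW - timedelta(days=200),
            [Grant("backup-reader", NOW - timedelta(days=400), None)]),
    # a service account with no owner on record and no recorded login at all
    Account("svc-legacy", "machine", None, None, []),
]

def run_audit(accounts=ACCOUNTS, active_people=ACTIVE_PEOPLE, now=NOW):
    return {
        "orphaned": find_orphaned_accounts(accounts, active_people, now),
        "stale_grants": find_stale_grants(accounts, now),
    }

if __name__ == "__main__":
    for section, rows in run_audit().items():
        print(section)
        for row in rows:
            print("  ", row)
```

On the constructed data the audit reports carol, svc-backup and svc-legacy as orphaned, alice’s expired grant as something to revoke, and bob’s permanent admin entitlement as a candidate for conversion to just-in-time access. In practice the inventory would come from your directory and PAM exports and the roster from HR, and the 90-day threshold should be tuned per account type (machine identities often have a legitimate cadence of their own).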
What are the types of identities that we need to protect most?
- Human Identities - Human digital identities are the identities that allow human users to be assigned access or privileges within a network. Human identities can be further broken down into employee identities, partner identities, vendor identities, and client identities. These are some of the most targeted entry points for attackers, whether they are leveraging phishing and social engineering attempts to steal user credentials (according to the Verizon Data Breach Investigations Report, 61% of all breaches were a result of stolen credentials) or are using other means to access user credentials (according to Forbes, 15 Billion passwords are available on the Dark Web). You can learn more about password security strategies here.
- Machine (non-human) Identities - A machine identity is a mechanism that allows any non-human entity, including robotic processing automation (RPA) workflows, applications, endpoints (devices, servers, desktops, IoT, etc.), websites, containers, service accounts, and more, to be authenticated within systems, over LAN/MAN/WAN, via Bluetooth, Wi-Fi, the internet, etc. This authentication happens across firewalls, using certificates, keys, IP addresses, location services and multifactor authentication (MFA), and over HTTPS with TLS 1.2 or 1.3 encryption. What makes machine identities particularly vulnerable is that they need to be stored within the machine for the machine to have access, and that means stealing a machine identity, if the correct cybersecurity protocols are not in place, can often be done undetected. Click here to learn more about securing machine identities.
- Cloud identities - Cloud identities are digital identities hosted in the cloud to enable employees, vendors (via SaaS or a partner cloud), and partners to access resources remotely. One challenge with cloud identities is that the security structures that applied to your on-prem accounts often aren’t going to be effective at securing the cloud. Another challenge is that most organizations don’t just have one cloud, they have many—and the native tools used to manage identities within one cloud will likely not work in another cloud environment. The move to the cloud changes how entitlements, permissions, rights, identities, accounts, credentials, and exploits can be leveraged to breach a network.
10 ways to improve protection around your identities and access points
The following best practices can help you secure all the identities and access points in your organization:
1. Deploy a “think before you click” mentality within your organization
Your employees are one of the most important lines of defense you can have against a breach. While you can leverage tools, technologies, policies, and controls to help safeguard your security, it is essential to train all your employees on the types of phishing activities.
An educated workforce that can identify suspicious emails and activities, report them to the IT department, and recognize when a link in an email or text message should not be clicked goes a long way toward improving an organization’s baseline security. Social engineering attacks continue to evolve, so it’s important that cyber awareness training is ongoing.
2. Implement a password manager across your network
Adequately protecting passwords—especially privileged passwords—is one of the most important factors in preventing or mitigating a breach. First, despite the push to go passwordless, employees still need a lot of passwords. This means they must remember and input a lot of passwords during the day to get their work done.
Second, to resist being cracked, passwords must be complex and unique. Implementing policies to ensure password standards are being met (a minimum length, use of numbers and symbols, a passphrase instead of a password, etc.) can help, but it often makes password implementation less user-friendly, which means more employees will be likely to take shortcuts to prioritize their own efficiency.
Third, it is difficult to police password implementation to ensure employees are creating strong passwords, are not reusing passwords, and are not sharing passwords. Designating a password manager that can generate and remember passwords, and a privileged credential management solution that can enable your IT department to monitor, discover, and audit privileged accounts will go a long way towards maintaining the security of your network.
3. Use multi-factor authentication (MFA) or FIDO2
An effective way to decrease the challenges—and risk—of the number of passwords employees need to use is to step up authentication security in addition to password security practices. Multi-factor authentication (MFA) introduces authentication tools, such as biometrics or a unique one-time code that is sent to a separate device, to make the login process easier for your employees while maintaining a high level of security through the continuous authentication of user and device identities.
MFA alone is not foolproof, though. MFA fatigue attacks have grown more prevalent, exploiting weaknesses in basic MFA. Thus, Fast Identity Online (FIDO2) is becoming an increasingly necessary security control. Unlike basic MFA, FIDO2 uses local authentication and asymmetric public key cryptography to introduce decentralized authentication, improve security, and resist MFA fatigue and other attacks.
4. Maintain an effective software update policy
Software updates are often deployed to fix known security flaws, which means outdated software can present a huge security gap—one that threat actors already know how to target. You can keep your security infrastructure up to date by configuring all the devices on your network to update automatically. Automating updates will help ensure employees are updating their software regularly, even if the devices they are using to connect to the network are located off-prem, as is becoming the norm in the work-from-anywhere world.
5. Educate to prevent inadvertent sharing
While there are exceptions (the rare employee who sells their credentials to the dark web), for the most part, breaches that arise from internal mistakes are accidental. One way to avoid these types of breaches is to ensure your employees are proactively aware of who can see their information. This means educating employees about the risks associated with working with confidential information in public places where their screens can be viewed, walking away from their devices without locking them, and sharing specific types of information about themselves on social media.
6. Establish a comprehensive Intelligent Identity and Access Security Policy
One of the most important steps is to implement a comprehensive identity and access security policy that encompasses the top risks organizations face. This policy should govern how privileged access and accounts are provisioned/de-provisioned, address the inventory and classification of privileged identities and accounts, enforce least privilege and Just-In-Time (JIT) access, and enable the enforcement of other best practices for security and management.
7. Implement Privileged Access Management (PAM)
Privileged Access Management (PAM) is a set of cybersecurity strategies and technologies that allow organizations to control the elevated (privileged) access and permissions that need to be applied to identities, users, accounts, processes, and systems within an IT environment to allow an organization to operate securely and efficiently.
Enforcing PAM is considered to be one of the most important security projects for reducing cyber risk and achieving a high security ROI. PAM simplifies the privilege management process to ensure access rights and permissions are always visible and are continuously being audited, verified, and validated. PAM ensures no level of access can ever go undetected, no user or device ever has more than the minimum level of privilege necessary to perform their role effectively, and no uncharacteristic or suspicious activity goes unnoticed. This significantly reduces the ability of threat actors to breach an IT environment and then move laterally across it.
Now that cloud and multicloud environments are so prevalent, effectively reducing an enterprise’s attack surface—whether on-premises or across the cloud—requires the integration of Cloud Infrastructure Entitlements Management (CIEM) within a traditional PAM platform to ensure no instance of privileged access is overlooked. It is important to deploy streamlined cloud identity security strategies that enable granular levels of visibility and control across your entire cloud infrastructure. Rather than relying on a patchwork of native toolsets from various cloud providers, CIEM allows you to discover and manage permissions and entitlements in the cloud in real time, monitor and alert on inappropriate behavior, and enforce least privilege policies for any cloud infrastructure across multicloud environments.
8. Implement Identity Threat Detection and Response (ITDR)
Identity threat detection and response (ITDR) refers to the combination of security tools and processes required to adequately defend identity-based systems. ITDR works by implementing detection mechanisms, investigating suspicious posture changes and activities, and responding to attacks to restore the integrity of the identity infrastructure. By combining cyber threat intelligence, detection, investigation, and response in one security discipline, organizations are much better poised to defend their identity infrastructures.
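To make the “detection mechanisms” concrete, here is an added example (not code from the original post or from any ITDR product) that runs two identity-focused rules over constructed audit events: an account that is created and then placed in a privileged group within a short window (the “attacker creates their own admin account” pattern described under mistake 1 above), and an actor who adds their own account to a privileged group. The `timestamp key=value` log format, the privileged group names and the 30-minute window are assumptions for the illustration.

```python
"""Minimal identity-threat detection over audit events (added example).

Input format (assumed for this example): one event per line,
    <ISO-8601 UTC timestamp> actor=<who did it> action=<what> target=<account> [group=<group>]
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
PRIVILEGED_GROUPS = {"domain-admins", "cloud-owners"}   # assumed names

def parse_line(line):
    """Parse one audit line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable audit line: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(lines, window=timedelta(minutes=30)):
    """Return alert tuples (rule, actor, target, group) in log order."""
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: e["ts"])           # logs may arrive out of order
    created = {}                                 # target -> creation timestamp
    alerts = []
    for ev in events:
        if ev["action"] == "user.create":
            created[ev["target"]] = ev["ts"]
        elif ev["action"] == "group.add" and ev.get("group") in PRIVILEGED_GROUPS:
            # Rule 1: an actor granting a privileged group to their own account
            if ev["actor"] == ev["target"]:
                alerts.append(("self-escalation", ev["actor"], ev["target"], ev["group"]))
            # Rule 2: a freshly created account made privileged within the window
            if ev["target"] in created and ev["ts"] - created[ev["target"]] <= window:
                alerts.append(("new-account-privileged", ev["actor"], ev["target"], ev["group"]))
    return alerts

# --- constructed sample audit log (not real data) --------------------------
SAMPLE_LOG = """
2023-04-20T10:00:05Z actor=helpdesk action=user.create target=newhire01
2023-04-20T10:01:00Z actor=helpdesk action=group.add target=newhire01 group=staff
2023-04-20T10:05:00Z actor=svc-deploy action=user.create target=ops-tmp
2023-04-20T10:07:30Z actor=svc-deploy action=group.add target=ops-tmp group=domain-admins
2023-04-20T11:00:00Z actor=bsmith action=group.add target=bsmith group=cloud-owners
2023-04-20T12:00:00Z actor=admin2 action=group.add target=newhire01 group=domain-admins
"""

def run_detection(log=SAMPLE_LOG):
    return detect(log.splitlines())

if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the sample log the service account `svc-deploy` creating `ops-tmp` and promoting it to `domain-admins` two minutes later fires the new-account rule, and `bsmith` adding themself to `cloud-owners` fires the self-escalation rule. The last line, where `newhire01` is promoted two hours after creation through a separate administrator, stays silent: the window keeps routine onboarding out of the alert stream, and the point of the rule is the sequence, not the individual group change, which is why an ITDR pipeline needs state across events rather than per-line matching.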
9. Enforce Endpoint Security
Endpoint security protocols enable you to enforce the security and compliance of devices such as mobile devices, laptops, desktops, servers, IoT, and POS systems before they are granted access to network resources. This gives your IT team more control at the device level to prevent user errors, implement security best practices on devices that are operated remotely, and prevent unmanaged BYOD and shadow IT. This safeguards the network from malicious external attacks as well as unintentional insider threats that could give an attacker an entry point into your system, or even enable them to compromise additional endpoints via lateral movement.
10. Perform Regular Security Hardening Activities
Hardening your IT environment is an important step in strengthening your overall security. The goal of security hardening is to apply a series of practical approaches to reduce the vulnerability of applications, systems, infrastructure, firmware, etc. A few hardening best practices include removing unnecessary software applications and privileges, closing unneeded open ports, and ensuring endpoints have the latest firmware and patches. Performing these activities will eliminate known attack vectors, condense the system’s attack surface, and thereby reduce system vulnerability and security risk. Hardening activities are not a one-time fix. They should continue to be performed throughout a device’s lifecycle to ensure the base configurations remain secure.
Next steps – improving how you secure all your enterprise identities
Identity Management Day is one day of the year that is dedicated to celebrating the progress organizations have made, and to spreading awareness and resources that can help support individuals and organizations in their ongoing security initiatives; however, the fight to secure identity and access against an ever-evolving threat landscape needs to be as continuous and adaptive as the threats we are defending against. Click here for more resources that can help you convert your security infrastructure into a more identity-centric security environment.
Laura Bohnert, Sr. Marketing Content & PR Manager
As a Sr. Marketing Content & PR Manager at BeyondTrust, Laura Bohnert applies a multifaceted, tech-centered marketing skillset to help drive SEO, blog, PR, and product marketing in support of BeyondTrust’s demand generation and sales enablement initiatives. She has a diverse background in product marketing, brand marketing, content writing, social media, event coordination, and public relations. Outside of the tech world, she has a passion for literature, with a BA, MA, and PhD Candidacy in English Literature, and she can either be found beekeeping, restoring her historic haunted house, or continuing her dissertation on the psychological interpretations of ghosts in gothic and horror fiction.