Expert Tips for Securing Digital Identities

Today is Identity Management Day (IDM), a day for raising awareness about the importance of securing digital identities. Launched in 2021 by the National Cybersecurity Alliance (NCA) and the Identity Defined Security Alliance (IDSA), IDM is designed to disseminate information and tips to help everyone, from business leaders to IT decision-makers, understand the importance of identity management and gain access to the guidance, best practices, and readily available technologies that can help ensure all access points and digital identities are secured.

The topics of identity and access security and identity threat detection and response (ITDR) have become center-stage for business leaders and IT executives over the past few years. Leading strategists and security practitioners have flagged identity-centric security as a pivotal step to building a successful zero trust posture, and identity management has become a foundational security component proven in the defense against vulnerabilities.

We’ve asked a few of BeyondTrust’s leaders for their biggest tips and best pieces of advice for securing digital identities against the world of threats, vulnerabilities, and attack vectors that are pervading today’s hybrid, work-from-anywhere world. Let’s hear what they have to say.

Morey J. Haber, Chief Security Officer

1. Why is identity an important part of an organization and its security posture?

As we have seen traditional perimeter-based security models evolve to support a work-from-anywhere world, security of the asset itself has become less of a risk compared to the users and machines requesting authenticated access. Threat actors recognize the easiest way to infiltrate an organization is to compromise an identity and impersonate the account (machine or human) performing trusted operations. If the threat actor is stealthy, their malicious activity is undetectable compared to normal operations and they can move laterally across accounts, assets, data, and applications without being detected, nor potentially even using any malware. The theft of an identity can be accomplished via social engineering or previous data leakage and represents a modern attack vector that must be protected by organizations, including the privileges that each identity is entitled to, in order mitigate risk.

2. What would you worry the most about going wrong if identity security wasn't included in your overall security posture?

If identity security wasn’t included in our overall security posture, I would worry about:

• Who has access to sensitive information and what are they doing with it.
• If there was a compromise to business operations and/or the products we manufacture.
• The risk to our clients and reputation based on the inability to measure identity-based risks.

Based on these, my biggest identity-based worry is a “game over” event. This would be a breach over an extended period of time that was undetected and included massive data loss and wide-spread exposure. This scenario has happened to vendors like SolarWinds, LastPass, and FireEye and essentially changed their businesses (for the worse). As a CSO, this is my biggest worry based on identity attack vectors.

3. What are your top 3 tips for how to secure identities within your organization?

As the CSO for a cybersecurity vendor who is responsible for the cybersecurity of the organization, my top three tips to protect the identities within any organization include:

• Enforcing the concept of least privilege across all identities and their associated accounts.
• Ensuring best practices for Identity and Access Management (IAM) and Identity Governance and Administration (IGA) are well enforced, including concepts like Multi-Factor Authentication (MFA) and Joiner, Mover, and Leaver disciplines.
• Complete asset management for physical, virtual, and conceptual-based resources, including identities and their entitlements.

4. What is the number one piece of advice you feel not enough people know about when it comes to identity security?

If I could provide one piece of advice for protecting any organization from identity-related security threats, I would focus on privileges. This includes the management of privileges throughout an organization and ensuring the concepts of least privilege are applied to every identity and their associated accounts. These best practices help mitigate the risk from malware and account-based lateral movement, and increase the difficulty for a threat actor to obtain privileged access.

James Maude, Lead Cyber Security Researcher

1. Why is identity an important part of an organization and its security posture?

Everything we do in our businesses is based on identities. You can’t have a robust security posture without having control of identities. Identities are key to being able to control who (identity) can do what (software/data access) and where (devices/assets). Imagine if a bank didn’t check ID and just allowed anyone to withdraw from any account and you will see why identity is such an important part of a security posture. Just like in the world of banking, the identity attacks are getting more sophisticated and complex, so we need to go beyond the basics and put identity security at the front and center of our security posture.

2. What would you worry the most about going wrong if identity security wasn't included in your overall security posture?

In short, everything. Identity security and identity in general is the foundation upon which we control access, grant privileges and know who is doing what where. Without identity security as part of your posture, the risks of a total compromise by a threat actor or a malicious insider--or simply an unintended misconfiguration that exposes data publicly--are huge. In the past, identity security wasn’t quite as high on the agenda because we built walled-off corporate networks and controlled access through physical office locations, but now, with cloud, SaaS, and remote work, an identity could easily provide the keys to the kingdom, if it isn’t properly secured.

3. What are your top 3 tips for how to secure identities within your organization?

I am going to assume that you have the basics right here, and, if not, there is plenty of guidance online. From my research into identity attacks, I see some common themes that tend to lead to exploitation:

• Mind the gap – Attackers love to exploit disparate identity systems and trust relationships, so ensure you have good visibility of all identities and are able to monitor for changes. Think about the ways an attacker might move between roles in O365, Okta, and AWS to discover hidden attack paths that might be traversed unnoticed.
• Beware zombies – Dormant accounts, unused privileges, machine accounts all represent a goldmine to attackers as they are valid accounts that can be used undetected for lateral movement and privilege escalation. Try to reduce your attack surface as much as possible by removing or restricting the accounts, access, and privileges to only what is absolutely necessary.
• Moving target – Identity security is a moving target, you don’t just implement something, check the box, and it is done. We have seen many examples recently where organizations thought that, just by enabling MFA, they were secure, only to fall victim to MFA fatigue attacks or token hijacks that bypassed the controls they were reliant on. Keep re-evaluating your identity security posture because users, applications, and access are always changing.

4. What is the number one piece of advice you feel not enough people know about when it comes to identity security?

Cyberattacks are not magic. When faced with a barrage of cyber threats, it can often feel like compromise is an inevitability. In reality, a compromised identity is usually only as dangerous as the privilege assigned to it. Many attacks only succeed because they were able to compromise a highly privileged user that allowed them to gain widespread access and control of systems. Don’t lose sight of the identity attack surface by chasing down advanced detection and response capabilities when you could be proactively reducing the risk though the principle of least privilege.

5. Anything else you want to add?

“Your identity is your most valuable possession. Protect it.” – Elastigirl, The Incredibles.

Janine Seebeck, Chief Executive Officer

1. Why is identity an important part of an organization and its security posture?

When we talk about cyberthreats, there are two items that attackers need: your identity and access to it. As a CEO, I am constantly thinking about how we can stay vigilant and proactive in both areas to protect our company’s data. We can’t fulfill our mission to protect the world from cyberthreats or enable a work-from-anywhere world if we can’t first protect ourselves, and identity is rapidly becoming central to that conversation.

2. What would you worry the most about going wrong, if identity security wasn't included in your overall security posture?

If I was CEO of a company that didn’t include identity security in its overall security posture, I would be concerned about brand reputation. Without proper identity security, it’s not a question of if you will get breached, but one of timing and severity that comes back to whether you’ve taken the measures necessary to help defend against it. Remember that a breach against you is a breach against your customers. They deserve to know that you’re doing everything you can to keep their data safe as they rely on your products and services.

3. What are your top 3 tips for how to secure identities within your organization?

• Mindset/Awareness: It is important first to ensure employees across the business understand the impact of their actions – human error with your own identity is still one of the main drivers for breaches. Training people on how to be knowledgeable and approach problems with a security mindset is key to success.

• Knowledge Management: Having a strong asset management foundation is key. Knowing what and where all of your identities are is one of the biggest Achilles heels for companies. Not only do identities touch many parts of your organization, but many are often unmanaged, which opens you up to risk surfaces you cannot monitor.

• There is No “One and Done”: Given the increasing sophistication of new and emerging threats, companies can’t afford to just check a box when it comes to their security – and especially not where identity is concerned. How often do you reevaluate your security posture? What are you doing today to be both vigilant and proactive? The best offense is a good defense.

4. What is the number one piece of advice you feel not enough people know about when it comes to identity security?

More than anything, invest in this area of your business – from products to personnel. The identity security space is evolving rapidly: it’s okay to not know all the answers, to ask questions, and to make changes to support the ever-changing threat landscape, granted you’ve got the right team of experts backing you. Trust that your team will find the right solutions to help mitigate attack surfaces, and think about your privileged users as a high priority: more access means more risk.

5. Anything else you want to add?

Hire good people with a security mindset. Identity security is something that every employee should be thinking about as they do their jobs. It is something we prioritize at BeyondTrust so we can best serve our customers and address their evolving cybersecurity risks.

How can you recognize Identity Management Day this year?

The best way to promote and embrace Identity Management Day is by making sure your identity and all the identities tied to your organization are as secure as possible. Head to Identity Management Day 2023 to join this year's event, and click here to learn more about how BeyondTrust’s identity-centric security solutions can help you build towards a robust and identity-centric security posture.