Is Your Organization Having an Identity Crisis?
Print Issue: March 2020
Identity management today is a commoditized space with mature offerings from a plethora of vendors, yet organizations continue to struggle to leverage it adequately.
Among the most prevalent offerings on the market is the Identity Access Management (IAM) system, a complex technical solution with a high cost of entry in both capital and technical know-how. IAM system are designed to securely manage digital identities, how those identities access applications and systems in a network environment, and more.
To fully capitalize on an IAM, the organization should have well-defined policies, processes, highly segmented environment with architected environments, with granular security controls and a single source of identity. In other words, it’s key to know your environment, have well defined roles, responsibilities, groups, segregation of duties and administrative rights, and allow least privileges.
But this is all easier said than done. Eighty-nine percent of all organizations have fewer than 20 employees, according to the Small Business & Entrepreneurship Council. These organizations typically do not have the resources or environments that enable them to purchase high-dollar IAM solutions.
They also may lack the technical resources to fully implement sophisticated solutions because of the shortage of seasoned security professionals—making it more difficult to fulfill their security needs. In fact, the 2018 (ISC)² Cybersecurity Workforce Study found that there are 2.93 million security positions open.
Even more alarming is the tremendous shortage of seasoned security engineers—those with five to 10 years of experience. Organizations that lack a seasoned security team are more likely to make hasty decisions, leave misconfigurations in corporate environments and edge devices, and have inadequate security controls in place.
In recent years, there have been record-breaking reported breaches that have subsequently leaked identities. Additionally, organizations today are accidentally misconfiguring edge devices that leak their data without being breached.
End users may also lack adequate security training, leverage corporate credentials for personal third-party environments, and have poor data hygiene practices, all of which present a valid threat vector for malicious actors to leverage against an organization.
As threat actors or insider threats gain access to leaked data, it may be even more difficult for organizations to accurately identify their own employees because intruders may replicate a user’s entire environment.
All of this endangers the IAM system’s ability to accurately identify valid users from invalid users, making it more difficult for organizations to mitigate the threat. For instance, an organization may focus on failed credential alerts and overlook truly authenticated sessions that use leaked credentials from edge devices.
With all this compounding around the seemingly never-ending trail of leaked data—and the high cost of enterprise IAM—some might conclude that the cost of an IAM is too much for an organization. These firms can embrace other steps to monitor users’ data and manage identities, such as open-source tools, adding two-factor authentication, and monitoring the underground economy.
IAM is a highly valuable solution layering granular security controls. However, it must be sprinkled upon the business organization prepared to leverage it. Threat actors are excellent at evasion and lateral movement once access is gained. Considering the amount of readily available credentials and user data profiles in the underground economy, valid authentications should be further scrutinized. Organizations should place emphasis on better defining their computing environment, adding granular layered security controls that occur outside of IAM.
Christian Lees is the chief technology officer at Vigilante.