Identity breaches continue to be disclosed at a staggering rate, and organizations that do not yet have identity management best practices in place are behind the curve. Last year, IDSA’s Trends in Securing Digital Identities report showed that 84% of respondents had experienced an identity-related breach in the past year, and 96% indicated that they could have prevented or minimized the breach by implementing identity-focused security outcomes. That is why it is critical for organizations to protect the digital identities of everyone they work with, including employees, contractors, third parties, customers, consumers and machines. They can do this by following the best practices outlined below, which have been developed by technology vendors and security providers who understand the importance of identity-centric security. Security leaders can enable and enforce many of these best practices through multi-factor authentication (MFA) and other identity and access management (IAM) tools.
1. Find the assets and identity sources
Today, infrastructure, applications, directories and networks are widely dispersed across on-premises and disparate cloud environments. If security leaders want to secure their organization’s assets, they need to know what the assets are and where they are located. There is simply no way to protect assets of which they are unaware.
2. Define identity ownership
It’s a truism that what gets measured gets managed, so define the individual or entity that is responsible for creating, removing, maintaining and securing any identity associated with the organization. Include these four broad categories of identities when deciding who owns the identities:
- Employees (the workforce)
- Contingent workers, contractors or third-party identities
- Machine identities, which include bots, application-to-application accounts, robotic process automation (RPA), and built-in IaaS accounts
- Customers or clients
Workforce and customer identity solutions are converging, so organizations should make sure the IAM deployment can handle these diverse types of identities. Each identity type has unique needs that can only be met after classifying the distinct types and their requirements.
3. Use unique identifiers
In the directory, make sure that every human and non-human identity is unique. Establish and use identifiers regardless of the relationship of the identity to the organization. For example, security leaders need to keep the same unique identifier if a contractor becomes a full-time employee, or if an employee leaves and later returns to the organization.
Creating and maintaining a unique identifier for each identity allows an organization to maintain a trail of activity for each identity. If the identifier is changed, it becomes much harder to track identity activity. It also makes identity management more complex than necessary and can negatively impact audits and regulatory compliance.
4. Create a source of trusted identity data
Identity is critical to making decisions about when to grant access to applications and data, so security leaders need to have authoritative sources for identity data. This data helps make informed decisions about user access, such as what level of access is appropriate to provision and when they need to enable or disable that access. Leaders need to be able to trust the identity data consistently throughout the identity’s lifecycle. This includes employee data, third-party vendors, guests and IoT devices, among other identities. The authoritative identity data requires proactive collection and maintenance by trusted parties, continuous validation to ensure data is accurate and up to date and storage in a secure, accessible and searchable repository.
5. Automate provisioning and deprovisioning
Security leaders can manage identities better if they automate the provisioning and deprovisioning of access to resources and data based on lifecycle events, such as when an employee joins the company, moves to a different department, or leaves for an outside role. Granting and revoking access to resources and data is an essential part of business operations and enterprise security. Manual processes inevitably leave windows open for attackers to compromise the system, so automate the process and tie it to the authoritative source.
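The following is an added example, not code from the original article or from IDSA, showing how practices 3 and 5 fit together: a reconciliation job that treats an HR feed as the authoritative source, keys every account on an immutable person id (so a rehire or a contractor-to-employee conversion keeps the same identifier), and applies joiner/mover/leaver rules plus an orphan-account check. The HR records, directory snapshot and department-to-group mapping are constructed sample data.

```python
from copy import deepcopy

# Constructed authoritative (HR) records keyed by an immutable person id. The id is
# kept when a contractor converts to employee or a leaver returns (best practice 3).
HR_SOURCE = {
    "p-1001": {"dept": "finance", "status": "active", "type": "employee"},
    "p-1002": {"dept": "eng", "status": "terminated", "type": "employee"},
    "p-1003": {"dept": "eng", "status": "active", "type": "contractor"},
    "p-1004": {"dept": "eng", "status": "active", "type": "employee"},  # returning employee
}
# Constructed directory snapshot before reconciliation; "svc-legacy" has no HR record.
DIRECTORY = {
    "p-1001": {"dept": "sales", "enabled": True, "groups": {"sales-readers"}},
    "p-1002": {"dept": "eng", "enabled": True, "groups": {"eng-devs"}},
    "p-1004": {"dept": "eng", "enabled": False, "groups": set()},
    "svc-legacy": {"dept": "it", "enabled": True, "groups": {"domain-admins"}},
}
# Birthright group per department (constructed mapping).
DEPT_GROUPS = {"finance": {"fin-readers"}, "eng": {"eng-devs"}, "sales": {"sales-readers"}}


def reconcile(source, directory):
    """Apply joiner/mover/leaver rules; return (updated directory, event list)."""
    out, events = deepcopy(directory), []
    for pid, rec in source.items():
        acct = out.get(pid)
        if rec["status"] != "active":                      # leaver: revoke, keep the id
            if acct and acct["enabled"]:
                acct.update(enabled=False, groups=set())
                events.append(("leaver", pid))
        elif acct is None:                                 # joiner: provision birthright
            out[pid] = {"dept": rec["dept"], "enabled": True,
                        "groups": set(DEPT_GROUPS.get(rec["dept"], ()))}
            events.append(("joiner", pid))
        elif not acct["enabled"]:                          # rehire: same id, re-enable
            acct.update(dept=rec["dept"], enabled=True,
                        groups=set(DEPT_GROUPS.get(rec["dept"], ())))
            events.append(("rehire", pid))
        elif acct["dept"] != rec["dept"]:                  # mover: swap, don't accumulate
            acct["groups"] -= DEPT_GROUPS.get(acct["dept"], set())
            acct["groups"] |= DEPT_GROUPS.get(rec["dept"], set())
            acct["dept"] = rec["dept"]
            events.append(("mover", pid))
    for pid, acct in out.items():                          # orphan: absent from the source
        if pid not in source and acct["enabled"]:
            acct.update(enabled=False, groups=set())
            events.append(("orphan-disabled", pid))
    return out, events


if __name__ == "__main__":
    for event in reconcile(HR_SOURCE, DIRECTORY)[1]:
        print(event)
```

The orphan check is what catches accounts such as the constructed "svc-legacy" that exist only in the directory; every account without an owner in the authoritative source is disabled rather than silently left with its groups.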
6. Manage privileged access
A privileged access management solution helps security leaders secure access to critical assets. During an authentication event, it gives them greater assurance about the request, based on the access profile of the user, how sensitive the requested resource or data is, and what level of elevated permissions is being requested. Security leaders can (and should) also increase protection by applying multi-factor authentication (MFA) to privileged access and by continuously discovering where privileged access exists. Attackers frequently leverage compromised identities to gain access to protected systems, then move laterally to gain elevated permissions. In this way, they can use a weak identity to reach resources that ought to be protected by otherwise strongly controlled privileged access accounts.
7. Establish a governance program and processes
Management of identity and access is essential, so make sure to establish a cross-functional team that oversees adherence to the organization’s IAM processes and policies. This team should also provide methods for introducing improvements to the program and evaluating the potential impact of any IAM program changes. Because IAM deployments impact distinct groups of users in different ways, security leaders need to include different stakeholders to ensure that their needs and the implications of the program are understood.
8. Focus on identity-centered security outcomes
Security leaders need to protect digital identities, whether human or non-human, and secure their access to enterprise data and resources. To do that effectively, they need to think in terms of security outcomes that are centered around identity. They can combine identity and access management capabilities, including authentication, authorization, and identity governance and administration, with key security capabilities. Organizations base all authorization of access to applications, resources and data on the identity requesting access; therefore identity must be at the center of all access decisions.