Identity Management Day, April 13, 2021, aims to inform about the dangers of casually or improperly managing and securing digital identities by raising awareness, sharing best practices, and leveraging the support of vendors in the identity security space. There are many ways to participate as a consumer, practitioner or an organization.
Identity Management Day Resources for Organizations
CSIAC Cyber Awareness Videos
CSIAC Podcast and Corresponding Report
Privacy Impact Assessments (PIA) analyze how a unit collects, uses, shares, and maintains individually identifiable information. In this podcast and companion article titled “Privacy Impact Assessment: The Foundation for Managing Privacy Risk,” Mr. William Stallings delivers insightful and practical guidance on understanding and identifying the range of threats to privacy in information collection, storage, processing, access, dissemination and protecting privacy.
Identity Management Day Tips for Organizations
Note: These tips are from the Identity Defined Security Alliance.
The Identity Defined Security Alliance and Identity Management Day Champions encourage organizations to protect ALL digital identities (employees, contractors, third parties, customers, consumers, machines) through the following best practices, which may be enabled and enforced through MFA and other IAM security tools:
Clarify Ownership of ALL Identities
Make sure to clearly define the individual or entity responsible for the creation, removal, ongoing maintenance and security of an identity within your organization. Identity should include four categories 1) employees, 2) contingent workers, contractors, or third party identities, 3) machine identities (bots, RPA, application to application accounts, built-in IaaS accounts) and 4) customers.
Why? Given the on-going convergence of workforce and customer identity solutions, it is imperative that an IAM deployment handle all types of identities. Each of these identities has its own needs that can only be met if you first classify them.
Establish Unique Identifiers
Ensure the uniqueness of every human AND non-human identity in your directory. Identifiers should be established and used regardless of the relationship to the organization, for example a contractor who converts to an employee or a boomerang employee should maintain the same identifier when they return to the organization.
Why? Having a unique identifier for each identity allows organizations to maintain a trail of activity for each identity. if the identifier is changed, it makes identity activity tracking hard, identity management complex, and can also adversely impact audit and regulatory compliance.
Authoritative Source of Trusted Identity Data
Authoritative sources for identities provide essential data to make informed decisions regarding user access, including what access to provision and when to enable/disable that access.
Why? Since identity is so critical to decisions about granting access to applications and data, it is only natural to make sure that the source of identity is trusted. A strong root of trust for identity is therefore paramount.
Discovery of Critical and Non-critical Assets and Identity Sources
In a digitally driven business world, today’s infrastructure, applications, directories and networks are spread across on-premise and in the cloud environments, with mobile and virtual elements. The first step in securing an organization’s assets is to know what they are and where they are located.
Why? You cannot protect what you are not aware of. This adage is equally relevant for our diverse and multi-channel world. The first step in protecting resources is therefore to discover them.
Privilege Access Management
To secure access to critical assets implement a privileged access management solution that allows for higher assurance during an authentication event based on the current access profile of a user, the sensitivity of the resource/data and the elevated permissions being requested. Provide additional protection by applying MFA to privileged access and continuously discovering privileged access.
Why? Attackers use a compromised identity to infiltrate protected systems and then move laterally gaining elevated permissions. This allows them to use a weak identity to gain access to resources that should be protected by a strong and privileged identity.
Granting and revoking access to resources and data is fundamental to business operations and enterprise security. Automate the provisioning and de-provisioning of access through lifecycle events (join, move, leave) and tied to an authoritative source
Why? Automation is critical since a manual provisioning/de-provisioning process will invariably leave a window of opportunity for attackers to compromise the system. Especially “move” and “leave” events should not allow access through old identity once the event occurs.
Focus on Identity-Centered Security Outcomes
Identify security outcomes that protect the digital identities (human and non-human) and secure their access to enterprise data and resources. Combine identity and access management capabilities, such as authentication, authorization, identity governance and administration with security capabilities, such as user-behavior and device profiling to make informed access decisions. Consider related technology domains, for example, Zero Trust Network Security, Data Access Governance, and Endpoint Protection, which all have nexuses back to Identity security.
Why? Identity is a key pillar of all security frameworks. All authorization access, whether it is to applications, resources or data, is based on the identity (human or non-human). Systems provide access to someone, or to some entity. As such identity should be at the center of all access decisions.
Establish Governance Processes and Program
Establish a cross-functional team that oversees establishment and adherence to all IAM processes and policies and provides a vehicle to introduce improvements, as well as to determine overall impact prior to making any IAM program changes.
Why? A cross-functional team is needed because of the complex nature of IAM deployment. Such deployments impact different groups of users in different ways. If such lifecycle changes are done by a single team, the interest of other teams may be misunderstood, or even overlooked.
Learn more about Identity Management Day.
Join the CSIAC Community of Practice
To be among the first to know when cutting-edge cybersecurity resources from Cyber Security & Information Systems Information Analysis Center (CSIAC) are released, join the CSIAC community of practice! csiac.org/register
As a member, you’ll receive exclusive benefits that include the regular CSIAC Cybersecurity Digest sent to your inbox, the ability to participate in community forums with your peers, and access to copies of CSIAC journals and State-of-the-Art reports. You’ll get news about the latest CSIAC webinars, podcasts, and more delivered straight to your inbox.
Registration is easy and only takes a few moments. csiac.org/register