2021 brought unprecedented challenges for cybersecurity professionals. Major attacks completely shook the community’s foundation of knowledge and put a lot of things into question. Breaches, like SolarWinds and the Colonial Pipeline, revealed areas in enterprise infrastructure in need of strategic improvement, most notably around increased security for identity and access management (IAM).
In many of these troubling breaches, flaws in identity management systems (that were otherwise considered secure) were exploited by cyberattackers. In the case of SolarWinds, hackers were able to bypass multifactor authentication (MFA) by simply stealing a web cookie. This breach showed that organizations of all sizes across sectors must make securing login credentials and tokens a top priority for their security teams.
With that said, identity verification and managing access controls at enterprise scale is extraordinarily complex, with thousands of human, machine, and application identities to authenticate. A recent study revealed that 95% of organizations are facing struggles with secure identity management. Identity-related security issues impact organizations on a grand scale and potentially allow malicious actors to move laterally throughout a network at will. Typically, these threats arise due to outdated IAM solutions or a disjointed approach to identity verification, which leaves cracks and vulnerabilities in an organization’s attack surface.
Common identity pain points
Historically, organizations with identity verification needs have used multiple disparate solutions to verify user identity, examine identification and supporting documentation, ensure they are not on any watchlist, etc. However, this approach is costly, complicated, and creates additional security risks because it does not adequately spot cybercrime and holistically verify user identity. Below are just a few examples of the common pain points enterprises face in regard to IAM.
Identity sprawl and mounting complexity
The number of digital identities out there in the world continues to grow. Data shows that 84% of IT security professionals said the number of identities they manage has doubled, while others reported the number of identities to manage has increased by roughly 10 times or more. Each of these digital identities — whether human or machine — needs to be verified and secured. This creates a level of complexity that can make optimizing IAM feel quite daunting.
Flaws in trusted solutions
There are several IAM practices that have assumed worldwide trust and adoption, including MFA. While MFA is considered to be a good way to prevent account takeovers, it’s not entirely foolproof. Organizations still need added layers of trust to compensate for any gaps or vulnerabilities there may be. For instance, the Walgreens mobile app breach in 2020 was due to a simple internal error in the mobile app’s personal secure messaging feature that allowed customers to view other people’s private information, such as first and last names, shipping addresses, and prescription information. Significant problems like that can arise when identity infrastructure falls short. This is typically caused by companies using outdated technology classified as MFA, which can lead to a false sense of security and negative consequences down the road.
How to address identity security
To combat common challenges like identity sprawl and address the evolving role of digital identity, security leaders must rethink their IAM strategy and take a more comprehensive, holistic approach to online identity issues assurance. Below are two best practices that enterprise security teams must consider in order to keep up with today’s security threats.
Consolidation is key
Consolidating identity verification services whenever possible leads to more unification and fewer gaps in access management. In fact, Gartner predicts that by 2023, 75% of organizations will leverage a single vendor for identity verification capabilities and connections instead of using various other third-party solutions for identity proofing and affirmation — an increase from fewer than 15% in 2020. Leveraging a unified platform can more effectively assess the risk of an asset and the devices associated with it all through a single application programming interface (API) layer.
Holistic online identities
As the global population spends more of their lives online, the topic of digital identity has become a top priority for businesses, individuals and governments alike. Taking a holistic customer-centric approach to IAM helps organizations to protect digital identities more effectively. Rather than treating everyone as potential threats, the end user is at the center of the verification process. Taking this approach provides a better, more seamless user experience that verifies consumer or employee data coupled with enhanced authentication using a government-issued ID.
In addition, automation in the identity verification process using AI introduces improved anomaly detection while retaining the user-friendliness the industry so desperately needs. Automated tools and technologies, like biometrics, streamline identity verification at enterprise scale, ensures compliance with industry regulations, and efficiently detects malicious activity without compromising the user experience.
With the cybersecurity landscape at a significant turning point, security executives must learn from last year’s major, disruptive breaches to prevent further attacks from impacting their business. Today, identity verification and access management are essential components of a strong cybersecurity strategy that cannot and should not be overlooked.