Virtualization Technology News and Information
Celebrate Identity Management Day 2021 - Learn about the importance of managing and securing digital identities


Today is the inaugural Identity Management Day, a global event that aims to educate business leaders, IT decision makers, and the general public about the importance of managing and securing digital identities. Organized by the Identity Defined Security Alliance (IDSA), a nonprofit that provides free vendor-neutral education and resources to help organizations reduce the risk of a breaches, the occasion provides security guidance for stakeholders at all levels.

To celebrate Identity Management Day, VMblog has gathered some detailed insight on how organizations and individuals can strengthen identity management.


James Carder, CSO, LogRhythm

"According to the FTC, cases of identity theft nearly doubled from 2019 to 2020, reaching an astonishing 1.3 million cases in the U.S. While this is undoubtedly a drastic increase, malicious actors are still leaning on many of the same tactics to impersonate innocent consumers and cause personal or financial harm. As hackers only require a few tidbits of information to build an online profile, consumers can take several measures to properly defend themselves and not fall into common pitfalls.

First, any time you download a new app, create an online account or configure a new electronic device, data is collected and potentially shared. One of your first orders of business should be to look up the privacy settings of whatever platform you’re using to understand how you can further protect your personal information and leverage additional security measures like two-factor authentication and data encryption. You should also be mindful of applications that incorporate location services and how they’re collecting, utilizing and/or sharing this data. Additionally, make sure you’re using various, unique passwords for meaningful accounts as it’s incredibly easy for hackers to access more information by recycling stolen credentials. Lastly, avoid any suspicious messages (emails, texts, voicemails, etc.) and websites that don’t seem legitimate as this is often an attempt at phishing or malware.

While the pandemic has created a breeding ground for scams, fraud and identity theft, it also led to a surge in cyberattacks. Organizations play a vital role in safeguarding consumer data and Identity Management Day is an important reminder that it’s also their responsibility to ensure sensitive information doesn’t fall into the wrong hands. Enterprises must be fully transparent with consumers about what information they need, how they utilize it and what they’re doing to protect it. Any business or agency that is operating within any digital capacity needs to treat customer data as if it were their own private information. Establishing a culture that puts the customer and security first will better prevent data leaks and breaches that lead to identity theft."


Ashish Gupta, CEO & President, Bugcrowd

"The inaugural Identity Management Day is a valuable occasion for the entire online global community to recognize the importance of securing digital identities. A record 36 billion records were exposed in 2020 that helped fuel a record number of identity theft cases. As cybercriminals continue to take advantage of a spike in digital operations, enterprises need to put a stronger emphasis on safeguarding customer’s sensitive personal information and consumers also need to be cognizant and mindful of sharing information with third parties. We can collectively strengthen consumer privacy by working together to utilize best security practices, better educating consumers and creating a fundamental focus on security as a whole.

Pressure from recent legislation and upcoming congressional proposals are forcing enterprises across industries to put a stronger emphasis on bolstering privacy measures. To improve data protection and prevent information leaks, organizations need to take a proactive approach to security to stop attacks before they occur. More organizations are embracing crowdsourced cybersecurity as an integral part of their cybersecurity posture that allows highly skilled external security researchers to actively monitor network vulnerabilities and ensure networks are effectively preventing unauthorized access. By adopting a layered “strength in numbers” security approach, organizations can prevent data theft that commonly leads to fraud, identity theft and other breaches. Likewise, consumers need to be careful about where, how and to what extent they share their sensitive information. It’s important to actively be on the lookout for phishing and impersonation scams and be extremely cautious of any suspicious organizations or individuals that are asking for intimate financial or personal information."


Anurag Kahol, CTO and Co-founder, Bitglass

"Identity Management Day emphasizes the importance of protecting our digital identities (which is increasingly critical as the acceleration of digital transformation efforts opens new doors for threat actors). With many internet users holding dozens of online accounts across various services, it has become more difficult for them to memorize numerous, complex passwords. Unfortunately, password reuse has become a common malpractice that increases the chances of account hijacking when one set of a user’s credentials are leaked. More than 80% of hacking-related breaches are tied to lost or stolen credentials and it is now self-evident that passwords alone are not enough when it comes to authenticating users.

As the security landscape evolves, consumers and businesses must work together to ensure the privacy of corporate and personal data. To properly verify the identities of their employees and customers, companies must enhance their security protocols by establishing continuous, context-based security throughout the entire login experience. Solutions like multi-factor authentication (MFA) and single sign-on (SSO) don’t require users to remember countless passwords, while also mitigating the risk of account compromise. On a consumer level, users can safeguard their digital identity by educating themselves on the risks of password reuse, following cybersecurity best practices, and staying informed on rising threats. Because we now live in a time when our daily lives revolve around the internet and our various accounts therein, identity management awareness has never been more critical."


Jasen Meece, CEO of Cloudentity

"Identity-related data breaches are very common these days, yet preventable if the right precautions are taken at both the individual and enterprise level. Not only on Identity Management Day, but every day, it’s critical that business leaders, IT decision-makers and the general public are aware of the importance of responsibly managing and securing digital identities. Digital identity protects sensitive data and greatly impacts how we work, interact with each other, access technology and complete transactions. Therefore, Identity Access and Management (IAM) and cybersecurity need to be treated holistically. Organizations must implement security best practices to keep employee and customer identities safe, and this includes securing applications starting at the API level.

API Protection is key for managing identities (be they human or machine), dictating how an application can consume sensitive data. We’ve seen dozens of breaches from poorly-written APIs, where object or function level authorization issues cause programmatic data leakage that attackers can take advantage of. An example of this gone wrong is the Walgreens app error last year when a vulnerability the Walgreen app’s API caused a data breach where customers could view the private medical messages of other customers. If organizations don't take control of identity management integrated with API security, we will see even more large-scale data breaches."


Todd McKinnon, CEO and Co-Founder, Okta

"The COVID-19 pandemic has accelerated organizations’ move to the cloud, digital transformation initiatives, and zero-trust security adoption. Selecting an identity platform is one of the most critical technology investments an organization can make. With so much at stake for businesses today, it’s essential that we deliver trusted, secure and reliable customer-facing identity solutions."


Alex Pezold, CEO, TokenEx

"Identity Management Day is a great opportunity to talk about the privacy-protecting benefits of de-identification. De-identification, also known as pseudonymization, is the process of removing certain identifying elements from a set of sensitive data so that it no longer identifies the individual from whom it was collected. By removing these identifiers via tokenization or similar technologies, organizations can continue to use the data while reducing the likelihood that it could be re-identified to reveal the original data subject in the event of a breach or other exposure."


Art Gilliland, CEO, Centrify

"In the last year, 90% of cyberattacks on cloud environments leveraged compromised privileged credentials. This alarming finding illustrates how cyber-attackers are easily accessing critical systems and sensitive data through improperly managed credentials -- and leveraging identity sprawl across a threatscape expanded by digital transformation. 

The reality is that these adversaries no longer ‘hack' in - they log in, using stolen identities and weak or default credentials. Identity Management Day not only reinforces the need for good cyber-hygiene but also to use technology solutions available to vault, authenticate, manage, and secure privileged identities and access. 

Modern privileged access management (PAM) solutions based on Zero Trust principles can minimize shared accounts and allow human and machine identities to log in as themselves. These tools should automate privileged access controls, reduce administrative risk, and strengthen compliance postures to protect the keys to the kingdom."


Ralph Pisani, president, Exabeam

"Exabeam continually cautions its customers and partners on the pervasiveness of credential-based attacks. Login credentials have significant value, and the threat of theft persists from adversaries. The challenge is that usernames and passwords remain critical in our daily lives, from helping us complete work to carrying out personal matters like online shopping, banking or connecting with friends over social media. 

Billions of previously stolen credentials live on the dark web, and we've just accepted that they fuel the underground economy and enable more credential stuffing attacks. We know that the hackers are bold and unconcerned with being detected on the network because they use sophisticated methods that mimic typical user activity. If their access is gained using valid credentials, it makes them even more difficult for administrators to catch.

We strongly support efforts, like Identity Management Day, that raise public awareness and can help to combat this issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional identities and credentials to prevent credential-based attacks from continuing. Organizations across industries can invest in machine learning-based behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time."


Nick Santora, CISA, CISSP, Curricula CEO

"The biggest challenge I see is the 'set it and forget it' mentality. Although we all want to be able to set something up once and forget about it forever, identity management is not the case. Someone is coming in and inputting this data at some point. A regularly scheduled internal ‘pulse check' is good to see if what we expect is being done, is actually being done. Sometimes you would be surprised at what a quick review can uncover with out-of-date or incorrect information lying around."


Don Thibeau, OpenID Foundation, Open Identity Exchange, Global Open Finance Center of Excellence 

"The biggest challenge related to identity management/identity security is, like plumbing, when installed correctly it is silent, secure and reliable, and when maintained well, vital to one's health. The one piece of advice would I give; patience."


Jerome Becquart, COO, Axiad 

"As the number of remote users and devices on company networks increases, many customers are searching for a passwordless solution to protect them against the threats of today and tomorrow. However, there's currently no one credential that can authenticate all business use cases. Our customers are finding themselves adopting multiple identity credentials to meet all use cases, such as YubiKeys, smart cards, TPM, mobile authenticators, and more. This can strain their IT resources and is complex for their end users to manage and keep track of. 

We advise customers to stop managing their credentials in silos. They can instead use one credential management platform to manage all their identity credentials. This streamlines deployment and lifecycle management for IT teams and simplifies the user experience. By taking a holistic approach to identity management, businesses can accelerate their journey to passwordless and ensure identity security for all their users and devices."


Greg Keller, CTO, JumpCloud 

"In a phrase: Remote work. The biggest challenge facing our customers is properly securing their employees as they shift - many permanently - to home office and remote work. Given this model, the concept of a traditional 'domain' has essentially imploded, leaving IT and security professionals scrambling to ensure their employees' devices are secure, that they are the only devices allowed access to corporate resources, and that users accessing those same resources really are who they say they are. At a minimum, IT must ensure their MFA game is strong and establish an identity management system that has no prerequisites to being on-premises any longer. Those days are gone."


Kristin Judge, President/CEO, Cybercrime Support Network

"Many consumers still think that multi layered authentication is a technical tool only designed for people who understand computers. With the advances in MFA over the past few years, that is no longer true. Strong authentication is for anyone!"


James E. Lee, COO, ITRC

"Without a doubt the biggest threat we see to identities is the dramatic shift to credential theft and away from traditional personally identifiable data acquired in mass attacks. Threat actors are far more interested in collecting personal and business logins and passwords that can be used in credential stuffing, BEC, and supply chain attacks. Why attack 1000 consumers to gain $300,000 when you can attack one business and walk away 3x that or more?

The advice we give consumers and businesses is simple: good password & cyber hygiene. Long, memorable passwords (12+ characters); a unique password for each account; no sharing passwords at work & home; multi-factor authentication with an app, not SMS when possible; and, never click on a link in an unsolicited email, text, or social media DM - check the sender to see if it's a legit address and contact the sender directly if in doubt."


Rebecca Archambault, Trusted Identities Leader, Highmark Western and Northeastern New York

"You cannot fully transform your digital presence, or your digital business, without focusing on the digital identity. It should be the first foundational component you understand within your Cyber Security team. The biggest challenge that I see is that most organizations don’t fully recognize the role of identity and its impact to every facet of their business.  

My advice would be to make a  commitment to invest into an identity strategy, and establish a forward-looking approach. It needs to address the mounting technical debt that legacy systems and applications carry with them.  It needs to include implementation of a modern identity solution that simplifies, innovates and enables their business.  And finally, the strategy needs to take a 'risk aware approach' to balance the customer experience while increasing security." 


Ebbonie Kirk - Account Executive, SecurID, an RSA Business

"Now that organizations have so many users working from home, they are facing new challenges in both access rights and authentication security. 

SecurID's advice: Take a step back now that the dust has settled a bit from 2020 and truly assess where your weaknesses lie both in granting work from home access and what data and systems your key users still need for their roles."


Wes Wright, CTO, Imprivata

"In healthcare, the biggest challenge is finding the resource for implementation and management of the program. Pre-COVID, healthcare IT staff had more work than they could handle. Now, with the addition of the COVID requirements, HIT staff just can't find the time to implement. My best piece of advice around this is, first, don't think of identity management as a project -it's a journey that continues. If you have to name it something, call it a "program." Second, it's not an HIT program, you must garner the support and championing of the program from a diverse set of executives (HR, CMO, COO, CIO, CISO, etc.). This way, when you have to forego other projects (the main problem as noted above), then you have the support of other executives, whose projects are probably going to be delayed. As in almost every problem in life, it's all about communication and collaboration."


Joseph Carson, Chief Security Scientist and Advisory CISO, Thycotic

"The biggest challenge faced by many customers that are prioritizing and beginning their journey to identity and access management is literally where to start with so many options such as single sign-on, multi-factor authentication, success metrics, provisioning, deprovisioning along with access and entitlements.  

My advice for companies that are looking for the best practices on where to start a successful journey is to start with the most sensitive accounts in the organization such as privileged access and 3rd party access that, if compromised, can lead to very damaging security incidents.  Get in control of the accounts that matter the most and then continue to rollout those security controls to other accounts in the organization.  To help companies get on the right path Thycotic has created the Privileged Access Management checklist that will help organizations navigate the complexities, map out a path to access and help ask the right questions."


Firas Azmeh, General Manager, Personal Digital Safety & Carrier Partnerships at Lookout

"Technology has advanced our world in countless ways, including how we navigate and manage our everyday lives. With just a few clicks from our devices, we bank, shop, conduct business, and exchange photos and messages with family and friends. This rapid adoption of technology comes with inherent risk to user privacy and digital security. In recent years, massive corporate data breaches have exposed billions of sensitive customer records. Once a person's data is compromised, they can be at risk of phishing attacks and identity theft for years. While news headlines and media coverage of major data breaches have contributed to broader consumer awareness, most people still struggle to understand the full array of digital risks that can jeopardize their personal information or the best steps to take to safeguard their identity.

We recommend that consumers adopt best practices to increase their security hygiene and use solutions that offer remediation after Identity Theft occurs, and provide proactive protection against those threats that can lead to ID theft in the first place. Identity protection should ensure that a customer's privacy and personal information are protected at every level - from the device they use to the apps they download, the data they access and share online, and the networks to which they connect. And if a problem ever emerges, customers have full insurance coverage and expert assistance to best safeguard their identity & finances from theft."


Dan DeMichele, VP of Product, LastPass by LogMeIn

"Since remote and hybrid work has become the new norm, the threat surface has exponentially expanded, and organizations' IT departments are facing new security challenges. The biggest challenge our customers face is that regardless of their size, they're increasingly targeted by hackers looking to get their hands-on personal data and intellectual property. While many small and medium-sized businesses may not have the resources to implement robust security programs, their IT teams are nonetheless tasked with securing all entry points, including cloud apps, unsecure Wi-Fi networks and unknown or personal devices. In addition to managing the expanding security landscape while dealing with limited time, staff and resources. 

In order to maintain a high level of security, IT managers have to focus on securing the identity of the user, as it is the new security perimeter. To do this, IT managers should implement solutions like enterprise password management, single-sign-on, and multifactor authentication solutions that will provide visibility into user behaviors across apps and devices, keeping remote employees and company networks secure. Perimeter security is bolstered when these technologies work together under one umbrella. With these solutions in place, IT can quickly deploy tools, enable authentication methods, and set security policies while providing end users easy access to the tools they need to get work done. Both administrators and end users are enabled to seamlessly carry out their day-to-day work and responsibilities."


Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security 

"The shift to the cloud has fundamentally changed the way we approach security. The security paradigm has changed and it's critical for companies to update their strategies accordingly. An organization not only needs to inventory its person and non-person identities, as well as what they can and are doing, but needs to continuously monitor them. The once a quarter reviews are dead. Along with this, it is critical for a company to know at all times where their data is, who has access to it and what an identity does with the data. No longer is it about getting to least privilege and least access, it is about continuously staying there and getting notified whenever something changes. Companies that fail to mature their security with this paradigm shift will be left picking up the pieces after a breach"


Yash Prakash, COO, Saviynt 

"Identity-related data is growing at a rapid rate. It started with traditional employees, vendors, contractors, customers and partners, but has quickly grown to include silicon entities like IoT devices, bots, service accounts, RPA, workloads and more. These new machine identities need access to data stored across on-premise, SaaS and multi-cloud environments. This, coupled with the shift towards remote work, has exacerbated security and compliance concerns for our customers, regardless of industry.

I give all our customers the same advice - which is centralize. Multiple point solutions to try and protect identity data will create more headaches and challenges than they are worth. Not only do these solutions need to work, they also need to meet strict compliance standards and mandates. A central solution is critical, not just to address identity and access risk across all assets, but to help with speeding digital transformation, which is a key need for our customers."


Andee Harston, Curriculum Manager, Infosec

"Businesses should care about data security and data privacy because one data breach can cost your business millions of dollars and have a lasting impact on your reputation. A tarnished reputation translates to lost revenue. But you can help protect your customers data against malicious attacks by doing the following:

  1. Implement security automation whenever possible. We will never completely mitigate the human factor in security incidents, but you can choose security solutions that are fully automated and offer better protection than manual implementation.
  2. Offer your employees an effective security awareness program like Infosec IQ. Educate your staff on topics like phishing, ransomware, strong password protocol, physical security and more. Offering a cohesive security awareness training solution is one big step in helping to protect your customers data, while also helping employees understand the personal benefits of secure habits like protecting their own identities.
  3. Be proactive, rather than reactive. This means that you implement a solid backup strategy and incident response plan. It is wise to follow contingency planning and information system backup recommendations from a trusted framework like NIST. Test and review these plans often and be sure your employees know what to do and who to call if an incident occurs."
Burjiz Pithawala, Co-founder and Chief Product Officer at Elisity
"We have seen an exponential increase in the number of remote workers and adoption of cloud services that are outside the controls of a corporate infrastructure. In this new digital world, it’s now more important than ever to secure identities and assets. Identity Management Day serves as vital reminder for organizations to not only prioritize managing and securing digital identities but also the vast proliferation of devices, especially IOT and OT. With tens of thousands of users and millions of assets in a typical enterprise, the only way security teams can keep up is to leverage AI-powered behavioral intelligence to ensure the right security policies can adapt and follow wherever they go, inside and outside of the network perimeter."
Anshu Sharma, CEO of Skyflow

"Identity is at the center of our lives - be it buying, renting, banking or even getting healthcare. In fact, to reopen our economy we need to resolve identity-centric questions like who has been tested or vaccinated by whom and when and where. All of this requires we deal with identity, and data privacy. There's a false dichotomy between securing our identity & privacy, and using the data for these services and common good.

But it doesn't have to be - we can leverage breakthrough technologies like polymorphic encryption, and advances in differential privacy. All of that can be behind a simple API. Let's reopen the economy and build better experiences while respecting our identity data and it's privacy."
Chris Hickman, chief security officer at Keyfactor

"The definition of identity management has changed in recent years. Identity management used to focus on human identities within the organization, but today, cloud adoption, distributed IT and the proliferation of connected devices has broadened its definition - and rapidly increased the average number of 'identities' within the business.
The introduction and adoption of machine identities includes connected IoT and mobile devices, software-defined applications, cloud workloads, virtual machines, containers and the digital keys and certificates they rely on. The sheer volume of human and machine identities within the organization is creating a machine identity management problem. Modern identity management requires visibility to all digital keys and certificates. Having the ability to govern, automate and protect those identities is vital to future-proofed identity and access management and ultimately, more robust security."
Carlos Garcia, Sr Principal Architect, Enterprise Clinical Technology – Genomics, Optum

"I think the biggest challenges remain the fundamentals. So many organizations are still trying to implement provisioning and attestation beyond the core major identity systems like their AD and HR systems. I think great technologies like SAML, when used within an enterprise are great for integrating applications especially after acquisitions, but often become band-aides that mask the underlying issues of dispersed identity silos. The hard work is getting all these systems centralized or at least well managed through best practices around governance and especially deprovisioning. This is an endless challenge with large enterprises that do many small acquisitions a year.  Many times the challenge becomes the cost of integrating acquired entities if your systems are too inflexible.
In addition, as multi-cloud adoption grows, managing all those identities and especially the governance around what authorization they have is a big challenge. The business wants to move faster than you have time to create new policies, so thinking ahead of the business challenges coming is important."
Published Tuesday, April 13, 2021 7:30 AM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<April 2021>