Hear from Industry Experts and Celebrate Identity Management Day 2023 - It All Comes Down to Identity

At VMblog, we want to take a moment today to celebrate "Identity Management Day," a day dedicated to raising awareness about the importance of managing digital identities securely. In today's world, where data breaches and cyber attacks are becoming increasingly common, it's more important than ever to take proactive measures to protect our digital identities.

The purpose of Identity Management Day is to educate individuals and organizations on the best practices for managing digital identities, including creating strong passwords, using two-factor authentication, and being vigilant against phishing scams.

In addition to raising awareness, Identity Management Day also serves as a reminder for organizations to review their identity management policies and ensure that they are up to date and effective in preventing data breaches.

At VMblog, we believe that identity management is a critical component of any organization's security strategy. We encourage our readers to take the time to educate themselves on best practices for managing digital identities and to implement strong identity management policies in their organizations.

So let's use Identity Management Day as an opportunity to recommit ourselves to protecting our digital identities and to encourage others to do the same. Together, we can make the internet a safer place for everyone.

To help celebrate the event, VMblog reached out to a list of industry experts to get their personal tips, thoughts and commentary on this important day and topic. We're sharing their insights on how organizations and individuals can strengthen identity management all year round.

--

Roman Arutyunov, Co-Founder and SVP of Products, Xage Security

"Major real-world attacks on critical infrastructure (think Colonial Pipeline) demand more than just visibility and threat detection. What's needed today is a zero trust mindset for cyber hardening industrial systems in a way that secures identities and blocks attacks. Identity and access management (IAM) needs to be a priority for real-world operations. Technologies exist to offer protection without a complete infrastructure overhaul. Organizations can look to government for guidance as well, for example, CISA and the NSA recently joined forces to release the IAM best practices guide for administrators. Given how much of a critical necessity modern IAM practices are for real-world security in the face of escalating threats, let's use this holiday to spark more discussion, awareness and adoption specifically in the critical infrastructure realm."

++

Sameer Hajarnis, Chief Product Officer, OneSpan

"Today everything is digital - work, shopping, even your wallet - and there's one thing that secures you throughout your digital life: your identity. But digital identities are broadly defined, including everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a website when shopping online, you're sharing part of your digital identity.

We are constantly sharing these attributes that make up our digital identities, and this will only expand as we do more things digitally. But this also means that threat actors can more easily commit identity fraud and create synthetic identities. These synthetic identities have the ability to disrupt people's lives and the way we do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms.

What this tells us is that we need to be thinking about what's to come and stop being responsive to changes in technology. What we need is to be thinking about how we can protect a business's and a consumer's digital identity. This means implementing a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. Not only does this protect digital identities from abuse and fraud, but it also limits the amount of identity attributes users need to share. Instead of sharing every piece of personal information, users would only be disclosing the minimum information required to get the job done. This is how we will protect and secure digital identities as we embrace web3."

++

James Lapalme, VP & GM of Identity, Entrust

"The pandemic ushered in an accelerated wave of digital transformation and as the world went remote, the demand for high-assurance secure solutions skyrocketed. However, with increased digital interactions comes an even greater risk of cyber threats and fraud, which means many of the current security solutions for identity management are no longer effective. Passwords, which have served as the standard for protecting digital goods and services since their inception in the 1960s, are high customer friction, insecure and becoming obsolete at best. In fact, 51% of people reset their password at least once a month because they cannot remember it, and according to the U.S. Federal Trade Commission, 2.9M fraud reports were filed as of 2022 and identity theft was the number one category for consumer complaints. As the trend towards digital transactions continues to increase alongside security threats, there's an urgent need for new identity management and protection strategies and technologies to enhance security.

When it comes to multi-factor authentication (MFA), too many enterprises still use single-factor authentication and have an over-reliance on one-time passcodes. Yet, organizations should leverage high-assurance passwordless MFA solutions that include physical proximity factors and certificate-based authentication to protect against remote account takeover (ATO) attacks. For a more comprehensive approach to security, companies need to embrace and adopt a Zero Trust strategy. Adaptive risk-based authentication is central to a Zero Trust framework, providing continual contextual awareness of user and device behavior. This can include multi-factor authentication, single sign-on, passwordless login and more. While Zero Trust implementation is a journey, by taking an identity-centric approach to Zero Trust, companies can take a step in the right direction to maximize security while minimizing unnecessary friction - and begin to fill in the gaps they have in their networks that are making them less secure."

++

Mo Plassnig, Chief Product Officer & Chief Growth Officer, Immuta

"In security everything starts with identity - knowing who the users are (which is authentication). But, it doesn't end there. From there you must look at what those users can do (authorization) and then monitor what they did (accounting/auditing). Historically, implementing these three "A's" of security - authentication, authorization, and accounting - has been a very difficult, time-consuming, and risky process.

As the amount of data in the cloud continues to explode, many organizations are not considering all three A's. Recent data indicates that more than half (53%) of data professionals are getting over-provisioned access to data. While this is done with the goal of streamlining processes, encouraging collaboration, and easing administrative burden, it often leaves organizations open to unnecessary risk.

While getting a modern identity management system in place is a starting point, it needs to be integrated with overall data security strategies that are designed for the modern cloud data stack. Breakdowns in security are happening at the point of data access so ensuring you have a solution in place to detect when there is an insider threat and change policies is critical."

++

Peter Barker, Chief Product Officer, ForgeRock

"The traditional username-password login model is fundamentally flawed. Last year alone, more than 2 billion usernames and passwords were breached, and 50% of records breached were caused by unauthorized access. Not only are passwords a major security risk, they also hinder productivity and efficiency, leading to lost ROI for organizations seeking profitability more than ever before.

It's time to embrace passwordless authentication, abolishing traditional passwords once and for all. While many claim passwordless is in the distant future, the reality is that the right identity partner can make it a reality, right now, for both employee and customer end users.

Passwordless authentication replaces traditional passwords with more user-friendly, secure methods, ranging from biometrics, authenticator apps, and certificates. This Identity Management Day, let's say goodbye to passwords, and embrace a world where we never have to log in again."

++

Glenn Mulvaney, VP Cloud Operations, Clumio 

"Identity management in the cloud - where data lakes, app data, and business information are often sprawled across many storage systems - is a fine balance between human authentication and system authentication. Multi-factor authentication (MFA) and two-factor authentication (2FA) are great tools for human authentication, but can hinder non-interactive data exchange apps and microservices because they require user intervention. In order to facilitate automated data exchange while maintaining strong identity security, organizations should classify their data based on access patterns, and ensure that system-to-system data exchange leverages API identity tools, OAuth, and mutual TLS.

CISOs need to think about identity hygiene holistically - which not only includes human identity management like limiting permissions to the principle of least privilege, MFA enforcement, and periodic credential rotation, but also app-oriented identity management, including robust key management across Personally Identifiable Information and sensitive data, API security, network isolation, and most importantly - backups of crucial data. While it is certainly damaging to let an intruder in, so long as there are secured, off-site system backups to restore data from, there is always a well-tested path to recovery. Companies can also keep their identity management efforts on track over time by identifying and looking for specific metrics and trends including self-reported spam / phishing rates from employees, employee engagement on security-related comms, and success rates on decoy tests. This is, of course, in addition to technology-focused metrics such as identity logs and unauthorized activity alerts, event monitoring, device and network behavior and so on. With the advent of generative AI tools, we all need to be very wary of identity mimicry that could at first glance be indistinguishable from legitimate communication."

++

Viktoria Ruubel, Managing Director of Digital Identity, Veriff

"The concept of 'digital identity' has evolved tremendously over the past decade, and the explosion of digital platforms has led to today's online users having countless digital identities. It wasn't until recently, however, that users became both aware and concerned about the amount of personal data being collected and shared by third parties online. As privacy concerns for both users and businesses become top-of-mind and technologies advance, we'll see the next generation of identity verification come to the forefront. This will come in the form of reusable digital identity, that enables individuals and businesses to securely re-use a trusted digital identity across multiple online platforms and applications, creating more trust and better experience, and leading to less time and money spent by businesses in the process."

++

John DeSimone, President of Cybersecurity, Intelligence and Services, Raytheon Intelligence & Space

"Core to successful identity management is ensuring that the right policies, governance, and technologies are in place to give people access to the systems they need. While these elements can be managed at the component level, the best way for organizations to handle identity management is through a Zero Trust roadmap that implements the most important areas of protecting identity management first. Failure to think through these elements and manage them strategically can lead to breaches and enable attackers to jump from server to server and infect large quantities of computers and end users."

++ 

Hermann Hesse, vice president of solutions, StrongDM

"Identity Management Day is a great opportunity for technical and non-technical professionals to consider new approaches to identity and access management. As an industry, we need to fundamentally reimagine secure infrastructure access by integrating with the entire technology stack from legacy systems to the most updated cloud infrastructure. New findings reveal that a staggering 87% of infrastructure access credentials are utilized only once per quarter, if at all. This concerning trend poses a significant risk to organizations, as Verizon reports that 61% of all security breaches involve the exploitation of credentials to gain access to sensitive systems. These statistics highlight the limitations of existing least privilege and Zero Trust models, indicating the urgent need for enhanced identity management and access controls. We need to address these issues by ensuring that credentials only exist in the moments they're needed, so that every action is secure and auditable."

++

Matt Rider, VP of Security Engineering, EMEA, Exabeam

“Not only is credential theft responsible for some of the most prolific cyber attacks, such as the infamous 2020 Twitter hack, but it is also one of the most common and widespread forms of cyber attack. In fact, the 2022 Ponemon Institute State of Cybersecurity Report found that a staggering 54% of security incidents are caused by compromised credentials.

“It’s for this reason that efforts such as Identity Management Day are so important. Not only does it provide the opportunity to raise awareness around the subject, but it also provides a space to educate the public on best practices. Basic cyber hygiene habits such as creating strong and unique passwords, keeping your software up to date, and staying wary of suspicious emails and attachments can go a long way to keeping your network secure.

“Additionally, security teams need better visibility and insights into user activities so that they can detect anomalies, investigate, and then mitigate the cyber threats lurking in their systems. From a technology perspective, one of the most potent weapons currently available is user and entity behavior analytics (UEBA), which allows an organization to create a baseline of ‘normal activity’ and thus flag any major deviations as potential security alerts, which security teams can then investigate.”

++

Chris Hickman, CSO, Keyfactor

"Google's initiative to shorten certificate lifespans from 398 days to 90 days would complicate today's identity management challenges further. It's a significant jump and would require a higher degree of automation to manage frequent updates, or significantly more manual labor to keep up. Today, organizations already struggle to properly manage and secure certificates, with 77% of organizations reporting an outage in the past 24 months, and 53% acknowledging a lack of resources to do so. Shortening the lifespan could be compared to forcing individuals to renew their license/ID every three months.

The reality is that too many certificates are not properly managed, and this puts the spotlight on that issue. There are other organizations that issue short-life certificates; in a world where the threat landscape is constantly changing, stolen certificates are an issue. The shorter the window of opportunity to use a stolen certificate, the greater reliance you can put on the authenticity of the device or workload presenting that digital credential.

This is an important conversation to have on Identity Management Day because every device needs an identity, which comes in the form of digital certificates. Certificates need to be properly managed for organizations to have confidence in the digital trust of their network. Outages are costly and can be detrimental. If security teams are already struggling to properly manage and secure machine identities with certificates with a 398-day lifespan, just imagine the chaos a 90-day lifespan could institute."

++

Rod Simmons, vice president of product strategy, Omada

"There's no doubt that companies face greater cybersecurity risk than ever. Most people think of this risk as coming from malicious outsiders bent on breaching their network and stealing their data. That's often the case, but risk also comes from within when proper security controls aren't in place. This can be due to a culture problem.

To really strengthen defenses for the long term, you need a strong corporate culture around security. The objective is not to turn every employee into an IT expert, but to raise overall awareness of how their actions can help safeguard the organization. By instilling the notion that security is a shared responsibility across the entire company, rather than solely a concern for the IT department, all employees can better appreciate the role they play in protecting the organization's interests.

Technology can't fix culture. Only an organization's leaders can do that, and they have to take a strong and proactive, top-down role in transforming a weak security culture. Change starts with fully understanding the importance of identity management to the organization overall. Enterprises need to make sure they have all the necessary capabilities in place to ensure success, because there are possible traps that need to be avoided, such as not including the appropriate stakeholders, the absence of best practices, being too ambitious out of the gate, and underestimating the significance of data quality.

Identity governance and administration (IGA) is key to this. You need to know who has access to what, and why, to create a sturdy foundation for a stronger culture of security."

++

Almog Apirion, CEO and Co-Founder of Cyolo

"Identity Management Day aims to increase our focus on user identity and the techniques used by cyber criminals to compromise user logins. Overall, we need to encourage enterprises to take proactive actions to safeguard sensitive data and systems that users access. The observation of this day underlines the importance of individuals assuming responsibility for their own digital identity and remaining attentive to their individual risk. However, it also brings to the forefront the need for all organizations to lower the risk of data breaches and cyberattacks by supporting better identity practices.

In actuality, hackers do not break in; rather, they log in. So, when we talk about enterprises, we need a shift into a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over the access to their most critical systems.

By focusing on a modern zero-trust approach, and adopting strong authentication requirements, organizations can mitigate many of the advanced, persistent or emerging cyber threats. As additional vulnerabilities arise, businesses across industries will be better positioned to prevent unauthorized access to their data and mission-critical infrastructure."

++

Alec Nuñez, Director of Business Compliance, Poll Everywhere

"Identity Management Day, which was started in 2021, is held on the second Tuesday in April to highlight the importance of keeping digital identities protected. Identity management is the method of verifying the identities of network entities and the level of access to network resources. As threat actors and attack methods continue to evolve and grow in complexity, organizations need to continue to bolster identity management best practices and take all possible precautions.

Two important pieces of advice about identity management that organizations should include in their framework are:

  1. Always be PoLPing (Practicing the Principle of Least Privilege). This means that a user should only have access to the specific data, resources, and applications needed to complete a required task.
  2. Focus on the human element. Provide sufficient education and training to employees on how to protect their passwords and personal information, how to recognize phishing scams, and how to report suspicious activity. Understand how employees use systems and applications and take into account factors such as user experience as well as ease of use when implementing security measures; if the measures are too cumbersome or difficult to use, employees may find ways to bypass them, creating potential security vulnerabilities.

These two pieces of advice should be followed alongside other fundamental measures like two-factor authentication (2FA), monitoring for suspicious activity on employee accounts and systems, and planning for employee departures, including revoking access to company systems and applications. Despite best efforts, security incidents can and do still occur, especially as one of the most commonly made and exploited mistakes is using a weak password. Businesses should have a response plan in place (as well as a requirement for complex passwords in all reasonable situations) in the event of a security breach, including procedures for containing the breach, notifying affected parties, and recovering data.

A comprehensive approach to identity management is necessary, as it incorporates the human element as well as technological solutions to keep organizations as safe as possible."

++

Neil Jones, Director of Cybersecurity Evangelism, Egnyte

"In my experience, companies with the most effective cyber-protection programs have learned that identity management is a critical first line of defense against potential cyber-attackers. On Identity Management Day - and every day - organizations and their users need to follow best practices in order for identity management programs to succeed.

Best practices at the organizational level include:

  • Requiring users to utilize strong passwords and to have passwords updated on a routine basis.
  • Implementing Multi-Factor Authentication (MFA) in as many use cases within the company as possible.
  • Closely monitoring log-ins that occur via remote access technology to confirm that the log-ins originate from expected geographical locations and don’t leverage compromised users’ accounts.

Best practices from a user’s perspective include:

  • Never, ever sharing your sign-in credentials with anyone, as doing so can provide a malicious colleague with a gateway to an insider attack that appears to be perpetrated by you.
  • Not utilizing your business email address or phone number for affinity accounts at supermarkets, pharmacies, etc. Over time, managing such messages from your business account can make you more susceptible to clicking on a phishing email that doesn’t come from a legitimate source because your guard is down.
  • If you’re reading this and one of your passwords includes the name of a family member, your favorite pet’s name, or the location where you grew up, please change it immediately. Many Web site authentication questions leverage questions that contain such information to enable you to authenticate.

For maximum effectiveness, proper identity management should be combined with proven endpoint security and data governance solutions, since it’s imperative that organizations protect what cyber-attackers want access to the most – their data. It isn’t sufficient to protect the technical infrastructure around the data, you also need to protect the data itself."
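
Two of the contributors above describe the same detection pattern from different angles: Matt Rider's point that UEBA builds a baseline of "normal activity" and flags major deviations, and Neil Jones's advice to monitor remote log-ins for unexpected geographic origins and compromised accounts. The following is an added example (not code from the original article or from Exabeam or Egnyte) that implements a minimal version of that baseline-and-deviation logic in Python. The login records are constructed for the example, the users, countries and device IDs are hypothetical, and the thresholds (two hours for "off-hours", two hours for "impossible travel") are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records for this example (not real logs):
# user,ISO-8601 timestamp,country code,device id
HISTORY = """\
alice,2023-03-01T08:55:00,US,lap-01
alice,2023-03-02T09:10:00,US,lap-01
alice,2023-03-03T08:40:00,US,lap-01
alice,2023-03-06T09:05:00,US,lap-01
alice,2023-03-07T08:50:00,US,lap-01
bob,2023-03-01T22:10:00,DE,lap-07
bob,2023-03-02T21:45:00,DE,lap-07
bob,2023-03-03T22:30:00,DE,lap-07
"""

# Constructed new logins to score against that baseline.
NEW_EVENTS = """\
alice,2023-04-10T09:02:00,US,lap-01
alice,2023-04-10T09:40:00,RU,lap-01
bob,2023-04-10T22:00:00,DE,lap-07
bob,2023-04-10T22:05:00,DE,lap-99
alice,2023-04-11T03:15:00,US,lap-01
"""


def parse_events(text):
    """Parse CSV-style login lines into dicts, skipping blank lines, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, ts, country, device = line.split(",")
        events.append({"user": user, "ts": datetime.fromisoformat(ts),
                       "country": country, "device": device})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user profile of 'normal': countries, devices, login hours and the last login seen."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(),
                                "hours": set(), "last": None})
    for e in events:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["ts"].hour)
        b["last"] = e
    return base


def hour_distance(h1, h2):
    """Circular distance between two hours of day (23 and 01 are 2 apart, not 22)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def score_event(profile, event, prev_event):
    """Return the list of ways this login deviates from the user's baseline (empty = normal)."""
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["device"] not in profile["devices"]:
        reasons.append(f"new device {event['device']}")
    # Off-hours: more than two hours away from every hour this user has logged in at.
    if all(hour_distance(event["ts"].hour, h) > 2 for h in profile["hours"]):
        reasons.append(f"off-hours login at {event['ts'].hour:02d}:00")
    # Impossible travel: a different country than the previous login, under two hours apart.
    if (prev_event is not None and prev_event["country"] != event["country"]
            and event["ts"] - prev_event["ts"] < timedelta(hours=2)):
        reasons.append(f"impossible travel {prev_event['country']}->{event['country']}")
    return reasons


def detect(history_text, new_text):
    """Build baselines from history, then return (user, timestamp, reasons) for each anomalous new login."""
    baseline = build_baseline(parse_events(history_text))
    last_seen = {u: p["last"] for u, p in baseline.items()}
    alerts = []
    for e in parse_events(new_text):
        reasons = score_event(baseline.get(e["user"]), e, last_seen.get(e["user"]))
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
        last_seen[e["user"]] = e   # the previous login is whatever we just saw, even if anomalous
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {user} {ts}: {', '.join(reasons)}")
```

On the constructed data this raises three alerts: alice's second login on 10 April (a new country, and impossible travel from the login 38 minutes earlier), bob's login from an unseen device, and alice's 03:15 login outside her 08:00-09:00 pattern. The design choice worth noting is that the previous-login pointer is advanced even for anomalous events, so an attacker who triggers one alert does not also reset the travel check; a real UEBA product would add learned per-feature weights and a score threshold rather than alerting on any single deviation.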

++

Ravi Erukulla, VP of Analyst Relations and Customer Advocacy at Saviynt and Co-Chairman of Identity Management Day

"As organizations struggle to find a balance between sustaining existing identity-based processes and addressing new types of identity challenges, like the growth of IoT and machine identities, they must prioritize finding ways to converge identity management and governance to improve the overall security posture.
 
Organizations should leverage cloud-native tools that automate and consolidate identity-based tasks to get more value from their identity investments and alleviate the administrative burden for identity practitioners. With an intelligent, cloud-based identity program, enterprises will not only improve their identity management and governance systems, but will increase overall security awareness, decrease the burden of regulatory and compliance needs, and improve end-user experience and productivity."

++

Kevin Kirkwood, Deputy CISO at LogRhythm

"It is crucial for IT and security teams to effectively manage and regularly safeguard all digital identities in their environment as most breaches today start with compromised identities. The best chance of defending against fraudsters trying to access sensitive data is for organizations to deploy the requisite level of security that supports Identity and Access Management (IAM) solutions along with enabling consistent identity and Single Sign On (SSO) through SIEM integration.
 
SIEM and IAM integration matures security operations by enabling IT and security personnel to quickly respond to security alerts with automatic preventative actions. Security analysts can conduct better investigations into both on-premises and cloud-based activities when they have a complete picture of IAM events. On this year’s Identity Management Day, it is critical that organizations prioritize integrating their SIEM solutions with IAM to start moving towards a Zero-Trust model that protects identities in their entirety."

++

Zach Capers, Senior Security Analyst at Capterra, and Gartner Analyst

"Identity management has become so fundamental to business and security that it’s often overlooked. One area that deserves more attention is the use of SMS in business scenarios. Threat actors are exploiting this type of verification tool to get around multi-factor authentication schemes and manipulating employees with phishing scams. Businesses should move away from the use of SMS in multi-factor authentication and educate employees about the risks of SMS-based attacks.

Below are a few highlights we've uncovered in a recent Capterra study, as we continue to see employees being targeted across the board:

  • 92% of employees have received at least one suspicious SMS message on their personal device in the last three months.
  • Fraudulent messages commonly lead to bogus login pages that collect network credentials and other sensitive information.
  • 85% of employees use a personal device for work—and nearly all of them have recently received at least one suspicious SMS message.
  • 42% of businesses use SMS as part of a 2FA process that cybercriminals can easily exploit using techniques such as MFA fatigue and SIM swapping."

++

Stuart Wells, CTO of Jumio

"Identity Management Day underscores the importance of protecting our digital identities now that identity-related data breaches are becoming more frequent. Organizations, and the public alike, must adjust to the current cyberthreat landscape and take action by securing and responsibly managing their digital identities. After all, identity-related information remains some of the most coveted data for hackers, and commonplace security measures like passwords, two-factor authentication and knowledge-based authentication are no longer enough to keep data safe. Although cybersecurity is enhanced and developing daily to safeguard data, cybercriminals continue to find new and better ways to access it.

Business leaders and IT decision-makers must remain aware of hackers’ new and innovative techniques to steal data. Now, more than ever, is the time to implement stronger security to protect identity-related information. For example, identity verification solutions supported by biometrics can ensure that the user attempting to access an account is who they claim to be. By using biometrics to accurately verify users, organizations can help keep digital identities and data out of fraudsters’ hands."

++

Joseph Carson, Chief Security Scientist, Delinea

"Keeping your identity safe online is more important than ever. As cybercriminals become more sophisticated, they’re constantly finding new ways to exploit vulnerabilities in security protocols. Companies need to focus on centralizing identities while also reinforcing best practices and training to ensure employees are doing everything possible to secure their credentials. The foundation of all of this lies within the security of digital identities and privileges."

++

Paul Martini, CEO of iboss

"Ensuring that every user's identity is properly managed, protected and secured is one of the most crucial tasks of any modern organization. Identity Management Day is an opportunity for all companies to consider how they are protecting users. By modernizing the legacy approach which validates identity only at time of login to a more modern Zero Trust approach which validates identity for each and every request to protected data and applications, organizations can greatly reduce the risk of breaches and data loss. This will ensure breached users and devices have their access to sensitive resources cut as soon as the risk is identified instead of waiting for the next time the user is asked to log in again."
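
The contrast Paul Martini draws above, validating identity once at login versus on every request, is easiest to see side by side. The following is an added example, not code from the original article or from iboss: a legacy gate that checks user and device risk only when the session is created, and a per-request gate that re-checks the same risk registry on every call and drops the session the moment a compromise signal appears. The RiskRegistry, the POLICY table, the user and device names and the "EDR: credential dumping detected" signal are all hypothetical, constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# Hypothetical access policy for this example: which resources each user may reach.
POLICY = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}


class RiskRegistry:
    """Where detections land (EDR, UEBA, IdP signals). Hypothetical stand-in for a shared risk service."""
    def __init__(self):
        self.flagged_users = {}
        self.flagged_devices = {}

    def flag_user(self, user, reason):
        self.flagged_users[user] = reason

    def flag_device(self, device, reason):
        self.flagged_devices[device] = reason

    def is_flagged(self, user, device):
        return user in self.flagged_users or device in self.flagged_devices


@dataclass
class Session:
    user: str
    device: str
    expires: datetime


class LoginTimeGate:
    """Legacy model: identity and risk are checked once, at login; the session is trusted until it expires."""
    def __init__(self, ttl=timedelta(hours=8)):
        self.sessions = {}
        self.ttl = ttl

    def login(self, user, device, risk, now):
        if risk.is_flagged(user, device):
            return None                      # only moment the legacy model consults risk
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, device, now + self.ttl)
        return token

    def _valid_session(self, token, now):
        s = self.sessions.get(token)
        if s is None or now >= s.expires:
            self.sessions.pop(token, None)
            return None
        return s

    def authorize(self, token, resource, risk, now):
        s = self._valid_session(token, now)
        # Risk is deliberately NOT re-checked here: that is the legacy behaviour being contrasted.
        return s is not None and resource in POLICY.get(s.user, set())


class PerRequestGate(LoginTimeGate):
    """Zero Trust model: every request re-validates the session and the current user/device risk."""
    def authorize(self, token, resource, risk, now):
        s = self._valid_session(token, now)
        if s is None:
            return False
        if risk.is_flagged(s.user, s.device):
            self.sessions.pop(token, None)   # cut access now, not at the next login
            return False
        return resource in POLICY.get(s.user, set())


def run_scenario():
    """Same user, same mid-session compromise signal, both gates; returns what each one decided."""
    t0 = datetime(2023, 4, 11, 9, 0)
    risk = RiskRegistry()
    legacy, zt = LoginTimeGate(), PerRequestGate()
    tok_l = legacy.login("alice", "lap-01", risk, t0)
    tok_z = zt.login("alice", "lap-01", risk, t0)
    t1 = t0 + timedelta(minutes=5)
    before = (legacy.authorize(tok_l, "payroll", risk, t1),
              zt.authorize(tok_z, "payroll", risk, t1))
    # Constructed compromise signal arriving while the session is still young.
    risk.flag_device("lap-01", "EDR: credential dumping detected")
    t2 = t0 + timedelta(minutes=10)
    after = (legacy.authorize(tok_l, "payroll", risk, t2),
             zt.authorize(tok_z, "payroll", risk, t2))
    return {
        "before_flag": before,                                   # (True, True)
        "after_flag": after,                                     # (True, False)
        "zt_session_revoked": tok_z not in zt.sessions,          # True
        "relogin_blocked": legacy.login("alice", "lap-01", risk, t2) is None,   # True for both models
        "policy_denies_unlisted": not zt.authorize(zt.login("bob", "lap-07", risk, t2), "payroll", risk, t2),
        "legacy_denies_only_after_expiry": not legacy.authorize(tok_l, "payroll", risk, t0 + timedelta(hours=8)),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The legacy gate keeps granting "payroll" for the remaining hours of the session after the device is flagged, and only a fresh login would be refused; the per-request gate refuses the very next call and discards the session. In a real deployment the risk lookup is a network call, so the usual compromise is a short cache (seconds to a minute) rather than a full re-check per request, which still bounds the exposure window to that cache lifetime instead of to the session lifetime.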

Published Tuesday, April 11, 2023 7:30 AM by David Marshall