The scope of identity and access management (IAM) has expanded over the years. In the beginning, IAM concerned only identities that represented humans, but more recently it has grown to encompass not only tools and technologies, but also the processes through which a digital identity is defined and managed to provide access to digital resources. IAM has evolved in response to new technologies and the vulnerabilities they introduce. In a back-and-forth pattern, IAM responds to changes in the threat landscape and the threat landscape responds to changes in IAM, and the cycle goes on.
IAM’s Evolution Over the Years
The critical nature of IAM makes it an essential component of cybersecurity. Good security hygiene includes a sound IAM strategy where all identities are managed with consistent policies and tools that give security leaders an understanding of who has access to the organization’s resources (especially the critical ones).
But keeping a high level of security – including good security hygiene – becomes more challenging with each passing day. The modern work-from-anywhere workforce demands access on any device and for any services. This requires digital identities to be securely established and verified, enabling secure digital communications to support e-commerce and other critical digital services. Not only are services located anywhere in the world, but there are also varying levels of trust and security required to assure that transactions are legitimate and sensitive data is safeguarded.
Things certainly have changed from the pre-internet days when all assets were controlled within private data centers and access was restricted to company-controlled devices and networks. The new era exposes users and organizations to new risks due to the expansion of digital services, increasing the threat and attack surface.
Coupled with this increased risk is the acceleration of regulations meant to hold organizations accountable for protecting customer data and giving consumers the ability to better control what data can be shared. Furthermore, the original technologies that provided identity and access management are built on legacy platforms and are unable to support these new requirements, forcing organizations to consider modern platforms and services that support these new use cases.
Cyber Attacks Have Also Evolved
It’s not a moment too soon to improve security, because hackers are always looking for novel ways to steal data. In fact, according to the 2022 Verizon Data Breach Investigations Report, there’s no letup in sight: “The past year has been extraordinary in a number of ways, but it was certainly memorable with regard to the murky world of cybercrime. From very well publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”
And the cost of a data breach is going up as well. IBM Security reports that the global average cost of a data breach increased 2.6% from $4.24 million in 2021 to $4.35 million in 2022 — the highest it’s been in the history of its “The Cost of a Data Breach Report.”
The Verizon report points out that 80% of data breaches are the result of compromised login credentials. Credentials can be compromised by weak passwords, phishing, social engineering, malware, etc. And the recent advent of ChatGPT-style bots will certainly be exploited by cyber attackers, for example by lulling a user into a conversation that results in the user divulging personal information that can be used to compromise accounts. One more statistic from the Verizon report: “The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.”
A Few Notable Data Breaches of 2022
January 2022. An attack on servers exposed the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement.
July 2022. Account information for 69 million users of the popular children’s game Neopets was exposed, including names, email addresses, zip codes, genders and birth dates. The attackers had access to the Neopets IT systems for 18 months before the breach was discovered.
August 2022. DoorDash experienced a data breach that exposed the personal information of 4.9 million customers, workers and merchants. A third-party vendor was the target of a sophisticated phishing campaign. Information exposed included names, email addresses, delivery addresses, phone numbers and some partial payment information.
It’s no surprise that identity today has risen in importance as organizations recognize what’s at stake. Identity has become the first line of defense against cyberattacks. An organization’s brand and reputation are intertwined with its ability to avoid breaches and protect customer data, and identity security has become a board-level initiative prioritized by C-level executives.
Where Identity Management Day Comes In
The good news is that there are things we can do to minimize cyber threats. But the bad news is that most of us aren’t actually doing them. Raising awareness and reminding users and organizations to be vigilant is key.
Identity Management Day is a day dedicated to informing people and organizations about the dangers of casually or improperly managing and securing digital identities. We do this by raising awareness, sharing best practices, and inspiring individuals and organizations to act.
Identity Management Day, co-sponsored by IDSA and the National Cybersecurity Alliance (NCA), provides an opportunity for all of us to evaluate our role in protecting our digital ecosystem. Whether acting as consumers or employees or partners, our online behaviors matter. Reusing a password or clicking on a suspicious link can wreak havoc in our individual lives, but it can also be an opportunity for a cyber attacker to get a foothold inside a corporate network.
As part of my role at Saviynt, I have been privileged to chair IMD 2022 and again in 2023. I have seen first-hand the great information that flowed through various sessions, the engagement from the participants and the champions that supported Identity Security best practices during IMD 2022. While we emphasized the theme “Identity Security is everyone’s responsibility” last year, we will focus on how to “BeIdentitySmart, BeCyberSmart” this year.
I’d like to personally encourage you to join us on the journey to better identity management!
Explore more at https://identitymanagementday.org/. And register for the Identity Management Day virtual conference on Apr 11, 2023 – a day of awareness, learning and celebration.
I look forward to seeing you at IMD 2023. Register here.
About the Author: Ravi Erukulla is a long-time identity and security enthusiast and is particularly passionate about simplifying the way identity and security products are built and adopted. Ravi brings two decades of industry experience in identity, security, and technology solutions. In his current role as VP of Analyst Relations and Customer Advocacy at Saviynt, Ravi is responsible for driving analyst relations, industry alliance partnerships, and customer advocacy & engagement. Prior to joining Saviynt, Ravi led product management and engineering at Oracle and SAP for Identity and GRC products. Ravi holds a Master’s degree in Computer Engineering from the University of South Carolina.