Identity Management Day: Protecting Identities in the Expanding Threatscape

The Identity Defined Security Alliance (IDSA) is proud to host the second annual Identity Management Day, in partnership with the National Cybersecurity Alliance (NCA). The NCA is on a mission to empower a more secure interconnected world and the IDSA believes that identity is the critical path to make that vision a reality. Therefore, in 2021 we launched Identity Management Day, which is a global day of awareness focused on the importance of identity management and securing digital identities, and on sharing best practices to help organizations and consumers #beidentitysmart.

Our membership comprises more than 40 leading identity and security vendors and practitioner experts, who play a critical role in developing vendor-neutral education on the importance of securing digital identities and best practices to reduce the risk of an identity-related attack. We asked our membership to provide perspectives on the current state of identity security and advice on how to make us all more secure. The prevailing theme: identities are growing in numbers and in types, significantly expanding the threatscape. Organizations need to ensure that identity is core to their security strategy and individuals need to make protecting ALL of their identities a part of their daily lives.

“Organizations today are faced with a rapidly proliferating workforce. This is not only in terms of remote work, but also in an explosion of third-parties, auditors, interns, and contracted workers who require access to a similarly growing IT landscape of applications, infrastructure and data. To wit, there is no one solution that organizations can turn to in order to solve their identity security issues. A connected ecosystem of solutions that are married with strong business processes and committed corporate buy-in is needed in order to properly secure identities.”

Rod Simmons, VP of Product Management, Omada

“Identity is a foundational requirement for securing access to applications, resources, and infrastructure. With the transition to hybrid work becoming the new normal, identity becomes a core component when securing remote access to corporate networks. In fact, the CISA listed identity as the first pillar in a successful zero trust model when they released their Zero Trust Maturity Model guidance back in September. Traditional solutions such as legacy VPNs are no longer sufficient in order to properly secure this ever-growing attack surface.”

Den Jones, CSO, Banyan Security

“We all have a unique identity. When translated to technology, we have more than one account associated with our identities, and threat actors target our accounts to infiltrate an environment. Identity Management Day helps consumers, employees, and businesses understand the risks to their identities if an account is compromised, along with the best practices for securing accounts from identity-based attack vectors. If you consider how many accounts an individual may have to perform their role within an organization, protecting users’ identities is one of the best strategies to prevent future security breaches.”

Morey Haber, Chief Security Officer, BeyondTrust

“On the 2nd Identity Management Day, we find the world in a tumultuous situation. Unlike the covert cyberwars and script kiddies of the past, we now find ourselves staring at overt cyber hostility by nation states, innovative concoctions of simple and complex tactics by underage actors, and independent mercenaries heading to call to action by national leaders. Identity Defined Security is the only security perimeter and defense we have in the absence of national borders in cyberspace. So, let’s double down on Identity Management awareness and excellence to ensure a safe cyberworld.”

Manish Gupta, IDSA Customer Advisory Board Member

“Even though third-party access is at the heart of more than 51% of security breaches, it continues to be a gap in many organizations’ identity programs. Non-employees are given the same level of access as employees, oftentimes with less scrutiny in confirming they are who they claim to be, and that the level of access granted to them is appropriate and limited to only when needed. Managing all identities with the same diligence is a critical first step in creating a strong cybersecurity culture, inclusive of both employees and non-employees, and a resilient cyber framework to withstand ever increasing cyber security threats.”

David Pignolet, founder & CEO, SecZetta

“Identity security is more “essential” than ever. Many companies are only scratching the surface of identity security, focused only on granting access. That may have been good enough a couple of years ago, but today the stakes have never been higher for enterprise security. “Good enough” is no longer enough.

Enterprises face cyber threats daily, and breaches incur costs that are both financial and reputational—and in many cases, it has cost executives their careers. Today’s enterprises cannot afford to kick the can down the road further. Strong identity security is no longer a “nice to have” solution. It is essential. Placing identity at the core of the security architecture, and truly understanding who should have access to what and how that access is used is the only path forward to a secure enterprise.”

Matt Mills, President of Worldwide Operations, SailPoint

“When it comes to cyber threats, all roads continue to lead to identity. Digital transformation, the move to cloud, and requirements for remote work have only made it easier for cyber criminals as organizations struggle to secure an expanded threatscape and get a handle on identity sprawl. Companies of all sizes need to focus on centralizing identities while also reinforcing best practices and training to ensure employees are doing everything possible to secure their credentials. Remember: it only takes one compromised identity to negatively impact the company’s financial performance, customer loyalty, and brand reputation, potentially costing millions of dollars.”

Joseph Carson, Advisory CISO and Chief Security Scientist, Delinea

“Many organizations are just beginning to recognize the importance of having a strategy for managing the sprawling machine identities and credentials in their network. Just like human identities, machine identities are complex and come in many forms, which creates challenges and vulnerabilities for IT and security professionals. Two major challenges organizations face include a lack of visibility into the human and device identities accessing their data and managing them at scale. This makes it difficult for organizations to shift away from traditional networks and data centers and fully implement initiatives like cloud adoption and zero trust.”

Chris Hickman, Chief Security Officer, Keyfactor

“Big rises in digital and IT initiatives have contributed to an accelerated number of digital identities, running into the hundreds of thousands per organization. These identities are associated with machines and applications, as well as customers, staff and suppliers. And the majority of them routinely access sensitive or privileged data and assets.

Organizations face a widening identity-centric attack surface because investment in the cyber tools and techniques to secure this access has not kept pace with investments required to accelerate digital business initiatives, creating cybersecurity “debt” that must be paid down by introducing Zero Trust principles to Identity Security strategies.”

David Higgins, Senior Director, Field Technology Office, CyberArk

“In only two years, we’ve seen enterprises’ digital footprints grow monumentally. Companies have onboarded many new – and newly remote – employees, challenging already-stretched IT teams, expanding attack surfaces, and putting the company and personal data at risk. Organizations also had to establish new direct-to-consumer channels, which opened up new avenues for fraud. Enterprises need to be hypervigilant to these new digital threats and deliver security and experience flawlessly, without compromising either.”

Eve Maler, Chief Technology Officer, ForgeRock

“Unrecognized privilege sprawl, or the always-on administrative access, is a big factor exposing companies today. It occurs when administrative, or special rights to systems, have been over-provisioned.

Admins need access, but 24x7x365 standing privileges instead of a “Just-in-Time” approach are what get companies into hot water today, compounded by lack of proper de-provisioning when there should be. Whether from lax procedures, a lack of consistent oversight, or fear of disrupting established processes, de-provisioning or terminating privileged access is often neglected or mismanaged.

This enables lateral movement — what many cybercriminals use to infiltrate and attack systems. Unfortunately, the problem often grows in the dark without organizations realizing until it’s too late.”

Raj Dodhiawala, President, Remediant

“Sophisticated ransomware groups such as Conti and LockBit are doubling down on using identity systems as an attack vector—because that approach works, often to devastating effect. Many organizations still struggle to defend against these attacks because they’re hampered by legacy identity environments with weak password policies, a lack of identity security expertise, and inadequate processes and technology to address the problems.”

Sean Deuby, Director of Services, Semperis

“The rise of remote work has made it increasingly difficult to protect access to corporate resources as employees are connecting from anywhere, at any time, from anything. Thus, verifying the identity of the people and things that connect to enterprise resources is critical in this new Identity-centric paradigm. Enterprises need to take a comprehensive approach to address these identity challenges and avoid being stuck with multiple disconnected solutions resulting in increased cost and lower security.”

Jerome Becquart, COO @ Axiad

Thanks to all our IDSA Members! Visit Identity Management Day 2022 Resources and follow #IDMgmtDay2022 and #BeIdentitySmart on Twitter and LinkedIn to access all of the advice and best practices that will be shared as part of Identity Management Day.

Register today for the Virtual Conference on April 12th! Can’t make it? All sessions will be recorded and available through May 13th.
