Monthly Archives: November 2024

The 2024 Study on the State of Identity and Access Management (IAM) Security

Keeping enterprise and customer data secure, private, and uncorrupted has never been more important to running a business. Data is the great asset in our information-driven world and keeping it secure can allow your organization to maintain a healthy operation and reduce operational, financial, legal, and reputational risk.

The purpose of this report is to understand how organizations are approaching Identity and Access Management (IAM), to what extent they are adopting leading security practices, and how well they are mitigating identity security threats. Sponsored by Converge Technology Solutions, Ponemon Institute surveyed 571 IT and IT security practitioners in the US to hear what they are currently practicing in IAM.

Keeping information safe has gotten more complex as technology has advanced, the number of users has grown, and the devices and access points they use have proliferated beyond the walls of the enterprise. Attackers see their opportunities everywhere.

Threat actors have also changed. It’s no longer the “lone wolf” hacker that is the threat, but now organized criminal organizations and bad-actor nation states are a constant threat to our data security. They have more sophisticated tools, expanding compute power, and AI. They’ve also had decades to hone their methods and are innovating daily.

Not a week goes by without a new data breach hitting the news cycle. A single successful attack can be painfully expensive. In the United States the average cost per data breach was $9.48 million in 2023. And this is just the financial impact which may not include reputational harm, loss of customers and other hidden costs.

Surprisingly, stolen or compromised credentials are still the most common cause of a data breach. While there is an entire industry devoted to identifying and remediating breaches as or after they happen, the best defense is to prevent credential theft in the first place.

At the heart of prevention are the practices of Identity and Access Management or IAM. IAM ensures that only trusted users are accessing sensitive data, that usernames and passwords aren’t leaked or breached, and that the enterprise knows precisely who, where and when their systems are being accessed. Keeping the bad guys from stealing credentials severely limits their ability to cause harm. Good IAM and awareness training does that.

The State of the Art of IAM

Like all technology practices, IAM has evolved over the years to become more sophisticated and robust as new techniques have been developed in keeping data and systems secure. Organizational adoption and enforcement vary greatly.

While some advanced businesses are already using endpoint privileged management and biometrics, there are still organizations with policies loose enough that using a pet’s name with a rotating digit as a password is still possible or credentials are on sticky notes stuck to employee monitors.

For most companies, it all begins with the basics of authentication. If you’re only using username and password, it is no longer enough authentication for your “primary” login for mission-critical systems. In legacy systems, where sophistication beyond usernames and passwords is not available, best practices must be taught and enforced rigorously. Practices such as very long passwords or passphrases and checking passwords against a blacklist must be put in place. These password basics are a starting point that many, many users still don’t universally adhere to.

The next critical step is adding Multi-Factor Authentication (MFA). Many cyberattacks are initiated by phishing where credentials and personal information are obtained from susceptible users. Others are brute force attacks where the password is eventually guessed. Using MFA introduces a second level of authentication that isn’t password-based to thwart attackers who may have discovered the right password. If your organization hasn’t yet implemented MFA, it is past time to act. This additional layer of security can dramatically reduce the risk of credential compromise.

If you’ve already deployed basic MFA, the next logical steps include Adaptive Authentication or Risk Based Authentication. This technique adds intelligence to the authentication flow to provide strong security but reduces a bit of the friction by creating authentication requirements based on the risk and sensitivity of each specific request rather than using the same MFA prompt every time. This reduces MFA response fatigue for end users.
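The step-up decision described above can be expressed as a small scoring function. The following is an added illustration, not code from the report or from any vendor's product; the signal names, the weights, the 30/80 thresholds and the 12-hour MFA freshness window are assumptions chosen for the example.

```python
"""Risk-based (adaptive) authentication decision for one login request.

Added illustration, not code from the Ponemon/Converge report. The signal
names, weights, thresholds and the 12-hour MFA freshness window are
assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginContext:
    user: str
    device_known: bool              # device previously registered to this user
    ip_country: str                 # country of the requesting IP
    home_country: str               # country the user normally works from
    ip_on_blocklist: bool           # e.g. anonymizing proxy or prior abuse
    failed_attempts_last_hour: int  # recent failures against this account
    resource_sensitivity: str       # "low", "medium" or "high"
    minutes_since_last_mfa: Optional[int]  # None if MFA was never completed


# Assumed weights: how much each signal contributes to a 0-100 risk score.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 20, "high": 40}
MFA_FRESH_MINUTES = 12 * 60


def risk_score(ctx: LoginContext) -> int:
    """Sum the weighted signals and clamp the result to 100."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.ip_country != ctx.home_country:
        score += 25
    if ctx.ip_on_blocklist:
        score += 50
    score += min(ctx.failed_attempts_last_hour, 5) * 5
    # An unknown sensitivity label is treated as high, never silently as low.
    score += SENSITIVITY_WEIGHT.get(ctx.resource_sensitivity, 40)
    return min(score, 100)


def decide(ctx: LoginContext) -> str:
    """Map the score to 'allow', 'mfa' or 'deny' so users are prompted only when risk warrants it."""
    score = risk_score(ctx)
    if score >= 80:
        return "deny"
    if score >= 30:
        return "mfa"
    # Low risk: honour a recent MFA, but re-prompt once it is stale or absent.
    if ctx.minutes_since_last_mfa is None or ctx.minutes_since_last_mfa > MFA_FRESH_MINUTES:
        return "mfa"
    return "allow"


if __name__ == "__main__":
    ctx = LoginContext("alice", True, "US", "US", False, 0, "low", 30)
    print(ctx.user, risk_score(ctx), decide(ctx))
```

The point of the design is the middle band: a known device in the home country touching a low-sensitivity app with a fresh MFA passes silently, while the same user reaching a high-sensitivity system, or arriving from an unknown device, is prompted, and a combination of bad signals is refused outright rather than handed another MFA prompt to fatigue.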

On the leading edge, organizations may choose to forgo using passwords altogether and go passwordless to nearly eliminate the risk of phishing attacks. This method uses passkeys that may leverage biometrics (e.g., fingerprint, retina scan), hardware devices or PINs with cryptographic key pairs assigned and integrated into the access devices themselves.

A layer on top of these methods is Identity Threat Detection and Response (ITDR). This technology gathers signals across the ecosystem to automatically deal with a credential breach (or the risk of one) as it happens, to limit lateral movement. ITDR uses analytics and AI to monitor access points and authentication, identify anomalies that may represent attacks, and then force re-authentication or terminate sessions before further damage can be done. These systems have sophisticated reporting and analytics to identify areas of risk across the environment.
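Two of the anomalies an ITDR layer looks for, a login that implies impossible travel and a success immediately following a burst of failures, can be detected from the authentication stream alone. The block below is an added example, not the report's code or any product's detection logic; the event layout, the 900 km/h plausibility limit, the four-failures-in-five-minutes rule and the response actions are assumptions, and the events are constructed for the illustration.

```python
"""ITDR-style monitoring of an authentication event stream.

Added example, not the report's code. The event layout, the 900 km/h
plausibility limit, the failure-burst rule and the response actions are
assumptions; the events themselves are constructed for the illustration.
"""
import math
from datetime import datetime

# Constructed events: (timestamp, user, outcome, ip, lat, lon).
EVENTS = [
    ("2024-11-04T09:00:00", "alice", "success", "203.0.113.10", 44.98, -93.27),  # Minneapolis
    ("2024-11-04T09:20:00", "alice", "success", "198.51.100.7", 52.52, 13.40),   # Berlin, 20 min later
    ("2024-11-04T10:00:00", "bob", "failure", "192.0.2.5", 40.71, -74.01),
    ("2024-11-04T10:00:10", "bob", "failure", "192.0.2.5", 40.71, -74.01),
    ("2024-11-04T10:00:20", "bob", "failure", "192.0.2.5", 40.71, -74.01),
    ("2024-11-04T10:00:25", "bob", "failure", "192.0.2.5", 40.71, -74.01),
    ("2024-11-04T10:00:40", "bob", "success", "192.0.2.5", 40.71, -74.01),       # guessed right
    ("2024-11-04T11:00:00", "carol", "success", "203.0.113.20", 41.88, -87.63),  # Chicago
    ("2024-11-04T13:00:00", "carol", "success", "203.0.113.21", 44.98, -93.27),  # Minneapolis, 2 h later
]

MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two logins is not human travel
FAIL_BURST = 4              # this many failures within the window ...
BURST_WINDOW_S = 300        # ... before a success marks a likely guessed password


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(events):
    """Return (user, finding, action) triples; the action is what ITDR would trigger."""
    findings = []
    last_success = {}     # user -> (time, lat, lon) of the previous successful login
    recent_failures = {}  # user -> timestamps of failures since the last success
    for ts, user, outcome, _ip, lat, lon in sorted(events):
        t = datetime.fromisoformat(ts)
        if outcome != "success":
            recent_failures.setdefault(user, []).append(t)
            continue
        burst = [f for f in recent_failures.get(user, []) if (t - f).total_seconds() <= BURST_WINDOW_S]
        if len(burst) >= FAIL_BURST:
            findings.append((user, "success_after_failure_burst", "force_reauth"))
        recent_failures[user] = []
        if user in last_success:
            t0, lat0, lon0 = last_success[user]
            hours = (t - t0).total_seconds() / 3600
            km = haversine_km(lat0, lon0, lat, lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                findings.append((user, "impossible_travel", "terminate_session"))
        last_success[user] = (t, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
```

Run against the constructed events, alice's Minneapolis-to-Berlin hop in twenty minutes and bob's success after four rapid failures are flagged, while carol's Chicago-to-Minneapolis drive over two hours is left alone; in a real deployment the action would be handed to the identity provider to revoke the session or demand a fresh MFA.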

Regulatory Compliance: Identity Governance and Administration (IGA)

Regulatory non-compliance is another risk of failed IAM. Since regulations such as GDPR (General Data Protection Regulation), SOX (Sarbanes-Oxley), and HIPAA (Health Insurance Portability and Accountability Act) all set standards for data privacy, it is imperative that organizations identify, approve, and monitor access to critical data and systems.

The authoritative source of identity information for most organizations should be their HR system(s). A properly configured IGA solution utilizes this authoritative source as the starting point for determining access to an organization’s critical systems based upon the person’s role.

Beyond providing access, a viable IGA solution should also allow you to catalog and attest to user entitlements associated with mission-critical systems and systems with regulated data to create an audit trail. Periodic reviews of access (e.g., quarterly, annually), in addition to Separation of Duty (SoD) policies and event-driven micro-reviews, should be part of an IGA solution to ensure that compliance requirements are continually met.

Another avenue that is often exploited is over-privileged user accounts, where a user has access to data or systems that they don’t need, creating unneeded risks. User accounts can gain too much privilege in many ways, such as the retention of past privileges as individuals’ roles within the organization change. By managing lifecycle events with an IGA solution, organizations can minimize the risks of overprivileged accounts being compromised.

IGA solutions can enforce a policy of “least privileged access” where users are only assigned the necessary privileges to perform the duties required of them. This approach combined with SoD policy enforcement can help to greatly reduce your data security risk profile.

Similarly, Role Based Access Control (RBAC) can be a valuable methodology for managing the evolving access requirements of an organization. RBAC associates the required access based on the role an employee plays within the organization instead of using mirrored account privileges, thereby limiting the scope of what they can access to what is necessary. RBAC can greatly reduce the timeline necessary to roll-out large changes to systems and data thus allowing your organization to adapt quickly to the market and new requirements.

In addition to improving security, an IGA solution should also make life easier for users and administrators. An integrated IGA solution can take time- and labor-intensive manual provisioning operations and move them to automated request and fulfillment processes. The IGA solution not only performs the actions faster than manual provisioning activities, but it also ensures that the right resource is granted to the right person with the right approvals at the right time.
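The IGA practices described in this section (role-derived entitlements, least privilege, SoD enforcement, lifecycle events that revoke rather than accumulate access, and a periodic attestation listing) fit in one small model. The block below is an added example written to illustrate them; it is not the report's code or any IGA product's API, and the role names, entitlements, SoD pairs and the HR event names ("joiner", "mover", "leaver") are assumptions.

```python
"""Role-based access with least privilege, SoD policy and lifecycle-driven deprovisioning.

Added example to illustrate the IGA practices described above; it is not
the report's code. The role names, entitlements, SoD pairs and the HR
event names ("joiner", "mover", "leaver") are assumptions.
"""

# Role -> entitlements. A user's access is derived from roles only,
# never mirrored from another account.
ROLES = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_reports"},
    "hr_analyst": {"hris:read_employee", "hris:export_report"},
    "engineer": {"git:push", "ci:deploy_staging"},
}

# Separation-of-duty policy: entitlement pairs no single identity may hold together.
SOD_CONFLICTS = [
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
]


def entitlements_for(roles):
    """Union of the entitlements granted by a set of roles."""
    ents = set()
    for role in roles:
        ents |= ROLES[role]
    return ents


def sod_violations(ents):
    """Conflicting pairs present in one entitlement set."""
    return [pair for pair in SOD_CONFLICTS if pair[0] in ents and pair[1] in ents]


class IdentityStore:
    def __init__(self):
        self.roles_of = {}   # user -> set of roles, driven by the HR record
        self.audit = []      # append-only lifecycle trail for reviewers

    def entitlements(self, user):
        return entitlements_for(self.roles_of.get(user, set()))

    def set_roles(self, user, roles, event):
        """Replace (never extend) a user's roles, so a mover drops old access
        instead of accumulating it. Refuses any change that would breach SoD."""
        roles = set(roles)
        unknown = roles - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        prospective = entitlements_for(roles)
        violations = sod_violations(prospective)
        if violations:
            self.audit.append({"user": user, "event": event, "denied_sod": violations})
            return False
        before = self.entitlements(user)
        self.roles_of[user] = roles
        self.audit.append({"user": user, "event": event,
                           "granted": sorted(prospective - before),
                           "revoked": sorted(before - prospective)})
        return True

    def terminate(self, user):
        """Leaver: every entitlement is revoked in one step."""
        return self.set_roles(user, set(), "leaver")

    def access_review(self):
        """Periodic attestation listing: who holds what, for reviewers to certify."""
        return {u: sorted(self.entitlements(u))
                for u in sorted(self.roles_of) if self.roles_of[u]}


if __name__ == "__main__":
    store = IdentityStore()
    store.set_roles("dana", {"ap_clerk"}, "joiner")
    store.set_roles("dana", {"ap_manager"}, "mover")
    print(store.access_review())
    print(store.audit[-1])
```

The two behaviours worth noticing are that a promotion which would combine vendor creation with payment approval is refused and recorded rather than silently granted, and that a role change is a replacement, so the audit entry for the mover lists the clerk entitlements as revoked instead of leaving them in place.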

Privileged Access Management (PAM): The Rise of Enterprise Password Vaults

PAM systems control access and passwords to highly sensitive data and systems, such as those controlled by IT to access root systems, administrator access, command-line access on vital servers, machine user IDs or other applications where a breach could put the entire IT footprint in jeopardy. The key component of a PAM system is an enterprise password vault that monitors access activity on highly sensitive accounts.

The password vault does more than just safely store passwords. It updates them, rotates them, disposes of them, tracks their usage and more. Users “borrow” privileged accounts temporarily for time-bound sessions, creating an abstraction between the person’s typical user account and the privileged account, minimizing the potential for privileged account credential compromise. Once a vault is established, the next level is to automatically rotate the passwords after they are borrowed. This ensures that nobody but the current user knows the password for a temporary timeframe.

For highly regulated systems with extremely sensitive data, such as those found in healthcare and finance, security can go one step further and automatically proxy the privileged session so that even the admin doesn’t know the username and password used. These sessions can also be recorded for forensic evidence of the work performed under privilege to provide auditability.

Privileged Identity Management (PIM) is another approach, based upon the concept of zero standing privileges, that can work in conjunction with traditional PAM. This is “just-in-time” temporary enrollment into privileged access and its subsequent removal after use. In PIM, each session is provisioned, subject to approval, based on the requester’s justification for needing access. Sessions are time-bound and an audit history is recorded. This ensures that the most sensitive systems are extremely difficult to hack.
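The vault checkout, post-checkout rotation and just-in-time grant described in this section come together in the following added example. It is not the report's code or any PAM product's API: approval is a parameter rather than a real workflow, secrets are generated locally, and the account name, durations and event labels are assumptions.

```python
"""Just-in-time privileged access backed by a vault that rotates on check-in.

Added example; it is not code from the report or from any PAM product.
Approval is a parameter rather than a real workflow, secrets are generated
locally, and the account names and durations are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    account: str
    justification: str
    approved_by: str
    expires_at: datetime
    checked_in: bool = False


class PrivilegedVault:
    def __init__(self, accounts):
        # Every privileged account starts with a vault-generated secret nobody has seen.
        self._secrets = {a: secrets.token_urlsafe(24) for a in accounts}
        self._grants = {}   # (user, account) -> Grant
        self.audit = []     # append-only trail: (time, user, account, event)

    def request(self, user, account, justification, approver, now, minutes=60):
        """Time-bound checkout: no standing grant exists until it is approved."""
        if account not in self._secrets:
            raise KeyError(account)
        if not justification.strip():
            self.audit.append((now, user, account, "denied_no_justification"))
            return None
        if approver == user:
            self.audit.append((now, user, account, "denied_self_approval"))
            return None
        if self.is_active(user, account, now):
            self.audit.append((now, user, account, "denied_already_checked_out"))
            return None
        grant = Grant(user, account, justification, approver, now + timedelta(minutes=minutes))
        self._grants[(user, account)] = grant
        self.audit.append((now, user, account, f"approved_by:{approver}"))
        return self._secrets[account]   # borrowed for this session only

    def is_active(self, user, account, now):
        g = self._grants.get((user, account))
        return g is not None and not g.checked_in and now < g.expires_at

    def check_in(self, user, account, now):
        """End the session and rotate the secret so the borrowed value stops working."""
        g = self._grants.get((user, account))
        if g is None or g.checked_in:
            return False
        g.checked_in = True
        self._secrets[account] = secrets.token_urlsafe(24)
        self.audit.append((now, user, account, "checked_in_and_rotated"))
        return True

    def expire(self, now):
        """Run periodically: check in (and rotate) every grant past its deadline."""
        count = 0
        for (user, account), g in self._grants.items():
            if not g.checked_in and now >= g.expires_at:
                self.check_in(user, account, now)
                count += 1
        return count

    def current_secret(self, account):
        return self._secrets[account]


def run_scenario():
    """Exercise the checkout, check-in and expiry paths; returns the observable outcomes."""
    vault = PrivilegedVault(["root@db01"])
    t0 = datetime(2024, 11, 1, 9, 0)
    no_reason = vault.request("alice", "root@db01", "", "bob", t0)
    self_approved = vault.request("alice", "root@db01", "CHG-1234", "alice", t0)
    pw = vault.request("alice", "root@db01", "CHG-1234", "bob", t0, minutes=30)
    active_mid = vault.is_active("alice", "root@db01", t0 + timedelta(minutes=10))
    vault.check_in("alice", "root@db01", t0 + timedelta(minutes=20))
    rotated = vault.current_secret("root@db01") != pw
    active_after = vault.is_active("alice", "root@db01", t0 + timedelta(minutes=25))
    pw2 = vault.request("carol", "root@db01", "patching", "bob", t0, minutes=15)
    expired = vault.expire(t0 + timedelta(minutes=16))
    rotated_on_expiry = vault.current_secret("root@db01") != pw2
    return {
        "no_reason_denied": no_reason is None,
        "self_approval_denied": self_approved is None,
        "checkout_ok": pw is not None,
        "active_mid_session": active_mid,
        "rotated_on_check_in": rotated,
        "inactive_after_check_in": active_after,
        "expired_count": expired,
        "rotated_on_expiry": rotated_on_expiry,
        "audit_events": len(vault.audit),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The property that matters is that a borrowed password is only ever valid for the window it was approved for: check-in and expiry both rotate the secret, so a value copied out of a session, a shell history or a screenshot is useless afterwards, and every request, refusal and rotation lands in the audit trail.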

Adoption and Use are Key to IAM

IAM best practices and new technologies don’t work if they are not fully implemented. To understand the current prevalence, adoption and impact of IAM practices, Converge Technology Solutions sponsored the Ponemon Institute to study and understand organizations’ approach to IAM and how they are working to mitigate security threats targeting their user credentials, sensitive information, and confidential data.

Ponemon Institute surveyed 571 IT and IT security practitioners in the US who are involved in their organizations’ IAM program. The top three areas of respondents’ involvement are evaluating IAM effectiveness (51 percent of respondents), mitigating IAM security risk (46 percent of respondents) and selecting IAM vendors and contractors (46 percent of respondents).

The key takeaway from this research is how vulnerable organizations’ identities are to attacks. While organizations seem to know they need to improve the security posture of their IAM practices, they are not moving at the necessary speed to thwart the attackers. According to the research, organizations are slow to adopt processes and technologies that could strengthen the security posture of IAM programs.

Only 20 percent of respondents say their organizations have fully adopted zero trust. Only 24 percent of respondents say their organizations have fully implemented passwordless authentication, which uses more secure alternatives like possession factors, one-time passwords, registered smartphones, or biometrics.

Following are research findings that reveal the state of IAM insecurity.

Less than half of organizations represented in this research are prepared to protect identities and prevent unauthorized access. Only 45 percent of respondents say their organizations are prepared to protect identities when attackers have AI capabilities. Less than half (49 percent) use risk-based authentication to prevent unauthorized access and only 37 percent of respondents say their organizations use AI security technology to continuously monitor authenticated user sessions to prevent unauthorized access.

Organizations lack the ability to respond quickly to next-generation attacks. Forty-six percent of respondents say that if a threat actor used a stolen credential to log in to their organization, it could take 1 day to 1 week (18 percent) or more than 1 week (28 percent) to detect the incident. Eight percent of respondents say they would not be able to detect the incident.

IAM security is not a priority. As evidence, only 45 percent of respondents say their organizations have an established or formal IAM program, steering committee and/or internally defined strategy, and only 46 percent of respondents say that, compared to other security initiatives, IAM programs are a high or very high priority.

IAM platforms are not viewed by many organizations as effective. Only 46 percent of respondents say their IAM platform(s) are very or highly effective for user access provisioning, lifecycle and termination. Only 44 percent of respondents rate their IAM platform(s) for authentication and authorization as very or highly effective. Similarly, only 45 percent of organizations that have a dedicated PAM platform say it is very or highly effective.

More organizations need to implement MFA as part of their IAM strategy. Thirty percent of respondents say their organizations have not implemented MFA. Only 25 percent of respondents say their organizations have applied MFA to both customer and workforce accounts.

Few organizations have fully integrated IAM with other technologies such as SIEM. Only 30 percent of respondents say IAM is fully integrated with other technologies and another 30 percent of respondents say IAM is not integrated with other technologies. Only 20 percent of respondents say practices to prevent unauthorized usage are integrated with the IAM identity governance platform.

As evidence that IAM security is not a priority for many organizations, many practices to prevent unauthorized usage are ad hoc and not integrated with the IAM platform. To perform periodic access review/attestation/certification of user accounts and entitlements, 31 percent of respondents say they use custom in-house-built workflows, 23 percent say the process is manual using spreadsheets, and 20 percent of respondents say it is executed through the IAM identity governance platform. Twenty-six percent of respondents say no access review/attestation/certification is performed.

Organizations favor investing in improving end-user experience. Improved user experience (48 percent of respondents) is the number one driver for IAM investment. Forty percent of respondents say the constant changes to the organization due to corporate reorganizations, downsizing and financial distress are a reason to invest.

To read the rest of the findings in this report, visit the Converge Technology Solutions website. 

Suicide after a scam; one family’s story

Bob Sullivan

I’ve been saying for a while that the two halves of my journalism career — consumer protection and cybersecurity — are merging together. I will tell anyone who listens that poor customer service is our greatest cybersecurity vulnerability. Consumers often trust criminals more than the institutions designed to protect them. And when you listen to some customer service interactions, that’s not as surprising as it sounds.

So this month, I’m sharing a story we covered on The Perfect Scam podcast, which I host for AARP.  It makes clear that the consequences of unpatched vulnerabilities, including inadequate customer service, can be deadly. On the other hand, I want those of you who work to protect people to hear this story as a reminder that what you do is incredibly important and valuable and….sometimes a matter of life or death.  Keep that in mind on the hard days.

This month, we interviewed an adult daughter and son whose father took his own life after becoming embroiled in a crypto/romance scam.

“When he had to accept that this is a world where this happened, he was no longer able to be in this world,” his daughter told me.

As I interviewed Dennis’ children, I really connected with him. He was a single dad; he encouraged his son to join multiple rock bands (even when they were terrible, I was told). Dennis even spent years photographing his son making music.  And today, he’s a successful musician. Dennis spent summers at the lake in Minnesota with his daughter and her kids.

He was a great guy who wanted one more bit of love, affection, excitement, and purpose in his life. He thought he’d found that with Jessica, and with crypto. He wasn’t looking to get rich. He was looking to leave something for his family.

Instead, every dollar he had saved to that point in his life was stolen. And when the very last dollar was gone, the criminals talked him through opening up an LLC so he could borrow more money, which they stole.  Even after the kids lovingly stepped in, and dad was persuaded he’d been defrauded, he still believed in Jessica. He figured she was a victim, too.  And whoever Jessica was, Dennis was probably right. As we’ve chronicled before, many scam callers are victims of human trafficking, forced to steal money online against their will.

And when Dennis just couldn’t wrap his head around everything that had happened, he ended his life.

“I heard a story of someone in a book, and the way it was talked about in that story was knowing that he took his own life, but also feeling like he was killed by a crime,” his daughter told me.

(This story and accompanying podcast include extensive discussion of suicide. If you or someone you love is in crisis, call 9-8-8, a free hotline staffed by professionals who can provide immediate help.)

Readers of my newsletter know this is not the first time I’ve talked about the scam/suicide connection. Last year we told the story of Kathy Book, who survived a suicide attempt and bravely talked with me about her experience. The stakes for scams have risen so much in the past couple of years, even since I started working on The Perfect Scam. I’m hardly the only one who thinks so. 

Also, please don’t be fooled into thinking this malady impacts only the elderly. Everyone can be a victim under the right circumstances. The pain, fear and shame of being a victim have driven many to contemplate self-harm, often with tragic results. Teenagers.  Women.  Anyone. 

Look, nobody wants to have this conversation.  I will be eternally grateful to Laura and Matt for speaking to me about their father — all because they want to help others. I can’t imagine how difficult that was for them, and what a gift it is to the rest of us. I can assure you I don’t want to talk with any more family members about their loved ones’ pain, suffering, and suicide.  And I know I sound like a broken record when I talk about scams being more sophisticated, more prevalent, and more dangerous.  But please, talk with one person you love about the dangers posed by crypto, and online dating, and online job hunting, and even online games. Tell them the Internet is full of liars who know how to say something to stir their our and make us click on something we’d “never” click on, or do something we’d “never” do.  It’s ok to repeat yourself.

But most of all, be a person that can be talked to under any circumstances. Cultivate a non-judgemental, open spirit so they know you can be trusted. Tell them that no matter how bad things might suddenly seem — an IRS audit, an arrest warrant, accusations of child pornography — they can always talk with you, there’s always another way.

If you’d like,  listen to this week’s episode, Suicide After a Scam: One Family’s Story.  Especially if you still have that nagging feeling like, “This could never happen to me or anyone I know.”