Last week, the parent company of a mobile money transfer utility called CashApp began notifying more than 8 million customers and employees that their names and brokerage data had been stolen by a former employee.
When they left the company, that person’s access to at least some of the company’s systems was not terminated. As a result, they were able to download a number of reports.
This may not be a surprise. According to a survey in a report by CyberArk Software, released today (registration required), employees estimate that they access an average of 30 applications or accounts that are not managed by federated identities.
Although the data stolen from CashApp did not include passwords, social security numbers, or payment card information that could be immediately monetized, the incident was embarrassing to say the least.
It’s the latest example of why managing the identity of employees, partners, and customers should be an essential part of every IT manager’s defense strategy.
However, it is not managed well enough. For example, only 48% of CyberArk survey respondents said their organization had identity security controls for their critical applications.
This is one of the reasons IT vendors have declared April 12 Identity Management Day. With the event now in its second year, they hope IT managers – and consumers – will take the time to consider whether their identity and access management practices meet not only the challenges of today, but also those of the near future.
Identity and access management (IAM) is the key to a zero-trust framework, which infosec professionals say is a must-have for organizations today. Hybrid IAM solutions are essential for organizations running combined on-premises and cloud environments.
Identity management can be limited to “incoming/moving/leaving” employees (from hire to departure), in the words of Andras Cser, vice president and principal analyst for the security and risk management practice at Forrester Research. But, he said in an interview, it should also include access management (IAM) – limiting access to data only to those who need it, otherwise known as restricting the number of privileged accounts.
Directly or indirectly, identity issues — meaning stolen or lost credentials — can be involved in more than 80% of data breaches, he said. “If you look at most breaches, there is some kind of escalation or lateral movement of the attacker. The attacker accesses a desktop or laptop computer and from there their task is to harvest any type of credentials to move to other systems and penetrate deeper.
“There are other ways to do it, but if you have the identity of [or credentials with access to] a sensitive database or server, or an administrator password, it’s much easier to break into than any other way.”
With the compromise of usernames and passwords looming so large in many breaches, why, asked Cser, aren’t IT managers taking it seriously enough?
“There’s a lot of complacency,” he replied, with companies “hoping they won’t be a target. Keeping passwords is my pet peeve. Passwords for anything security have run their course. You should not rely on passwords at all. I know it’s easy and cheap, but passwords are a thing of the past.”
Use multi-factor authentication (MFA) or passwordless solutions such as biometrics for identity management, he urged. “Everything except passwords.”
MFA needs to be properly adopted, he agreed, which means not using insecure methods, such as text messages, to send additional authentication codes. Other measures, such as ensuring that a malicious actor cannot convince support teams to add a hacker-controlled phone or email for sending codes, should also be adopted.
Second, he added, “People have these overarching identity strategies – which is good – but you have to implement things in very small pieces. This [identity management] is such a vast area. People are eager for results, but you need to do your homework, especially when it comes to managing the hiring/moving/leaving process.
“Another mistake people make is that they think that identity management tools replace business process design, which is absolutely not the case. If you have an old, outdated identity infrastructure, a shiny new solution won’t solve your problems — in fact, it will only make them worse.”
For example, he said, a complex employee or customer onboarding process needs to be streamlined before adding an IAM tool. “An IAM tool can do almost any kind of mapping with your business process, but if your business process is silly to begin with and too complex, you’re just implementing an existing mess.”
The biggest problem is the multiplicity of entry points for creating client user IDs, he said. A large bank, for example, may have different portals for creating user IDs from different business units. As a result, there are identification silos.
“The final mistake is not treating identity and access management as critical infrastructure, as network security is.”
Asked what IT leaders should be doing, Cser said IAM governance is only part of the solution. IT also needs to get rid of passwords; automate the IAM side of onboarding, internal transfers, and departures; and if you need to allow employees to use passwords, periodically force a reset for better security.
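One way to automate the departure and transfer checks described above, for applications that sit outside federated sign-on, is to reconcile each application's account export against the HR roster. This is an added example, not code from CyberArk, Forrester or the article; the roster, account exports, entitlement policy, and all names and dates in it are constructed for illustration.

```python
from datetime import date

# Constructed sample data. HR is treated as the source of truth; the account
# exports stand in for applications that are not behind federated sign-on.
HR_ROSTER = {
    "e1001": {"status": "active", "dept": "finance", "left_on": None},
    "e1002": {"status": "terminated", "dept": "brokerage", "left_on": date(2021, 11, 30)},
    "e1003": {"status": "active", "dept": "support", "left_on": None},
}
APP_ACCOUNTS = [
    {"app": "reports", "emp": "e1002", "enabled": True, "last_login": date(2021, 12, 10)},
    {"app": "reports", "emp": "e1001", "enabled": True, "last_login": date(2021, 12, 1)},
    {"app": "ledger", "emp": "e1003", "enabled": True, "last_login": date(2021, 10, 2)},
    {"app": "ledger", "emp": "e1002", "enabled": False, "last_login": date(2021, 11, 29)},
    {"app": "wiki", "emp": "e0999", "enabled": True, "last_login": None},
]
# Hypothetical entitlement policy: departments allowed to hold an account per app.
APP_POLICY = {
    "reports": {"finance", "brokerage"},
    "ledger": {"finance"},
    "wiki": {"finance", "brokerage", "support"},
}


def find_stale_access(roster, accounts, policy):
    """Return (app, emp, reason) for every enabled account that should not exist."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        person = roster.get(acct["emp"])
        if person is None:
            findings.append((acct["app"], acct["emp"], "orphan: no HR record"))
        elif person["status"] == "terminated":
            # A login dated after the departure date is the case to escalate first.
            used = acct["last_login"] and acct["last_login"] > person["left_on"]
            reason = "leaver: used after departure" if used else "leaver: still enabled"
            findings.append((acct["app"], acct["emp"], reason))
        elif person["dept"] not in policy.get(acct["app"], set()):
            findings.append((acct["app"], acct["emp"], "mover: department not entitled"))
    return findings


if __name__ == "__main__":
    for app, emp, reason in find_stale_access(HR_ROSTER, APP_ACCOUNTS, APP_POLICY):
        print(f"{app:8} {emp:6} {reason}")
```

Run on a schedule against fresh exports, the "used after departure" findings go to incident response, while the rest feed the deprovisioning queue.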
In its report, CyberArk stated that CIOs/CISOs reported implementing real-time monitoring and analytics to audit all privileged session activity; implementing least-privilege/zero-trust security principles on infrastructure that runs business-critical applications; and adding processes to isolate critical applications from internet-connected devices to limit lateral movement.