If somebody stole your credentials, would your organization be able to detect it? If so, how long do you think it would take?
Many might not know the answer to the first question, and many more might be embarrassed to answer the second. But identity breaches can be very destructive and expensive in terms of the damage hackers do: the loss of sensitive data, damage to brands and reputations, compliance failures, and large remediation costs. Breaches that use stolen or compromised credentials have increased a whopping 71% year over year[1]. Most IT operations have multiple security layers protecting the enterprise, so it’s much easier for a hacker to steal a credential and log in than to hack in. Attackers do it because it works.
The best way to stop bad actors is to make sure they don’t get access to your systems in the first place. This is the practice of Identity and Access Management (IAM): making sure that only the correct, authenticated customers and employees have access to the systems they need, while minimizing the risk of phishing or stolen credentials. The practice has come a long way from simple usernames and passwords. New techniques such as ITDR solutions, zero-trust environments, and passwordless strategies are changing how smart companies secure their systems. IAM can also be a source of business value beyond security: it can be an important part of building the right employee or customer experience by making the authentication process as easy for the user as possible while maintaining a high level of security.
Identity Threat Detection and Response (ITDR) and zero-trust
Converge is working with many companies to improve their monitoring and credential breach detection with Identity Threat Detection and Response, or ITDR. ITDR is a relatively new IAM category that helps identify credential breaches and minimize lateral movement. ITDR generally performs three different tasks:
- Detect the identity breach using aggregated signals and AI
- Quarantine and limit the “blast radius” (i.e., the amount of damage done)
- Execute an immediate response that is unique to the organization
Ideally, the ITDR solution integrates across the entire security environment, regardless of vendor or source, and aggregates signals from across the ecosystem to sense when confidence in a user’s authentication has degraded below a certain level. The goal is to collect as many signals as possible and detect when the organization faces a significant risk. In response, ITDR limits the damage, for example by expiring the user’s session at the IdP level and then logging them out of all applications rather than waiting for individual sessions to time out on their own. This can stop the hacker in their tracks once the breach is detected. After that, custom responses usually follow, such as alerting the security team and recording the history of the attack so fixes can be made to prevent similar attacks in the future.
Integration of multiple identity technologies is key to building a zero-trust environment. Converge’s cybersecurity practice implements a lot of extended detection and response (XDR) technology like CrowdStrike, secure access service edge (SASE) technology like Zscaler, and Okta Identity. When these technologies are integrated and share signals, companies can vastly improve their security posture. For example, context such as a person’s geo-location, the type of data they are trying to access, or the device profile can feed the access decision. By integrating these systems we can extend zero-trust beyond the traditional perimeter.
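As an added illustration of the signal aggregation and response playbook described above, here is a small Python pipeline written for this post (it is not Converge’s, Okta’s or any other vendor’s code). It assumes a constructed newline-delimited JSON feed in which the IdP, the SASE proxy, the EDR agent and an application each forward events tagged with a session id; the penalty weights, the confidence threshold, the travel window and the app names are all assumptions for the demo. Each session starts at full confidence, every source’s signals subtract from it, and once it drops below the threshold the playbook expires the IdP session, revokes every downstream app session and alerts the security team.

```python
import json
from typing import Dict, List

# Confidence penalty per signal kind. The weights are assumed for the demo, not taken from any product.
PENALTIES = {
    "impossible_travel": 60,      # second login from another country inside the travel window
    "edr_alert": 70,              # endpoint tool flagged the device the session runs on
    "new_device": 25,             # device profile never seen for this user
    "sensitive_data_access": 20,  # access to a high-sensitivity data class
}
CONFIDENCE_THRESHOLD = 50         # below this the response playbook runs
TRAVEL_WINDOW_MINUTES = 60

# Constructed sample signals, one JSON object per line, as if forwarded by the IdP, the SASE proxy,
# the EDR agent and an application. "minute" is a simplified timestamp.
SAMPLE_EVENTS = """\
{"source": "idp",  "user": "alice", "session": "s-101", "kind": "login", "country": "US", "minute": 0}
{"source": "sase", "user": "alice", "session": "s-101", "kind": "login", "country": "BR", "minute": 12}
{"source": "edr",  "user": "alice", "session": "s-101", "kind": "edr_alert"}
{"source": "idp",  "user": "bob",   "session": "s-202", "kind": "login", "country": "US", "minute": 0}
{"source": "app",  "user": "bob",   "session": "s-202", "kind": "sensitive_data_access"}
"""

# Constructed inventory of live downstream application sessions per user (what an IdP would
# consult for single logout). Hypothetical app names.
APP_SESSIONS = {"alice": ["crm", "hr-portal"], "bob": ["mail"]}


def score_sessions(events: List[dict]) -> Dict[str, dict]:
    """Aggregate every source's signals per session: start at confidence 100, subtract penalties."""
    state: Dict[str, dict] = {}
    for ev in events:
        s = state.setdefault(ev["session"], {"user": ev["user"], "confidence": 100, "last_login": None})
        kind = ev["kind"]
        if kind == "login":
            last = s["last_login"]
            # Derive "impossible travel" from two logins, whichever sources reported them.
            if last and last["country"] != ev["country"] and ev["minute"] - last["minute"] < TRAVEL_WINDOW_MINUTES:
                kind = "impossible_travel"
            s["last_login"] = {"country": ev["country"], "minute": ev["minute"]}
        s["confidence"] = max(0, s["confidence"] - PENALTIES.get(kind, 0))
    return state


def respond(session_id: str, user: str, app_sessions: Dict[str, List[str]]) -> List[str]:
    """Response playbook: expire the IdP session, revoke every app session, then alert the SOC."""
    actions = [f"expire_idp_session:{session_id}"]
    actions += [f"revoke_app_session:{app}" for app in app_sessions.get(user, [])]
    actions.append(f"alert_soc:{user}")
    return actions


def run_pipeline(raw_jsonl: str, app_sessions: Dict[str, List[str]]) -> Dict[str, dict]:
    """Parse the signal feed, score each session and run the playbook where confidence is too low."""
    events = [json.loads(line) for line in raw_jsonl.splitlines() if line.strip()]
    result = {}
    for sid, s in score_sessions(events).items():
        below = s["confidence"] < CONFIDENCE_THRESHOLD
        result[sid] = {
            "user": s["user"],
            "confidence": s["confidence"],
            "actions": respond(sid, s["user"], app_sessions) if below else [],
        }
    return result


if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_EVENTS, APP_SESSIONS), indent=2))
```

Running it shows the point of cross-vendor signal sharing: neither the SASE login nor the EDR alert alone is conclusive, but aggregated per session they push alice’s confidence to zero and trigger the full playbook, while bob’s single sensitive-data access only lowers his score and triggers nothing.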
Beyond the username and password: Passwordless
Passwordless approaches forgo passwords and instead use passkeys, which rely on public key cryptography and are unlocked by biometrics (e.g., facial scan, fingerprint) or other authentication methods. They vastly improve security and nearly eliminate phishing, all while improving the user’s experience. Organizations that adopt passwordless approaches are incredibly resistant to phishing because there is no password to steal. In the past, deploying passwordless at large organizations was complex because the passkeys were typically tied to an individual device, but users often had multiple devices (e.g., desktop, laptop, different stations, tablet, phone). With updated passwordless standards like FIDO2, companies can synchronize passkeys across multiple devices. With commercial options now available, like Okta FastPass, enterprise-level passwordless approaches are very viable.
Passwordless technologies like FastPass make for much better, faster, and less frustrating user experiences, which means less employee friction and more productivity. Logging in takes a third of the time. It often (but not always) uses a fingerprint, which is much easier than remembering and constantly updating a password. The passkey only needs to be reset every 90 days. You don’t need to trade off a smooth and quick user experience for security.
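To show why “there is no password to steal” holds, here is an added Python model of the passkey ceremony, written for this post and not taken from FIDO2, Okta FastPass or any other product. The relying party stores only a public key per user and issues a fresh one-time challenge for each login; the user’s device signs the challenge together with the origin the browser says the user is on, and the relying party checks both the signature and the origin. Textbook RSA over random 128-bit primes stands in for the ES256 or EdDSA keys real passkeys use (it is a toy with no padding, chosen only so the block runs on the standard library); the names `RelyingParty`, `Authenticator` and `attempt_login`, and the `example.test` domain, are assumptions.

```python
import hashlib
import json
import math
import secrets

# Toy signature scheme: textbook RSA with random primes, a stand-in for real passkey algorithms.
# No padding and far too small for production; only the protocol flow around it is the point.

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair():
    """Return (public_key, private_key) dicts; each call yields a fresh, unique key pair."""
    e = 65537
    while True:
        p, q = _random_prime(128), _random_prime(128)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: dict, data: bytes) -> int:
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def _serialize(client_data: dict) -> bytes:
    return json.dumps(client_data, sort_keys=True).encode()

class RelyingParty:
    """The service: holds public keys and one-time challenges, never a password."""
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.credentials = {}  # user -> registered public key
        self.pending = {}      # user -> outstanding challenge, consumed on first use

    def register(self, user: str, pubkey: dict) -> None:
        self.credentials[user] = pubkey

    def begin_login(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_login(self, user: str, client_data: dict, sig: int) -> bool:
        challenge = self.pending.pop(user, None)  # a replayed assertion finds no challenge
        if challenge is None or client_data.get("challenge") != challenge:
            return False
        if client_data.get("origin") != f"https://{self.rp_id}":  # origin binding check
            return False
        return verify(self.credentials[user], _serialize(client_data), sig)

class Authenticator:
    """The user's device: private keys scoped to the rp_id they were created for."""
    def __init__(self):
        self.keys = {}

    def create_credential(self, rp_id: str) -> dict:
        pub, priv = generate_keypair()
        self.keys[rp_id] = priv
        return pub

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # The browser supplies the origin the user is really on; the device signs it with the challenge.
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
        return client_data, sign(self.keys[rp_id], _serialize(client_data))

def attempt_login(rp: RelyingParty, auth: Authenticator, user: str, origin: str) -> bool:
    """Full ceremony: challenge from the relying party, signed assertion from the device, verification."""
    challenge = rp.begin_login(user)
    client_data, sig = auth.get_assertion(rp.rp_id, challenge, origin)
    return rp.finish_login(user, client_data, sig)

if __name__ == "__main__":
    rp, device = RelyingParty("example.test"), Authenticator()
    rp.register("alice", device.create_credential("example.test"))
    print(attempt_login(rp, device, "alice", "https://example.test"))  # True
    print(attempt_login(rp, device, "alice", "https://examp1e.test"))  # False: signed origin does not match
```

The second call models a user who completes the ceremony on a lookalike origin: the assertion is cryptographically valid, but because the signed client data carries the wrong origin, the real relying party rejects it, and since the challenge is consumed on first use, presenting the same assertion twice fails as well. Nothing reusable ever leaves the device, which is the property the paragraph above relies on.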
Business value and identity governance
Unless an organization has had a recent big breach or compliance failure, its IAM ambitions are often slowed down by operational and capital budget constraints. Smart security practitioners need to build a solid business case and ROI model to justify the investment in identity technology. Traditionally this is done with data points such as “service desk call volume reduction due to user self-care” and “automated user access provisioning and termination” that reduce admin overhead, or with compliance-based metrics, such as “reduce the cost of compliance through automating access review and reporting.” While such metrics are useful, we can go further in justifying security expenditures by focusing on saved software costs, increased productivity, and better user experiences.
For example, identity governance is often about providing least-privilege access, meaning limiting which systems, and what level of access, a user has. The less access a user has, the less damage a bad actor can do with that user’s account. But a careful look at limiting access to software can also reveal users holding expensive SaaS licenses that they may not need, or at least don’t need frequently. With a good, automated provisioning and identity system in place, you can limit the number of SaaS licenses while still guaranteeing users access to those systems at the time of need. This can reduce SaaS costs, especially with large employee populations.
Customer identity
Customer identity is going through a renaissance. Most organizations have some kind of access management program that was designed and deployed 15 years ago and has since been evolved to take on newer protocols and scale to the cloud. Most companies would benefit from a transformational approach at this point.
The authentication/authorization process for customers is often a vital part of the customer experience and the company’s brand. Companies should be able to build the most customized experience that supports the company’s brand and desired experience, but also have the tools to solve the details of the authentication process that may be beyond the company’s core competency, such as using cryptography, Self Sovereign Identity (SSI), Web3, passwordless and other emerging identity strategies. We are now seeing companies shift that responsibility to a dedicated identity company that is focused solely on identity, adopting that company’s best practices and accountability.
For example, Converge is working with a financial services company that has both wealth management and retirement clients. These groups have worked completely siloed for the past two decades, and most customers have different identities and authentication credentials for each business line. The company needed to bring them together and consolidate identity. Converge deployed Okta’s Customer Identity Cloud (Auth0) with pre-built integrations and workflows to achieve identity consolidation. By leveraging out-of-the-box workflows and integrations we are accelerating our project and reducing risk. In the end, our financial services client can leverage new capabilities like passwordless for the client, identity verification for sensitive transactions, and much simplified registration processes, all without developing the expertise in-house.
Conclusion
In the recent Ponemon Institute report, Unprepared & Vulnerable: The Urgency in Reinforcing IAM Protocols to Prevent Data Breaches, sponsored by Converge, 54% of respondents reported that their organizations experienced at least one data breach in the last 24 months due to leaked, compromised, or stolen credentials. Surprisingly, between 30% and 54% of organizations have not yet implemented MFA to protect their workforce accounts from compromise. Of the 46% that do use MFA, less than half (49%) use advanced risk-based authentication to prevent unauthorized access.
The report includes the top five actions your organization can take today to improve identity posture. Embracing these forward-thinking security practices is crucial for defending against the sophisticated landscape of cyber threats. Download your copy!
Fast-Track your security with Converge IAM Workshop
Converge offers an Identity and Access Management Workshop: a rapid assessment and interactive workshop where we discuss your identity priorities, educate you on the latest technologies and provide recommendations and business justification for making IAM improvements using the latest techniques. It’s a fast and smart way to get started. The identity and access management problem is getting harder, but there are great ways to improve both your security and user experience.
Let’s work together and get started.
This post is a summary of a session by Kyle Watston, VP of IAM, Converge Technology Solutions and Okta. It can be viewed here.
[1] 2024 IBM X-Force Threat Intelligence Index