Identity management is crucial for an effective cybersecurity defence, but isn’t as hard as some organizations believe, experts said at a webinar as part of Identity Management Day.
In fact one speaker, Lawrence Cruciana, president of North Carolina-based managed security service provider Corporate Information Technologies, reduced the creation of an identity management plan for small businesses to a single phrase: “TWO STEPS.”
Each letter stands for one of eight points, which Cruciana hopes makes them easier to memorize:
1. Take an inventory of the organization’s data assets;
2. Write down all the systems that require identity for access, and the systems (like Active Directory) responsible for identity;
3. Outline your regulatory or contractual requirements for identity. For example, a partner may require your firm to have multifactor authentication before connecting to its network;
4. Stakeholder (business unit) alignment with the identity management program must be secured. For example, agree which employees have to use multifactor authentication and which need a hardware token or USB security key for access;
5. Trust is ephemeral, meaning it can’t be granted permanently to users. “We can’t just say, ‘Bob has access to this system’ and never review it,” he said;
6. Existing IT systems have to be considered under the identity management program, not just new systems;
7. Prioritize the application of identity management based on systems that have the greatest value or impact to the business;
8. Strategic buy-in from senior executives is essential.
“Very often we see identity is seen as something you implement, it’s a technical step,” he said. Identity management — especially in smaller organizations — needs to be elevated to the business process owners, the information system owner, and ultimately to the senior executive or board.
Cruciana was speaking during one of several sessions sponsored by the Identity Defined Security Alliance and the U.S. National Security Alliance.
Often for a small business the key application is email, he noted. “Having strong identity management and a robust multifactor authentication program applied to email can mitigate the broadest areas of risk we see in small organizations,” he said.
Cruciana’s session was aimed at SMBs. Also during that session, Harry Perper of the Mitre Corp. noted that the Center for Internet Security’s CIS Controls include guidelines for implementing identity management.
Multifactor authentication (MFA) may be the most important control an SMB can implement. “Mandate it everywhere possible,” he said. Sending authentication codes by SMS text isn’t the safest method, he added, but in some cases may be good enough. Using an authenticator app (such as those from Google, Microsoft or Duo) is safer. Hardware tokens, such as USB security keys, should be reserved for employees who have privileged access to the most sensitive data and systems, he said.
In a separate session, Tom Sheffield, senior director of cybersecurity at retail chain Target, said any MFA system is better than none. In some cases, SMS-based authentication may be acceptable for guests on your network. It’s all about risk, he said: discover your assets and map MFA against your risks.
MFA should be rolled out in phases, he added, first going after the systems with the highest risk.
Some organizations are hesitant about MFA, said Martin Kuppinger, principal analyst at KuppingerCole Analysts, a Germany-based cybersecurity advisory firm. They worry it impedes system usability. This is a matter of education, he said. “Our thinking must be not to balance security and convenience, but how do we combine security and convenience.”
Manish Gupta, director of global cybersecurity services at Starbucks, talked about the coffee chain’s efforts to abandon passwords in favour of facial or fingerprint recognition for employee logins, as well as behavior-based authentication. This starts with an application establishing a user’s baseline behavior, such as typing rhythm and mouse movement, and then looking for anomalies against that baseline. The technology is only as good as the strength of the analysis engine, he admitted.
Going passwordless can be a struggle in some countries, he added, where regulations may restrict the use of biometrics or the use of smartphones to receive authentication codes.
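As an added illustration of the baseline-then-anomaly approach Gupta described (this is example code written for this article, not Starbucks’ or any vendor’s implementation; the session did not say what analysis method is used, so the per-position z-score, the floor on the standard deviation, the 2.0 threshold and the timing samples are all constructed assumptions), here is a minimal keystroke-dynamics check in Python:

```python
"""Behaviour-based authentication: keystroke-timing baseline plus anomaly scoring.

Added example, not code from the webinar or from Starbucks. The analysis method
(per-position z-scores), the threshold and all timing data are assumptions.
"""
from statistics import mean, pstdev

# Constructed enrolment data: inter-key intervals in milliseconds for one user
# typing the same short phrase in four sessions. A real deployment would collect
# many more sessions, across devices and times of day.
ENROLMENT_SESSIONS = [
    [110, 95, 130, 120, 100, 115, 125, 105],
    [105, 100, 125, 118, 98, 112, 130, 108],
    [115, 92, 135, 122, 104, 118, 122, 102],
    [108, 97, 128, 116, 101, 114, 127, 106],
]

# Constructed test sessions: one from the same user, one from someone else
# typing the same phrase with a different rhythm.
LEGIT_SAMPLE = [112, 96, 131, 119, 102, 116, 124, 104]
IMPOSTOR_SAMPLE = [180, 140, 90, 200, 160, 70, 210, 150]

# Assumed floor on the standard deviation (ms). Without it, an unusually
# consistent enrolment makes every later deviation look enormous, and a
# zero spread would divide by zero.
MIN_SD = 3.0


def build_baseline(sessions):
    """Return [(mean, stddev), ...] per keystroke position across enrolment sessions."""
    n = len(sessions[0])
    if any(len(s) != n for s in sessions):
        raise ValueError("all enrolment sessions must have the same number of intervals")
    baseline = []
    for i in range(n):
        column = [s[i] for s in sessions]
        baseline.append((mean(column), max(pstdev(column), MIN_SD)))
    return baseline


def anomaly_score(baseline, sample):
    """Mean absolute z-score of a new session against the baseline; 0.0 is a perfect match."""
    if len(sample) != len(baseline):
        raise ValueError("sample length does not match baseline")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(sample, baseline))


def decide(baseline, sample, threshold=2.0):
    """Return (accept, score). The threshold is an assumption: lower it to reject
    more impostors at the cost of rejecting the real user on an off day."""
    score = anomaly_score(baseline, sample)
    return score <= threshold, score


if __name__ == "__main__":
    baseline = build_baseline(ENROLMENT_SESSIONS)
    for label, sample in (("legitimate", LEGIT_SAMPLE), ("impostor", IMPOSTOR_SAMPLE)):
        accept, score = decide(baseline, sample)
        print(f"{label:11s} score={score:5.2f} -> {'accept' if accept else 'step-up / reject'}")
```

The score is deliberately a continuous value rather than a yes/no: in practice a borderline score would trigger step-up authentication (another factor) rather than an outright rejection. Typing rhythm drifts with the keyboard, the time of day and the user’s mood, which is why the quality of the analysis engine, as Gupta noted, determines whether this is usable or just a source of false rejections.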
“The best thing we can do as identity leaders is be the voice of security,” said Sheffield. “We need to speak to our cybersecurity partners, our business partners, our technology partners of the importance of all the foundational [cybersecurity] capabilities, and be the advocate for them and get [people] to understand why these are necessary.”