IDENTITY MANAGEMENT DAY 2023: Advice from Cyber Pros
Tomorrow, April 11, is Identity Management Day. This day serves as an annual reminder to increase awareness and education for leaders, IT decision-makers and the general public on the importance of identity management.
The dangers of improper management of digital identities are at an all-time high. We spoke with our blog volunteers to get their insights into what best practices their companies are following, along with how you can get on a path to better identity management.
Why is identity management and security important in 2023?
“In the current digital landscape, identity security has gained paramount importance due to the growing cyber risks posed by phishing and social engineering attacks utilizing AI. These attacks have become more complex and challenging to detect, leading to increased instances of data breaches, account takeovers, and impersonation attacks. For instance, popular social media platforms such as YouTube and Twitter have seen a surge in account takeovers and impersonation incidents. The ubiquity of digital identities and the dependence on personal information for online transactions make individuals more susceptible to identity theft and fraudulent activities. Thus, a robust identity security framework is essential to safeguard against these risks and ensure the protection of personal information. Failure to implement proper identity security measures could result in significant financial loss, reputational damage, and legal implications for individuals and organizations.” – Suman Garai, (ISC)² Candidate
In general, do you feel identity management best practices are being discussed enough at the leadership level?
Many of the volunteers in this group shared the sentiment that identity management, and the policies around it, should be driven by top-level management to promote organizational buy-in. Identity management best practices and training should take place throughout the year, not just annually, and should align with the regulations, standards, frameworks and governance of the organization. Several also stated that these efforts could and should be steered by a committee of key organizational stakeholders.
“Identity and access are important to any security, compliance, and governance plan for an organization. I believe that additional education and understanding of best practices are required from leadership down within all organizations.” – Dwayne Natwick, CISSP
How does your organization provide employees with identity management education?
“Our in-house identity manager and access manager product ensures that we are following standards. Further, we have onboarding training to demonstrate the life cycle and the process involved in that. From time to time, we have corporate self-paced training to ensure we are adhering to standards.” – Neeraj Vijay, CISSP
Chinatu Uzuegbu, CISSP recommends:
- Online/Virtual Trainings/Webinars
- Face-to-face knowledge sharing with demonstrations.
- Batch training for the Identity Management key players.
- Training based on the Need-to-Know and Least Privilege.
- Security awareness programs for all employees.
Face-to-face knowledge sharing with a lab demo leveraging the concepts of Need-to-Know and Least Privilege would be most impactful and secure, as it ascertains that employees are trained, with granularity, on only what they need to know to do their jobs securely.
What identity management best practices do you find help keep your organization secure?
“Privileged Administration Management.” – Doug McLaughlin, CISSP
“MFA, logging and monitoring of login activities, using user behavior analytics type solutions to detect anomalies.” – Suranjit Paul, CISSP
Lorenzo Leonelli, CISSP advises:
- User Education and Awareness: Security breaches brought on by negligence or user error can be prevented by educating users about the risks of using weak passwords, phishing scams, and other typical security concerns.
- Identity Verification and Validation: Users’ and devices’ identities should be confirmed and authenticated before granting access to systems and data. This can help guard against identity theft and help prevent unwanted access.
- Strong authentication: Using mechanisms like two-factor authentication (2FA) or multi-factor authentication (MFA), which need additional factors to be entered, can help ensure that only authorized users have access to sensitive systems and data.
- RBAC, also known as role-based access control, is a technique for limiting access to systems and information based on a person’s job function or role within the business. This lessens the possibility of data breaches and helps prevent unwanted access.
- Reviewing user access privileges on a regular basis can help to find and delete unused or out-of-date privileges, lowering the risk of unwanted access.
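One way to put the RBAC and regular access review points above into practice, as an added example that is not from the blog post or any of the contributors: a small role model over constructed users, direct grants and last-use dates, with a review routine that flags grants held outside a user's assigned roles, never exercised, or idle past a configurable window.

```python
from datetime import date, timedelta

# Constructed sample data (not from the blog post): roles, assignments,
# direct grants that bypass roles, and last-use dates from audit logs.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write", "customer:read"},
}
USER_ROLES = {"alice": {"developer"}, "bob": {"finance"}, "carol": {"support"}}
DIRECT_GRANTS = {"alice": {"ledger:read"}, "carol": {"repo:write"}}  # ad hoc grants
LAST_USED = {  # (user, permission) -> last exercised; missing pairs were never used
    ("alice", "repo:read"): date(2023, 4, 1),
    ("alice", "repo:write"): date(2023, 4, 3),
    ("alice", "ci:run"): date(2023, 4, 2),
    ("alice", "ledger:read"): date(2022, 9, 15),
    ("bob", "ledger:read"): date(2022, 12, 1),
    ("bob", "ledger:write"): date(2023, 4, 4),
    ("carol", "tickets:read"): date(2023, 4, 5),
    ("carol", "tickets:write"): date(2023, 4, 5),
}

def role_permissions(user):
    """Permissions the user should hold purely by virtue of assigned roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ())))

def effective_permissions(user):
    """What the user can actually do: role permissions plus any direct grants."""
    return role_permissions(user) | DIRECT_GRANTS.get(user, set())

def review_access(as_of, max_idle_days=90):
    """Periodic access review: return (user, permission, reason) triples that a
    reviewer should revoke. Reasons: the grant sits outside the user's roles
    (out-of-date), it was never exercised, or it has been idle past the window."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_idle_days)
    findings = []
    for user in USER_ROLES:
        in_role = role_permissions(user)
        for perm in sorted(effective_permissions(user)):
            last = LAST_USED.get((user, perm))
            if perm not in in_role:
                findings.append((user, perm, "direct grant outside assigned roles"))
            elif last is None:
                findings.append((user, perm, "never used"))
            elif last < cutoff:
                findings.append((user, perm, f"unused since {last.isoformat()}"))
    return findings
```

Running `review_access("2023-04-11")` on the constructed data reports four grants to revoke; widening the idle window to a year drops bob's stale ledger:read from the list.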
If you are interested in participating in future blog surveys, please let us know by completing an (ISC)² Volunteer Application.