Identity management, as a concept, has been around for a while, although many of us are just hearing about it now. It sounds impressive, but what does it really mean, and are there steps your organization should be taking to ensure you have good identity management practices in place?

What is Identity Management?

Identity management (also called identity and access management or IAM) is just a fancy name with a high price tag that essentially covers all of the cybersecurity best practices you likely already have in place. The goal of any IAM strategy is to define and manage the roles and access privileges of all users on your network, and specify the circumstances under which users should be granted or denied privileges.

IAM Takes Cybersecurity Beyond the Workplace

While most organizations have robust cybersecurity practices already in place, the most significant shift IAM brings to the table is bringing cybersecurity out of the workplace and into the personal sphere.

As hacking and other forms of cybercrime become increasingly common, many individuals have begun paying cybersecurity companies to protect their personal identity by monitoring their personal data for suspicious activity. This approach builds on the same basic best practices organizations already use, but it is the first time those practices have been applied to individuals outside the workplace, and the idea that individuals need to take cybersecurity steps to protect their personal digital assets continues to gain traction.

Identity & Access Cybersecurity Best Practices: A Brief Refresher

We have discussed cybersecurity best practices in the past. However, you should review your current cybersecurity posture frequently so you can ensure your current protocols continue to safeguard your digital assets and meet your needs.

Knowledge is Power

A lack of data can cripple even the best cybersecurity solution. Make sure your network is monitored 24/7/365 for suspicious activity and that all activity on the network is logged.

From an identity and access standpoint, suspicious activity may include users logging on at strange hours or from strange locations (a sign that their credentials may have been stolen by cybercriminals) or signs of credential stuffing, where cybercriminals try multiple username and password combinations in rapid succession in the hopes that one pairing will grant access.

Not Everyone Needs to Access Everything

Some areas of your network are bound to contain more sensitive systems and data than others. As such, these areas, such as financial records, should be afforded extra protection. While your network likely already has a firewall around its perimeter, you should consider installing internal firewalls around critical or sensitive systems as a second line of defense if your perimeter is breached.

The Importance of Strong Password Guidelines

Choosing a strong, hard-to-guess password is a simple step all users can take to improve your cybersecurity posture. To help ensure all users are choosing good passwords, you should be enforcing password best practices. NIST (the National Institute of Standards and Technology) offers comprehensive guidelines on choosing secure passwords in section 5.1.1.1 (Memorized Secret Authenticators) of their Digital Identity Guidelines document.

The Benefits of Password Managers

The best passwords are long and truly random, unlikely to be guessed by anyone in a reasonable amount of time. However, long random passwords are also a pain to memorize, encouraging users to write them down or otherwise store them insecurely, defeating their purpose.

To help ensure users are choosing strong passwords, you may want to consider using a password manager. A password manager works like a book of passwords where only the user has the master key. Passwords within the manager can be randomly generated, and many password managers will flag reused passwords so that users know the password they are using isn’t unique and needs to be updated.
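The two preceding sections describe a NIST-style password policy and the random generation and reuse warnings a password manager provides. The following is an added example, not code from the original article or from VirtualArmour, that puts both into a small Python module. It applies the NIST Digital Identity Guidelines (SP 800-63B) approach: a length floor of 8, a ceiling of at least 64, a blocklist of compromised or common values plus context-specific words and repeated characters, and no composition rules. The blocklist, the context words and the sample vault are constructed for the example; a real deployment would load a breach-derived list instead.

```python
import secrets
import string
import unicodedata

# Constructed sample blocklist of compromised/common passwords (not a real list).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "virtualarmour"}

MIN_LENGTH = 8    # NIST SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64   # NIST SP 800-63B: verifiers should accept at least 64 characters


def check_password(candidate: str, context_words=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    No composition rules (forced digits/symbols) are applied, per NIST; instead the
    value is checked for length, blocklisted values, context-specific words and
    trivially repetitive input.
    """
    # Normalise so that visually identical Unicode inputs compare equally.
    normalised = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(normalised) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalised) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = normalised.lower()
    if lowered in BLOCKLIST:
        problems.append("appears on the compromised/common password list")
    # Context-specific words (service name, username) are rejected as substrings.
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    if normalised and len(set(normalised)) == 1:
        problems.append("repeats a single character")
    return problems


# Generator alphabet: letters, digits and punctuation, like most password
# managers' default settings.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG, as a password manager would."""
    if length < MIN_LENGTH:
        raise ValueError("generated passwords must not be shorter than the policy minimum")
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))


def find_reused(vault: dict) -> dict:
    """Map each password shared by several sites to those sites, mirroring the
    reuse warning many password managers display."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed vault entries for the demonstration.
    vault = {"bank": "Tr0ub4dor&3", "mail": "Tr0ub4dor&3", "shop": generate_password()}
    print("rejections for 'password':", check_password("password"))
    print("reused passwords:", find_reused(vault))
```

The generator uses the `secrets` module rather than `random`, because the manager's value comes entirely from the unpredictability of what it produces.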

The Power of MFA

Physical devices such as computers and smartphones can be stolen or lost, and passwords can be compromised, which is why many organizations and individuals are turning to MFA. MFA (multi-factor authentication, also called two-factor authentication) pairs a strong password with a second form of identification, such as a hardware element or text message confirmation. 

When a user enters their username and password, the system sends them a push notification, often to their smartphone. The push is generated by the MFA app, and the user must acknowledge the push (either by clicking on a link in the message or entering a randomly generated temporary code on the login page) before they are granted access to the network.

Make Sure You Have Offboarding Procedures in Place

While many organizations invest a lot in their onboarding processes to ensure new hires are set up for success, not all organizations invest in offboarding processes. Making sure you have policies and procedures in place for revoking credentials from former employees is vital for good cybersecurity. 

Former employees and cybercriminals alike may act unscrupulously and use their old credentials to gain access to the system. If cybercriminals are successful, their unauthorized access may go unnoticed for a while since the former employee is no longer monitoring their old account. 
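The monitoring section earlier (logins at strange hours or from strange locations, and bursts of username/password attempts that indicate credential stuffing) and the offboarding point just made (credentials still in use after an employee has left) all come down to the same check: run the authentication log against what you know about your users. The following is an added example, not code from the original article or from VirtualArmour, that does this in Python over a constructed log in a made-up `timestamp user source_ip country result` format; the business-hours range, the stuffing thresholds, the per-user baseline countries and the offboarding date are all assumed values for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
2024-03-04T09:02:11Z alice 203.0.113.10 US success
2024-03-04T09:05:40Z bob 203.0.113.11 US success
2024-03-04T03:14:02Z alice 198.51.100.7 RO success
2024-03-04T12:00:01Z carol 192.0.2.50 US failure
2024-03-04T12:00:02Z dave 192.0.2.50 US failure
2024-03-04T12:00:03Z erin 192.0.2.50 US failure
2024-03-04T12:00:04Z frank 192.0.2.50 US failure
2024-03-04T12:00:05Z grace 192.0.2.50 US failure
2024-03-04T12:00:06Z heidi 192.0.2.50 US success
2024-03-05T10:30:00Z bob 203.0.113.11 US success
2024-03-06T08:15:00Z carol 203.0.113.12 US success
"""

# Constructed identity data: countries each user normally logs in from, and the
# date from which an offboarded account should have no activity at all.
USER_BASELINE_COUNTRY = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "heidi": {"US"}}
OFFBOARDED_ON = {"bob": datetime(2024, 3, 5)}

BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 UTC is treated as normal
STUFFING_WINDOW = timedelta(seconds=60)  # failures within this span count as one burst
STUFFING_MIN_FAILURES = 5
STUFFING_MIN_USERS = 3                   # many distinct usernames = stuffing, not a typo


def parse_log(text: str) -> list:
    """Parse the whitespace-separated sample format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events: list) -> list:
    """Return (alert_type, subject, detail) tuples for the three checks."""
    alerts = []
    # 1. Successful logins at odd hours or from a country outside the user's baseline.
    for e in events:
        if e["result"] != "success":
            continue
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append(("odd_hours", e["user"], e["time"].isoformat()))
        baseline = USER_BASELINE_COUNTRY.get(e["user"])
        if baseline and e["country"] not in baseline:
            alerts.append(("unusual_location", e["user"], e["country"]))
    # 2. Credential stuffing: many failures across distinct users from one source IP.
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)
    for ip, fails in failures_by_ip.items():
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["time"] - first["time"] <= STUFFING_WINDOW]
            if len(burst) >= STUFFING_MIN_FAILURES and len({f["user"] for f in burst}) >= STUFFING_MIN_USERS:
                alerts.append(("credential_stuffing", ip, len(burst)))
                break
    # 3. Any activity on an account on or after its offboarding date.
    for e in events:
        cutoff = OFFBOARDED_ON.get(e["user"])
        if cutoff and e["time"] >= cutoff:
            alerts.append(("offboarded_account_used", e["user"], e["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The offboarding check is the cheapest of the three and the one most often missing: it only needs HR's leaver list joined to the login log, and any hit means a credential that should have been revoked still works.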

Offboarding is also a good policy to have regarding your personal data. Make sure you are completely aware of any other parties that have access to any personal accounts, including bank accounts or even your Netflix account, and know how to have their access removed should the need arise.

Consider a Zero Trust Approach

Zero Trust Security is exactly what it sounds like: Don’t trust any user until they are verified. Like current best practices, traditional cybersecurity approaches included strong perimeter security, such as firewalls. However, one of this model’s main failings was that if an unauthorized user was able to breach the perimeter, there was little to no internal security to prevent them from accessing sensitive areas of the network. 

Zero Trust Security rests on the belief that trust should never be automatically granted either outside or inside a network’s perimeter. All users must verify their identity every time they try to move around the network. This way, even if the perimeter is breached, unauthorized users can be more easily contained to the network’s less sensitive areas.
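To make the contrast with perimeter-only security concrete, here is an added Python example (not code from the original article or from VirtualArmour) of a per-request access decision in the zero-trust style. It also reflects the earlier point that sensitive areas such as financial records deserve extra protection: resources are tiered, higher tiers demand more recent MFA and a managed device, and whether the request comes from inside the corporate network carries no weight at all. The resource names, tiers, role permissions and MFA-age limits are assumed values for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed resource tiers: higher number = more sensitive.
RESOURCE_TIER = {
    "wiki": 1,
    "ticketing": 1,
    "hr-portal": 2,
    "finance-ledger": 3,
}

# Least privilege: which roles may reach which resources at all (constructed).
ROLE_PERMISSIONS = {
    "staff": {"wiki", "ticketing"},
    "hr": {"wiki", "ticketing", "hr-portal"},
    "finance": {"wiki", "ticketing", "finance-ledger"},
}

# How recent the MFA verification must be for each tier (assumed values).
MAX_MFA_AGE_SECONDS = {1: 8 * 3600, 2: 3600, 3: 300}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_verified_seconds_ago: Optional[int]  # None = no MFA completed in this session
    device_managed: bool
    on_corporate_network: bool               # recorded, but deliberately ignored


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Decide a single request. Being inside the perimeter grants nothing; identity,
    MFA freshness and device state are re-checked on every request, not once at login."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return False, "unknown resource"
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role '{req.role}' is not permitted to reach {req.resource}"
    if req.mfa_verified_seconds_ago is None:
        return False, "MFA has not been completed in this session"
    max_age = MAX_MFA_AGE_SECONDS[tier]
    if req.mfa_verified_seconds_ago > max_age:
        return False, f"MFA is older than {max_age}s; re-verification required"
    if tier >= 2 and not req.device_managed:
        return False, "sensitive resource requires a managed device"
    return True, "allowed"


if __name__ == "__main__":
    # A user who is already inside the network still gets stopped at the ledger
    # until MFA is fresh, which is what contains a perimeter breach.
    inside = AccessRequest("alice", "finance", "finance-ledger", None, True, True)
    print(evaluate(inside))
    print(evaluate(AccessRequest("alice", "finance", "finance-ledger", 60, True, False)))
```

In a perimeter model the `on_corporate_network` flag would have been the deciding input; here it is carried along only so the decision log records it.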

Further Reading

Cybersecurity is everyone’s business, from the intern in the mailroom all the way up to the CEO, and this idea has spread beyond the workplace and into the home. To help ensure your cybersecurity posture as a business is as strong as possible, you should be:

  • reviewing your policies regularly
  • including cybersecurity in your onboarding process for new employees 
  • offering frequent refresher training for all employees

On a personal and workplace front, you should make sure that you, your family members, and your co-workers all understand the importance of good cybersecurity and why each policy and procedure is in place.

If you could use a refresher, we have included a list of articles for your review below. If you have any questions about cybersecurity or could use some expert advice, please contact our experienced team.

Educating Yourself & Your Team

Cybersecurity Awareness is Increasingly Important, Especially With 2020 Around the Corner

The Modern Hacker: Who They Are, Where They Live, & What They’re After

VirtualArmour Academy

Essential Best Practices

Cyber Hygiene 101: Basic Steps to Keep Your Company Secure

Cybersecurity Spring Cleaning: It’s Time to Review Your Security Practices

Creating a Response Plan

Building a Cybersecurity Incident Response Program

Best Practices for Organizations with BYOD Policies

Keeping Your Network Secure in a “Bring Your Own Device” World

Securing Your Website

Basic Website Precautions: Keep Intruders Out With These Fundamental Security Best Practices

Common Cybersecurity Attacks to Prepare For

In a Remote World, Social Engineering is Even More Dangerous

5 Old-School Hack Techniques That Still Work (& How to Protect Your Data)

Everything You Need to Know About Ransomware (2019 Edition)

Don’t Let Phishing Scams Catch You Unaware

Cryptojacking: Because Every Currency Needs to Be Protected

Hackers Are Increasingly Targeting People Through Their Phones

Airports are a Hackers Best Friend (& Other Ways Users Expose Themselves to Risk) 

How Fear Motivates People to Click on Spam

What to Do if You’ve Been Hacked

Hacked? Here’s What to Know (& What to Do Next)

Industry-Specific Resources

Healthcare

The Ultimate Guide to Cybersecurity in the Healthcare Industry 

Case Study: Your Healthcare MSSP

Finance

How the Financial Industry Can Strengthen Their Cybersecurity

Case Study: Your Financial Services MSSP

Retail

Case Study: Your Retail MSSP

Energy

Case Study: The MSSP for the Energy Industry

Service Providers

Case Study: The MSSP for Service Providers

Higher Education

Cybersecurity Basics Every College & University Needs to Have in Place

Manufacturing

Cybersecurity for the Manufacturing Industry, What You Need to Know Now