Assess and manage identity security
Strong identity security and governance are key to the future of zero trust.
When it comes to identity and access management, many security leaders struggle to meet the recommendations of internal and external parties.
Many identity and access management processes are notoriously inefficient and many known solutions are difficult to implement.
Our Suggestion
Critical Insight
Building an identity security architecture is a high-value move that will drive the modernization of identity security.
Impact and Outcome
Develop common terminology and understanding of identity concepts.
Identify roles and responsibilities within the organization for managing identity security.
Inventory your identity types, repositories, threats and mitigations.
Develop an identity security architecture to understand and mitigate weaknesses.
Assessing and Governing Identity Security Research and Tools
1. Assess and Govern Identity Security Deck – A step-by-step document that walks you through how to properly inventory your identity types, repositories, threats, and mitigations.
Use this storyboard to learn how to assign identity security roles and responsibilities, inventory identity types and repositories, assess identity security threats and mitigations, and build an identity security architecture.
2. Identity Security RACI Diagram – Best template to help you document roles and responsibilities related to identity security.
Use this tool to document your roles and responsibilities related to identity security.
3. Identity Security Architecture Tool – A structured tool to help you inventory identity types, threats, and mitigations using the MITRE ATT&CK® framework.
Use this tool to:
Inventory your identity types and repositories.
Assess your identity security threats and mitigations using the MITRE ATT&CK® framework.
Build an identity security architecture.
Webinar: Assessing and Managing Identity Security
Workshops are an easy way to speed up your project. If you are unable to complete the project yourself and a guided implementation is not enough, we offer low-cost workshop delivery: we walk you through every stage of the project and make sure you leave with a roadmap for completing it successfully.
Module 1: Establishing Identity Governance
Purpose
Establish identity governance.
Key benefits achieved
Improved Identity Governance
Activity
Output
Use standard identity classifications.
Identity classification
Determine the tasks of your identity security project.
Assign responsibility and ownership to each task in the RACI diagram.
Identity Security RACI Chart
Analyze your RACI chart.
Module 2: Assessing and Mitigating Identity Threats
Purpose
Assess and mitigate identity threats.
Key benefits achieved
Assessed identity threats
Activity
Output
Document identity repositories.
Inventory your identity types.
Identity List
Review and assess identity-based MITRE ATT&CK® threats.
Review and evaluate identity-based MITRE ATT&CK® mitigations.
Identity-Based Threat and Mitigation Assessment Using the MITRE ATT&CK® Framework
Identity security architecture with priority controls
Analyst View
Effectively protect all managed identities
To ensure that identity security is significantly improved, organizations must be willing to take a step back, understand where vulnerabilities lie, and identify threats that could exploit them.
Each organization may handle many different identity types. This leads to a complex system of identity storage, ownership and security requirements. The first step in improving anything related to identity security will be to fully understand all the different identities that exist, where they exist, who owns the processes involved, and what threats exist that might exploit managed identities.
Only when an organization has successfully classified the information needed to protect all of its identities can it build an identity security architecture that describes an approach to identity security appropriate for the modern era.
Ian Mulholland
Research Director, Security, Risk and Compliance, Info-Tech Research Group
Executive Summary
Your Challenge
When it comes to identity and access management, many security leaders struggle to meet the recommendations of internal and external parties.
Many identity and access management processes are notoriously inefficient and many known solutions are difficult to implement.
Common obstacles
Improving identity security can be challenging:
For most organizations, identity and access management has been allowed to grow organically and become inflexible and difficult to control.
In most cases, the number of identities and the items they access is increasing every year, thus requiring more scalable processes and technologies.
Info-Tech's Approach
Info-Tech has developed an efficient approach to building an identity security architecture.
This approach consists of the following steps:
Establish identity security governance.
Create an identity inventory.
Identity-based threat modeling.
Build an identity security architecture.
Info-Tech Insight
Building an identity security architecture is a high-value move that will drive the modernization of identity security.
Identity management and proper credential management are key security factors
Key findings:
450% increase in username/password breaches: Leaks involving usernames and passwords increased by 450% in 2020, totaling 1.48 billion breached records.
$8.64 million average cost of non-compliance in the United States: The average cost of non-compliance in the United States was $8.64 million, the highest in the world and an increase of 5% from the previous year.
2x the amount of time people spend online: In 2020, the amount of time people spend online more than doubled, to more than 7 hours per person per day. Source: ForgeRock
In 2020, the world witnessed a massive digital migration, but the migration was not a safe one. For the third year in a row, identity security has been one of the weakest links in any security program, and the shift to remote work has greatly increased data theft.
Weak identity controls continue to give bad actors easy access to corporate data, and identity and access management practices remain a weak point for many organizations. Learn how to best manage and secure your identities using an identity-centric approach to security planning.
Average cost and frequency of malicious data breaches by root cause vector

Leaked credentials are an expensive and common threat vector
Of the ten initial threat vectors for malicious breaches represented in an IBM report, compromised credentials were the most frequently recurring attack vector, accounting for 20 percent of all malicious breaches.
Accurate inventories of identities and their respective repositories are critical to securing credentials and any access associated with them.
Preparing yourself saves cost and hassle
Stolen or compromised credentials are one of the most expensive causes of malicious data breaches, according to a 2021 report by IBM.
Unified Endpoint Management (UEM) and Identity and Access Management (IAM) products and services can give security teams an advantage by providing insight and deeper visibility into internal networks and potentially suspicious activity.
20% of breaches were carried out through leaked credentials.
$5.33 million is the average total cost of a data breach for businesses with more than 25,000 employees, while the average total cost for businesses with fewer than 500 employees is $2.98 million.
Identity Security and Governance Framework for Security Leaders
Security leaders see modern identity security challenges as too big, and they prefer to focus on narrower challenges that appear to be easily solved using tools like SSO/MFA/PAM. However, this limited attention is passive rather than active and may end up being more expensive in the long run. Building an identity security architecture is a high-value move that will drive the modernization of identity security.

Info-Tech's approach to assessing and managing identity security
Stage | 1. Establish identity security governance | 2. Assess and mitigate identity threats
---|---|---
Stage steps | 1.1 Adopt a standard identity taxonomy; 1.2 Establish roles and responsibilities for identity security | 2.1 Create an identity inventory; 2.2 Assess identity-based threats and mitigations; 2.3 Build an identity security architecture
Stage results | Identity classification; Identity security RACI chart | Identity list; Identity-based threat and mitigation assessment; Identity security architecture with priority controls
Insight Summary
General Insight
Security leaders see the challenges of modern identity security as too big, and they prefer to focus on narrower challenges that can be easily addressed using tools such as single sign-on, multi-factor authentication, or privileged access management. However, this limited attention is passive rather than active, and it may end up being more expensive in the long run. Building an identity security architecture is a high-value move that will drive the modernization of identity security.
Phase 1 Insights
People using different taxonomies may conflict. Once a standard definition has been developed, any existing conflict of understanding can be leveraged as an educational opportunity.
Work with other identity owners to ensure governance is clearly defined before any major changes are made.
Tactical Insight
Your identity processes are working at some level, otherwise the business would not function; they may simply be riskier or more intrusive than you would like. Use what exists today as a starting point rather than starting from scratch.
Phase 2 Insights
Understanding current and future threats to your identity program is critical to modernizing your identity security. Use a structured approach to ensure you identify all identity-based threats that pose a risk to your organization.
Tactical Insight
Modernization starts with understanding legacy components.
Use Info-Tech's blueprint to understand your readiness for each threat vector
IT Benefits
IT can determine the ability of its current security architecture to handle various attack vectors.
IT will no longer need to ban certain applications and services because they are cloud-based.
Analysis and threat modeling are no longer a matter of guessing which problem is most pressing: understand your vulnerabilities, then remediate and plan proactively rather than reactively.
Business Benefits
Line-of-business managers can see which areas need improvement and which can be de-prioritized.
Gain an in-depth understanding of the management aspects of security and threat vectors and techniques.
Learn which mitigations and detections should be implemented to best protect your environment without the extra guesswork.
Use Info-Tech's Blueprint to Improve Your Enterprise Security Posture
Threat Preparedness
Effectively assess how prepared the organization is, expose operational weaknesses, and shift teams from a reactive approach to a more proactive security program.
Enhanced Threat Detection, Prevention, Analysis, and Response
Enhance collaboration and the use of existing security investments through a simulated assessment of the threat environment.
Improve Security ROI
Assess how core employees are using processes and technology to protect the organization.
Identify blind spots and opportunities for continuous improvement
Increase visibility into current performance levels and accurately identify opportunities for continuous improvement through a holistic measurement plan.
Iteration benefits
Realize incremental value over time by understanding the attack vectors that could be used against you. With continuous updates, your security controls evolve with less effort, time and cost.
Short-Term Benefits
Make sure your organization is ready.
Determine the effectiveness of the overall security program.
Simplify security management procedures.
Identify people, process and technology gaps.
Long-Term Benefits
Reduce incident costs and remediation time.
Enhance operational collaboration between prevention, detection, analysis and response efforts.
Strengthen the security posture.
Improve communication with executives about business-related security risks.
Maintain reputation and brand equity.
Info-Tech offers various levels of support to best meet your needs
DIY Toolkit
"Our team has made this critical project a priority, and we have the time and capacity, but some guidance along the way would be helpful."
Guided Implementation
"Our team knows we need to fix a process, but we need help setting priorities. Checking in along the way will help us stay on track."
Workshop
"We need to get this project up and running now. Once we have a framework and strategy in place, our team has the ability to take over."
Consulting
"Our team does not have the time or the knowledge to undertake this project. We need assistance for the entire project."
Diagnostics and consistent frameworks are used across all four options.
Guided Implementation
What does a typical GI look like on this topic?
Phase 1:
Establishing Identity Governance
Call #1: Scope requirements, goals, and your specific challenges.
Call #2: Build an identity security RACI chart.
Phase 2:
Assess and Mitigate Identity Threats
Call #3: Identify and document existing identity types.
Call #4: Assess identity-based threats and mitigations.
Call #5: Build an identity security architecture.
A Guided Implementation (GI) is a series of calls with Info-Tech analysts to help implement our best practices in your organization.
A typical GI is 1 to 5 calls over the course of 1 to 5 months.
Workshop overview
Day 1 | Day 2 | Day 3
---|---|---
Establishing identity governance | Assess and mitigate identity threats | Assess and mitigate identity threats
Activity | 1.1 Use standard identity classifications. 1.2 Identify the tasks of your identity security program. 1.3 Assign responsibility and ownership to each task in the RACI chart. 1.4 Analyze your RACI chart. | 2.1 Document identity repositories. 2.2 Inventory your identity types. 2.3 Review and assess identity-based MITRE ATT&CK® threats. 2.4 Review and evaluate identity-based MITRE ATT&CK® mitigations. | 3.1 Complete the deliverables that were in progress during the previous two days. 3.2 Set a review time for workshop deliverables and discuss next steps.
Deliverables | Identity classification; Identity security RACI chart | Identity list; Identity-based threat and mitigation assessment | Finalized workshop deliverables
Brief Case Study
Industry: Consulting Services
Source: Cloud Security Alliance
Deloitte
Deloitte experienced a major data breach on September 25, 2017, in part due to weak identity, credential and access management. The breach was a direct result of the poor security of an administrative email account, which attackers used to gain privileged and unrestricted access to all areas of the company.
The account was protected by a single password, with no multi-factor or additional verification step. More worryingly, the attackers had access to the account for over a year undetected, allowing them to store and monitor all email coming into and going out of the company. Sensitive information, personally identifiable information (PII), usernames, passwords, IP addresses and architectural diagrams were accessed, including the personal data of blue-chip customers.
Key Takeaways
Secure accounts, including with two-factor authentication and by restricting use of the root account.
Enforce the strictest identity and access controls on cloud users and identities.
Isolate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principle of least privilege.
Rotate keys, remove unused credentials or access rights, and employ centralized programmatic key management.
Deloitte Impact Report
Security incidents and data breaches can occur due to:
Insufficient credential protection
Lack of regular automatic rotation of encryption keys, passwords and certificates
Lack of scalable identity, credential and access management systems
Failure to use multi-factor authentication
Failure to use strong passwords
Attackers who exploit these weaknesses may:
Read, disclose, modify or delete data
Release control-plane and management functions
Snoop on data in transit
Release malware that appears to come from a legitimate source
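To put the takeaways above into practice from a defender's point of view, the following is an added Python example; it is not code from Info-Tech's blueprint, from the Cloud Security Alliance write-up or from Deloitte. It audits a constructed credential inventory against three of the weaknesses listed: privileged accounts without multi-factor authentication, credentials that are no longer used, and keys or certificates that are past their rotation window. The record fields, the 90-day and 180-day thresholds and the sample entries are assumptions chosen for the example.

```python
"""Credential-hygiene audit over an identity inventory.

Added example; not code from Info-Tech's blueprint or from the Deloitte
case study. Field names, thresholds and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds; tune them to your own standards.
MAX_UNUSED_DAYS = 90      # credentials idle longer than this should be removed
MAX_KEY_AGE_DAYS = 180    # keys/certificates older than this are overdue for rotation
ROTATABLE_KINDS = {"api_key", "certificate"}


@dataclass
class Credential:
    name: str                  # account or key identifier
    kind: str                  # "password", "api_key" or "certificate"
    privileged: bool           # administrative or root-level access
    mfa_enabled: bool
    created: date
    last_used: Optional[date]  # None if the credential was never used


def audit_credential(cred: Credential, today: date) -> List[str]:
    """Return finding codes for one credential; an empty list means clean."""
    findings = []
    # Takeaway: secure accounts with MFA, above all privileged ones.
    if cred.privileged and not cred.mfa_enabled:
        findings.append("NO_MFA_PRIVILEGED")
    # Takeaway: remove unused credentials or access rights.
    if cred.last_used is None or (today - cred.last_used).days > MAX_UNUSED_DAYS:
        findings.append("UNUSED_CREDENTIAL")
    # Takeaway: rotate keys and certificates on a schedule.
    if cred.kind in ROTATABLE_KINDS and (today - cred.created).days > MAX_KEY_AGE_DAYS:
        findings.append("KEY_ROTATION_OVERDUE")
    return findings


def audit_inventory(inventory: List[Credential], today: date) -> Dict[str, List[str]]:
    """Map each credential name to its findings; clean credentials are omitted."""
    report: Dict[str, List[str]] = {}
    for cred in inventory:
        findings = audit_credential(cred, today)
        if findings:
            report[cred.name] = findings
    return report


# Constructed sample inventory (not real data) and the audit date it is judged against.
AS_OF = date(2025, 1, 1)
SAMPLE_INVENTORY = [
    # Administrative mailbox protected by a password alone.
    Credential("admin-mailbox", "password", privileged=True, mfa_enabled=False,
               created=date(2024, 6, 1), last_used=date(2024, 12, 30)),
    # Service API key that has not been rotated for over a year.
    Credential("svc-backup-key", "api_key", privileged=False, mfa_enabled=False,
               created=date(2023, 11, 1), last_used=date(2024, 12, 20)),
    # Contractor account that was created but never used.
    Credential("contractor-old", "password", privileged=False, mfa_enabled=True,
               created=date(2024, 1, 15), last_used=None),
    # Ordinary user account in good standing.
    Credential("alice", "password", privileged=False, mfa_enabled=True,
               created=date(2024, 9, 1), last_used=date(2024, 12, 31)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real export from your directory or key management system, the report is the list of items to fix or disable before an attacker finds them; re-running it on a schedule turns the one-off takeaways into a recurring control.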
Stage 1
Establishing Identity Governance
Stage 1 | Stage 2 |
---|---|
1.1 Adopt a standard identity taxonomy 1.2 Establish roles and responsibilities for identity security | 2.1 Create an identity inventory 2.2 Assess identity-based threats and mitigations 2.3 Build an identity security architecture |
This stage will guide you through the following activities:
Adopt a standard taxonomy to understand and discuss identity-related security risks.
Establish roles and responsibilities for identity governance and security.
This stage involves the following participants:
Security team
IT leadership
Business stakeholders
Legal
Human Resources
1.1 Adopt a standard identity taxonomy
Estimated time: 30 minutes
1.1.1 Review Info-Tech's identity taxonomy: Review the terms and definitions related to identity security on the next slide.
1.1.2 Discuss and adapt: As a group, discuss each term and its associated definition. Modify the definitions as needed to suit your organization. The goal is to arrive at a common identity security taxonomy.
Input
current taxonomy
Identity Architecture Materials
Output
Common understanding of identity security terms and definitions
Materials
Taxonomy slides
Participants
Security team
IT leadership
Business stakeholders
Legal
Human Resources
1.1 Identity Concepts and Definitions
A common identity taxonomy fosters mutual understanding

1.2 Establish Identity Security Roles and Responsibilities
Estimated time: 1-2 hours
1.2.1 List project tasks: Start building the RACI chart by defining a list of project tasks. Divide the tasks into four categories: plan, execute, monitor, and measure. List the tasks as row headings down the side of the RACI chart.
1.2.2 Assign responsibility and ownership to each task: For each task in your RACI chart, identify which stakeholder groups are accountable (A), responsible (R), consulted (C) and/or informed (I). Stakeholder groups should be listed as column headings across the top of the RACI chart.
1.2.3 Analyze your RACI chart: To ensure you have strong role assignments, be aware of the common mistakes and red flags when building a RACI chart. These include having too many groups responsible for a task or not assigning an accountable person/group. They are defined in more detail on later slides.
Download the Identity Security RACI Chart Tool
Input
List of tasks that must be completed as part of an identity security project
List of stakeholder groups that will be involved in some capacity in the identity security project
Output
RACI diagram that defines roles for stakeholder groups that perform identity security project tasks
Materials
Laptop
Identity Security RACI Chart Tool
Participants
Security team
IT leadership
Business stakeholders
Legal
Human Resources
1.2.1 List the tasks of the project
To start building a RACI diagram for your identity security project, list the tasks required by the project. Divide these tasks into four categories: plan, execute, monitor, and measure. To help develop this task list, consider the sample tasks listed below:
Plan
Adopt a common identity security taxonomy.
Establish identity and access management policies.
Establish identity governance goals.
Inventory identities and assign data owners.
Identity-based threat modeling.
Identify identity security control requirements.
Develop an identity security architecture.
Define separation of duties constraints.
Define authorization requirements and ensure that the system supports them.
Execute
Create an account with access that follows the principle of least privilege.
Deprovision the account.
Track policy exceptions when assigning access rights.
Monitor
Monitor access requests (cloud access security broker/security information and event management).
Report violations of policies or procedures.
View/audit access permissions to prevent permissions creep.
Measure
Build a business case for architectural technology components.
Measure the efficiency and effectiveness of identity security processes.
If you are using Info-Tech's Identity Security RACI Chart Tool, enter your task list in Column B of Tab 2, the RACI chart.
1.2.2 Assign responsibility and ownership to each task
For each task in the RACI chart, identify which stakeholder groups are accountable, responsible, consulted, and/or informed. There should be one and only one person/group accountable for each task, and at least one person/group responsible. The number of consulted and informed persons/groups will vary for each organization.
Responsible (R): A person who does the work to complete the activity; their job is to complete the activity and/or make the decisions.
Accountable (A): The person answerable for the completion of the activity. Ideally this is a single person, usually an executive or the project sponsor.
Consulted (C): A person who provides input. This is usually a small number of people, often referred to as subject matter experts (SMEs).
Informed (I): A person who is kept up to date on progress. These are the resources affected by the outcome of the activity who need to be updated in a timely manner.
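The rules in 1.2.2 and the red flags in 1.2.3 are easy to check mechanically once the chart is in a machine-readable form. The following is an added Python example, not code from Info-Tech's Identity Security RACI Chart Tool: it validates a constructed chart for exactly one accountable group per task, at least one responsible group, an assumed upper limit on how many groups may be responsible, and cells with codes outside R/A/C/I, and it reports how many tasks each group is accountable for so that overloaded groups stand out. The sample chart, the task names and the limit of three responsible groups are assumptions chosen for the example.

```python
"""RACI chart validation for an identity security project.

Added example; not code from Info-Tech's RACI Chart Tool. The chart below,
the task names and MAX_RESPONSIBLE are assumptions chosen for illustration.
"""
from typing import Dict, List

MAX_RESPONSIBLE = 3  # assumption: more responsible groups than this is a red flag
VALID_CODES = set("RACI")

# Constructed sample chart: task -> {stakeholder group: RACI cell}.
# A cell may hold more than one code, e.g. "A/R".
SAMPLE_RACI: Dict[str, Dict[str, str]] = {
    "Adopt a common identity security taxonomy": {
        "Security team": "A", "IT leadership": "R",
        "Business stakeholders": "C", "Legal": "I", "Human Resources": "I",
    },
    # Red flags: nobody accountable, and four groups responsible.
    "Deprovision accounts": {
        "Security team": "R", "IT leadership": "R",
        "Human Resources": "R", "Business stakeholders": "R", "Legal": "I",
    },
    # Red flag: two accountable groups.
    "Inventory identities and assign data owners": {
        "Security team": "A", "IT leadership": "A", "Business stakeholders": "R",
    },
    # Red flag: accountable group but nobody responsible to do the work.
    "Track policy exceptions": {"Security team": "A", "IT leadership": "I"},
}


def parse_cell(cell: str) -> set:
    """Turn a cell such as 'A/R' or 'c, i' into a set of upper-case codes."""
    return {ch for ch in cell.upper() if ch.isalpha()}


def analyze_task(assignments: Dict[str, str]) -> List[str]:
    """Return the issues found for one task; an empty list means it passes."""
    issues = []
    cells = {group: parse_cell(cell) for group, cell in assignments.items()}
    for group, codes in cells.items():
        bad = codes - VALID_CODES
        if bad:
            issues.append(f"invalid code {''.join(sorted(bad))} for {group}")
    accountable = sum("A" in codes for codes in cells.values())
    responsible = sum("R" in codes for codes in cells.values())
    # Rule: one and only one accountable group per task.
    if accountable == 0:
        issues.append("no accountable group")
    elif accountable > 1:
        issues.append(f"{accountable} accountable groups (must be exactly one)")
    # Rule: at least one responsible group, but not so many that ownership blurs.
    if responsible == 0:
        issues.append("no responsible group")
    elif responsible > MAX_RESPONSIBLE:
        issues.append(f"{responsible} responsible groups (more than {MAX_RESPONSIBLE})")
    return issues


def analyze_chart(chart: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each task with problems to its list of issues; clean tasks are omitted."""
    report: Dict[str, List[str]] = {}
    for task, assignments in chart.items():
        issues = analyze_task(assignments)
        if issues:
            report[task] = issues
    return report


def accountable_load(chart: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Count how many tasks each group is accountable for (spots overloaded owners)."""
    load: Dict[str, int] = {}
    for assignments in chart.values():
        for group, cell in assignments.items():
            if "A" in parse_cell(cell):
                load[group] = load.get(group, 0) + 1
    return load


if __name__ == "__main__":
    for task, issues in analyze_chart(SAMPLE_RACI).items():
        print(f"{task}: {'; '.join(issues)}")
    print("Accountable load:", accountable_load(SAMPLE_RACI))
```

The same checks can be run over the spreadsheet tool by exporting the chart tab to CSV and building the nested dictionary from its rows; the point is that the one-accountable, at-least-one-responsible rule is a hard constraint worth enforcing automatically rather than by eye.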
Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.