As technology continues to evolve and use cases increase in complexity, businesses and organizations need more guidance from individuals skilled in data protection and breach prevention. Cybersecurity remains a top concern for anyone handling sensitive information, but recent incidents and study results indicate an alarming lack of understanding regarding the importance of access control and unified security management.

Some organizations are taking steps to implement better protocols, but others still struggle with vulnerabilities and lack the tools or education to meet the security challenges presented by modern network configurations and diverse modes of access. The following cases highlight some of the major concerns IT and cybersecurity professionals need to address.

Department of Defense Creates New Cybersecurity Standards

In July 2019, the U.S. Department of Defense (DoD) published a draft of its new five-level cybersecurity standards system for contractors and subcontractors. Known as the Cybersecurity Maturity Model Certification (CMMC), the standard is being developed to create a unified approach to security when dealing with sensitive government data and to prevent potentially catastrophic security incidents. The Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute are major players in CMMC development.

Current inconsistencies in contractor security processes cost the government billions of dollars every year, which includes the loss of intellectual property. The CMMC seeks to address and combat this loss by enforcing standards through third-party compliance audits, ongoing risk mitigation and the collection and analysis of metrics. Because DoD data is highly sensitive and a breach could present a threat to national security, rigid enforcement is required to ensure the safety and privacy of information at all times.

Full implementation and inclusion in contractor agreements is expected to begin at the start of 2020 with the goal of being able to monitor and protect the entire supply chain. 

Over 600,000 Patients Affected by Oregon DHS Breach

The effects of a breach at the Oregon Department of Human Services (DHS) in January 2019 are still being felt as notifications go out to the 645,000 people whose records were compromised. This is significantly more than the original estimate of 350,000 and is a sobering reminder of the widespread problems just a few compromised accounts can cause.

Hackers used a phishing scam to steal the credentials of nine DHS employees, which granted access to emails, messages and attachments. Although it’s unclear whether the hackers actually looked at or did anything with the data, it took 19 days for the DHS to detect the breach, perform a password reset and put an end to the unauthorized access. During this time, hackers may have had the chance to view private patient data, including health information and Social Security numbers. Over 2 million emails were affected by the breach.

The DHS provides training to help employees detect phishing emails and employs multi-factor authentication for login procedures, but some are still questioning the efficacy of these methods in the aftermath of such a massive event. Additional measures may be necessary to prevent similar incidents from occurring in the future and protect patients from fraud and identity theft.

Identity and Access Management Challenges

According to a study conducted at the 2019 RSA Conference by access management firm One Identity, businesses continue to struggle with Identity and Access Management. 34 percent of attendees consider privileged identity management (PAM) to be one of the most “difficult operational tasks” for businesses, followed by user password management and lifecycle management. Seventy-one percent cited data loss as a top security issue, and 44 percent recognized both insider and outsider threats as significant concerns.

Despite these findings, only 14 percent of respondents felt better access control would have a positive effect on cybersecurity. This suggests businesses understand the potential threats of poor identity and access management (IAM) but fail to see why strong IAM policies are necessary to protect sensitive data.

Statistics from employee respondents shed light on the significant threats resulting from improper or inadequate IAM protocols. Among those polled:

• 70 percent would look at sensitive files if granted unlimited access
• 60 percent would take company data with them when leaving their positions if they knew they wouldn’t get caught
• 40 percent have shared passwords with someone else

Based on such responses, problems potentially resulting from insider threats alone should be enough of a concern to prompt companies to adopt stronger strategies for provisioning, deprovisioning and access management. Implementation of tougher controls under the guidance of knowledgeable cybersecurity experts can mitigate risk and reduce the likelihood of data loss or compromise. 

For IT professionals, these changes and challenges present opportunities to aid businesses and organizations with developing improved strategies for cybersecurity, breach prevention and employee access control.

Identity and access management certifications

Cybersecurity certification and ongoing education prepares those in the IT industry to build defenses against the latest threats and implement the best protective technologies available.

Data breaches can cost healthcare organizations $380 per affected record, but current systems are vulnerable to numerous types of attacks. Patient data is extremely valuable to hackers looking for detailed identity information, which makes securing electronic health records (EHRs) and associated personal details a top priority in the healthcare industry.

Emerging blockchain technology may offer a solution to healthcare’s biggest security challenges. Features such as decentralized storage, cryptography and smart contracts provide a framework for organizations to improve data protection while maintaining accuracy and preventing unauthorized access to or alteration of patient information.

Maintaining Consistent Permissions

A blockchain may be set up as permissionless or permissioned. Permissionless, or public, blockchains are theoretically accessible to any user, but becoming part of a permissioned blockchain requires consent from the owner. Given the highly sensitive nature of patient data, permissioned blockchains are more appropriate for healthcare settings.

This can present problems if permissions aren’t handled properly. Healthcare professionals must have easy access to patient data at a moment’s notice, especially in emergencies. Inconsistent permissions may block access at critical moments, which could put patients in life-threatening situations.

Blockchain technology employs two solutions for seamless, secure permission management:

• Smart contracts grant access using predetermined parameters agreed upon by all parties involved in the contract. This rule-based form of access control can be customized to automate a variety of workflows.
• Cryptographic keys put access control in the hands of patients. Each patient has a “master” key to “unlock” health data and can give a copy of this key to health care professionals or institutions as needed. Actions may be restricted to reading or writing information, and patients can revoke keys in the event the device on which a key is stored becomes compromised.

By allowing for the automation of processes currently requiring one or more middlemen, smart contracts and cryptographic keys minimize the risk of human error and reduce the time between the collection of health information and fulfillment of actions like insurance billing and payment. 
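The patient-held key model described above (scoped copies of a master key, read/write restriction, revocation when a device is compromised), as an added example that is not code from MedChain, MedRec or the original article. The grant format, identifiers and the use of HMAC in place of a public-key signature are assumptions; with a real signature scheme the verifier would need only the patient's public key rather than the master key.

```python
import hashlib
import hmac
import json

# Constructed sample value: a patient's "master" key. A real platform would
# generate this on the patient's device; it is fixed here so the example
# is reproducible.
PATIENT_MASTER_KEY = b"constructed-patient-master-key-0001"

# The only actions a patient can delegate (the read/write split above).
ALLOWED_SCOPES = {"read", "write"}


def _canonical(body):
    # Deterministic encoding so signer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_grant(master_key, grantee, scopes, grant_id, valid_until):
    """Patient issues a scoped copy of their key to a provider.

    Hypothetical grant format: the MAC binds grantee, scopes, id and
    expiry together, so changing any one field invalidates the grant.
    """
    if not set(scopes) <= ALLOWED_SCOPES:
        raise ValueError("unknown scope in %r" % (scopes,))
    body = {
        "grantee": grantee,
        "scopes": sorted(set(scopes)),
        "grant_id": grant_id,
        "valid_until": valid_until,
    }
    sig = hmac.new(master_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class RecordAccessPolicy:
    """The rule-based check a smart contract or access layer applies
    before a read or write of the patient's record is allowed."""

    def __init__(self, master_key):
        self._master_key = master_key
        self._revoked = set()  # grant ids the patient has withdrawn

    def revoke(self, grant_id):
        # Called by the patient, e.g. when the provider's device holding
        # this grant is lost or compromised.
        self._revoked.add(grant_id)

    def check(self, grant, actor, action, now):
        """Return (allowed, reason) for `actor` attempting `action` at `now`."""
        body = grant["body"]
        expected = hmac.new(self._master_key, _canonical(body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(expected, grant["sig"]):
            return False, "signature invalid (grant forged or tampered)"
        if body["grant_id"] in self._revoked:
            return False, "grant revoked by patient"
        if body["grantee"] != actor:
            return False, "grant was issued to a different party"
        if now > body["valid_until"]:
            return False, "grant expired"
        if action not in body["scopes"]:
            return False, "action not covered by grant scopes"
        return True, "ok"


def demo():
    """Walk through grant, scope limit, tampering, expiry and revocation."""
    now = 1_700_000_000  # constructed 'current time' (unix seconds)
    policy = RecordAccessPolicy(PATIENT_MASTER_KEY)
    doctor = "dr-lee@clinic.example"  # constructed identifier
    grant = issue_grant(PATIENT_MASTER_KEY, doctor, ["read"], "g-001",
                        valid_until=now + 86_400)

    results = {}
    results["doctor_read"] = policy.check(grant, doctor, "read", now)[0]
    results["doctor_write"] = policy.check(grant, doctor, "write", now)[0]
    results["insurer_read"] = policy.check(
        grant, "billing@insurer.example", "read", now)[0]
    # A holder who edits their own grant to add "write" breaks the MAC.
    tampered = {"body": dict(grant["body"], scopes=["read", "write"]),
                "sig": grant["sig"]}
    results["tampered_write"] = policy.check(tampered, doctor, "write", now)[0]
    # After expiry the same grant no longer works.
    results["expired_read"] = policy.check(grant, doctor, "read",
                                           now + 2 * 86_400)[0]
    # Patient revokes the grant (device compromised); reads stop.
    policy.revoke("g-001")
    results["revoked_read"] = policy.check(grant, doctor, "read", now)[0]
    return results
```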

Protecting Patient Information and Identities

Giving patients the choice of whom they share their keys with effectively puts them in control of what can be done with their health information, including who can access it and when. Because data can’t be decrypted without a key, no one should be able to read patient information without express permission. Hackers obtaining encrypted health data would also need to steal the keys to make use of the information. Combining keys with smart contracts prevents unauthorized parties from adding information to a patient’s records, including outsiders seeking to tamper with data for malicious or self-serving purposes.

Utilizing the blockchain also creates an environment in which all participants, including patients, review information before it officially becomes part of a record. This provides the opportunity for healthcare providers and patients to evaluate information, thus preserving the accuracy of data throughout the blockchain. Since 40 percent of patient health records currently contain errors, switching to this kind of collaborative system has the potential to improve patient care and reduce the risk of life-threatening mistakes. 

Companies like MedChain and MedRec are currently working on permissioned blockchain platforms to bring these benefits to healthcare organizations and the patients they serve. By moving patient health information to a decentralized storage solution in which records are broken into fragments and distributed across the blockchain, these companies seek to provide a better way for healthcare organizations to protect patient information.

Challenges of Blockchain Implementation

While the blockchain has many potentially beneficial applications in the healthcare industry, the technology still needs time to mature before it becomes practical to pursue widespread adoption. Adherence to HIPAA regulations is a key concern when storing private patient information in a decentralized environment, and use of blockchain technology alone isn’t enough to ensure complete privacy. Stringent security regulations, including encryption and onsite administrative protocols, would be required of each healthcare organization retrieving, storing or sharing patient data within a permissioned blockchain.

Implementing permissioned blockchain models in existing systems requires help from IT professionals who are trained and certified in the technology and familiar with the security challenges such a framework poses in a healthcare setting. An appropriate system of checks and balances must be established at the outset to prevent data errors from becoming permanent parts of the blockchain, and provision must be made for accessing records in the event of emergencies in which patients are rendered incapable of granting access using their security keys. 


Healthcare organizations looking to blockchain technology to improve patient privacy and ensure greater accuracy need to weigh the benefits against the potential pitfalls and work with qualified identity and access management professionals to deploy solutions customized to the unique security and compliance needs of the industry while focusing on access management, data protection and the prevention of identity theft.

Voice-enabled internet of things (IoT) technology has taken the consumer market by storm, with in-home use of smart speakers jumping 78 percent between 2017 and 2018. Today, 21 percent of the U.S. population uses some kind of voice-enabled IoT device on a regular basis.

At the enterprise level, voice adoption is most prevalent in the industrial sector, but the technology is making its way into more businesses as new options for consumer outreach, workflow automation and collaborative communication become available. This widespread implementation raises significant security concerns, which businesses need to recognize and address if the full benefit of the technology is to be realized. 

The Rise of Voice-Enabled Devices in Enterprise Environments

According to a study by Pindrop, a voice technology security company, 57 percent of managers believe introducing voice-enabled technology would “increase operational efficiencies,” which hints at the potential power of voice in enterprise environments. Gartner predicts voice will comprise 25 percent of employee interactions with business applications by 2023, a very probable scenario in light of the number of new enterprise IoT devices appearing on the market.

Although voice can be used to monitor network health, maximize resource efficiency, track collaborative projects and connect with customers, use cases go far beyond these basic tasks. The introduction of devices like Google Glass Enterprise Edition has changed the way companies approach manufacturing processes by introducing powerful voice-controlled artificial intelligence (AI) and machine learning (ML) tools into industrial environments. Communication devices from Orion Labs are breaking down language barriers to enable more efficient and productive collaboration between in-house and remote team members.

In healthcare, voice has the potential to create personalized programs and protocols for patients without requiring a significant increase in workloads for physicians. Dictation, documentation and electronic records may come together in the near future to allow healthcare providers to make more accurate diagnoses and care decisions. 

Security Risks of IoT in Business and Manufacturing

It’s not hard to see how introducing voice technology into these situations could put sensitive information and processes at risk. Voice-enabled IoT collects massive amounts of data, which is very attractive to hackers and makes enterprises using voice devices prime targets for attacks.

A single compromised device could allow a hacker to infiltrate an entire network and gain access to proprietary information, interfere with critical processes or interrupt manufacturing procedures. In industrial settings, vulnerable IoT could present a threat to workers who rely on devices to provide accurate operational and procedural information. While some hackers may simply decide to cripple a company by slowing or halting production, others may take a more malicious approach with the potential to cause serious harm.

If voice becomes more prominent in healthcare, the danger may be just as significant. IoT devices used to record and recall patient histories, including medication information, could become targets of malicious attacks, leading to disastrous mistakes with care protocols and putting patients’ lives at risk.

Hackers may use a variety of tactics to infiltrate voice-enabled IoT devices, including:

• Sending very high- or low-frequency commands undetectable by the human ear
• Altering audio to include additional commands or cause commands to be understood and executed differently
• Making use of “voice spoofing” for unauthorized activation and access

In addition to threats from the outside, enterprises must also be aware of the potential for a new style of insider attack involving the exploitation of devices already recognizing and responding to trusted voice input.

How Companies Can Protect Voice-enabled IoT

Introducing more voice technology into business environments requires a new approach to access management and data security. As voice commands are integrated into standard processes and workflows, voice biometrics will become part of users’ identities and need to be verified and monitored to ensure authenticity. Voice IoT devices themselves must be protected with the strongest security protocols possible and updated regularly to prevent known vulnerabilities from becoming points of entry for hackers.

Devices come with built-in security features, which must be set up at the time of implementation. Default settings and passwords pose a serious risk and should never be left in place once a device has been connected to an enterprise network. Businesses using multiple IoT devices can benefit from mapping their systems to identify all connected endpoints and the interactions between them, and from setting up a system to regularly monitor use throughout the network. If both industrial and office IoT are in use, it’s best to keep the networks separate to prevent widespread infiltration.

Businesses across sectors can reap substantial benefits using voice to improve operations, collect more detailed information and provide better customer service, but any implementation plan must include a knowledgeable approach to security. Updating standard protective measures can help minimize the risks associated with introducing new voice technologies into enterprise environments by protecting against data compromise, unauthorized network access and identity theft.

The global technology growth has led to high demand for skilled employees. However, estimates for 2019 reveal a profound skill deficit within the employee pool. Three million IT positions need to be filled, but there are not enough qualified individuals to fill them. Within the cybersecurity sector, 500,000 security specialists are needed within the United States alone. Individuals with professional certifications, technical knowledge, and a deep understanding of identity risk management standards and guidelines are highly sought.


IAM Positions at All Levels and Skills

Positions that need to be filled include entry-level positions as well as high-level positions and numerous mid-career level positions. Enterprise level organizations are in need of talented individuals but so are start-ups and mid-size businesses. There are positions for third-party, independent contractors as well. Regardless of education level, experience level or required salary, there are openings for individuals with an IT background and an interest in identity and access management.

Below is a list of a few popular identity and access management jobs and titles that are often listed on job boards:

  • IAM System Architect
  • IAM System Engineer
  • IAM Access Control Specialist
  • IAM Administrator

Recent graduates and experienced professionals with identity and access management certification are qualified to fill these open positions.

The Need for Identity and Access Management Certification

Government agencies are becoming stricter when it comes to data privacy. The European Union’s GDPR standard is expected to become the default standard, even in regions where industries are not obligated to comply. As a result, organizations seek certified security specialists who remain current on legislation, technology and consumer demands.

In addition, entities like the United States Department of Defense require contractors and employees to fulfill DOD IAM levels. A solid background in IAM practices and strategies prepares individuals to pass DOD standards. Since data security jobs are in high demand, supplementing existing IT knowledge with security certifications increases employability.

Other regions and industries seeking identity and access management certified employees include insurance organizations, consumer-facing organizations within the retail and service industries, legal organizations, biomedicine and pharmaceutical companies, real estate firms and others.

Employees with roles beyond the IT department also benefit from identity and access management certifications. Whether acting as a data analyst, human resources administrator or business analyst, holding a certification in fraud prevention, data protection or identity theft is helpful to employers and essential for a well-rounded resume.

Identity and Access Management Jobs Salary

The range of positions available within the identity and access management job market lends itself to a range of salaries. Location dictates salaries, as does the size of the organization and required skill set, experience and education. Starting at the highest level and moving to the lowest, here is a sample of salaries for identity and access management jobs.

IAM System architects can expect to earn an annual salary of $100,000 to $200,000.

IAM System Engineers and Developers are needed across a range of business levels, not simply enterprise organizations. This results in a range of salaries, with the highest reaching $140,000 per year and the lowest within the $60,000 per year range.

IAM Access Control Specialists, administrators, data analysts and business analysts can expect to see salaries within the $35,000 to $75,000 range.

Higher salaries are provided to those with high levels of education, experience and creative thinking. This information is provided within identity and access management job descriptions.

Employers Seek Creativity, Education and Certification

Increased awareness of the need for data privacy, new regional privacy standards and enterprise level security tools require organizations to move beyond a generic approach to data access. Single sign-on technology, biometrics, multi-factor authentication, role-based access control and privileged access management provide enterprise organizations with the flexibility they need to meet the privacy demands of government regulators as well as answer the concerns of clients and employees.

Since organizations are not looking for generic solutions, they are offering detailed job descriptions with specific skill sets. Knowledge of the organization’s industry is also highly prized.

A sample of job descriptions reveals that certain skill sets are in demand, but the depth and extent of those skills depend on the individual’s role within the organization, the organization’s size and the regulatory requirements of the organization’s industry. Here are some job descriptions that run the gamut from highly skilled to generally skilled.

Identity and Access Management System Architect

This role requires the most education and experience. Qualified individuals have experience with project management, leadership, software development, cybersecurity and industry-specific knowledge. Sometimes called a Digital Transformation Architect, this multi-faceted individual ensures that executive roles, IT departments and consumer-facing tech are in alignment with security standards.

Identity and Access Management Engineer

IAM engineers are experienced software engineers and developers. Due to the lack of IAM engineers, many employers are seeking flexible and adaptable software developers with an interest in cybersecurity.

Recent job descriptions in high demand locations are specifically looking for software engineers who aren’t afraid to make mistakes, have a creative approach to problems and “an ability to understand business’ functions and technology use.”

Individuals who have the skills needed to fulfill high level sysadmin and devops positions, and who aren’t intimidated by power structures, have what it takes to fulfill the Identity and Access Management job responsibilities of an IAM engineer.

IAM Administrator

These individuals play a highly technical role and are often the first responders to security breaches and other incidents. Employers expect these individuals to have a degree in computer science, experience with ID provisioning and IT operations, the ability to track and manage multiple intake systems, and experience performing root cause analysis.

Identity and Access Management Analyst

This identity and access management job description fulfills the needs of entry-level job seekers with degrees in computer science or cybersecurity. In this position, candidates should have a functional understanding of database administration, directories and protocols among others.

Identity and access management job responsibilities, regardless of position level and experience, require adherence to a code of ethics and knowledge of critical risk domains, or CRD, to include:

  • Regulations and Compliance
  • Program Management and Administration
  • Risk Assessment and Mitigation
  • Product Development and System Management

Identity and Access Management Career Path for Experienced Professionals

Experienced individuals employed as system engineers and architects can improve their chances of being hired, promotion and higher earnings by pursuing the following certifications:

Individuals employed in consulting, analyst positions such as data analysts, or administrative roles, such as human resources, compliance, or department supervisors can increase their opportunities to provide better security services by pursuing the following certifications:

Identity and Access Management Career Path for College Graduates

College graduates have spent numerous academic hours honing their coding and software development skills, experimenting with new platforms and learning the ins-and-outs of cloud and hybrid systems. These skills are in high demand across industries due to the evolving nature of software systems and cloud development tools. To increase employability and meet the needs of cyber security-aware firms, adding the following certifications to a resume helps candidates stand out from generic job seekers.

Numerous identity and access management jobs need to be filled. These jobs span software engineering, product development, consulting, project management and access administration, among others. Employment indicators show that IT job salaries may have reached a plateau. Augmenting your current technical skills with an IAM certification can boost salary options and increase job opportunities, as identity and access management has become the core solution for the cyber security industry.

Technical identity and access management experts need to better understand the IAM risks and best practices in order to design and implement products that address the evolving challenges. On the other hand, non-technical IAM specialists need to better understand the IAM tools and their features in order to use the IAM systems and manage projects effectively.

Biometric identifiers are currently used as part of the authentication process at 62 percent of organizations, and 70 percent of U.S. consumers would like to see biometric authentication expand into their places of work. Often used alone or as part of multi-factor authentication protocols, biometric data is seen as a more secure alternative to traditional passwords.

However, concerns about potential vulnerabilities are beginning to arise as the use of biometrics becomes more prevalent. What risks are businesses and organizations taking by adopting biometric authentication, and how does it impact customers and employees? 

Privacy
Unlike passwords and verification codes, biometrics are fundamental parts of users’ identities. The following common identifiers represent unique physical or personality traits:

• Fingerprint scan
• Iris scan
• Facial scan
• Voice recognition
• Handprint geometry
• Vein mapping
• Behavioral characteristics

Whether inherited or learned, these markers are core aspects of personally identifiable information (PII) and can’t be changed. Hacked passwords are easy to reset, but what can consumers and employees do if a hacker steals what’s essentially part of their biology?

The use of biometrics in authentication means every action taken is connected to the user to whom specific identifiers belong. Once a malicious third party manages to compromise a scan or fool an algorithm, it puts the real user’s reputation at risk. Technology for capturing images and information used in biometrics is becoming more powerful, which allows for more nuanced and detailed profiles of consumers and employees. However, just one vulnerability in the way the data is captured, stored or transmitted can expose private PII and allow hackers to not only access business networks but also take over every account associated with an individual’s biometric information.

Inaccuracy and Fraud
The tendency of users to assign similar or identical passwords to multiple accounts is often cited as a major problem for system security, but this becomes less of a concern when passwords are encrypted and hashed. Hashing turns every password into a unique identifier that is difficult or impossible for hackers to reverse. This allows users to set passwords they can remember for easy access to systems.

By contrast, scanners used to capture and read biometric data aren’t accurate 100 percent of the time. Even slight variations in how a user touches a fingerprint scanner or looks at a camera during a facial scan will create different images. The resulting discrepancies can cause authentication to fail and lock legitimate users out of the system.

The irony of this situation lies in a hacker’s ability to reproduce a convincing fake of the original scan and use it for successful access. Information is vulnerable when it’s recorded, stored and transmitted, giving hackers multiple opportunities to lift identifying data.
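The contrast drawn in this section, exact-match password hashing versus biometric scans that never come out identical twice, as an added example (not code from the original article): a salted PBKDF2 password check, a constructed fingerprint "template" hashed the same way, and the distance-threshold matcher that biometric systems need instead. The template vectors, the threshold and the sample password are constructed assumptions.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None, iterations=100_000):
    """Salted, slow hash: the stored digest verifies only the exact password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, stored_digest):
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)  # constant-time compare


# Constructed fingerprint "templates": each is a short vector of normalised
# minutiae-style measurements. Two scans of the same finger differ slightly
# (sensor noise, finger placement); a different finger is far away.
ENROLLED = [0.52, 0.31, 0.77, 0.10, 0.64, 0.29]
SAME_FINGER_RESCAN = [0.53, 0.30, 0.78, 0.11, 0.64, 0.27]
DIFFERENT_FINGER = [0.12, 0.88, 0.41, 0.67, 0.05, 0.93]


def hash_template(template):
    """Treat a biometric template like a password: quantise, then hash."""
    encoded = ",".join("%.2f" % v for v in template).encode()
    return hashlib.sha256(encoded).hexdigest()


def hashed_biometric_match(enrolled_hash, scan):
    """Exact-match check, the way a password hash is verified."""
    return hmac.compare_digest(enrolled_hash, hash_template(scan))


def template_distance(a, b):
    """Euclidean distance between two templates."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def fuzzy_biometric_match(enrolled, scan, threshold=0.1):
    """Threshold matcher: tolerates sensor noise, but needs the raw enrolled
    template available in the clear at match time (assumed threshold)."""
    return template_distance(enrolled, scan) <= threshold


def demo():
    results = {}
    salt, digest = hash_password("correct horse battery staple")
    results["password_exact"] = verify_password(
        "correct horse battery staple", salt, digest)
    results["password_typo"] = verify_password(
        "correct horse battery stable", salt, digest)

    enrolled_hash = hash_template(ENROLLED)
    # Hashing fails on the slightest sensor variation: the legitimate user is
    # locked out even though it is the same finger.
    results["hashed_rescan"] = hashed_biometric_match(enrolled_hash,
                                                      SAME_FINGER_RESCAN)
    results["hashed_replay"] = hashed_biometric_match(enrolled_hash, ENROLLED)

    # A distance threshold accepts the rescan and rejects another finger...
    results["fuzzy_rescan"] = fuzzy_biometric_match(ENROLLED, SAME_FINGER_RESCAN)
    results["fuzzy_other"] = fuzzy_biometric_match(ENROLLED, DIFFERENT_FINGER)
    # ...but the stored template is now plaintext, and a copy lifted from
    # storage or transit matches perfectly. That is why where the template
    # lives and how it travels matters more than it does for a password hash.
    results["fuzzy_replay"] = fuzzy_biometric_match(ENROLLED, ENROLLED)
    results["rescan_distance"] = round(
        template_distance(ENROLLED, SAME_FINGER_RESCAN), 3)
    return results
```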

Storage and Encryption
Once identifiers are collected, the data has to be stored somewhere. Because no form of storage can be considered completely safe, this creates the same problem as any other access management strategy in which businesses and organizations are responsible for securing users’ identities. Encrypting data during transfer only addresses part of the problem, since hackers can still access biometric information as it’s collected and when it’s being matched to previously captured data.

Businesses can improve security by adopting runtime encryption, which keeps sensitive data encrypted during use, or by choosing not to store biometrics at all. Authentication apps that keep biometric data stored locally on users’ devices minimize the danger of compromise but still carry risks if a device is lost or stolen. Compromised applications on devices or networks create additional vulnerabilities, which must be considered when determining the best method to implement.

Complacency
Predictions show almost 90 percent of businesses will use biometrics by 2020, and yet it still has the kind of mystical appeal often associated with science fiction. Business owners must beware of seeing biometric authentication as a cure-all or magic bullet for solving problems with access management.

Research conducted at Michigan State University showed just how dangerous this kind of thinking can be. Using machine learning, researchers created a set of incredibly accurate “MasterPrints,” synthetic fingerprints with the ability to match numerous real fingerprints and undermine the security of biometric scanners. In another startling example, Vietnamese hackers were able to use just a handful of materials and tools to create masks capable of fooling Apple’s Face ID. Without other security measures in place, biometrics are vulnerable to compromise and can leave business networks vulnerable to these types of attacks.

Businesses faced with the challenges of implementing biometric authentication need expert help to prevent the personal identifiers of their customers and employees from becoming compromised. With so much at risk, both an accurate understanding of potential vulnerabilities and a solid identity theft prevention plan are essential to preserve the privacy and integrity of personal data.