Businesses, enterprises and organizations need the expertise of identity management consultants to address the increasing challenges posed by the rapid pace of technological change. As internet of things (IoT) technology, artificial intelligence (AI) and machine learning (ML) play bigger roles in networks across industries and more services migrate to the cloud, security needs are expanding beyond the capabilities of onsite IT resources. 

Identity and access management career path with job titles and job descriptions with duties and tasks.

Identity management consultants can offer much-needed insight and assistance by assessing risks, developing solutions and implementing better systems for identity creation, user management and access control. The job covers a range of important duties and requires a combination of education and experience to address the unique needs of businesses in a variety of industries. 

Identity Management Job Overview

Identity management consulting incorporates a wide range of duties to provide optimal security through proper access control. 

Audits and Assessments 
Access and security audits are key in identifying vulnerabilities within existing systems. It’s the job of an IAM professional to conduct these audits along with threat and risk level assessments. 

Identifying Risks and Mitigating Threats 
The best solutions are built to the specifications of individual businesses and organizations. IAM specialists understand the complexities of modern systems and work to identify potential risks unique to each situation. Using this information, they deliver appropriate solutions to prevent as many threats as possible. 

Conducting Research, Analyzing Data and Creating Reports 
Auditing and risk management both require detailed technical research and understanding of the resulting data. Many businesses lack the resources and expertise required for proper analysis and need a third party to condense the findings into accessible reports from which suitable solutions can be built. 

Choosing Appropriate Types of Access Control 
Existing systems may be operating with outdated access control protocols and require modernization to strengthen security. An identity consultant understands the difference between rule-based and role-based access control and chooses the most appropriate option to maintain a “least privilege” level of access for all users. 

Designing, Configuring and Implementing IAM Solutions 
Complex systems require robust identity and access solutions, and IAM consultants may find it necessary to incorporate a wide range of tools to create an appropriate protocol, including: 

• Onboarding and offboarding 
• User provisioning and deprovisioning 
• Modern access management options, such as single sign-on (SSO), federated identities, multi-factor authentication (MFA) and privileged account management 

This requires working with one or more of the current identity and access solutions used by modern businesses and collaborating with other professionals to reach a successful outcome. A typical team may include consultants, analysts, programmers and other IT professionals. 

Ongoing Support 
Once new protocols are in place, identity management consultants stay on board to guide companies through the early days of implementation and provide additional support, ensuring all procedures are properly followed. 

Identity Management Job Titles

Identity management consulting is often a full-time job and demands varying levels of expertise. Lower-level positions may be listed with titles like: 

• Identity and access management consultant 
• Cyber identity and access management consultant 
• IAM technical consultant 
• IAM analyst 
• IAM engineer 
• IAM solution engineer 

It’s common for these positions to require less experience and education and include identity management duties such as managing networks, applications and users. High-level positions include: 

• Cloud security specialist 
• IAM experienced consultant 
• IAM senior consultant 
• IAM specialist 
• IAM technical specialist 

Because these jobs involve creating, implementing and overseeing complete identity management systems designed to meet specific security needs and also involve complex compliance standards, additional higher education is necessary. Some employers require identity and access management certifications and numerous years of experience working with relevant protocols, software and systems. 

Importance of the Identity and Access Management Role

Statistics show the critical need for more comprehensive IAM solutions across industries:

• Only 7 percent of businesses have “good visibility of all critical data” 
• Only 20 percent of businesses maintain complete visibility of all users 
• 77 percent of IT professionals say their organizations lack solid cybersecurity incident response plans 
• 56 percent of IT professionals cite targeted phishing as the biggest threat to network security 

Add to this a growing number of users, increased device diversity and the need for many companies to onboard either temporary employees or third-party vendors, and risk levels skyrocket. More endpoints being introduced into networks create more areas of potential vulnerability, leaving IT departments to face challenges for which they’re not prepared. 

The consequences of poor identity management and other weak security practices can be staggering: 

• The average cost of a data breach in 2018 was $3.86 million 
• “Mega” breaches, in which 1 million to 50 million records are involved, can cost between $40 and $350 million 

Eighty percent of breaches involve privileged credentials, and this highlights the importance of defining proper access levels, determining the appropriate scope of access for each user and maintaining boundaries across systems. Improving identity management procedures is a key component of risk reduction, and IAM consultants can provide the services businesses and organizations require to offload their IT departments and maximize the use of existing IT resources. 

Many companies are still fighting to get a handle on the data they receive, transmit and store, especially as cloud migration becomes more common. Identity management makes both onsite and cloud network environments safer for employees and customers by providing solutions for creating, protecting and managing identities in ways designed to prevent unauthorized access. 

New access management solutions and sign-in protocols are making it harder for hackers to steal, guess or fake credentials. However, it’s still common for businesses and organizations to use outdated identification and authentication methods with loopholes even amateur hackers can exploit. Because 75 percent of breaches are the result of external threats, it’s essential to close these loopholes. 

Profile of an Identity Management Consultant

Ideal candidates for identity management consultant positions are self-driven and not afraid to take the initiative. The job requires strong leadership and management skills, a commitment to hard work, the ability to juggle diverse projects and good problem-solving and troubleshooting capabilities.

Companies frequently list the following educational and technical requirements that IAM consultants must demonstrate in their identity and access management resumes: 

• Bachelor’s or master’s degree in information technology, cybersecurity, computer science, information systems security or a related field 
• One or more IAM certifications 
• One or more years of IT consulting experience 
• Two or more years of experience implementing key elements of IAM protocols 
• Knowledge of IAM software and systems, such as Oracle, SailPoint, CA Identity Suite or IBM’s security solutions 
• Proficiency in word processing, presentation and reporting software, cloud systems, HTTPS, XML and/or Java 

Additional experience with specific aspects of identity management may also be required depending on the level of the position. Other critical skills include: 

• A solid understanding of IAM concepts and systems 
• Knowledge of key IAM standards 
• The ability to work with a variety of identity, access and privileged account management solutions 
• Aptitude in technical research and the willingness to perform necessary research 
• Ability to work with others to create, implement and teach new protocols 
• Knowledge of current compliance regulations and the solutions necessary to meet them 

Ongoing training is often an integral part of a career in identity management. Companies also prefer candidates with customer-oriented mindsets and the desire to fulfill the specific needs of clients. 

Where to Find Identity Management Jobs

The same technologies creating the high demand for IAM specialists also make it possible to perform many consulting duties remotely. Employers are increasingly offering this option, but most positions appear to involve at least some amount of travel to onsite locations. 

Companies across industries are facing similar network security challenges requiring input and guidance from consultants in the IAM field. Individuals with the proper qualifications can find positions with: 

• Educational institutions, especially colleges and universities 
• Enterprise-level companies seeking help to establish essential protocols 
• Financial institutions 
• Healthcare providers and networks 
• IT consulting firms 
• Providers of IAM products 
• Security product and service providers 
• Small- and medium-sized businesses setting up or expanding their networks 

Salaries in the field are generous and range from around $43,000 to over $123,000 per year. According to PayScale, the average annual salary for identity management consultants is just over $76,000; Glassdoor reports a higher average of $100,408. Depending on the identity management job position, responsibilities and company structure, additional income may be available in the form of commissions and bonuses. 


Challenges for Today’s Identity Management Professionals 

Identity management consultants address the challenges faced by companies in diverse industries as they seek to improve security protocols and incorporate more stringent rules for access control. Trends in technology necessitate the retirement of outdated login and authentication methods, such as single-factor or password-based logins, in favor of options incorporating factors recognized as more reliable. Protecting login credentials from theft and compromise could prevent the majority of breaches. 

To minimize the potential extent of breaches should they occur, IAM specialists must address other common challenges: 

• The accumulation of access rights beyond those needed to successfully perform a job or role 
• Lack of regulation for device access, especially in companies with BYOD policies 
• User access via unsecured connections, such as Wi-Fi hotspots 
• Increasing numbers of remote workers using devices with varying levels of security 
• The need to assign unique identities to devices and applications for smoother workflows 
• Proper user provisioning and deprovisioning 
• The need to bridge the gap between applications with different authentication protocols or security standards 

The introduction of new IoT technologies and the incorporation of the blockchain into IAM protocols will create greater complexity within systems in the future, and compliance standards are likely to continue to adapt in response. Companies are already struggling to meet existing standards, including GDPR, and face significant penalties if they fail. It’s the job of IAM consultants to provide help navigating these changes and ensure all protocols meet the required standards. 

Even as security measures improve, hackers are adapting their strategies to get around new solutions. IT professionals report an increase in targeted attacks on individuals, such as spear phishing, in an attempt to steal privileged credentials and therefore gain deeper access into networks. Companies must be prepared with the latest access management tools and the knowledge required to identify and prevent potential cyberattacks. 

Providing identity management consulting services is a demanding undertaking but opens the door to a lucrative field with many opportunities for growth. Qualified individuals enjoy good job prospects across industries. Although the position requires a significant amount of education, knowledge and experience, compensation is often generous. Those who are willing to continue learning to stay abreast of changes in regulations and standards can enjoy a dynamic work environment in which new innovations bring new challenges in need of creative solutions. 

Identity and access management certifications

Digital identities provide access to systems and services in a variety of use cases. A single identity may represent a person, device or organization, and access permissions must be managed properly to minimize the risk of cyberattacks. Efficient identity management is also required for streamlined workflows, regulatory compliance and reliable security. 

As digital access becomes more complex, businesses must look into the future to prepare for the unique challenges posed by the entrance of more devices into systems and the increasing sophistication of hackers. New trends in digital identity management provide the tools IT professionals and cybersecurity experts need to secure networks against fraud. 

Zero Trust Takes Center Stage 

Traditional access management falls short when it comes to the level of security necessary to protect modern networks. It assumes all users granted access to the network are trustworthy, and therefore every action and permission associated with their identities can safely be performed without further verification. However, this approach has a fatal flaw: Hackers using stolen credentials are given the same level of trust as legitimate users and may be able to penetrate deep into a network before the deception is discovered. 

This has given rise to the trend of the “zero trust” model, in which network insiders and outsiders are treated as posing equal levels of risk. Instead of relying only on preset permissions, rules or roles, zero trust systems monitor user behaviors and allow access based on perceived risk levels. Information is compartmentalized into “microsegments,” and as a user moves within the system, his or her behaviors generate a risk score. If the score is too high, further access requires re-authentication using multiple identifying factors. 

In addition to microsegmentation, companies opting for zero trust access can set additional restrictions based on location, IP addresses and specific permissions. Doing so ensures users aren’t allowed more access than is necessary to do their jobs, an identity management best practice known as the principle of least privilege (POLP) designed to minimize how much hackers can get away with using a single set of stolen credentials. 

Blockchain Leads to Decentralized Identities

Maintaining a centralized database of user identities is time-consuming for businesses and can pose a major security risk if the information is ever compromised. The rise of blockchain technology may make it possible to move to a decentralized model in which users create their own identities, register authenticating factors and have the information verified by a trusted third party before being stored in the blockchain. 

Each block in the blockchain contains digital information, such as an identity, and carries a unique identifying code called a “hash.” By adding identities to the blockchain instead of a central database, users make themselves part of what Gartner refers to as the identity trust fabric (ITF). The ITF technology is still being developed and will require better management of accessibility, privacy and security before it can be implemented on a broad scale, but it may be available as early as 2020. 

The shift to decentralized identities parallels the predicted demise of single-factor, password-based authentication. With 81 percent of data breaches attributed to weak or compromised login credentials, it’s necessary to adopt a system in which access requires stronger authentication credentials. Identities stored in the blockchain can be used to access applications from a variety of service providers without creating the points of vulnerability associated with password access. 

Advanced Analytics Allow Adaptive Access 

Rule-based access control relies on rules established by a network administrator to determine if requests within the system should be approved or denied. This allows for a measure of control over who can access specific data and applications, when access is to be granted and whether any restrictions are created based on location or other attributes. However, it’s impossible to foresee every scenario in which a user or group of users may require access. Restrictive rules can create bottlenecks in workflows, and liberal rules increase security risks. 

Adaptive access offers a smarter alternative. Adaptive environments use a combination of advanced analytics information and machine learning technology to learn users’ behavioral patterns and grant or deny access based on whether or not behaviors are perceived as normal. This creates a more “risk-aware” system with an inherent ability to detect anomalies and trigger security actions as necessary. 
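The risk-scoring gate described in the zero trust and adaptive access sections above, as an added example that is not code from the original article or any vendor product. It builds a per-user behavioural baseline from constructed login history, scores each new request on deviations from it (new country, new device, a microsegment the user has never touched, an unusual hour), and returns allow, step-up re-authentication or deny; the weights and thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# Assumed weights and thresholds; tune from observed false-positive rates.
WEIGHTS = {
    "new_country": 30,   # sign-in from a country this user has never used
    "new_device": 25,    # device identifier never seen for this user
    "new_segment": 20,   # microsegment the user has not previously accessed
    "unusual_hour": 15,  # hour of day outside the user's normal pattern
}
STEP_UP_THRESHOLD = 40   # at or above: require multi-factor re-authentication
DENY_THRESHOLD = 80      # at or above: refuse even after MFA and escalate


@dataclass
class Baseline:
    """Per-user summary of past, legitimate activity."""
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    segments: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    events: int = 0


def build_baseline(history):
    """Learn a baseline from prior successful, non-fraudulent events of one user."""
    b = Baseline()
    for ev in history:
        b.countries[ev["country"]] += 1
        b.devices[ev["device"]] += 1
        b.segments[ev["segment"]] += 1
        b.hours[ev["hour"]] += 1
        b.events += 1
    return b


def score_request(baseline, req):
    """Return (risk score, reasons) for a new access request."""
    reasons = []
    if req["country"] not in baseline.countries:
        reasons.append("new_country")
    if req["device"] not in baseline.devices:
        reasons.append("new_device")
    if req["segment"] not in baseline.segments:
        reasons.append("new_segment")
    if req["hour"] not in baseline.hours:
        reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(baseline, req, mfa_verified=False):
    """Map the risk score to allow / step_up / deny."""
    # Edge case: a user with no history yet has no baseline to deviate from,
    # so every request requires step-up rather than being scored (and denied).
    if baseline.events == 0:
        return ALLOW if mfa_verified else STEP_UP
    score, _ = score_request(baseline, req)
    if score >= DENY_THRESHOLD:
        return DENY
    if score >= STEP_UP_THRESHOLD and not mfa_verified:
        return STEP_UP
    return ALLOW


# Constructed history for one user: office laptop, business hours, one segment.
HISTORY = [
    {"country": "US", "device": "lt-0042", "segment": "finance-reporting", "hour": h}
    for h in range(8, 18)
]

# Constructed requests to evaluate against that baseline.
NORMAL = {"country": "US", "device": "lt-0042", "segment": "finance-reporting", "hour": 10}
NEW_DEVICE_ABROAD = {"country": "RO", "device": "unknown-7", "segment": "finance-reporting", "hour": 11}
LATERAL_AT_NIGHT = {"country": "RO", "device": "unknown-7", "segment": "hr-payroll", "hour": 3}

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for name, req in [("normal", NORMAL), ("new device abroad", NEW_DEVICE_ABROAD),
                      ("lateral move at night", LATERAL_AT_NIGHT)]:
        print(name, score_request(base, req), decide(base, req))
```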

Intelligent digital identity management is a crucial factor in the fight against cybercrime. To prevent networks from falling victim to attacks, businesses must look forward and prepare to implement new security technologies. Adapting to the latest technologies means being able to use the tools available to establish proactive responses and protect systems from a growing number of threats. Businesses ready to evolve with these changes will be better able to manage risks and maintain the strong security required to protect networks in the modern technological era.


The rising adoption of identity federation among businesses brings federated identity management challenges with it, but federation can have particular benefits at the enterprise level. By creating one central identity to access all network applications, companies simplify workflows and remove barriers to productivity. However, a unique set of security challenges must be met when using federated identity technologies. 

Security Concerns of Identity Federation by Identity Management Institute

Why Federated Identities? 

With 83 percent of enterprise workloads expected to be handled by public, private and hybrid cloud environments by 2020, the adoption of more efficient sign-on methods is critical. The extensive number of applications, projects and use cases at the enterprise level can’t be managed adequately using a system in which employees must sign in with a different set of credentials each time they move between platforms. Doing so creates several problems: 

• Each login is a point of vulnerability 
• Repeated logins reduce productivity 
• The login process creates distractions and undermines efficiency 

A federated identity makes it possible for users to sign in to any application within the “federation” using the credentials from a single application. This centralized identity forms the basis of single sign-on and is independent of platforms and technologies. By using federation, an enterprise can integrate multiple applications into a single system without the need to create a custom authentication protocol. 

Security Concerns in Federated Identity Management Challenges

Switching to federated identities as an alternative to outdated authentication methods isn’t without its risks. Most companies adopting federation only do so for a handful of applications and find it difficult to build a network in which all programs can be accessed using a single identity. This makes some areas of the network subject to common security risks, including breaches caused by the use of weak passwords. Complicating the matter is the lack of federated identity management plans in many businesses. The rapid spread of technology has left enterprises without the capabilities to implement the level of management necessary to ensure security across the board. 

For federated identities to work, user information must be shared with the third party entrusted with authentication. The nature of this information and how it’s shared, processed, stored and protected has an impact on the safety and privacy of users. Not all providers within a federation conform to the same security standards, and the use of multiple providers creates additional points of vulnerability. Enterprises must understand the security protocols and compliance measures used by third-party providers before committing to any partnerships. 

Insider threats and identity theft, two common and troubling security concerns for modern enterprises, remain problematic even with the use of a federated system. Companies need to be completely certain of the trustworthiness of users in the network and have authentication protocols designed to ensure each user is who he or she claims to be. Employee education is necessary to minimize the risk of human error, because a single compromised set of federated credentials can grant hackers access to multiple applications and allow a breach to spread rapidly across a network. 

Improper provisioning leading to privilege creep can also leave the door open for devastating breaches. A user’s federated identity should allow only the level of access required for his or her job, and any temporary access necessary for short-term projects should be revoked as soon as it’s no longer needed. Automated solutions for granting and revoking access are becoming more common as enterprises seek to improve network security and reduce the risk of data loss or theft. 

Creating a Reliable Federation Strategy

Despite its potential drawbacks, the use of federated identities has significant advantages for enterprise-level businesses. Unifying diverse applications to eliminate bottlenecks and silos creates a smoother user experience and empowers employees to work efficiently. 

To address the security concerns that accompany federated identity management and leverage the associated benefits: 

• Focus on applications designed for federation 
• Determine the standards required to maintain interoperability
• Establish strong security standards for proprietary and third-party applications 
• Seek a provider with minimal data sharing requirements 
• Ensure the provider is in compliance with relevant regulations 
• Automate user provisioning 
• Perform routine identity audits 
• Remove dead, abandoned or orphaned accounts 

Enterprises relying on applications with which federated identities can’t be used should consider if the same functionality can be achieved with newer applications or if the existing application can be updated for integration into a federated system. Critical programs lacking the functionality for federation require additional considerations to ensure security. 

As identity federation becomes more common, the resulting partnerships between providers and businesses are likely to drive the establishment of tighter security policies across the board. Recent changes in regulations governing data privacy require diligence on the part of all parties involved in the creation and management of federated identities, so businesses desiring to enjoy the benefits of this modern authentication method must understand the risks and take steps to mitigate as many as possible.


Privilege or access creep poses a threat to security in all networks but can be a particular problem in larger companies, where many employees share enterprise resources and inappropriate access levels often go unnoticed for a long period of time, which can potentially lead to devastating breaches.

Understanding Access Creep

Privilege creep occurs when employees accumulate more access rights than are required to perform the tasks associated with their positions. Also called access creep, the process occurs gradually over time and is often the result of: 

• Failure to revoke temporary access granted for special projects 
• Updated job duties or requirements 
• Promotions or changes in position within the company 

In all these cases, employees may retain access to data, applications and resources unrelated to their duties, thereby putting the system at risk in a number of ways. The most notable of these risks include: 

• Increased potential for insider threats resulting from the use of excessive access for personal gain or retaliation by disgruntled or dissatisfied employees 
• Hackers’ ability to infiltrate higher levels of the network using a single set of stolen credentials 

Accumulation of unnecessary privileges also poses a threat to compliance, especially in enterprise environments handling highly sensitive data, such as Social Security Numbers or health records. Failing to maintain compliance with privacy laws and regulations or suffering a breach in which large amounts of data are lost or compromised can have severe financial and reputational consequences.

Excessive Access in Privileged Accounts

Some users within enterprise systems, such as administrators and managers, require access to sensitive data or resources to do their jobs efficiently. Services and applications may also need a higher level of access to ensure workflows proceed without interruption and communication across the network is maintained. Alarmingly, the 2016 Verizon Data Breach Investigations Report revealed 53 percent of breaches result from the misuse of credentials associated with privileged access. It’s not uncommon to find credentials for sale on the Dark Web, and a hacker needs to purchase only one set to undermine the integrity of an entire enterprise system.

In many cases, users make it easy for hackers to obtain login information and access networks without buying credentials. About 80 percent of access breaches in enterprises result from weak or stolen privileged account credentials, and once hackers hijack these accounts, it can be difficult to determine the true extent of a breach. Privilege creep exacerbates the problem by extending hackers’ access deeper into the network. It can take IT professionals a considerable amount of time to sort through access information, pinpoint the cause of the breach and implement countermeasures to restore network security. 

Smart Strategies to Maintain Appropriate Access Levels

Proper identity and access management strategies can prevent privilege creep and reduce the risk of associated data breaches. Enterprises must focus on following best practices to establish and maintain strong identity governance policies.

Least Privilege

The principle of least privilege provides a baseline for managing all user accounts. By granting each user the lowest level of access necessary to fulfill his or her role within the company, enterprises can ensure smooth workflows while preventing unauthorized access across the network. Enterprises should also consider implementing role-based access in lieu of user-based methods to assign access levels based on the tasks a user must complete rather than associating privileged access with individual accounts.

Reduce the risk of access creep with periodic access audit and certification.

Auditing and Recertification

Routine access audits clarify access needs for enterprise users and pinpoint areas of weakness, including abandoned or orphaned accounts. Removing these accounts eliminates points of weakness hackers could otherwise exploit. Periodic recertification subjects active user accounts to scrutiny to determine if current access levels are appropriate or need to be adjusted. These processes are an essential part of access management and could benefit the 52 percent of enterprises unable to account for all privileged credentials within their networks. Clear policies for managing temporary access and processing changes in employee roles within the enterprise reduce the risk of access privileges extending beyond what’s appropriate. Identity Management Institute members include experts in access audit and certification.
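A recertification sweep for the three conditions named in the access creep and auditing sections above (entitlements beyond the user's current role, temporary grants that were never revoked, and orphaned accounts), as an added example that is not the article's or any product's code. It assumes three constructed inputs: an HR feed of active employees and their roles, a role-to-entitlement model, and a snapshot of the entitlements each account actually holds, some with an expiry date.

```python
from datetime import date

# Constructed role-based model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"erp:invoices:read", "erp:invoices:write"},
    "ap-manager": {"erp:invoices:read", "erp:invoices:write", "erp:invoices:approve"},
    "hr-analyst": {"hris:records:read"},
}

# Constructed HR feed: the authoritative list of active employees and current roles.
HR_ACTIVE = {
    "alice": "ap-manager",
    "bob": "ap-clerk",        # moved here from hr-analyst (change of position)
    "carol": "hr-analyst",
}

# Constructed entitlement snapshot: (account, entitlement, expiry ISO date or None
# for standing access). The expiry marks a temporary grant for a special project.
ENTITLEMENTS = [
    ("alice", "erp:invoices:read", None),
    ("alice", "erp:invoices:write", None),
    ("alice", "erp:invoices:approve", None),
    ("alice", "admin:erp:config", "2019-03-31"),   # temporary grant, migration project
    ("bob", "erp:invoices:read", None),
    ("bob", "erp:invoices:write", None),
    ("bob", "hris:records:read", None),            # left over from bob's previous role
    ("carol", "hris:records:read", None),
    ("dave", "erp:invoices:read", None),           # account with no HR record
]


def recertify(hr_active, role_entitlements, entitlements, today_iso):
    """Compare held entitlements with what each account's current role needs.

    Returns a dict with three findings lists:
      orphaned          - accounts absent from the HR feed
      expired_temporary - (account, entitlement, expiry) past its expiry date
      excess            - standing (account, entitlement) outside the role model
    An unexpired temporary grant is left alone until its expiry date passes.
    A role missing from the model is treated as needing nothing, so every
    standing grant of that account is reported as excess for review.
    """
    today = date.fromisoformat(today_iso)
    orphaned, expired, excess = set(), [], []
    for account, ent, expires in entitlements:
        if account not in hr_active:
            orphaned.add(account)
            continue
        if expires is not None:
            if date.fromisoformat(expires) < today:
                expired.append((account, ent, expires))
            continue
        needed = role_entitlements.get(hr_active[account], set())
        if ent not in needed:
            excess.append((account, ent))
    return {"orphaned": sorted(orphaned), "expired_temporary": expired, "excess": excess}


def revocations(findings, entitlements):
    """Turn findings into a concrete revocation list: every grant held by an
    orphaned account, each expired temporary grant and each excess grant."""
    orphaned = set(findings["orphaned"])
    revoke = [(a, e) for a, e, _ in entitlements if a in orphaned]
    revoke += [(a, e) for a, e, _ in findings["expired_temporary"]]
    revoke += findings["excess"]
    return revoke


def run_sweep(today_iso):
    """Run the sweep over the constructed data for a given audit date."""
    findings = recertify(HR_ACTIVE, ROLE_ENTITLEMENTS, ENTITLEMENTS, today_iso)
    return findings, revocations(findings, ENTITLEMENTS)


if __name__ == "__main__":
    findings, revoke = run_sweep("2019-06-01")
    for kind, items in findings.items():
        print(kind, items)
    print("revoke", revoke)
```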

Modernizing Access 

Many enterprises continue to rely on passwords and other outdated authentication methods, and a surprising 54 percent use paper or Excel spreadsheets to store details about access credentials. In situations where the use of passwords remains necessary, credentials must be managed in a secure centralized location to prevent loss or compromise. Switching to multi-factor authentication relying on stronger methods, such as the use of hard tokens, one-time PINs and geofencing, makes it more difficult for hackers to penetrate deep into networks. 

Preventing privilege creep at the enterprise level starts with clarity regarding access needs throughout the company and the establishment of strategic access management strategies. With the use of intelligent identity management tools and strong authentication methods, it’s possible to manage employee access to reduce the risk of internal and external breaches resulting from the misuse or compromise of privileged credentials.



Imagine arriving at work one morning to discover all of your employees have received an important video announcement from you and are scrambling to comply with the instructions it contains. Their responsiveness would be impressive if not for one thing: You never recorded or sent the video, and now you somehow have to undo the resulting damage. 

Improvements in artificial intelligence (AI) and machine learning (ML) could soon make such flawless deceptions possible. Called “deepfakes,” these videos have the potential to undermine security at every level from small businesses to global governments. 

How Deepfake Videos Work

A deepfake is a video made by employing AI and ML to create an exact likeness of a person saying or doing things he or she never actually said or did. The deception plays on the human tendency to believe what is seen and can be very effective in making it appear as though the content of a video is genuine. 

These videos aren’t simply fakes created by hackers skilled in forgery. Deepfakes rely on a form of machine learning in which two networks are fed the same data sets and pitted against each other in a back-and-forth battle of generation and detection. Known as generative adversarial networks (GANs), these systems consist of one network creating fakes and another evaluating the fakes for flaws. The data set consists of hundreds or thousands of images and videos of the person to be imitated, and a forgery is considered good enough when the detection network no longer rejects the results. 

Hackers and Malicious AI

When deepfakes first appeared on Reddit, people mostly used the technology to goof off and create fake pornographic videos. However, the software to produce such videos is readily available to everyday users, making it simple for hackers to employ deepfake tactics and use realistic false content to manipulate their targets. 

Deepfake videos are prime candidates for viral status and can spread rapidly across social media. Because fake rumors can take as long as 14 hours to be recognized and debunked, a well-produced deepfake could become entrenched in the public mind as truth long before the deception is detected. Hackers can take advantage of the popularity of viral fakes to spread videos containing malware or record messages designed to entice users to click on links as part of a phishing attack. 

Videos may also be used to draw people to websites in which malicious code has been embedded, turning their computers into tools for mining cryptocurrency. Known as cryptojacking, this kind of attack can also be launched on mobile devices and run undetected in the background as users go about their daily tasks. 

Deepfake Deceptions and Access Control

Deepfake technology hasn’t yet progressed to the point of perfection, but rapid advances in AI and ML mean scenarios like the one described above can no longer be relegated to the realm of science fiction. Using deepfakes, hackers could trick employees into giving away a great deal of information, including access credentials, financial records, tax documents, customer profiles and proprietary company data. 

Because GANs require a significant number of images to create realistic deepfakes, this kind of attack isn’t likely to become the norm overnight. However, the internet in general and social media in particular provide a wealth of pictures and videos posted by users and could theoretically be mined for the data sets necessary to train GANs to produce convincing results. 

Employees tricked by deepfakes or those who indulge in viral videos on company time could easily open the door for hackers to access business networks and fly under the radar or launch large-scale attacks. Such a prevalent threat to access control and compliance requires an updated approach to security. 

Preparing for Deepfake Security Threats

To get your network and your employees ready to stand up against the potential risks posed by deepfake videos: 

• Develop and deploy ongoing security training 
• Monitor employee activities on company devices 
• Update your BYOD policy to prevent infected devices from spreading malware to your network 
• Invest in security software with deep learning capabilities to predictively detect malware threats 

Combining employee training with machine learning software minimizes the likelihood of human error and leverages the power of artificial neural networks to protect your company from sophisticated threats. 

The rise of deepfake videos in a world where fake news is already a concern signals a future in which it could be nearly impossible to trust anything you read, hear or see. Detecting falsehoods requires an updated approach to security, including employing the same technologies used to create deepfakes. The future of security may boil down to beating hackers at their own games, and learning to identify and outsmart threats launched using fake video content could be just the start of a new wave of necessary security upgrades.


Taking on new suppliers as you grow your business is associated with a unique set of challenges and risks. Partnerships increase the number of people with access to your systems, and managing this access requires diligence when assessing potential security issues. 

When Should Vendors be Allowed Access? 

Efficiency is key to success in the modern market. Companies failing to adapt to the pace of commerce become overwhelmed by the number of administrative tasks necessary to keep the business going and are eventually outpaced by competitors. 

Third-party vendor access is one way to streamline your business processes and eliminate the bottlenecks created when performing transactions with partners outside your system. Onboarding your suppliers maintains efficiency by making it possible to communicate, place orders and send payments without leaving your company’s system or requiring additional software or services to handle supplier transactions. 

Onboarding supports flexible workflows and allows your system to remain both scalable and adaptable. If vendors are left out of the system, your company is forced to use outdated technologies to deal with an increasing number of supplier relationships. The segmented nature of these relationships increases the likelihood of duplicating suppliers for the same or similar products, paying more than you need to for essential supplies and failing to maintain the proper level of communication. 

Major Security Risks of Third-Party Access 

For vendor onboarding to be secure, however, you must understand the risks associated with each potential partner. Despite vendor access accounting for an average of 89 connections per week, only 34 percent of companies allowing vendor access actually know which system logins can be attributed to their suppliers. In a survey conducted by Bomgar, 69 percent of businesses said they could associate a security breach in the previous year with a problem with vendor access. 

These statistics highlight the critical importance of third-party access risk management, yet only 52 percent of companies have solid security standards governing vendor onboarding. To keep your network safe from accidental or deliberate breaches caused by third parties, consider these factors before clearing a vendor for system access: 

• Credit history, including bankruptcies and liens 
• Reliability with delivering orders and services
• How security risks are handled 
• How often security audits are performed 
• Maintenance of data security 
• Regularity of data backups 
• Number and types of devices used for network access 

Use these details to assess the level of risk for each vendor, and tailor your security efforts to address specific risks associated with each third party. 

Maintaining Compliance 

Regulatory compliance is a growing concern for all businesses. From credit card processing to email opt-ins, customers want to know their data is safe and that they have the choice to revoke a company’s privilege to use, transmit or store personal information. 

Vendors not in compliance with the regulations to which your business is subject are a risk not only to the network but also to the reputation of your company. Being flagged for noncompliance carries hefty fines and possible legal consequences, and it reduces consumer confidence when customers realize their data isn’t as safe with you as they thought. 

Discuss your company’s compliance strategies with each vendor you wish to onboard, and look into their histories to find out if they’ve dealt with any compliance or security issues in the past. Evaluate certificates of compliance for relevant regulations so that you know your company will be in the clear should you choose to allow network access. 

Steps for Successful Third-Party Onboarding 

According to CSO Online, security breaches related to vendor access cost businesses a total of $10 million in 2016. A strategic third-party onboarding process minimizes the risk of your business suffering loss from similar incidents. 

Onboarding should begin with an assessment of the potential risks associated with allowing a specific vendor to access your systems. It’s important to be as detailed as possible during the vetting process. Utilize all information available about each vendor to get a clear picture of how well they adhere to regulations. If their compliance and security measures check out, you can collect the information you need to add them to the system and allow for streamlined access. 

To keep company data safe, it’s essential to follow the same onboarding process for every vendor, every time. Implement monitoring solutions to track logins and system activity for all users, making use of modern technologies to detect potentially malicious activities. Train employees in all security measures relating to third-party access, including how to respond should monitoring software discover unauthorized activities. 

Whether it’s a new company or a group you’ve worked with for years, no exceptions should be made when onboarding any third party. Maintain the security of your system and prevent problems with compliance by establishing proper boundaries with vendors and re-evaluating access needs over time.


As businesses increasingly leverage cloud storage services, identity and access management in cloud platforms has become a major challenge and risk concern for cloud users.


Overview of Identity and Access Management in Cloud Platforms

The rapid migration of systems and data to the cloud, with cloud storage accounting for $50 billion of the $266 billion spent on public cloud services by the end of 2020, raises unique concerns regarding data security, identity management and access control. As more businesses of all sizes opt to invest in the tools offered by popular cloud platforms, it will be increasingly necessary for executives and their IT departments to develop identity and access management (IAM) policies designed to address these emerging concerns.

Cloud platform providers are responding to the need for stronger security with integrated IAM solutions. Knowing what offerings are available and how to leverage the tools included in each platform provides a framework for smarter, stronger IAM policies made to address the growing number of potential vulnerabilities and new types of risk associated with connected devices and remote workers in modern businesses.

Cloud computing tools are most commonly offered in two ways: software-as-a-service (SaaS) and platform-as-a-service (PaaS). In a typical SaaS model, the customer pays a monthly or yearly fee to use an application or software platform managed entirely by a third-party provider. PaaS offers more flexibility by allowing customers to control which apps are deployed on a third-party platform.

Cloud Platform Providers

Top cloud platform providers give businesses flexible, customizable cloud environments in which to build networks of integrated and complementary applications designed to support more efficient workflows, improve collaboration and increase productivity. Each provider has its own suite of available applications and range of features to address the diverse requirements of today’s connected businesses.

A white paper published by Identity Management Institute for its members offers analysis of the three major cloud platforms: Amazon, Microsoft and Google.

The Role of Middleware for Identity and Access Management in Cloud Platforms

The job of middleware is to connect client requests made via a network to the data being requested. In cloud environments, these tools may be bundled as part of a PaaS offering or obtained through another provider. The link created by middleware serves to bridge the gap between the front end of an application, which the user sees and interacts with, and the back end, consisting of computers, servers and data storage.

For the purposes of IAM, middleware can be used to simplify authentication and user access across extensive suites of cloud-based applications. Third-party authentication options like Okta, Ping Identity and Symantec VIP are known as authentication-as-a-service (AaaS) and are part of the growing number of cloud-based services being established to support the many businesses migrating to the cloud.


Preserving data integrity requires IAM policies designed to clearly define user roles and privileges and control access to applications within cloud computing platforms. Businesses planning to invest in cloud platforms and move more computing infrastructure to the cloud must carefully assess the security controls available and seek PaaS solutions designed to integrate with, supplement and strengthen existing security frameworks.

As businesses move into the future and embrace updated technologies, flexibility in cloud environments will become more important, and security concerns will continue to evolve. Today’s top cloud platform providers offer scalable, customizable solutions with built-in IAM tools, and it’s up to IT specialists to identify the unique concerns of the businesses for which they work and choose the best solution to address workflow needs and security requirements.

The Sarbanes-Oxley (SOX) Act of 2002 is just one of the many regulations you need to consider when addressing compliance. Also called the Corporate Responsibility Act, SOX may necessitate changes in identity and access management (IAM) policies to ensure your company is meeting the requirements related to financial records integrity and reporting.


What is Sarbanes-Oxley (SOX)?

SOX was passed in July of 2002 in response to a rash of incidents resulting from malpractice in accounting. The regulation added to existing guidelines and included “reforms to improve financial disclosures from corporations and prevent accounting fraud” with the aim of protecting investors from “fraudulent accounting activities.”

All publicly traded companies located or doing business in the U.S. are subject to SOX regulations. The act:

• Increases corporate responsibility for financial reporting
• Establishes new accounting guidelines
• Mandates protections against accounting fraud
• Imposes more serious punishments for noncompliance

Records collected and stored by companies affected by SOX are subject to a number of protocols intended to increase accuracy in reporting and discourage unlawful falsification and destruction of records. With strict rules governing financial reporting and how long records are stored, SOX changes the way many businesses approach accounting.

SOX Compliance Requirements

The first step in SOX compliance is to establish an “accounting framework” to create verifiable paper and data trails for all financial activities. Every action with the potential to affect financial reporting must be traced and documented as proof of compliance, including changes made to financial and accounting software.

In addition, companies must establish internal controls designed to prevent fraudulent activities and reporting. CEOs and CFOs are required to personally certify all records as “complete and accurate” in accordance with section 302 of SOX, affirming they’ve reviewed the controls at least once in the past 90 days.

Section 404 outlines the requirements for monitoring and maintaining controls. Using a framework like COBIT, companies must conduct an annual audit to determine how well the controls are working and report the results directly to the Securities and Exchange Commission (SEC). All audit records, whether physical or digital, must be kept on file for no less than five years.

Should a security breach compromise finances or records, SOX regulations require affected companies to report the incident as soon as possible.

Risk of Noncompliance

Failure to comply with SOX can incur serious penalties. Company executives who certify false reports can be fined up to $1 million for each instance, sentenced to up to 10 years in jail or both. Willful certification of false reports carries a fine of up to $5 million, a jail term of up to 20 years or both. The severe nature of these penalties drives home the importance of having strong security measures, especially since a single accounting error can compound and create several inaccurate reports if it isn’t caught in time.

How Does IAM Relate to SOX?

Because both physical and digital records are affected by SOX, access management is an integral part of compliance. When the act was first passed, many businesses weren’t yet dealing with the complexities of connectivity seen in modern enterprises. However, the requirement to put “adequate internal controls” in place for “financial reporting and governance” extends to IT, especially in environments where multiple device types connect to the corporate network from a variety of locations and a great deal of information is handled in the cloud.

Strategic IAM practices control several factors with the potential to affect financial reports:

• Insider threats
• Data breaches
• Human error

By automating activities such as user provisioning and deprovisioning and implementing granular conditional access controls, companies minimize the risk of unauthorized access and reduce instances of privilege creep. Assigning identities to devices makes it easier to control how and where employees access corporate networks, helping prevent some of the problems associated with establishing and enforcing BYOD policies.

Business IAM solutions also include automatic logging and reporting tools so that clear reports can be generated for every audit. Since corporations tend to have large numbers of employees with various levels of network access, automated logging and report generation are essential for SOX compliance. Without these tools, it would be nearly impossible to track the actions of every user and every device, and suspicious behavior could escape notice long enough to cause serious problems.

All digital security policies, including IAM, should be evaluated for efficacy as part of the annual SOX compliance audit.

Access Management Controls

For SOX compliance, organizations should keep the following access management areas in mind:

  • Manage access rights during onboarding, role changes and offboarding
  • Ensure segregation of duties (SoD)
  • Maintain an access control matrix
  • Perform periodic access audits
  • Automate reporting

Staying in compliance with regulations like SOX is important for the safety of your company and the data you handle. If you haven’t yet put measures in place to ensure compliance with regard to financial records and reporting, work with your IT department to develop an IAM strategy designed to minimize errors, prevent unauthorized access and secure all records during transmission and storage.
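The access management controls listed above, as an added example in Python that is not from the article: a constructed access control matrix is reviewed against role definitions and segregation-of-duties rules, and the findings (SoD conflicts, privilege creep left over from a role change, and access surviving offboarding) are rendered as an automated audit report. The role names, entitlements and SoD pairs are assumed sample data, not any real system's configuration.

```python
"""Added example (not from the article): a small SOX-style access review.

An access control matrix (user -> entitlements) is checked against role
definitions and segregation-of-duties (SoD) rules, and the findings are
rendered the way an automated periodic access audit would report them.
Every user, role, entitlement and SoD rule below is constructed sample data.
"""
from dataclasses import dataclass

# Role -> entitlements that role is allowed to hold (constructed sample).
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.view"},
    "gl_accountant": {"journal.post", "ledger.view"},
    "auditor": {"ledger.view", "invoice.view"},
}

# SoD rules: pairs of entitlements one person must never hold together,
# because holding both lets a single user both commit and conceal a fraud.
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.approve"),
    ("journal.post", "ledger.reconcile"),
]


@dataclass
class User:
    name: str
    roles: set
    entitlements: set      # what the system actually grants (the matrix row)
    active: bool = True    # False once HR has offboarded the person


def sod_violations(user):
    """Return the SoD pairs that this user's effective entitlements violate."""
    return [pair for pair in SOD_CONFLICTS
            if pair[0] in user.entitlements and pair[1] in user.entitlements]


def privilege_creep(user):
    """Entitlements held beyond what the user's current roles justify."""
    allowed = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))
    return user.entitlements - allowed


def change_role(user, new_roles):
    """Role change done right: entitlements are rebuilt from the new roles,
    so nothing from the old role is carried along (no privilege creep)."""
    user.roles = set(new_roles)
    user.entitlements = set().union(*(ROLE_ENTITLEMENTS[r] for r in user.roles))


def offboard(user):
    """Offboarding: disable the account and revoke every entitlement."""
    user.active = False
    user.entitlements = set()


def audit(users):
    """Run the periodic access review; return one dict per finding."""
    findings = []
    for u in users:
        if not u.active and u.entitlements:
            findings.append({"user": u.name, "type": "orphaned_access",
                             "detail": sorted(u.entitlements)})
            continue  # a disabled account's other findings are moot
        for a, b in sod_violations(u):
            findings.append({"user": u.name, "type": "sod_conflict",
                             "detail": [a, b]})
        creep = privilege_creep(u)
        if creep:
            findings.append({"user": u.name, "type": "privilege_creep",
                             "detail": sorted(creep)})
    return findings


def render_report(findings):
    """Plain-text report an auditor can file; one line per finding."""
    lines = [f"Access review: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"{f['type']:16} {f['user']:10} {', '.join(f['detail'])}")
    return "\n".join(lines)


# Constructed sample users illustrating the three failure modes.
SAMPLE_USERS = [
    User("alice", {"ap_clerk"}, {"vendor.create", "invoice.enter"}),
    # bob moved from clerk to manager but kept the clerk entitlements.
    User("bob", {"ap_manager"}, {"vendor.create", "invoice.enter",
                                 "payment.approve", "invoice.view"}),
    User("carol", {"gl_accountant"}, {"journal.post", "ledger.view"}),
    # dave left; HR disabled the account but IT never revoked the access.
    User("dave", {"auditor"}, {"ledger.view", "invoice.view"}, active=False),
]

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_USERS)))
```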


The increasing number of connected technologies used by businesses and consumers is creating more points of data vulnerability. Each new endpoint provides a potential “in” for hackers and increases the risk of identity theft from data exposure.

Business owners must recognize the growing identity theft threat to their companies, employees and customers and take steps to mitigate the risks and ensure personal data stays out of the hands of malicious third parties.

More Technology, Greater Risk

The vision of a completely connected world, once realized only in science fiction, is quickly becoming a reality. Internet of Things (IoT) technology forms an expanding web of devices in constant communication with each other and with a variety of networks. This connectivity permeates every aspect of business and personal lives and has greatly increased the risk of identity theft.

According to a survey by The Harris Poll, almost 15 million people had their identities stolen in 2017 and experienced nearly $17 billion in total losses. The Consumer Sentinel Network lists identity theft as the second most common reason for fraud reports, surpassed only by debt collection fraud.

Why are connected technologies of particular concern when considering identity theft risk? IoT devices constantly collect and send data about users, including intimate details most consumers never realize they’re sharing. Modern hackers may obtain not only identifying information but also data about individuals’ personal lives, right down to their fitness habits, the groceries they buy most often and even rough maps of their homes.

Today’s Biggest Threats to Identity

Although the Federal Trade Commission lists employment and tax fraud and credit card fraud as the two most common forms of identity theft, account takeovers are becoming more attractive to modern hackers. More connectivity means hackers can gain access to a larger database of information and launch more widespread attacks using a single set of stolen credentials.

In the 1,597 data breaches recorded by the Identity Theft Resource Center in 2017, hackers gained access to users’ names, social security numbers, birthdates and driver’s license numbers, all of which can be used to impersonate an individual or mine for more data. However, to steal an account, all a hacker needs is a user’s login information and a strategy for flying under the radar when committing fraudulent acts.

The risks associated with this type of identity theft are seen in the increasing popularity of online fraud, especially in the realm of online payments. Over 80 percent of credit card fraud is now committed in “card not present” situations, such as the use of digital payment gateways. Electronic Health Records (EHRs) are also popular targets, although hackers seem to be developing a greater interest in social security numbers when obtaining user data.

Business Identity Theft?

Individuals aren’t the only ones at risk. Businesses can also fall victim to identity theft. Both the high volume of activity and large transactions occurring at the corporate level attract hackers looking for big payouts. Unlike in data breaches, however, hackers committing business identity theft don’t infiltrate a network to steal information. Instead, they impersonate the identity of a business to commit fraud.

Businesses of all sizes are susceptible to this form of identity theft, but small businesses may be at a greater risk due to a tendency to ignore potential threats. Over half of small businesses have no concept of their level of risk from cyber attacks, and 58 percent fall victim to malware as a result. Business identity theft can affect credit score, cash flow, tax filings and brand reputation.

Strategies to Safeguard Identity

Business owners and corporate IT specialists must be aware of the risks associated with the unique nature of their onsite networks and the ways in which employees and customers connect to and interact with these networks.

Identity theft “red flag” risk assessments and routine security audits reveal points of weakness and the need for stronger safeguards and better access management policies. Using information gathered from these assessments, businesses should:

• Invest in updated security software designed to handle connected technologies
• Consider incorporating machine learning into security protocols
• Review and update access permissions
• Implement data encryption tools
• Establish protocols for user provisioning and deprovisioning
• Create policies limiting which company details can be shared publicly
• Continually educate employees on how to minimize risk

Securing internal networks with these tactics closes many common loopholes hackers use to access personal information and helps to protect businesses, employees and customers from the devastating consequences of identity theft.

Although the rapid spread of new technologies is putting personal information at greater risk for theft, business owners can take steps to increase security and protect proprietary and consumer data. Technology will continue to shift and expand, and diligent awareness of threats is essential to preserve data privacy and prevent identity theft.

Whether it’s another data breach at a major company or a shift in the way large businesses approach security, recent news continues to highlight the importance of strong identity and access management policies with help from artificial intelligence and machine learning applications. Knowing the threats you may encounter and the protections available can guide you in making the best decisions to secure your systems.

Amazon Data Breach – What You Need to Know

On November 21, 2018, just two days before the Black Friday shopping frenzy, Amazon experienced a “data issue” involving leaked “customer names and email addresses.” According to reported news, the online retail giant blamed the data exposure on a “technical error.” Users affected by the problem were sent a vaguely worded email assuring them there was no need to change their passwords.

Many users assumed the email was a phishing attempt and were baffled. However, even though Amazon is staying quiet about the details, the reported leak was legitimate. No information was forthcoming from the company about the number of people affected or the root cause of the issue, but poor access management is one potential culprit. When permissions are granted beyond a user’s access needs, errors are more likely and hackers have more opportunities to gain entrance into a system.

This leak serves as a reminder to assess permissions and keep access privileges under control in enterprise systems. With so many users interacting throughout the network on the front and back ends, it’s critical to ensure each person only has access to the information and applications necessary to perform essential tasks.

The Rise of Next-Gen IDaaS

As traditional authentication methods lose efficacy, businesses need new ways to address identity management and enforce privilege levels, such as the new generation of Identity as a Service (IDaaS) offerings available to companies searching for smarter, stronger IAM tools.

For example, Janrain Identity Central provides fresh ways to manage customer identities and sign-on procedures. Companies interacting with large numbers of users on a daily basis can leverage Identity Central’s enterprise-grade tools to improve the customer experience across all access points.

Janrain’s new offering includes tools designed to:

• Handle customer registration and authentication
• Improve customer preference and consent management
• Enable continuous integration
• Set up and maintain single sign-on (SSO) access
• Speed up self-service account recovery
• Centralize policy administration and enforcement
• Improve identity analytics

With these options readily available, companies are better able to monitor customers’ access behaviors to detect and stop fraud, and to deal with bottlenecks leading to registration abandonment.

More IDaaS solutions like Identity Central are likely to arise as customer access management increases in complexity. Companies need IDaaS to ensure a high level of security for sensitive data without hampering the customer experience. Being able to provide straightforward registration options and a seamless transition between applications removes potential barriers and allows customers to interact appropriately while preventing unwanted data access.

Do Enterprises Need AI?

With connectivity no longer limited to in-house networks and the number of internet-ready devices continuing to increase, enterprises need a better way to manage risk levels. Threats are becoming more numerous and sophisticated as hackers adapt to the changing landscape of modern networks. With IoT, BYOD, remote work and cloud-based collaboration becoming the norm, there are a growing number of endpoints at which malicious third parties can gain network access.

To address these changes, companies must be ready to switch from threat prevention to proactive detection and response. Outdated security protocols can’t offer the dynamic tools necessary to protect against numerous modern threats, which is why many businesses are turning to artificial intelligence (AI) and machine learning (ML).

With these sophisticated tools in place, enterprises can build security strategies designed to handle the 750 or more applications running on their networks and the 1,500 users accessing each application throughout the day. AI and ML are better at detecting unusual behavior anywhere on a network and can trigger immediate responses to a threat before it turns into a full-blown breach. Because these modern security resources can “learn” which behaviors are normal and which aren’t, enterprises no longer have to rely on periodic software updates to get all the information on new threats. Instead, AI and ML work together to “understand” when something is amiss and launch a defense as quickly as possible.

The smartest thing you can do to ensure your systems and data are protected against the growing number of unique threats from malicious parties is to be alert:

  • continue to watch the changing identity and access management landscape,
  • learn from security breaches in the news,
  • get more information about new solutions as they become available, and
  • implement the most relevant options for your organization.
