The global technology growth has led to high demand for skilled employees. However, estimates for 2019 reveal a profound skill deficit within the employee pool. Three million IT positions need to be filled, but there are not enough qualified individuals to fill them. Within the cybersecurity sector, 500,000 security specialists are needed within the United States alone. Individuals with professional certifications, technical, knowledge, and a deep understanding of identity risk management standards and guidelines are highly sought.

Identity and access management jobs and career path with certification courses from Identity Management Institute

IAM Positions at All Levels and Skills

Positions that need to be filled include entry-level positions as well as high-level positions and numerous mid-career level positions. Enterprise level organizations are in need of talented individuals but so are start-ups and mid-size businesses. There are positions for third-party, independent contractors as well. Regardless of education level, experience level or required salary, there are openings for individuals with an IT background and an interest in identity and access management.

Below is a list of a few popular identity and access management jobs and titles that are often listed on job boards:

  • IAM System Architect
  • IAM System Engineer
  • IAM Access Control Specialist
  • IAM Administrator

Recent graduates and experienced professionals with identity and access management certification are qualified to fill these open positions.

The Need for Identity and Access Management Certification

Government agencies are becoming stricter when it comes to data privacy. The European Union’s GDPR standard is expected to become the default standard, even in regions where industries are not obligated to comply. As a result, organizations seek certified security specialists who remain current on legislation, technology and consumer demands.

In addition, entities like the United States Department of Defense require contractors and employees to fulfill DOD IAM levels. A solid background in IAM practices and strategies prepare individuals to pass DOD standards. Since data security jobs are in high demand, supplementing existing IT knowledge with security certifications increases employability.

Other regions and industries seeking identity and access management certified employees include insurance organizations, consumer-facing organizations within the retail and service industries, legal organizations, biomedicine and pharmaceutical companies, real estate firms and others.

Employees with roles beyond the IT department also benefit from identity and access management certifications. Whether acting as a data analyst, human resources administrator or business analyst, holding a certification in fraud prevention, data protection or identity theft is helpful to employers and essential for a well-rounded resume.

Identity and Access Management Jobs Salary

The range of positions available within the identity and access management job market lends itself to a range of salaries. Location dictates salaries, as does the size of the organization and required skill set, experience and education. Starting at the highest level and moving to the lowest, here is a sample of salaries for identity and access management jobs.

IAM System architects can expect to earn an annual salary of $100,000 to $200,000.

IAM System Engineers and Developers are needed across a range of business levels, not simply enterprise organizations. This results in a range of salaries, with the highest reaching $140,000 per year and the lowest within the $60,000 per year range.

IAM Access Control Specialists, administrators, data analysts and business analysts can expect to see salaries within the $35,000 to $75,000 range.

Higher salaries are provided to those with high levels of education, experience and creative thinking. This information is provided within identity and access management job descriptions.

Employers Seek Creativity, Education and Certification

Increased awareness of the need for data privacy, new regional privacy standards and enterprise level security tools require organizations to move beyond a generic approach to data access. Single sign-on technology, biometrics, multi-factor authentification, role-based access control and privileged access management provide enterprise organizations with the flexibility they need to meet the privacy demands of government regulators as well as answer the concerns of clients and employees.

Since organizations are not looking for generic solutions, they are offering detailed job descriptions with specific skill sets. Knowledge of the organization’s industry is also highly prized.

A sample of job descriptions reveal that certain skill sets are in demand, but the depth and extent of those skills are dependent upon the individual’s role within the organization, the organization’s size and the regulatory requirements of the organization’s industry. Here are some job descriptions that run the gamut from highly skilled to generally skilled.

Identity and Access Management System Architect

This role requires the most education and experience. Qualified individuals have experience with project management, leadership, software development, cybersecurity and industry-specific knowledge. Sometimes called a Digital Transformation Architect, this multi-faceted individual ensures that executive roles, IT departments and consumer-facing tech are in alignment with security standards.

Individual and Access Management Engineer

IAM engineers are experienced software engineers and developers. Due to the lack of IAM engineers, many employers are seeking flexible and adaptable software developers with an interest in cybersecurity.

Recent job descriptions in high demand locations are specifically looking for software engineers who aren’t afraid to make mistakes, have a creative approach to problems and “an ability to understand business’ functions and technology use.”

Individuals who have the skills needed to fulfill high level sysadmin and devops positions, and who aren’t intimidated by power structures, have what it takes to fulfill the Individual and Access Management job responsibilities of an IAM engineer.

IAM Administrator

These individuals play a highly technical role and are often the first responders to security breaches and other incidents. Employers expect these individuals to have a degree in computer science, experience with ID provisioning, experience in IT operations and the ability to track and manage multiple intake systems and experience performing root cause analysis.

Identity and Access Management Analyst

This identity and access management job description fulfills the needs of entry-level job seekers with degrees in computer science or cybersecurity. In this position, candidates should have a functional understanding of database administration, directories and protocols among others.

Identity and access management job responsibilities, regardless of position level and experience, require adherence to a code of ethics and knowledge of critical risk domains, or CRD, to include:

  • Regulations and Compliance
  • Program Management and Administration
  • Risk Assessment and Mitigation
  • Product Development and System Management
identity and access management career path

Identity and Access Management Career Path for Experienced Professionals

Experienced individuals employed as system engineers and architects can improve their chances of being hired, promotion and higher earnings by pursuing the following certifications:

Individuals employed in consulting, analyst positions such as data analysts, or administrative roles, such as human resources, compliance, or department supervisors can increase their opportunities to provide better security services by pursuing the following certifications:

Identity and Access Management Career Path for College Graduates

College graduates have spent numerous academic hours honing their coding and software development skills, experimenting with new platforms and learning the ins-and-outs of cloud and hybrid systems. These skills are in high demand across industries due to the evolving nature of software systems and cloud development tools. To increase employability and meet the needs of cyber security-aware firms, adding the following certifications to a resume helps candidates stand out from generic job seekers.

Numerous identity and access management jobs need to be filled. These jobs range from software engineering, product development, consulting, project management, and access administration among others. Employment indicators show that IT job salaries may have reached a plateau. Augmenting your current technical skills with an IAM certification can boost salary options and increase job opportunities as identity and access management has become the core solution for the cyber security industry.

Technical identity and access management experts need to better understand the IAM risks and best practices in order to design and implement products that address the evolving challenges. On the other hand, non-technical IAM specialists need to better understand the IAM tools and their features in order to use the IAM systems and manage projects effectively.

Biometric identifiers are currently used as part of the authentication process at 62 percent of organizations, and 70 percent of U.S. consumers would like to see biometric authentication expand into their places of work. Often used alone or as part of multi-factor authentication protocols, biometric data is seen as a more secure alternative to traditional passwords.

However, concerns about potential vulnerabilities are beginning to arise as the use of biometrics becomes more prevalent. What risks are businesses and organizations taking by adopting biometric authentication, and how does it impact customers and employees? 

Unlike passwords and verification codes, biometrics are fundamental parts of users’ identities. The following common identifiers represent unique physical or personality traits:

• Fingerprint scan
• Iris scan
• Facial scan
• Voice recognition
• Handprint geometry
• Vein mapping
• Behavioral characteristics

Whether inherited or learned, these markers are core aspects of personally identifiable information (PII) and can’t be changed. Hacked passwords are easy to reset, but what can consumers and employees do if a hacker steals what’s essentially part of their biology?

The use of biometrics in authentication means every action taken is connected to the user to whom specific identifiers belong. Once a malicious third party manages to compromise a scan or fool an algorithm, it puts the real users’ reputation at risk. Technology for capturing images and information used in biometrics is becoming more powerful, which allows for more nuanced and detailed profiles of consumers and employees. However, just one vulnerability in the way the data is captured, stored or transmitted can expose private PII and allow hackers to not only access business networks but also take over every account associated with an individual’s biometric information.

Inaccuracy and Fraud
The tendency of users to assign similar or identical passwords to multiple accounts is often cited as a major problem for system security, but this becomes less of a concern when passwords are encrypted and hashed. Hashing assigns a completely unique identifier to every password, which is difficult or impossible for hackers to decode. This allows users to set passwords they can remember for easy access to systems.

By contrast, scanners used to capture and read biometric data aren’t accurate 100 percent of the time. Even slight variations in how a user touches a fingerprint scanner or looks at a camera during a facial scan will create different images. The resulting discrepancies can cause authentication to fail and lock legitimate users out of the system.

The irony of this situation lies in a hacker’s ability to reproduce a convincing fake of the original scan and use it for successful access. Information is vulnerable when it’s recorded, stored and transmitted, giving hackers multiple opportunities to lift identifying data.

Storage and Encryption
Once identifiers are collected, the data has to be stored somewhere. Because no form of storage can be considered completely safe, this creates the same problem as any other access management strategy in which businesses and organizations are responsible for securing users’ identities. Encrypting data during transfer only addresses part of the problem, since hackers can still access biometric information as it’s collected and when it’s being matched to previously captured data.

Businesses can improve security by adopting runtime encryption, which keeps sensitive data encrypted during use, or choosing not to store biometrics at all. Authentication apps utilizing biometric data stored locally on users’ devices minimizes the danger of compromise but still carries risks if a device is lost or stolen. Compromised applications on devices or networks create additional vulnerabilities, which much be considered when determining the best method to implement.

Predictions show almost 90 percent of business will use biometrics by 2020, and yet it still has the kind of mystical appeal often associated with science fiction. Business owners must beware of seeing biometric authentication as a cure-all or magic bullet for solving problems with access management.

Research conducted at Michigan State University showed just how dangerous this kind of thinking can be. Using machine learning, researchers created a set of incredibly accurate “MasterPrints,” synthetic fingerprints with the ability to match to numerous real fingerprints and undermine the security of biometric scanners. In another startling example, Vietnamese hackers were able to use a just a handful of materials and tools to create masks capable of fooling Apple’s FaceID. Without other security measures in place, biometrics are vulnerable to compromise and can leave business networks vulnerable to these types of attacks. 

Businesses faced with the challenges of implementing biometric authentication need expert help to prevent the personal identifiers of their customers and employees from becoming compromised. With so much at risk, both an accurate understanding of potential vulnerabilities and a solid identity theft prevention plan are essential to preserve the privacy and integrity of personal data.

Each new data breach casts doubt on whether personal data can ever truly be kept private. Despite increased efforts to improve security and prevent hacking, major sites continue to become the targets of global hackers. What do these breaches teach businesses and users about modern cybersecurity, and what can be done to minimize future risks?

What can we learn from data breach incidents? Lessons learned from data breach cases.

Millions of Users Compromised on Instagram

In March 2019, Facebook announced in a blog post that tens of thousands of Instagram users’ passwords had been “accidentally” stored in a format readable by third parties, although the social site claimed none of the passwords were “internally abused or improperly accessed.” By April, the number of affected users had increased to the millions, suggesting the breach was much more extensive than was first believed.

All affected users should have been notified by Facebook, but despite the apparent lack of malicious activity, the full impact of any vulnerability may not always be known. With no indication of who might have had access to the passwords or how the data might be exploited, it’s possible information associated with the accounts could have been compromised.

Instagram was in the spotlight again about a month later when information on 49 million users, including celebrities and popular influencers, was discovered in a database belonging to Chtrbox, an influencer marketing site. Information was reported to include profile pictures, likes, shares, follower counts, locations, phone numbers and email addresses.

Chtrbox claimed only 350,000 records were in the database, all compiled from publicly available information and not Instagram itself. If any of the data did actually come from Instagram, it’s possible a flaw in the website, which may have existed since October of prior year, could be to blame. The database was “inadvertently left unsecured for approximately 72 hours” before being fixed. 

Canva Design Tool Attacked and Breached

Other sites are equally vulnerable even when they don’t contain the same level of personal data found on social media platforms. A breach of the Australian design tool Canva highlights this unsettling reality. Canva allows users to create custom images for social media posts and profiles, email marketing, blogs and print advertising and was recently breached by an opportunistic hacker going by the name “GnosticPlayers.”

The hacker claimed to have stolen data on 932 million users from 44 sites across the web, including Canva which closed its database server after detecting the breach in mid-May 2019, but it was too late to prevent 139 million records from being compromised. Seventy-eight million of the affected users sign into Canva through Google accounts, which could put additional information outside of the design platform at risk.

Canva assures its users no login credentials were compromised because all passwords for the site and third-party login options are encrypted and impossible to decode. However, it continued to advise users to change passwords for Canva accounts as a precaution. 

How Should Users Respond?

The smartest thing for individuals to do after a data breach is to change passwords for the affected sites and any sites where the same email address and password combination are used. Those signing in through a third party, such as Google, may also want to consider updating those passwords, as well. Even though affected users receive notification from companies that experience a data breach, a password reset is always a good precautionary measure following data compromise.

Creating stronger passwords, eliminating duplicates and managing password information more carefully reduces the risk of multiple accounts being compromised. Adopting the highest security settings and adding firewalls, anti-spyware and anti-malware programs to all devices can provide another layer of protection during daily work and web browsing. 

How Should Businesses Respond?

Companies handling any kind of personal information need to implement more sophisticated security measures and take advantage of solutions incorporating artificial intelligence and machine learning to monitor network use and detect anomalies suggestive of possible malicious activity. Early detection is key in preventing extensive breaches, and technology is continuously being updated to handle new threats.

IT professionals trained in disciplines relevant to breach prevention can help business owners develop and deploy improved cybersecurity plans and educate both employees and customers in better password management practices. Some companies are dealing with increased threat risks by phasing out passwords completely and introducing more secure login options.

It’s unlikely breaches will ever stop completely, but businesses and users are responsible for taking proactive steps to reduce risks as much as possible. For IT professionals, massive breaches like those affecting Instagram and Canva highlight the growing need businesses have for better access control and cybersecurity protocols. Individuals with knowledge and experience in identity risk management and identity theft prevention can provide the guidance required to identify potential vulnerabilities and thwart hackers before millions of records are compromised.

Identity and access management certifications

For banks, credit unions and other financial institutions, verifying the identity of customers is of vital importance. Compliance regulations are becoming more complex, requiring more diligence and detail during onboarding and throughout the customer lifecycle. Among these regulations is the “know your customer” (KYC) process, which may directly affect how institutions handle identity management.

Know Your Customer information by Identity Management Institute

What is Know Your Customer (KYC)?

When a customer wants to do business with a financial institution, it’s up to the institution to make sure the person is who he or she claims to be and the transactions being performed are legitimate. At its most basic, KYC means getting a better understanding of each customer’s identity prior to entering into any kind of relationship or agreement. The process prevents individuals on prohibited lists and those with whom doing business poses too great a risk from negatively impacting operations.

The KYC regulations began in 2001 as part of the Patriot Act and include two main requirements:

• Customer Identification Program (CIP), in which identifying information is gathered and analyzed 
• Customer Due Diligence (CDD), a predictive approach to fraud prevention requiring knowledge of customer behaviors to assign risk ratings and detect anomalies suggestive of fraud

Maintaining KYC compliance through these processes poses a challenge in light of the changing nature of identity and the growing volume of customer data in a connected age.

How Do KYC Rules Impact Identity Management?

In combination with other anti-money laundering (AML) regulations, KYC is meant to help minimize problems with fraud, money laundering and the siphoning of funds to terrorist groups. By identifying customers as legitimate or risky before giving them the green light, CIP and CDD should, in theory, reduce the number of fraudulent or illegal transactions and lessen the likelihood of identity theft.

However, implementing CIP and CDD can complicate the process of identity verification, making even simple transactions cumbersome and creating bottlenecks for both customers and institutions. Getting a more detailed understanding of identities requires customers to collect and present a greater number of documents, which financial institutions then must verify as genuine.

Due to the longer process, onboarding time has already jumped significantly since more institutions began complying with KYC. In 2016, it took 22 percent longer to onboard corporate clients, and the process slowed down another 18 percent the next year. This can have a serious impact on a bank’s ability to build its customer base and makes it nearly impossible for businesses to complete important financial tasks during the onboarding period. 

How Can Businesses Become KYC Compliant?

As with other regulations implemented to protect privacy, minimize fraud risk and combat identity theft, failure to comply with KYC can carry hefty fines. Between 2008 and 2018, financial institutions in the U.S. alone had to shell out $23.52 billion as a result of noncompliance, representing a large percentage of the $26 billion global total.

What can businesses do to avoid penalties?

Cybersecurity experts, particularly those versed in identity theft prevention, can help clarify the confusion surrounding identity management protocols, and KYC analysts are available to lessen the burden associated with identity verification and policy implementation. With the help of these professionals, businesses are better equipped to maintain compliance through:

• Smarter, more thorough customer onboarding procedures
• Ongoing monitoring using automated tools and artificial intelligence
• Identification of unusual behaviors indicative of fraud

These processes make it easier to identify high-risk customers and flag possible cases of identity theft before significant damage is done or compliance is threatened.

The Best Approach for Compliant Identity Management

With 16.7 million victims of identity fraud in 2017 and $16.8 billion stolen as a result, financial institutions can’t afford to ignore KYC. Compliance can be considered part of what’s now known as customer identity and access management (CIAM), the next step in the evolution of modern identity management protocols. CIAM adds another layer to traditional IAM to help businesses address the complications of an increasing number of identities, platforms, devices and touchpoints.

Minimizing the risk of fraud and identity theft in financial transactions requires continuous identity checks and verification during the course of the customer lifecycle, for which businesses can invest in seamless digital verification solutions. These solutions are compatible across platforms and can be scaled to handle global transactions. This aids in streamlining an otherwise cumbersome process and may help offset the average annual KYC compliance cost of $48 million.

For IT professionals, staying on top of KYC regulations is necessary to help financial institutions and businesses deal with the challenges of identity management in the modern era. Businesses need help staying compliant, and compliance requires a strategic approach to verifying and protecting customers’ identities. Certification in identity theft and fraud prevention can help IT professionals bring knowledge and expertise to businesses seeking guidance with KYC compliance.

Identity and access management certifications

Managing user identities and permissions is an essential component of cybersecurity, particularly at the enterprise level. Increasing numbers of devices and a greater diversity of device types calls for a smarter, more detailed approach to network security, and businesses are turning to artificial intelligence (AI) for help.

Breaches, Cybercrime and AI

The threat of a breach is significant for today’s companies. Two-thirds of organizations experienced a breach in 2016, and the global cost of cybercrime in general is expected to reach $6 trillion by 2021. Exposure of personal information is of particular concern. While breach numbers fell 23 percent between 2017 and 2018, 126 percent more records were compromised

Although better identity and access management (IAM) practices can lower the risk of cloud breaches by 63 percent and server and application breaches by 46 percent, thereby protecting user and consumer data, the vast majority of organizations lack a “mature approach” to IAM. Enterprises are attempting to remedy the situation by introducing artificial intelligence (AI) into their security protocols. About 15 percent of enterprises currently use AI, which has the potential to both minimize breach risk and improve business operations.

Smarter Workflows through Intelligent Access

Role-based access is a common approach to IAM, but it can fall short in workflows in which employees need short-term or one-time access to network assets. Even with a single sign-on model, users may be required to sign into multiple different applications to complete a single task or project, which can significantly slow down day-to-day business activities.

Granting special access has its own challenges. There’s always the chance access won’t be properly revoked when permissions are no longer needed, and accounts with more privileges are attractive to hackers looking for easy ways to infiltrate networks.

Using AI can minimize the risk of both workflow bottlenecks and increased account vulnerability. With AI-powered security, businesses can implement continuous authentication protocols in which user activities are monitored on an ongoing basis during sessions using a robust set of identifiers, including visual and audio cues.

Fine-Grained Access at All Permission Levels

Continuous authentication is a must when privileged accounts are required. AI provides the means by which businesses can monitor all user activities and behaviors within their networks on a moment-by-moment basis. With the security system always checking for anomalies and unusual patterns, it’s possible to fine-tune access privileges and revoke access when a user doesn’t behave as expected. Such security measures can be implemented to cover every device connecting to a business network, regardless of platform or location.

As of 2018, 32 percent of organizations were relying completely on AI for cyber threat detection, which indicates the technology is paying off. To get the greatest benefit, however, security systems must be provided with as many identifying factors as possible. A more robust identity profile for each user creates smarter access control across the network.

Learning and Intervening Without Humans

AI is often combined with machine learning (ML) to create powerful tools for breach detection and prevention. As users interact with a network, ML algorithms “learn” their normal behaviors and can adapt in response to this information. This technology is making it increasingly possible to automate security and reduce the number of alerts requiring human attention.

Growing businesses and enterprises need automation to handle an otherwise overwhelming amount of user data. Adding even a few users to a network introduces new behavior patterns with variations and nuances unique to each user. Monitoring these behaviors and identifying discrepancies becomes almost impossible in large networks, but AI and ML can keep up where human efforts fall short.

Better Responses to Incidents

So far, AI is showing the most promise when it comes to incident response. Between 2015 and 2016, the number of days it took organizations to detect a breach dropped from 146 to 99, a significant change considering the amount of damage hackers can do in a short time.

Using predictive analytics, security systems with AI components are better equipped to estimate the potential extent of a breach and the level of risk at the time of detection. This sets interventions in motion sooner, whether from a human cybersecurity team or the AI tool itself. With the help of ML algorithms, AI can determine when user behaviors require a lockdown of certain parts of the system and minimize data loss by preventing hackers from getting any deeper into the network.

For IT professionals, AI represents the next frontier in security and access management. The demand for trained security professionals is likely to keep growing as AI and ML become more powerful and give rise to new options for breach prevention. Certification as an identity and access management specialist or technologist provides both the knowledge and experience to help businesses keep up with the changing IAM landscape.

Identity and access management certifications

Consumers are a high-risk group when it comes to identity theft. According to the 2018 Identity Fraud Study by Javelin Strategy and Research, 6.64 percent of all consumers, or 1 in 15 people, were victims of identity fraud in 2017. Account takeovers jumped 61 percent between 2015 and 2017, and those with social media profiles were 30 percent more likely experience account compromise.

This spike in malicious activity presents a serious concern for business owners trying to protect their customers’ data and identities. With a new case of identity theft occurring every 2 seconds, it’s essential to employ professionals possessing the knowledge and experience to minimize consumer risk and ensure safer network environments.

How Can CIPA Certification Help?

The Certified Identity Protection Advisor (CIPA) designation is for “professionals who can educate, guide, and support consumers with their identity theft prevention, detection, investigation and resolution solutions.” As a registered trademark of the Identity Management Institute (IMI), this certification signifies a person has the skills to address the growing problem of identity theft among consumers and provide education to “lower fraud losses”associated with consumer information and identity compromise.

The benefits of becoming a CIPA aren’t limited to individuals working in IT. Anyone whose job or industry deals with situations in which identity theft is a serious potential problem can take advantage of CIPA training. This includes those providing healthcare, insurance, legal advice and financial or accounting services, as well as law enforcement officials. By offering “strong identity theft protection training,” CIPA certification prepares professionals in all these areas to address the unique challenges involved in dealing with consumer accounts and data protection.

Symantec reports an alarming 87 percent of customers have left personal information exposed when accessing accounts containing sensitive data, such as email, banking and financial services, indicating many are ignorant of rudimentary security measures. Since a single compromised account can lead to a devastating breach, businesses need help educating consumers in the basics of identity theft prevention. 

What Are the Benefits of Being a CIPA?

In the business world, there’s a growing need for professionals to help address the challenges associated with identity theft. Business owners don’t have the time or resources to teach customers how to avoid every possible action known to leave personal accounts vulnerable to attack.

A CIPA designation gives professionals the ability to aid in minimizing threat risks to consumers and the companies with which they do business. This offers a “competitive edge” in the cybersecurity market and makes CIPAs more desirable as potential hires, specially when combined with other identity and access management certifications. High-risk organizations in particular require the guidance a CIPA can offer when seeking to reduce the overall likelihood of a breach.

Because CIPA training and certification provides a detailed understanding of identity theft risks and protection solutions, professionals with this designation are able to:

• Share and follow best practices for avoiding identity theft
• Develop and implement identity theft risk management plans
• Set up and maintain tools to detect potential fraud
• Direct customers in their rights and business in their obligations regarding data protection and breach prevention
• Help consumers investigate and resolve identity theft cases in a timely manner

Potential employers see certification as confirmation of a professional’s skills in these areas and recognize the benefit of hiring a CIPA over someone without specialized training.

How to Get a CIPA Certification

The Identity Protection Advisor certification is only offered through the IMI and requires membership to apply. Professionals wishing to go through the training and take the exam must sign up using the CIPA application on the IMI website.

Once an application is pre-approved, candidates must pay a certification fee, plus any applicable membership fees. The certification fee includes a study guide and the cost of the exam itself. A short CIPA video training is also available for an additional fee. Candidates have one year from the time payment is received to study for and pass the exam with a score of at least 70 percent. CIPA candidates can also order the Credit Report Review and Error Correction Guide video training.

There are 10 “Critical Risk Domains” (CRDs) covered in the training and certification process, including fraud detection, theft and fraud prevention, risk management, relationship management, awareness and investigation and resolution. Knowledge from each domain is required to both pass the exam and provide essential identity theft prevention services to businesses and their customers. 

Professionals who qualify for certification with a passing grade are required to remain IMI members and pursue continuing education opportunities to maintain the designation. These include:

• Reading relevant books
• Writing articles, books or training materials
• Attending or teaching training courses
• Attending seminars and conferences

For more information on becoming a Certified Identity Protection Advisor, visit the IMI’s CIPA certification page. See details of the risk domains covered on the exam, take a practice test and explore other certifications for professionals seeking to expand their skills sets.

Changing cybersecurity concerns impact every organization handling sensitive personal data. The latest trends in identity and access management (IAM) point toward a future in which most data and applications reside in the cloud and the concept of a “user” becomes more and more flexible. For IAM specialists, the challenge lies in keeping up with these changes and understanding how to adapt security protocols to meet the needs of clients across industries.

IAM Meets UEM for Stronger Device Security

Until recently, functions in IAM and unified endpoint management (UEM) overlapped, but each solution ran on a separate platform. As the number and types of devices used to access networks increases, it’s becoming necessary to bring the two together into a single system for easier management.

UEM involves “securing and controlling” all the devices on a network in a connected, cohesive manner from a single console. Devices may include:

• Desktop and laptop computers
• Smartphones
• Tablets
• IoT devices

Businesses of all sizes are now dealing with situations in which employees access applications and data from multiple devices, often moving between devices during the workday. Each device needs to be not only monitored but also secured to prevent data compromise or theft.

Some IAM providers are beginning to add UEM capabilities to their offerings in response to these changes, and UEM companies are doing the same with IAM. However, for companies not using comprehensive platforms, it’s necessary for IT professionals to seek IAM and UEM solutions designed for smooth integration to ensure there are no gaps in security coverage. 

Microservices Increase IAM Flexibility

Device diversity and complex workflows require flexible environments for access and security. Vendors are making this easier for developers and end users by modularizing common IAM functions into “microservices.”

In a modular system, services like token validation and authentication are provided as independent, self-contained modules, which can then be connected using integrations. Communication via APIs keeps services independent of any particular platform or operating system, so developers can also incorporate IAM modules into apps. Integrations can be challenging when grouping modules from different vendors, but these links are essential for proper communication. Information must flow uninterrupted between modules for access and authorization to remain efficient.

Cloud Migration Requires Updated Access Roles

Just as IAM structure is changing, so are definitions that were once clear. In the past, a “user” was a person and a “machine” was a single device, usually a computer or workstation. Today, a user can be an actual person, an application, a mobile device, an IoT device or anything else requiring access to or within a system. Machines may be applications, systems or devices of any type.

Cloud migration is part of what’s driving this change. By the end of 2019, half of all enterprise workloads will be in the cloud, and IAM services are also moving to cloud environments. This shifting landscape requires a new approach to access management, although not all businesses are on board. Some still handle and store identity information on premises and are either unwilling or not yet ready for a completely cloud-based solution.

However, on-premises security measures are no longer sufficient to address the concerns presented by complex modern systems. Businesses must go beyond the basics and consider adopting a more aggressive approach, such as zero-trust security. With so many endpoints to consider, the granular control offered by zero trust is becoming an essential part of cybersecurity protocols.

Over 80 Million Households Exposed in Latest Massive Data Breach

A database recently discovered by a team of Israeli data security experts highlights the critical importance of IAM for all types of organizations. As part of their work at vpnMentor, the team was performing a sweep of unsecured cloud databases with the intent of notifying owners of the need to protect the data.

The database contained information on more than 80 million U.S. households, and all individuals in the database were over age 40. At first, no one was sure where the data had come from or who had compiled it, but later reports showed it apparently belonged to company offering insurance, healthcare or mortgages. Only some of the data was encrypted; other information was readily accessible. Exposed information may have included names, addresses, genders, marital statuses and income levels.

Since the discovery of the database, which was hosted on a Microsoft server, Microsoft has removed the information and notified the owner. However, it’s unclear how long the database existed or whether any of the data was compromised by hackers.

Identity and access management certifications

Without dynamic, adaptive security systems equipped to detect subtle changes in user behavior and prevent unauthorized access, the risk of breaches in these types of situations remains high. Businesses and organizations need qualified cybersecurity specialists to develop robust protocols designed to protect systems from today’s sophisticated hackers.

Employees often fall victim to phishing and social engineering attacks which result in compromised system access and data breach. It is reported by some industry estimates that employee errors cause data breach incidents in over 90 percent of cyber security attacks. The problem is even worse when considering that some of the victimized employees are super users with highly privileged system access.

One of the easy and cheapest ways hackers target companies and their systems is through phishing emails which appear to come from trusted sources such as company executives or IT support personnel instructing the employees to click a link which then prompts employees to enter their ID and password to complete the task. These compromised accounts and passwords are then used to steal data or to target other potential victims.

Many companies continue to focus their cyber security attention elsewhere neglecting employee education. “Hackers know that employees present vulnerabilities that seldom exist in fortified systems which they can easily and cost-effectively exploit to achieve their goals’ according to Henry Bagdasarian. This is why children are better targets than adults because they are easily fooled with fraudulent emails while they use the home computer which is shared by the entire family where tax returns and other documents with valuable information are stored. Imagine a child clicking on a link and following through subsequent instructions that result in installing a spyware on the home computer. Anyone who uses that computer afterwards to access bank accounts and other online accounts is subject to their password and account information being compromised.

One of the main principles of security management is identifying and categorizing risks. The risk of an employee being the target of a hacker attack is hardly taken as seriously as an attack on a company’s system and technology infrastructure when in fact employees pose the greatest risk that cost a lot less to remediate than system vulnerabilities. Most companies do an excellent job at securing their systems while failing to recognize and resolve the greatest risk facing their organizations which happens to the common root cause of most data breach incidents.

According to Bagdasarian “other human errors that lead to data breach cases include:

  • account and password sharing,
  • management override of controls,
  • use of unchecked personal devices for business,
  • lack of data loss prevention (DLP) controls,
  • high number of exceptions to policies,
  • hiring criminals due to lack background check,
  • lack of system and user monitoring, and
  • ignoring inactive, orphan, and excessive number of privileged accounts for a long period of time”.
Identity and access management certifications

Resolving Employee Error Risk

Assuming that employees are the greatest risk to organizations, one of the best actions that companies can take to minimize the risk is to assess the level of access each employee has and determine whether that access is needed and appropriate. Once employees with highly privileged access are identified, they must be targeted for increased cybersecurity awareness and education. To further minimize the risk, on-boarding and off-boarding practices must be assessed to ensure excessive access is never granted unnecessarily and departed employees are taken off systems immediately upon their departures. Once this is done, plan to start the process again soon and audit the systems periodically to ensure nothing falls through the cracks.

Companies dealing directly with consumers face particular challenges in the area of identity management. In addition to handling the identities of internal users, these companies are also tasked with protecting the information of hundreds of thousands or even millions of customers. Successful customer identity and access management (CIAM) requires a balanced approach focused on both data security and user experience.

Facing customer identity challenges with customer identity and access management (CIAM) solutions.

IAM vs. CIAM: Unpacking the Differences

Traditional identity and access management (IAM) deals with a group of known users within a specific organization. The organization creates and manages identities, stores information in a central location and uses sets of roles or rules to control access to applications and information. Even in enterprises, the number of identities accessing a network at any given time remains relatively small, and IAM solutions deal mainly with providing accessibility and productivity.

CIAM, by contrast, involves a vast number of identities created and managed by users. These identities encompass all behaviors customers exhibit as they interact with a business or organization and may include public information or highly sensitive private data. Due to this level of detail, compliance is even more important than with traditional IAM, making consent management an essential element of any CIAM policy. Customers also expect a personalized experience with easy access and seamless transitions between devices and platforms.

IAM and CIAM do share some characteristics, including centralized information storage and multifactor authentication (MFA) methods. However, the tools and platforms for managing identities differ, requiring businesses to adopt a separate solution for CIAM. With over 3 billion records exposed through breaches in 2018, a clear need exists for an approach designed to meet the most pressing challenges of managing customer identities.

CIAM Challenges

The sheer volume of users is the core concern in CIAM. A greater number of users creates a much larger centralized database of identities, which can easily become a target for hackers. At the same time, regulatory bodies are updating compliance requirements in response to consumer demand for more control over the information companies store and share.

CIAM becomes even more complicated when considering the diversity of the devices people use to interact with businesses. In 2017, the average North American consumer owned 13 connected devices, and more internet-ready “things” continue to appear as a growing number of companies enter the IoT market. Most people move between devices throughout the day, and some devices contain multiple user profiles. CIAM must address the need for a seamless experience regardless of how users choose to log in at any given time. 

Behavioral monitoring to detect possible malicious activity takes on a much wider scope in CIAM. Having such a large number of unique preferences and behavior patterns requires a highly sensitive monitoring solution with the ability to learn, remember and recognize a huge volume of customer interactions and detect when something deviates from the norm. Integration with CRM is essential if businesses wish to leverage data for marketing, but monitoring for security purposes must take precedent to ensure customers are granted appropriate accessibility without putting sensitive data at risk.

Approaches and Solutions for Businesses

How can businesses and organizations strike a balance between maintaining security and providing the kind of experience customers demand? It helps to consider CIAM as part of an overall approach to customer service. Customers want both security and ease of use, and failing to deliver can have a negative effect on a company’s bottom line. 

An assessment of current data collection and storage practices is a good place to start. Companies should know:

• How customers share data
• The channels through which data comes in
• How data is stored once collected
• Who within the company has access to customer data

Combining this information with knowledge of how customers interact with the business provides guidance when choosing a CIAM solution. Platforms must be designed to scale to meet demands while providing the integrations businesses need to create the right combination of security and usability.

Single sign-on (SSO) and bring-your-own-identity (BYOI) options provide at least a partial solution by offering customers the option of signing in to multiple different accounts using one identity instead of creating separate profiles. Before investing in these third-party platforms, however, businesses need to know how providers handle security. Poor security measures can not only put companies at risk for noncompliance but also result in a potentially catastrophic loss of customers should a breach occur.

Identity and access management certifications


As an increasing number of users share information requiring various levels of security, businesses must now protect company data and assets along with all the information customers share through a diverse range of interactions spanning multiple channels and endpoints. Robust CIAM platforms providing seamless customer experiences are essential for meeting these diverse needs. IT professionals certified in relevant IAM disciplines can guide companies in creating and implementing customized solutions with the right tools to face tough security challenges.

In an age where over 20 billion devices are expected to be connected to the internet by 2020, identity theft is a major concern. Data breach notifications in the U.S. jumped from 12 percent to 30 percent between 2016 and 2017, and fraudulent use of identity information affected 16.7 million people, resulting in the loss of $16.8 billion in 2017. These statistics indicate the need for a better way to control access and protect identities.

One promising possibility is the use of blockchain technology to put control and ownership of identifying information back into the hands of users and eliminate some of the major risks associated with current identity management systems.

Decentralized Identity in the Blockchain

Many of the ways businesses and organizations manage identities are far from efficient and include multiple points of vulnerability. User information is often stored in centralized databases or connected to third-party authentication services, creating pools of data hackers can easily mine and exploit. Companies storing the data maintain the lion’s share of control, leaving users to rely on privacy regulations to ensure proper handling of their information.

Blockchain technology could change this whole picture by taking the centralized element out of identity creation and management. The nature of data creation and storage in the blockchain makes decentralized and self-sovereign identities possible for individuals, organizations and devices. Instead of multiple identifiers spread across platforms, decentralized identity involves a single, user-controlled set of identifiers integrated into the blockchain, which theoretically could allow universal access to platforms and services.

Each “block” of data in the blockchain has its own unique “hash” setting it apart from all others. New blocks are stored in a linear, chronological fashion, and each block contains the hash information from the one before it. The result is a database of information in which blocks are both independent and interconnected, making it incredibly difficult for hackers to tamper with data. Editing information in any one block causes the hash to change and requires adjusting the hashes of all subsequent blocks, a monumental task even for the most enterprising identity thieves.

Streamlining Transactions with Smart Contracts

Whether a user is making a purchase, accessing a service or switching between applications as part of a daily workflow, the decentralization of identity has the potential to simplify each transaction requiring authorization through the use of smart contracts.

A smart contract is “a computer program that directly controls the transfer of digital currencies or assets between parties under certain conditions.” Such contracts are self-executing and require no mediation by a third party. With smart contracts, a business or organization can set forth the terms of a specific transaction, such as accessing sensitive information, and rely on identities stored in the blockchain to validate users. This becomes particularly useful in zero-trust security models, as it eliminates reliance on third-party authentication services and has the potential to speed up workflows in a variety of use cases. 

Pros, Cons and Pitfalls

The biggest roadblock to universal implementation of decentralized identities is the current low adoption rate of blockchain technology. Only 1 percent of CFOs across the globe have already deployed blockchain in their organizations, and just 8 percent have short-term plans in the works. Thirty-four percent have no interest whatsoever, which could make global interoperability impossible if the outlook doesn’t change.

However, if decentralized identity does become a reality, it could benefit both organizations and individuals by:

• Putting control of identifying information back into users’ hands
• Minimizing the amount of data stored and transferred by organizations
• Simplifying compliance
• Allowing for the use of smart contracts to improve workflows
• Reducing or eliminating human error in transactions

Of course, every emerging technology also has its downsides. Identity verification using the blockchain is still too slow to be useful in instances where time is of the essence and lightning-fast authorization is required, and there’s always the risk of error during the initial coding of smart contracts. Hackers may still be able to undermine the security of decentralized identities if they’re able to infiltrate the blockchain at the moment a user authenticates identifying information. Once any type of error or malicious alteration becomes part of the blockchain, it’s almost impossible to correct the problem.

As more companies and organizations begin to look for better ways to address the problem of identity theft, there will be an increased demand for cybersecurity experts trained to recognize the warning signs indicative of compromised identities and create plans to mitigate risk. The Certified Red Flag Specialist certification prepares individuals to conduct risk assessments, understand the specific vulnerabilities of an organization and create a solid program for identity theft prevention. Blockchain technology and decentralized identity may prove to be an invaluable addition to such programs and could revolutionize the way businesses, organizations and individuals approach identity protection.