Every time organizations hire a new employee, he or she needs access to essential information, apps and processes to successfully perform daily tasks. With the cost of data breaches at $4 million per incident and businesses losing an average of $158 for every stolen record, it’s crucial that organizations grant and manage access with the utmost care.

Employee identities and the information to which associated credentials allow access must be carefully managed throughout each team member’s time at your organization. Defined by Techopedia as “the full life cycle of identity and access for a user on a given system,” identity lifecycle covers every aspect of identity and access management (IAM) from the moment a person is hired to the moment they leave the company.

With constant changes in technology and the dynamic nature of employees’ access needs in the modern workplace, it’s essential to follow these 6 IAM best practices throughout the employee lifecycle.

Cover the Basics

IAM should begin with the most straightforward steps for better security:

  • Enable multifactor authentication,
  • Create and enforce a Bring Your Own Device (BYOD) policy, or consider a Corporate-Owned, Personally Enabled (COPE) policy as an alternative,
  • Update all tools, platforms and apps regularly, and
  • Encrypt all data during sending and receiving.

Proper employee training also ensures all staff members understand policies and procedures, thereby minimizing the risk of error and reducing vulnerabilities resulting from ignorance.

Start with Smart Provisioning

Role- and attribute-based access control methods assign employee access based on the minimum levels necessary to complete tasks. This makes it easier to allocate privileges to new employees. Instead of guessing what access they’ll require and running the risk of being too liberal, your system can be set to automatically assign the right level of access at the time of hiring. Real-time provisioning ensures access is available to all employees from day one. Adding a single sign-on (SSO) process streamlines the procedure, allowing staff members to access multiple apps with just one set of credentials.

Use Automatic Updating

SSO also eases the burden on your IT department when paired with automatic updating. An increasing number of apps are required to manage modern businesses, and your IT team doesn’t have the time to update provisions across apps or create new rules every time you adopt another platform.

Look for a solution designed for adding apps centrally and creating the proper provisions across all of them at the same time. As the apps you use change, employees gain instant access based on existing permissions, preventing bottlenecks in essential workflows.

Prevent Privileges from Piling Up

Privileged accounts give specific employees access to the most sensitive data and processes within your system. However, employee responsibilities change over time, and it may not always be necessary for high-level permissions to remain in place. Privilege levels must be adjusted accordingly as part of regular automatic updates. By revoking access as soon as it’s no longer needed, you minimize vulnerabilities and shut the door on hackers who target these types of accounts.

Put Up a (Geo) Fence

If your company has a team of remote employees or otherwise allows remote access to data, geo-fencing can cut down on the risk of sensitive information being accessed from the wrong places. Many employees still use public Wi-Fi connections to perform business tasks, and logging into your system while sipping a latte at Starbucks can throw the door wide open for hackers.

Geo-fencing adds another layer of protection by preventing access outside of specific locations. If you choose to implement a “fence,” make sure your access rules don’t create situations so restrictive your remote staff members can’t do their jobs.

Have a Plan for Deprovisioning

Around 49 percent of former employees log into their accounts after leaving a job or being let go. Deprovisioning prevents this type of unauthorized access by completely revoking privileges as soon as a person no longer works for your company. Like provisioning and continuous certification, deprovisioning can be automated to relieve your IT department of the tedious task of revoking permissions and removing roles. This is especially important in cases where an employee’s exit was less than cordial and your company could be at risk for a malicious attack if the account remains open.
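The provisioning, privilege-adjustment and deprovisioning steps described above can be expressed as one reconciliation pass that compares HR records with live accounts. The following is an added example, not code from the original article; the role names, entitlement strings, roster and account export are all constructed for illustration.

```python
"""Identity lifecycle reconciliation: compare HR records with live accounts."""
from dataclasses import dataclass

# Hypothetical role baselines: the minimum entitlements each role needs.
ROLE_BASELINE = {
    "support_agent": {"crm:read", "ticketing:write"},
    "finance_analyst": {"erp:read", "reports:read"},
    "sysadmin": {"servers:admin", "ticketing:write"},
}

# Constructed HR roster: the source of truth for employment status and role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance_analyst"},  # moved out of IT
    "bob": {"status": "active", "role": "support_agent"},      # new hire
    "carol": {"status": "terminated", "role": "sysadmin"},     # has left
}

# Constructed account export aggregated from the connected apps.
ACCOUNTS = [
    {"user": "alice", "enabled": True,
     "entitlements": {"erp:read", "reports:read", "servers:admin"}},
    {"user": "bob", "enabled": True, "entitlements": {"crm:read"}},
    {"user": "carol", "enabled": True,
     "entitlements": {"servers:admin", "ticketing:write"}},
    {"user": "svc-old", "enabled": True, "entitlements": {"erp:read"}},
]


@dataclass(frozen=True)
class Action:
    kind: str            # "disable", "revoke" or "grant"
    user: str
    entitlement: str = ""


def reconcile(roster, accounts, baseline):
    """Return the actions needed to bring accounts in line with HR and roles."""
    actions = []
    for acct in accounts:
        user, held = acct["user"], set(acct["entitlements"])
        record = roster.get(user)
        if record is None or record["status"] != "active":
            # Deprovisioning: leavers and accounts with no HR record lose
            # everything, and the account itself is disabled.
            if acct["enabled"]:
                actions.append(Action("disable", user))
            actions += [Action("revoke", user, e) for e in sorted(held)]
            continue
        # An unknown role maps to an empty baseline, so the check fails closed.
        allowed = baseline.get(record["role"], set())
        # Privilege pile-up: anything held beyond the current role's baseline.
        actions += [Action("revoke", user, e) for e in sorted(held - allowed)]
        # Provisioning gap: baseline access the employee does not have yet.
        actions += [Action("grant", user, e) for e in sorted(allowed - held)]
    return actions


def apply_actions(accounts, actions):
    """Apply a plan to a copy of the account list and return the new state."""
    state = {a["user"]: {"user": a["user"], "enabled": a["enabled"],
                         "entitlements": set(a["entitlements"])}
             for a in accounts}
    for act in actions:
        acct = state[act.user]
        if act.kind == "disable":
            acct["enabled"] = False
        elif act.kind == "revoke":
            acct["entitlements"].discard(act.entitlement)
        elif act.kind == "grant":
            acct["entitlements"].add(act.entitlement)
    return list(state.values())


if __name__ == "__main__":
    for action in reconcile(HR_ROSTER, ACCOUNTS, ROLE_BASELINE):
        print(action.kind, action.user, action.entitlement)
```

Running the same pass on a schedule, and again after every HR change, is what turns it into the automatic updating the sections above call for: a second run over the corrected accounts produces an empty plan.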

Adopting a framework for proper identity lifecycle management gives you more control over the information to which your employees have access and decreases the likelihood your company will suffer a data breach. Even in a world where BYOD and remote work have become everyday realities, following best practices for managing identity and access keeps your company safe and ensures no accounts are left open to enterprising hackers. Working with a professional can make it easier to identify weaknesses in your current systems and implement the best fixes for your business model.

With the increasing use of cloud computing and storage and interconnected Internet of Things, as well as the growing number of systems, remote users, and large volumes of data, today’s business environment and security risks have changed enormously and require a shift in our security mindset and practices.

As the number of systems, users, and data grows, the need for robust identity and access management solutions and experts to manage accounts and their access becomes even more important. Specifically, privileged accounts, which offer the highest level of access to a system, are prime hacking targets.

Most data breach incidents prove that privileged account passwords are compromised through social engineering techniques and other means to gain access to the most valuable functions and data of a system. Sometimes, user accounts with lower-level permissions are escalated after account takeover to gain privileged access. When legitimate accounts are used to access systems, the intrusion often goes unnoticed for weeks, allowing hackers to obtain as much information as necessary before taking action. To protect privileged accounts, their owners must be properly trained to protect their account passwords, use multi-factor authentication for access, and monitor the accounts to detect any suspicious activity.

What are Privileged Accounts

Privileged accounts are accounts with elevated access permission that allow the account owners to access the most restricted areas of the system and execute highly privileged tasks. Just like typical user accounts, privileged accounts also require a password to access systems and perform tasks.

Typical Users of Privileged Accounts

A privileged account may be used by a human or a system. Privileged accounts such as administrative accounts are often used by IT professionals to manage software, hardware, and databases. Examples of non-human privileged accounts are system accounts with special permissions to run automated tasks. Privileged account users can perform tasks such as installing software, accessing restricted areas, resetting passwords, and making other system changes.

Why Privileged Accounts Pose a Risk

The problem with admin and service accounts is that they are often shared, used across many systems, and may use weak or default passwords, which makes them great hacking targets given their ease of theft, widespread use across the organization, and highly elevated access permissions. In addition, the passwords of these accounts are often shared, weak, and not changed frequently, and can be stolen with the many specialized tools that hackers possess. Hijacking privileged accounts gives attackers the ability to access and download an organization’s most sensitive data, distribute malware, bypass existing security controls, and erase audit trails to hide their activity.

Industry analysts estimate that up to 80 percent of all security breaches involve the compromise of user and privileged account passwords, and most compromised systems go undetected for over 200 days. A major reason for the ease of password theft is that more than 20 percent of companies fail to change well-known default passwords such as “admin” and “12345.” And, to compound the problem, account owners use the same password for several different accounts.

Hackers exploit these weaknesses to elevate their existing permissions, access systems, data, and key administrative functions, and conceal their activities.

Consequences of Compromised Privileged Accounts

Privileged accounts are powerful accounts that give full access to a system. Hackers can perform malicious activities, steal sensitive information, commit financial fraud, and often remain undetected for weeks or months at a time. After attackers compromise a system, they typically use the access to observe the system for a while and learn about the activities of users. Eventually the attacker can get an accurate picture of the target systems. Depending on the motive of the attackers, they can use privileged accounts to:

  • Change system functionality,
  • Disable access for some accounts,
  • Elevate access for some accounts,
  • Steal sensitive data for fraud, ransom, or revenge,
  • Poison data, and
  • Inject bad code or malware

How Privileged Account Passwords are Stolen

Up to 80 percent of breaches result from stolen passwords. Hackers’ most preferred pathway to privilege exploitation is to steal account credentials. Hackers may use malware or social engineering to steal account information for gaining unauthorized access. Employees are typically fooled by phishing scams that ask them to click on a link, download an attachment with malware hidden inside, or enter their passwords into fake website forms. In many cases, these scams appear to be legitimate requests from an employee’s manager, company executive, or another trusted source.

High Profile Security Incidents and Statistics

  • Most companies face the threat of a data breach by a criminal group in 51% of the cases vs. 18% by a state-sponsored actor.
  • Just over 60% of breaches involve hacking.
  • 81% of hacking-related breaches leverage stolen and/or weak passwords.
  • 43% of breaches involve social attacks (including phishing, pretexting, and spearphishing).
  • 14% of breaches involve employee errors, while another 14% involve privilege misuse.
  • 51% of breaches include malware, and 66% of that malware is delivered by malicious email attachments.
  • 27% of breaches are discovered by third parties.

In a high profile incident, JP Morgan Chase discovered in 2014 that hackers were reportedly able to gain “root” privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. Hackers stole names, addresses, phone numbers and email addresses as well as internal information about 76 million persons and 7 million small businesses.

Privileged Account Management (PAM) Tips

  • Identify privileged accounts,
  • Decide who needs or has privileged access,
  • Define when privileged accounts can be used,
  • Have an incident response plan,
  • Monitor privileged account activities, and
  • Select strong passwords and change them frequently. Privileged account passwords should be set to very large, complex values and stored securely. They should never be shared or used to access multiple systems.
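Several of the tips above (identifying privileged accounts, deciding who may use them and when, and monitoring their activity) can be checked mechanically against session logs. The following is an added example, not part of the original article; the policy fields, account names and log format are hypothetical, and it assumes a session log that records which operator used each privileged account.

```python
"""Check privileged-session events against a per-account usage policy."""
from datetime import datetime, time

# Hypothetical inventory of privileged accounts and how each may be used.
POLICY = {
    "root-db01": {
        "operators": {"dana"},                  # who needs privileged access
        "window": (time(8, 0), time(18, 0)),    # when the account may be used
        "systems": {"db01"},                    # never reused on other systems
        "mfa_required": True,
    },
    "svc-backup": {                             # non-human service account
        "operators": {"scheduler"},
        "window": (time(23, 0), time(3, 0)),    # window that crosses midnight
        "systems": {"backup01"},
        "mfa_required": False,
    },
}

# Constructed sample log: timestamp, operator, account, system, MFA flag.
LOG = """\
2024-03-04T09:15:00 dana root-db01 db01 mfa=yes
2024-03-04T23:40:00 dana root-db01 db01 mfa=yes
2024-03-05T02:00:00 scheduler svc-backup backup01 mfa=no
2024-03-05T02:10:00 scheduler svc-backup web03 mfa=no
2024-03-05T10:02:00 erin root-db01 db01 mfa=no
2024-03-05T11:00:00 dana admin-new db01 mfa=yes
"""


def parse_event(line):
    """Split one log line into a typed event dictionary."""
    ts, operator, account, system, mfa = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "operator": operator,
        "account": account,
        "system": system,
        "mfa": mfa == "mfa=yes",
    }


def in_window(moment, window):
    """True if a time of day falls inside the window, including wrap-around."""
    start, end = window
    if start <= end:
        return start <= moment <= end
    return moment >= start or moment <= end


def find_violations(log, policy):
    """Return (line_number, finding) pairs for events that break the policy."""
    findings = []
    for number, line in enumerate(log.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        rule = policy.get(event["account"])
        if rule is None:
            # A privileged session on an account missing from the inventory.
            findings.append((number, "unregistered-account"))
            continue
        if not in_window(event["ts"].time(), rule["window"]):
            findings.append((number, "outside-window"))
        if event["operator"] not in rule["operators"]:
            findings.append((number, "unapproved-operator"))
        if event["system"] not in rule["systems"]:
            findings.append((number, "unapproved-system"))
        if rule["mfa_required"] and not event["mfa"]:
            findings.append((number, "no-mfa"))
    return findings


if __name__ == "__main__":
    for number, finding in find_violations(LOG, POLICY):
        print(f"line {number}: {finding}")
```

Each finding is a starting point for the incident response plan the list calls for, not proof of compromise; an after-hours session may turn out to be approved emergency maintenance.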

Careful monitoring of credit reports can alert consumers to fraudulent activities or inaccuracies in records potentially indicating identity theft. The information included on a credit report, such as amounts owed, payment history and public records, affects the scores used by financial institutions and credit card issuers to assess the creditworthiness of applicants and decide whether to approve applications.

Credit reports also provide consumers with a total picture of their credit status at a particular point in time. Few consumers know exactly where they stand when it comes to total debt, thus seeing everything laid out in a report reveals not only where changes can be made to improve credit scores but also mistakes and incorrect information they must dispute and correct. Some of these inaccuracies may be red flags, warning of a breach of privacy or outright identity theft in need of investigation. In these cases, appropriate measures must be taken to correct all information and ensure the security of personal information.

Under the Fair Credit Reporting Act or FCRA, every consumer is entitled to one free copy of his or her credit report per year from the “big three” CRAs: Equifax, Experian and TransUnion. This law is enforced by the Federal Trade Commission and gives consumers the opportunity to keep a close eye on credit activities associated with their accounts.

It is reported that one in five consumers have at least one error on their credit reports. Because these errors can have negative effects on a person’s overall credit history and make it difficult to qualify for loans or obtain new credit cards, they should be addressed and fixed as soon as they’re discovered.

CRAs are required by law under the FCRA to correct inaccurate or incomplete credit report information and must investigate claims from consumers within 30 to 45 days of receipt. Although Equifax, Experian and TransUnion all offer online dispute options, it’s best to carry out communications by mail. Physical letters provide a paper trail consumers can file, track and refer back to as necessary.

The way a consumer handles his or her finances, including making purchases, payments and credit requests, will impact the total FICO score because of the influence such habits have on each of the five elements on which the score is based.

Any patterns indicating reckless spending could prevent consumers from qualifying for card promotions, special deals and higher credit limits. However, those with short credit histories may benefit from charging the majority of their purchases to their credit cards as long as balances are paid off on time. Rather than demonstrating poor spending habits, such a pattern helps to establish a stronger credit history, making other financial products more accessible.

Credit monitoring to detect unusual activity reported to any or all of the big three CRAs is an important part of the overall scope of identity theft protection. Consumers need to be alerted to fraudulent activity as soon as it appears so that appropriate measures can be taken before irrevocable damage is done to their credit histories. Helping consumers better understand the elements of their credit reports provides the knowledge they need to spot errors, empowers them to take corrective steps when necessary and gives potential identity thieves fewer opportunities to compromise credit records.

Identity Management Institute offers a video course to teach about how to obtain, review, and correct credit reports. This video is available for purchase and is offered to Certified Identity Protection Advisor (CIPA) candidates who are valuable resources for helping consumers.

The self driving vehicle is often hailed as the transportation of the future, and with tech giants from Apple to Google to Tesla throwing their considerable weight behind the venture, the future may come sooner than expected. Self-driving vehicles offer the promise of enhanced safety and improved convenience – not to mention the undeniably cool novelty of it all – but they also come with a darker side. Since they’re essentially internet cars, these high-tech autos are potentially vulnerable to a whole host of security issues. To get to the bottom of these security risks, and to find out what automakers are doing about them, let’s take a closer look at how the next generation of autonomous vehicles is preparing to hit the road.

The State of the Self Driving Vehicle

Fully autonomous cars may not be quite ready for primetime yet, but they’re getting closer to reality than ever before. More than 60 cities around the globe have driverless car testing programs either ongoing or in preparation, and nearly three dozen others have launched efforts exploring vehicle automation. A staggering $80 billion has already been invested in the technology, and virtually every modern automaker has dedicated resources to driver automation. While only about 130,000 vehicles per year are currently being sold with partial automation, about 98,000 are projected to be sold with full automation capabilities by 2020. That number is expected to rise to more than 96 million by 2040 – representing fully 95 percent of all vehicles sold.

As it currently stands, the undisputed leaders in self-driving vehicles are Tesla, Waymo, Apple and General Motors. Tesla has already made inroads with its semi-autonomous electric vehicles, and CEO Elon Musk remains resolute in his goal to take a cross-country trip with no human driver inputs before the end of 2018. If successful, this full automation technology is expected to be pushed out to consumers shortly thereafter. Waymo, the self-driving car project started by Google, can boast more than five million real-world miles driven by its stable of autonomous vehicles, along with pilot initiatives for autonomous ridesharing programs and other ventures. Apple has rapidly expanded to become one of the largest permit-holders for self-driving vehicle tests, while GM’s self-driving Cruise AV is waiting on approval to become the first self-driving commercial vehicle to do away with manual driver controls entirely. If approved, GM will put a fleet of 2,500 such vehicles into use as so-called “robo-taxis” in the next few years.

Self Driving Car Security

With self-driving capabilities becoming closer and closer to reality for private vehicles and public transit alike, it’s natural to wonder about the safety and security of these new technologies. Indeed, a recent report compiled by the FBI highlighted a number of security concerns associated with self-driving vehicles, concluding that equipping a vehicle with autonomous technologies could make it “more of a potential lethal weapon than it is today.” Terrorism is one concern, as terrorists could potentially pack a vehicle with explosives and turn it into a driverless bomb on wheels, controlling it from a safe, remote location.

Of greater concern for the average driver or passenger, however, is the risk of bad actors hacking into and seizing control of a car’s driving controls and other essential systems. This access could potentially be used to deliberately cause accidents or to drive a vehicle to a chop-shop or other unsavory destination, putting an all-new, technologically savvy spin on car theft. It could also enable criminals to lock passengers inside their vehicles, driving them somewhere against their will or holding them hostage for ransom money. Further complicating matters is the fact that, because self-driving technology is still in its early stages, the full scope of autonomous car security risks is not yet understood.

A Real-World Threat

This may all sound like much ado about nothing, but these concerns are more than just hypothetical. White-hat hackers have been demonstrating security flaws in connected vehicles for years, illustrating how easy it is to seize control over a variety of systems by exploiting even non-automated cars. The problems are only exacerbated with internet cars, where many – or all – of a vehicle’s systems are controlled by computers and therefore open to attack. Even Tesla’s advanced Autopilot system can be tricked fairly easily. A Chinese security firm recently showed how easy it is to spoof the car’s sensor systems, causing them to sense phantom objects or fail to detect real ones.

Grappling With Car Automation Risks

While hackers represent a clear and present threat to autonomous car security, they’ve also proven to be valuable allies. Automakers have been employing ethical hackers in recent years to test their control systems and expose vulnerabilities, allowing them to identify and patch security flaws before these systems hit the road. DEF CON, the world’s largest annual hacker convention, regularly hosts a feature called Car Hacking Village, wherein hackers from around the world compete to hack into a variety of vehicle technologies in an effort to improve cybersecurity efforts in the automotive industry.

The United States government, too, has moved to begin grappling with the reality of self-driving vehicles. A bipartisan SELF DRIVE Act laid out the basic groundwork for autonomous vehicle regulations in 2017, including provisions to support greater testing and innovation, simplify safety standards and mandate that carmakers put in place plans to protect against and respond to cybersecurity threats, secure their vehicle technologies and protect users’ personal data. Additional rule changes are likely to be needed in the coming years, but self driving car security has clearly become a priority for lawmakers and regulators.

Do Consumers Trust Self-Driving Cars?

The technology to enable fully autonomous self-driving vehicles is almost ready to hit the market, but is there a market for these cars in the first place? Resistance to autonomous technology has certainly been on the decrease – recent surveys have shown the number of people who would be afraid to ride in a self-driving car has fallen by 15 percent in just the last year – but many consumers are still not ready to put their trust in autonomous vehicles. Another survey revealed that 67 percent of Americans were concerned about potential cybersecurity threats.

It’s worth noting, however, that some of the resistance to self-driving cars may simply be due to a lack of familiarity on the part of consumers. About 65 percent of Americans know little or nothing about the development of autonomous vehicles, and those who are most informed also tend to show the fewest concerns and reservations. Recent trends suggest that consumers will become steadily more accepting of driverless vehicles as they become more familiar and widespread.

There’s little question that driverless vehicles will be the transportation of the future, but when that future will arrive remains an open question. There are plenty of serious security concerns to be addressed before self-driving cars can be widely adopted, and consumers remain rightfully skeptical of automakers’ ability to protect their vehicles from unauthorized access. Still, with the ever-evolving march of technology – and the assistance of unlikely hacker allies – it likely won’t be long before safer, smarter, more secure self-driving vehicles fill roads across the nation.

As the number of connected devices in homes, offices, public institutions and industrial frameworks increases, so does the need for better Internet of Things security. Each new IoT device and network introduces more points of vulnerability, and it’s time for cybersecurity experts to update their skills to meet and counter the latest threats.

Everything in industry and business today rests on data. Business-to-Consumer (B2C) companies want more information about their customers, and Business-to-Business (B2B) companies are always looking for ways to streamline operations. Business owners in general are interested in boosting productivity while slashing costs, and IoT devices can address all these concerns.

With millennials transitioning into becoming heads of households, the technology with which they grew up is becoming a fixture of daily life. Tech companies and retailers are responding with a variety of new IoT devices to meet the increasing demand for perpetual connectivity, instant gratification and personalized experiences.

Devices with the ability to monitor activities and carry out routines in response to behavior patterns are also becoming more common. These include smart refrigerators and trash cans designed to track which products are used most often and deliver reminders when stock runs low, and appliances with the ability to sense when maintenance is required.

Estimates regarding the number of connected devices expected to be in use in the near future vary widely and are in constant flux, but all predictions are staggering. In 2016, general estimates ranged from 6.4 billion to 17.6 billion devices by 2020. IoT devices reached 8.4 billion in 2017, thereby outnumbering the population of the world. Sometime during 2018, IoT device use will likely outpace smartphones.

Every point at which a device connects to a network is vulnerable to attacks from hackers. Because so many IoT devices are in operation and many have the ability to transition between networks as users move, IoT technology is particularly susceptible to new security threats. The diversity of the technology alone is enough to provide hackers multiple points of entry into networks. This means a single weak point in a connected IoT landscape can compromise the safety of all devices connected to and information transmitted over the network.

Hackers may infiltrate networks using direct physical attacks on hardware, by compromising software or by targeting the networks themselves.

In the coming years, IT professionals must be prepared to stay up to date on the latest threats, obtain the proper certifications to meet new security challenges and partner with other experts in the field to build the strongest, most comprehensive network of protection possible.

The full Internet of Things security white paper is available to IMI members. Join Identity Management Institute and become certified.

Access certification is the process of validating access rights within systems. This process is mandatory for compliance and security risk management; however, it can be a very daunting process for some organizations with dispersed systems

Identity theft certifications issued by Identity Management Institute offer professional credibility, knowledge, employment opportunity, and career advancement. Organizations which employ identity theft certified professionals invest in valuable defense against identity fraud which affects the enterprise and their customers or members.

An increasing number of companies and government agencies recognize the growing identity theft threats facing businesses and consumers as well as the need for well educated, trained and qualified professionals to mitigate identity theft risks. Employee error is a major root cause of many data breach incidents which contribute to the rising identity theft epidemic. Therefore, trained and certified professionals in identity theft management are needed to take the lead within organizations to minimize risks, educate their employees as well as their customers, and ensure compliance with regulations. The consequences of identity theft are enormous and include lawsuits, fines and penalties, public relations nightmares, high costs of identity theft resolution, damaged business reputation, lost customer loyalty, and low productivity, to name a few.

There are specialized identity theft certifications from which professionals can choose to complement their overall expertise and knowledge. For example, the US government recognized a few years ago that consumers continue to be vulnerable to identity theft due to the failure of businesses to prevent identity theft and protect their customers.

Assuming that businesses will continue to lose personal data and fail to prevent identity theft in their daily operations, the US government introduced the Red Flags Rule to provide specific guidelines for preventing identity theft and force companies to take the necessary measures to protect themselves and their customers against identity theft. “The Red Flags Rule fills the gap in the fight against identity theft whereby regardless of how or from where consumer data is stolen, criminals cannot use that data to commit identity fraud at any business where identity fraud is possible,” says Henry Bagdasarian, Founder of Identity Management Institute. However, for businesses to be successful in their identity theft prevention efforts and comply with the regulations, they must hire experts with identity theft certifications who can design, implement, and maintain an identity theft prevention program. Many companies are now required to design and implement a comprehensive program to identify and detect identity theft red flags, and prevent fraud cases resulting from identity theft. However, for the program to be successful, key employees, consultants and auditors of companies must be educated, trained and certified in identity theft prevention techniques.

Identity Theft Certifications

Below is a list of three identity theft certifications offered by Identity Management Institute and a brief description for each to illustrate how they complement each other by targeting a specific risk area in the identity theft cycle for a complete identity theft management coverage:

Certified Red Flag Specialist (CRFS) workplace identity theft prevention certification

The Certified Red Flag Specialist (CRFS) is the leading workplace identity theft certification which is designed for professionals who help businesses prevent account fraud in connection with opening new accounts or existing account activities, complying with identity fraud prevention laws, and reducing fraud costs and related waste. CRFS is the recognized identity theft prevention training and certification which is designed in close alignment with the US government requirements set forth in the Red Flags Rule regulation.

Certified Identity Protection Advisor (CIPA) consumer identity theft certification

Whereas the CRFS professionals help businesses prevent account fraud resulting from identity theft without consumer involvement, the Certified Identity Protection Advisor (CIPA) is a consumer centric program designed for professionals who serve consumers and business customers to protect their identities through awareness and education, credit report management, and identity theft victim resolution services. Consumer identity theft laws define business obligations and consumer rights which are designed to protect consumers from identity theft which may affect their accounts, credit worthiness and ability to borrow money, and credit reports.

Lastly, the Certified in Data Protection (CDP) professionals aim to limit data breach incidents within their organizations which can lead to personal data disclosure, identity theft, and fraud. CDP experts are able to identify and secure Personally Identifiable Information or PII in their business environment. They are also capable of responding to data breach incidents and ensuring compliance with data protection laws, and they have knowledge of operational and system security controls. Data protection laws such as the General Data Protection Regulation or GDPR in the EU are increasingly requiring data protection experts to also be familiar with system security controls in addition to the operational and reporting aspect of the privacy laws. CDP is an exceptional certification which consolidates privacy and security best practices.

Identity Management Institute offers an Identity Theft Prevention Program certification service as part of its global and independent solutions. Due to the rise in identity theft cases which affect businesses as well as their customers and partners, many businesses are required by law to have a formal Identity Theft Prevention Program (“Program”) to identify, detect, and prevent identity theft in their day to day business operations. By instituting and enforcing identity theft prevention laws, the regulators intend to protect consumers from the consequences of identity theft which mainly affect their credit score and credit worthiness for obtaining loans on a timely basis. In the United States (“US”), the law requiring businesses to design and implement an identity theft prevention program is the Red Flags Rule.

The Identity Theft Prevention Program certification and audit is designed to provide businesses a reasonable assurance that their Program is in place and operating effectively. The Program certification also allows businesses to display their readiness for protecting their customers from the rising risks of identity theft and compliance with regulatory requirements. Many organizations require their business partners and third party vendors to provide evidence of their compliance with identity theft laws. The independent certificate of compliance issued by Identity Management Institute can be used by businesses to provide the necessary compliance evidence to their customers, business partners, and regulators.

A complete and effective Program is designed to detect, prevent, and mitigate identity theft activity in connection with the opening of new accounts or with existing accounts. The Program must be consistent with various laws, rules, and regulations. In the US, rules and regulations covering identity theft include:

  • Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) of the Fair Credit Reporting Act (“FCRA”) – Sections 114 and 315
  • Provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (amended section 615(e) of the FACTA)
  • The Securities and Exchange Commission (“SEC”) [17 Code of Federal Regulations (“CFR”) – Part 248, subpart C “Regulation S-ID: Identity Theft Red Flags”].
  • Commodity Futures Trading Commission (“CFTC”) [17 CFR Part 162, subpart C “Identity Theft Red Flags”].
  • Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”) requiring verification of the identity of persons opening new accounts through a Customer Identification Program (“CIP”) [31 CFR Part 103.122].
  • Federal Financial Institutions Examination Council (FFIEC) guidance entitled Authentication in an Internet Banking Environment requiring financial institutions offering Internet-based products and services to their customers to use effective methods to authenticate the identity of customers.

The Program certification process is an annual process which will validate an organization’s compliance with the regulations which include but are not limited to the following requirements:

  • A written and comprehensive Program which reflects changes in risk to customers or to the safety and soundness of the organization;
  • Program approval by the Board of Directors or its committee and senior management;
  • The designation of an Identity Theft Program Administrator;
  • Existence of a Customer Identification Program (“CIP”);
  • Procedures for monitoring, detecting, and mitigating identity theft red flags during new account opening and ongoing account activities;
  • Authenticating account access and transactions for new and existing accounts;
  • Providing employee training concerning the Program and the procedures to review suspicious activities relevant to identity theft;
  • Providing customer identity theft awareness and education including techniques to help mitigate identity theft risks;
  • Oversight of service providers; and
  • Filing the necessary reports with governmental agencies.


Self service identity and access management is increasingly embraced by users and companies and it is a matter of time before it’s widely adopted due to the many benefits it offers. Of all the expectations placed on the typical IT department, managing identity and access is perhaps the most challenging for a variety of reasons.

Self service identity and access management

People are often the root cause of the identity and access management challenges but not necessarily because they have bad intentions or are malicious. They change roles, leave their companies, fall victim to phishing scams that lead to the theft of their access credentials, share passwords, use the same passwords for multiple accounts, and most of all forget their passwords.

As users experience problems accessing their systems due to reasons that were listed above, they contact the help desk expecting a speedy solution. Gartner estimates that each call to the helpdesk to reset a forgotten or expired password costs the company $50. In an organization with thousands (or hundreds of thousands) of employees, those costs add up quickly.

The Self Service Solution

Many systems offer self service features to employees and customers to reduce the burden on the IT helpdesk and improve productivity, as system users can quickly reset passwords online without IT support involvement. Although the self service identity and access management concept is not new, many systems still lack self service IAM features.

Around the Y2K crisis, it became apparent that the old helpdesk model was not scaling well, especially with regard to password resets. Thus, self service identity management allowing users to reset passwords and change basic account info started to attract attention.

Back in those days, self service user identity management was sometimes web-based, but more frequently used automated call attendants because system users were familiar with the process of calling the helpdesk.

Ever since the Y2K crisis when users and companies panicked and prepared for the worst to come, self-service IAM has become commonplace, and is now often accessed via both voice and web based systems. Many years of experience and millions of transactions have provided some perspective on do’s and don’ts for implementing self service identity management.

Self-Service Pitfalls

The success of self service IAM for password resets has encouraged the delivery of automated services beyond password management. This has sometimes resulted in system security weaknesses and other issues.

Here are some pitfalls to avoid when implementing self service user identity management:

  • Validating the identity of the user is absolutely critical. In the days of password reset by human helpdesk, the technicians often acted on “hunches” that they weren’t talking to a true account owner. Machines still don’t recognize hunches. Perhaps the self service IAM request is from the real user; or maybe it’s from a vindictive ex-husband. Social security numbers and validation questions aren’t enough any longer. Instead, consider a two-factor authentication method to confirm an identity.
  • Contact information like cell phone numbers and physical addresses must be validated. Employees might neglect to update their personal contact records because, thanks to direct deposit and email, people tend to be lazy or forgetful about updating their home addresses. To ensure data integrity, personal data must be validated upon updates and changes.
  • Keep expectations in check. Some self-service identity management solutions may offer short-term savings, but chances are that a self-service IAM deployment won’t bring any immediate cost savings. The mid- and long-term prospects for cost savings on self-service IAM, however, are excellent.
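The first pitfall above, as an added example that is not part of the original article or any vendor's product: a self-service reset that issues a token only after a time-based one-time code (RFC 6238) verifies, refuses replayed codes, locks after repeated failures, and makes the token single-use and short-lived. The user store, the function names and the limits are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
MAX_FAILURES = 5   # stop accepting codes after this many consecutive bad ones
RESET_TTL = 600    # a reset token is valid for ten minutes

# Constructed demo record. The secret is the RFC 4226 test key
# "12345678901234567890" in base32; never use it for a real account.
USERS = {"jdoe": {"secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                  "failed": 0, "used": set(), "reset": None}}


def totp(secret_b32, counter, digits=6):
    """One-time code for a time-step counter (RFC 4226 truncation, HMAC-SHA1)."""
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def request_reset(user, code, now=None):
    """Return a single-use reset token only if the second factor verifies."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None or rec["failed"] >= MAX_FAILURES:
        return None                          # unknown or locked: same answer either way
    current = int(now // STEP)
    for counter in (current, current - 1):   # tolerate one step of clock drift
        if counter in rec["used"]:
            continue                         # an accepted code cannot be replayed
        if hmac.compare_digest(totp(rec["secret"], counter).encode(), code.encode()):
            rec["used"].add(counter)
            rec["failed"] = 0
            token = secrets.token_urlsafe(32)
            # Store only a hash, so a leaked user table does not leak live tokens.
            rec["reset"] = (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TTL)
            return token
    rec["failed"] += 1
    return None


def redeem_reset(user, token, now=None):
    """Consume the pending token; it works once and only before it expires."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    pending = rec["reset"] if rec else None
    if pending is None:
        return False
    rec["reset"] = None                      # consumed on first attempt, right or wrong
    digest, expires = pending
    supplied = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(digest, supplied) and now < expires
```

A locked account in this sketch stays locked until an administrator clears the counter, which keeps the human helpdesk as the fallback path rather than a weaker automated one.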

Choose Your Battles

When implementing a self service identity and access management tool, only parts of the self-service solution may be needed by, and benefit, your organization. A requirements analysis must therefore be made to better understand the organization’s needs and reduce the risks to the company without creating any unnecessary audit and compliance issues.

Perhaps the most important part of deploying a self service identity and access management solution is remembering that one size does not fit all.


Identity and Access Management solutions providers are increasingly in the cyber security spotlight as today’s IT environments consist of many heterogeneous systems and dispersed users which present access and security challenges. Users’ need to quickly access many systems on various platforms and instances with different technologies such as operating systems, databases, and servers makes identity and access management tasks very challenging. In modern IT environments, some systems rely on social media platforms to authenticate users on their systems, yet this presents another set of security challenges. In addition, identity and access management is evolving to automate various workflows in the IAM lifecycle and improve security with advanced authentication or Artificial Intelligence (AI) as the majority of system intrusions are blamed on stolen identity information and weak identity and access management practices. Advanced automation and authentication along with AI will be key factors for best-in-class IAM workflow and security management in the coming years.

Why Companies Deploy Identity and Access Management Tools

Identity and access management tools are designed to streamline and secure the identity and access management processes by integrating various IAM components in the business model to make identity and access management efficient, seamless, and secure. The concepts of “one identity” and “device neutrality” are introduced and supported by identity and access management solutions vendors to allow users to access all systems seamlessly from any device and help organizations manage the entire IAM lifecycle with increased security, process efficiency, reduced errors, and improved user satisfaction. In other words, no matter which authorized devices the users are using, they will be authenticated with the same identity to access multiple assigned systems. As BYOD (Bring Your Own Device) becomes a generally accepted concept, supporting users’ devices reliably and securely will become a necessity. Policies can be enforced on the devices that connect to the network and the identities that are authenticated through them.

Benefits of Identity and Access Management Technology Solutions

  • Federated Identity – Many companies require resources outside their immediate organization to have access to their internal systems including suppliers, customers, and consultants. With arrangements between organizations and sharing of subscriber access data, IAM solutions can increase productivity and reduce cost with identity federation.
  • Automation – IAM tools also allow the automation of many trivial and time-consuming tasks that drain administrators’ time. Many identity and access management vendors provide automated access provisioning and de-provisioning workflow or auditing capabilities, and self-service features that allow users to reset their own passwords. Password resets can tie up helpdesk resources, not to mention be very frustrating for end users and cost conscious organizations. Just as the provisioning of resources across systems needs to be automated, so does the removal of those resources, when contractors finish their projects or employees leave or are terminated. This eliminates manual provisioning and de-provisioning by administrators, which can be very time-consuming and error-prone.
  • Regulatory compliance – Since all users are often authenticated with one system in Single-Sign-On (SSO) environments, that system becomes the system of record for all user activity. This makes it very easy to implement comprehensive policies with regard to auditing, security, and access. These policies ensure that the environment is kept in compliance with the requirements of the company. Compliance with regulatory and security standards such as Sarbanes-Oxley (SOX), PCI DSS, and HIPAA would be much more difficult to accomplish in a piecemeal fashion.
  • Remote Access – Many multi-national companies have globally dispersed employees and others allow their employees to work from home or remotely from other countries when work is outsourced. IAM solutions can facilitate remote access capabilities of an organization while maintaining an overall secure posture as they change their business processes.
  • Enhanced security – Using IAM tools is more secure in several ways. Some identity and access management solution providers do not limit user authentication to just a password, but also integrate biometrics, multi-factor, and device authentication. Also, instead of using a password for authentication to websites and web services, access to these sites can be integrated into the IAM processes to authenticate users with access credentials on other systems with protocols such as OAuth (Open Authorization) which is an open standard for token-based authentication and authorization on the Internet. OAuth, which is pronounced “oh-auth,” allows an end user’s account information to be used by third-party services, such as Facebook, without exposing the user’s password.

Overview of Identity and Access Management Solutions Providers

The big players like Microsoft, Oracle, and IBM offer comprehensive suites that can deliver IAM services including directory services, SSO, automated workflow, tracking, and auditing to name a few. Smaller IAM vendors are proving to be innovative and leading the way in introducing newer technologies such as biometric authentication. Crossmatch, for instance, claims to be the market leader in biometrics, and boasts multi-factor authentication as well as advanced biometric hardware capabilities.

Evolution of the Identity and Access Management Market Landscape

Response to Societal Change

Outsourcing and the increasing utilization of consultants can spread an enterprise across the entire world. Providing people on the outside the same access as people inside the organization is now a critical business requirement. Manual access provisioning, while possible, would be very cumbersome, time consuming, and expensive on a server by server, resource by resource basis. The simplification of creating identities, attaching them to resources, and giving them the appropriate access is a must.

BYOD initiatives represent a change in society’s view of technology. Companies are slowly adopting the use of their employees’ devices for business purposes while they apply the required security measures to maintain their overall security posture. This is a shift in the control mechanism from the device itself to the network, but is also a concession to the fact that our devices are personal and part of our lives. “By offering and accepting BYOD agreements, organizations want to reduce their operating costs without compromising their security posture, and employees also want reduced smartphone cost without compromising their privacy,” says Henry Bagdasarian, Founder of Identity Management Institute.

Social media is becoming a bigger part, not only of our personal lives, but also of our businesses as well. Some enterprises require that certain employees have a social media presence. The proliferation of the cloud has also created a need to support this type of access for Internet sites and services. IAM tools now commonly support the integration of social media accounts into their IAM services. “It seems to be a win-win scenario but employees need to understand their privacy rights and company’s practices of device confiscation during investigations or remote data wipe when their device is lost or stolen before they embrace BYOD as the business has the upper hand”, Mr. Bagdasarian continues.

Response to Technological Change

In the early days of personal computing, many operating systems didn’t even have a concept of separate identities. Personal computers would gradually go from being toys for hobbyists to serious tools for work. As these systems became more critical and the exploits of hacking became more widely known, security became a much more recognizable issue. Similarly, as technology increases the scope of what systems can do, the risks of failing to secure them and the data they store and manage also increase. Identity and access management solutions providers continue to respond to these challenges with new features and more robust management capabilities.

Future Trends and Direction

As Artificial Intelligence (AI) becomes more sophisticated, so will the tasks which can be automated by computers. Identity and access management technology solutions will be part of this trend. In the future, IAM tools will be able to absorb and analyze huge amounts of data and be able to cluster similar strands of data that would be relevant to the users and what they want to accomplish with the data. IAM tools will also be able to recognize problems in the environment, and resolve these problems by reacting. IAM will be able to recognize access permissions that it believes make no sense. The tools will then remove these anomalies of access, or request that a human attest that the defined access is legitimate.
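The remove-or-attest decision described above can be illustrated with a much simpler technique than AI. The following added example (not from the original article or any IAM product) uses a plain peer-group rule: an entitlement held by few members of a user's peer group is an outlier, queued for revocation if it is also long unused and sent for human attestation otherwise. The sample data, thresholds and function name are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: user, peer group, {entitlement: days since last use}.
ASSIGNMENTS = [
    ("alice", "finance", {"erp:read": 1, "erp:post-journal": 3, "mail": 0}),
    ("bob", "finance", {"erp:read": 2, "erp:post-journal": 1, "mail": 0,
                        "payroll:approve": 2}),
    ("carol", "finance", {"erp:read": 1, "mail": 0, "prod-db:admin": 200}),
    ("dave", "finance", {"erp:read": 4, "erp:post-journal": 9, "mail": 1}),
    ("erin", "engineering", {"git:write": 0, "prod-db:admin": 1, "mail": 0}),
    ("frank", "engineering", {"git:write": 1, "mail": 0}),
]


def review_access(assignments, max_share=0.25, min_peers=3, stale_days=90):
    """Return (user, entitlement, peer share, action) for each outlier.

    An entitlement is an outlier when at most `max_share` of the user's peer
    group holds it. Action is "revoke" when it has also been idle for
    `stale_days` or more, otherwise "attest" (a human confirms or removes it).
    """
    groups = defaultdict(list)
    for user, group, entitlements in assignments:
        groups[group].append((user, entitlements))

    findings = []
    for members in groups.values():
        if len(members) < min_peers:
            continue  # too few peers to form a meaningful baseline
        held = Counter(ent for _, ents in members for ent in ents)
        for user, ents in members:
            for ent, idle_days in sorted(ents.items()):
                share = held[ent] / len(members)
                if share > max_share:
                    continue  # common within the peer group, not an anomaly
                action = "revoke" if idle_days >= stale_days else "attest"
                findings.append((user, ent, share, action))
    return findings


if __name__ == "__main__":
    for finding in review_access(ASSIGNMENTS):
        print(finding)
```

The engineering group is skipped here because two members are too few to compare; in practice such users need a different baseline, for example their department or job title.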

Biometric authentication will become more common in the future. This technology uses metrics of some part of the body, which vary from person to person in such a way that they can be used as a form of identification. Currently, the error rate for biometrics is unacceptably high, with too many false positives and negatives for it to be a reliable form of authentication. Biometrics come in two forms: physiological and behavioral. Facial recognition, fingerprint and iris/retina recognition are some of the more common forms of physiological biometric identification. Behavioral biometrics might measure your voice patterns or patterns in the way you make certain gestures with your hands. That said, biometric authentication may be preceded by multi-factor authentication with the use of smartphones.
