With the increasing use of cloud computing and storage and the interconnected Internet of Things, as well as the growing number of systems, remote users, and large volumes of data, today’s business environment and security risks have changed enormously and require a shift in our security mindset and practices.

As the number of systems, users, and data grows, the need for robust identity and access management solutions and experts to manage accounts and their access becomes even more important. Privileged accounts in particular, which offer the highest level of access to a system, are prime hacking targets.

Most data breach incidents prove that privileged account passwords are compromised through social engineering and other means to gain access to the most valuable functions and data of a system. Sometimes, user accounts with lower-level permissions are escalated after account takeover to gain privileged access. When legitimate accounts are used to access systems, the intrusion often goes unnoticed for weeks, allowing hackers to obtain as much information as they need before taking action. To protect privileged accounts, their owners must be properly trained to protect their passwords, use multi-factor authentication for access, and monitor the accounts to detect any suspicious activity.

What are Privileged Accounts

Privileged accounts are accounts with elevated access permission that allow the account owners to access the most restricted areas of the system and execute highly privileged tasks. Just like typical user accounts, privileged accounts also require a password to access systems and perform tasks.

Typical Users of Privileged Accounts

A privileged account may be used by a human or a system. Administrative accounts are often used by IT professionals to manage software, hardware, and databases. Examples of non-human privileged accounts are system accounts with special permissions to run automated tasks. Privileged account users can perform tasks such as installing software, accessing restricted areas, resetting passwords, and making other system changes.

Why Privileged Accounts Pose a Risk

The problem with admin and service accounts is that they are often shared, used across many systems, and protected by weak or default passwords that are rarely changed. Their ease of theft, widespread use across the organization, and highly elevated access permissions make them great hacking targets, and hackers possess many specialized tools for stealing such passwords. Hijacking privileged accounts gives attackers the ability to access and download an organization’s most sensitive data, distribute malware, bypass existing security controls, and erase audit trails to hide their activity.

Industry analysts estimate that up to 80 percent of all security breaches involve the compromise of user and privileged account passwords and most compromised systems go undetected for over 200 days. A major reason for the ease of password theft is that more than 20 percent of companies fail to change well known default passwords such as “admin” and “12345.” And, to compound the problem, account owners use the same password for several different accounts.

Hackers exploit these weaknesses to elevate their existing permissions, access systems, data, and key administrative functions, and conceal their activities.

Consequences of Compromised Privileged Accounts

Privileged accounts are powerful accounts that give full access to a system. Hackers can perform malicious activities, steal sensitive information, commit financial fraud, and often remain undetected for weeks or months at a time. After attackers compromise a system, they typically use the access to observe the system for a while and learn about the activities of users. Eventually the attacker can get an accurate picture of the target systems. Depending on the motive of the attackers, they can use privileged accounts to:

  • Change system functionality,
  • Disable access for some accounts,
  • Elevate access for some accounts,
  • Steal sensitive data for fraud, ransom, or revenge,
  • Poison data, and
  • Inject bad code or malware

How Privileged Account Passwords are Stolen

Up to 80 percent of breaches result from stolen passwords. Hackers’ most preferred pathway to privilege exploitation is to steal account credentials. Hackers may use malware or social engineering to steal account information for gaining unauthorized access. Employees are typically fooled by phishing scams that ask them to click on a link, download an attachment with malware hidden inside, or enter their passwords into fake website forms. In many cases, these scams appear to be legitimate requests from an employee’s manager, company executive, or another trusted source.

High Profile Security Incidents and Statistics

  • Criminal groups are behind 51% of data breaches, compared with 18% by state-sponsored actors.
  • Just over 60% of breaches involve hacking.
  • 81% of hacking-related breaches leverage stolen and/or weak passwords.
  • 43% of breaches involve social attacks (including phishing, pretexting, and spearphishing).
  • 14% of breaches involve employee errors, while another 14% involve privilege misuse.
  • 51% of breaches include malware, and 66% of that malware is delivered by malicious email attachments.
  • 27% of breaches are discovered by third parties.

In a high profile incident, JP Morgan Chase discovered in 2014 that hackers were reportedly able to gain “root” privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. Hackers stole names, addresses, phone numbers and email addresses as well as internal information about 76 million persons and 7 million small businesses.

Privileged Account Management (PAM) Tips

  • Identify privileged accounts,
  • Decide who needs or has privileged access,
  • Define when privileged accounts can be used,
  • Have an incident response plan,
  • Monitor privileged account activities, and
  • Select strong passwords and change them frequently. Privileged account passwords should be set to very large, complex values and stored securely. They should never be shared or used to access multiple systems.
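As an added example (not part of the original article), the following Python script turns the tips above into a simple monitor: a hypothetical inventory records which accounts are privileged, when they may be used and from which hosts, and a few constructed sshd log lines are checked against it, including the "never shared" rule and a usage window that crosses midnight. Account names, hosts and log lines are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Hypothetical privileged-account inventory: the result of the "identify privileged
# accounts", "decide who needs access" and "define when they can be used" steps.
# "window" is the permitted local time of day; "sources" are the hosts the account
# may be used from.
PRIVILEGED = {
    "root":       {"window": (time(8, 0), time(18, 0)), "sources": {"10.0.0.5"}},
    "dbadmin":    {"window": (time(6, 0), time(22, 0)), "sources": {"10.0.0.5", "10.0.0.6"}},
    "svc_backup": {"window": (time(23, 0), time(4, 0)), "sources": {"10.0.0.20"}},
}

# Constructed sshd log lines with ISO timestamps (as rsyslog emits with high-precision time).
SAMPLE_LOG = """\
2024-03-04T09:15:02 web01 sshd[1201]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2
2024-03-04T02:40:11 web01 sshd[1202]: Accepted password for root from 203.0.113.7 port 40022 ssh2
2024-03-04T10:05:33 db01 sshd[2210]: Accepted publickey for dbadmin from 10.0.0.6 port 41000 ssh2
2024-03-04T11:00:00 db01 sshd[2211]: Accepted publickey for dbadmin from 10.0.0.9 port 41001 ssh2
2024-03-04T02:00:00 bak01 sshd[3301]: Accepted publickey for svc_backup from 10.0.0.20 port 50000 ssh2
2024-03-04T03:30:00 web01 sshd[1203]: Accepted publickey for alice from 10.0.0.50 port 50001 ssh2
2024-03-04T03:31:00 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line):
    """Return a dict for a successful login line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def in_window(t, window):
    """True if time-of-day t lies inside window; handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # e.g. 23:00-04:00


def check_event(ev):
    """Findings for one successful login; an empty list means nothing to flag."""
    policy = PRIVILEGED.get(ev["user"])
    if policy is None:
        return []  # unprivileged account: outside the scope of this monitor
    kinds = []
    if not in_window(ev["ts"].time(), policy["window"]):
        kinds.append("outside_window")
    if ev["src"] not in policy["sources"]:
        kinds.append("unknown_source")
    if ev["method"] == "password":
        kinds.append("password_auth")  # privileged logins should use keys/MFA, not a shared password
    return [{"user": ev["user"], "kind": k, "ts": ev["ts"].isoformat(), "src": ev["src"]}
            for k in kinds]


def analyse(log_text):
    """Run the per-event checks, then flag privileged accounts used from several sources."""
    findings, sources_by_user = [], defaultdict(set)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        findings.extend(check_event(ev))
        sources_by_user[ev["user"]].add(ev["src"])
    for user, srcs in sources_by_user.items():
        if user in PRIVILEGED and len(srcs) > 1:  # same privileged account, several origins
            findings.append({"user": user, "kind": "shared_use", "ts": None,
                             "src": ",".join(sorted(srcs))})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['user']:11} {f['src']}  {f['ts'] or ''}")
```

The script reports six findings for the sample: the 02:40 root login is outside its window, from an unknown host and password-based, dbadmin is used from an unlisted host, and both root and dbadmin appear from more than one source.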

Apply for a certification course in identity and access management.

Careful monitoring of credit reports can alert consumers to fraudulent activities or inaccuracies in records potentially indicating identity theft. The information included on a credit report, such as amounts owed, payment history and public records, affects the scores used by financial institutions and credit card issuers to assess the creditworthiness of applicants and decide whether to approve applications.

Credit reports also provide consumers with a total picture of their credit status at a particular point in time. Few consumers know exactly where they stand when it comes to total debt, so seeing everything laid out in a report reveals not only where changes can be made to improve credit scores but also mistakes and incorrect information they must dispute and correct. Some of these inaccuracies may be red flags, warning of a breach of privacy or outright identity theft in need of investigation. In these cases, appropriate measures must be taken to correct all information and ensure the security of personal information.

Under the Fair Credit Reporting Act or FCRA, every consumer is entitled to one free copy of his or her credit report per year from the “big three” CRAs: Equifax, Experian and TransUnion. This law is enforced by the Federal Trade Commission and gives consumers the opportunity to keep a close eye on credit activities associated with their accounts.

It is reported that one in five consumers have at least one error on their credit reports. Because these errors can have negative effects on a person’s overall credit history and make it difficult to qualify for loans or obtain new credit cards, they should be addressed and fixed as soon as they’re discovered.

CRAs are required by law under the FCRA to correct inaccurate or incomplete credit report information and must investigate claims from consumers within 30 to 45 days of receipt. Although Equifax, Experian and TransUnion all offer online dispute options, it’s best to carry out communications by mail. Physical letters provide a paper trail consumers can file, track and refer back to as necessary.

The way a consumer handles his or her finances, including making purchases, payments and credit requests, will impact the total FICO score because of the influence such habits have on each of the five elements on which the score is based.

Any patterns indicating reckless spending could prevent consumers from qualifying for card promotions, special deals and higher credit limits. However, those with short credit histories may benefit from charging the majority of their purchases to their credit cards as long as balances are paid off on time. Rather than demonstrating poor spending habits, such a pattern helps to establish a stronger credit history, making other financial products more accessible.

Credit monitoring to detect unusual activity reported to any or all of the big three CRAs is an important part of the overall scope of identity theft protection. Consumers need to be alerted to fraudulent activity as soon as it appears so that appropriate measures can be taken before irrevocable damage is done to their credit histories. Helping consumers better understand the elements of their credit reports provides the knowledge they need to spot errors, empowers them to take corrective steps when necessary and gives potential identity thieves fewer opportunities to compromise credit records.

Identity Management Institute offers a video course to teach about how to obtain, review, and correct credit reports. This video is available for purchase and is offered to Certified Identity Protection Advisor (CIPA) candidates who are valuable resources for helping consumers.

Visit our training page to learn more and access our video courses for preview and purchase.

Access certification is the process of validating access rights within systems. This process is mandatory for compliance and security risk management; however, it can be a very daunting process for some organizations with dispersed systems.

Identity theft certifications issued by Identity Management Institute offer professional credibility, knowledge, employment opportunity, and career advancement. Organizations which employ identity theft certified professionals invest in valuable defense against identity fraud which affects the enterprise and their customers or members.

Identity theft and data protection certifications by Identity Management Institute

An increasing number of companies and government agencies recognize the growing identity theft threats facing businesses and consumers as well as the need for well-educated, trained and qualified professionals to mitigate identity theft risks. Employee error is a major root cause of many data breach incidents which contribute to the rising identity theft epidemic. Therefore, trained and certified professionals in identity theft management are needed to take the lead within organizations to minimize risks, educate their employees as well as their customers, and ensure compliance with regulations. The consequences of identity theft are enormous and include lawsuits, fines and penalties, public relations nightmares, the high cost of identity theft resolution, damaged business reputation, lost customer loyalty, and low productivity, to name a few.

There are specialized identity theft certifications from which professionals can choose to complement their overall expertise and knowledge. For example, the US government recognized a few years ago that consumers continue to be vulnerable to identity theft due to the business failure to prevent identity theft and protect their customers.

Assuming that businesses will continue to lose personal data and fail to prevent identity theft in their daily operations, the US government introduced the Red Flags Rule to provide specific guidelines for preventing identity theft and force companies to take the necessary measures to protect themselves and their customers against identity theft. “The Red Flags Rule fills the gap in the fight against identity theft whereby regardless of how or from where consumer data is stolen, criminals cannot use that data to commit identity fraud at any business where identity fraud is possible,” says Henry Bagdasarian, Founder of Identity Management Institute. However, for businesses to be successful in their identity theft prevention efforts and comply with the regulations, they must hire experts with identity theft certifications who can design, implement, and maintain an identity theft prevention program. Many companies are now required to design and implement a comprehensive program to identify and detect identity theft red flags, and prevent fraud cases resulting from identity theft. For the program to be successful, key employees, consultants and auditors of companies must be educated, trained and certified in identity theft prevention techniques.

Identity Theft Certifications

Below is a list of three identity theft certifications offered by Identity Management Institute and a brief description for each to illustrate how they complement each other by targeting a specific risk area in the identity theft cycle for a complete identity theft management coverage:

Certified Red Flag Specialist (CRFS) workplace identity theft prevention certification

The Certified Red Flag Specialist (CRFS) is the leading workplace identity theft certification which is designed for professionals who help businesses prevent account fraud in connection with opening new accounts or existing account activities, complying with identity fraud prevention laws, and reducing fraud costs and related waste. CRFS is the recognized identity theft prevention training and certification which is designed in close alignment with the US government requirements set forth in the Red Flags Rule regulation.

Certified Identity Protection Advisor (CIPA) consumer identity theft certification

Whereas the CRFS professionals help businesses prevent account fraud resulting from identity theft without consumer involvement, the Certified Identity Protection Advisor (CIPA) is a consumer-centric program designed for professionals who serve consumers and business customers to protect their identities through awareness and education, credit report management, and identity theft victim resolution services. Consumer identity theft laws define business obligations and consumer rights which are designed to protect consumers from identity theft which may affect their accounts, credit worthiness and ability to borrow money, and credit reports.

Lastly, the Certified in Data Protection (CDP) professionals aim to limit data breach incidents within their organizations which can lead to personal data disclosure, identity theft, and fraud. CDP experts are able to identify and secure Personally Identifiable Information (PII) in their business environment. They are also capable of responding to data breach incidents, ensuring compliance with data protection laws, and applying operational and system security controls. Data protection laws such as the General Data Protection Regulation (GDPR) in the EU are increasingly requiring data protection experts to also be familiar with system security controls in addition to the operational and reporting aspects of the privacy laws. CDP is an exceptional certification which consolidates privacy and security best practices.

Learn about all Identity Management Institute certifications.

Identity Management Institute offers an Identity Theft Prevention Program certification service as part of its global and independent solutions. Due to the rise in identity theft cases which affect businesses as well as their customers and partners, many businesses are required by law to have a formal Identity Theft Prevention Program (“Program”) to identify, detect, and prevent identity theft in their day to day business operations. By instituting and enforcing identity theft prevention laws, the regulators intend to protect consumers from the consequences of identity theft which mainly affect their credit score and credit worthiness for obtaining loans on a timely basis. In the United States (“US”), the law requiring businesses to design and implement an identity theft prevention program is the Red Flags Rule.

The Identity Theft Prevention Program certification and audit is designed to provide businesses a reasonable assurance that their Program is in place and operating effectively. The Program certification also allows businesses to display their readiness for protecting their customers from the rising risks of identity theft and compliance with regulatory requirements. Many organizations require their business partners and third party vendors to provide evidence of their compliance with identity theft laws. The independent certificate of compliance issued by Identity Management Institute can be used by businesses to provide the necessary compliance evidence to their customers, business partners, and regulators.

A complete and effective Program is designed to detect, prevent, and mitigate identity theft activity in connection with the opening of new accounts or with existing accounts. The Program must be consistent with various laws, rules, and regulations. In the US, rules and regulations covering identity theft include:

  • Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) of the Fair Credit Reporting Act (“FCRA”) – Sections 114 and 315
  • Provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (amended section 615(e) of the FACTA)
  • The Securities and Exchange Commission (“SEC”) [17 Code of Federal Regulations (“CFR”) – Part 248, subpart C “Regulation S-ID: Identity Theft Red Flags”]
  • Commodity Futures Trading Commission (“CFTC”) [17 CFR Part 162, subpart C “Identity Theft Red Flags”]
  • Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”) requiring verification of the identity of persons opening new accounts through a Customer Identification Program (“CIP”) [31 CFR Part 103.122]
  • Federal Financial Institutions Examination Council (FFIEC) guidance entitled “Authentication in an Internet Banking Environment” requiring financial institutions offering Internet-based products and services to their customers to use effective methods to authenticate the identity of customers

The Program certification process is an annual process which will validate an organization’s compliance with the regulations which include but are not limited to the following requirements:

  • A written and comprehensive Program which reflects changes in risk to customers or to the safety and soundness of the organization;
  • Program approval by the Board of Directors or its committee and senior management;
  • The designation of an Identity Theft Program Administrator;
  • Existence of a Customer Identification Program “CIP”;
  • Procedures for monitoring, detecting, and mitigating identity theft red flags during new account opening and ongoing account activities;
  • Authenticating account access and transactions for new and existing accounts;
  • Providing employee training concerning the Program and the procedures to review suspicious activities relevant to identity theft;
  • Providing customer identity theft awareness and education including techniques to help mitigate identity theft risks;
  • Oversight of service providers; and
  • Filing the necessary reports with governmental agencies.

Visit this page for additional information about identity theft prevention program services.

Self service identity and access management is increasingly embraced by users and companies and it is a matter of time before it’s widely adopted due to the many benefits it offers. Of all the expectations placed on the typical IT department, managing identity and access is perhaps the most challenging for a variety of reasons.

Self service identity and access management

People are often the root cause of identity and access management challenges, but not necessarily because they have bad intentions or are malicious. They change roles, leave their companies, fall victim to phishing scams that lead to the theft of their access credentials, share passwords, use the same passwords for multiple accounts, and, most of all, forget their passwords.

As users experience problems accessing their systems due to reasons that were listed above, they contact the help desk expecting a speedy solution. Gartner estimates that each call to the helpdesk to reset a forgotten or expired password costs the company $50. In an organization with thousands (or hundreds of thousands) of employees, those costs add up quickly.

The Self Service Solution

Many systems offer self service features to employees and customers to reduce the burden on the IT helpdesk and improve productivity as system users can quickly reset passwords online without the IT support involvement. Although the self service identity and access management concept is not new, many systems still lack self service IAM features.

Around the Y2K crisis, it became apparent that the old helpdesk model was not scaling well, especially with regards to password resets. Thus, self service identity management allowing users to reset passwords and change basic account info started to attract attention.

Back in those days, self service user identity management was sometimes web-based, but more frequently used automated call attendants because system users were familiar with the process of calling the helpdesk.

Ever since the Y2K crisis when users and companies panicked and prepared for the worst to come, self-service IAM has become commonplace, and is now often accessed via both voice and web based systems. Many years of experience and millions of transactions have provided some perspective on do’s and don’ts for implementing self service identity management.

Self-Service Pitfalls

The success of self service IAM for password resets has encouraged the delivery of automated services beyond password management. This has sometimes resulted in system security weaknesses and other issues.

Here are some pitfalls to avoid when implementing self service user identity management:

  • Validating the identity of the user is absolutely critical. In the days of password reset by a human helpdesk, the technicians often acted on “hunches” that they weren’t talking to the true account owner. Machines still don’t recognize hunches. Perhaps the self service IAM request is from the real user, or maybe it’s from a vindictive ex-husband. Social security numbers and validation questions aren’t enough any longer. Instead, consider a two-factor authentication method to confirm an identity.
  • Contact information like cell phone numbers and physical addresses must be validated. Employees often neglect to update their personal contact records: thanks to direct deposit and email, there is little day-to-day reason to keep a home address current. To ensure data integrity, personal data must be validated upon updates and changes.
  • Keep expectations in check. Some self-service identity management solutions promise short-term savings, but chances are that a self-service IAM deployment won’t bring any immediate cost savings. The mid- and long-term prospects for cost savings on self-service IAM, however, are excellent.
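As an added example (not code from the original post or from any vendor), the following Python model of a self-service password reset applies the first two pitfalls above: the requester must prove possession of a second factor by entering a one-time code delivered to a previously verified contact channel, codes expire and are single use, repeated wrong codes invalidate the request, and a newly changed contact cannot receive codes until it has been confirmed. The service, account and delivery callback names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 600          # lifetime of a one-time reset code
MAX_ATTEMPTS = 3                # wrong codes tolerated before the request is discarded
SERVER_PEPPER = os.urandom(32)  # per-process secret so stored code hashes are useless if leaked


@dataclass
class Contact:
    value: str              # e.g. a mobile number or e-mail address (constructed values)
    verified: bool = False  # only a verified contact may receive reset codes


@dataclass
class Account:
    username: str
    password_hash: bytes
    contact: Contact


@dataclass
class PendingReset:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


def hash_password(password, salt=b""):
    """PBKDF2-SHA256 with a random 16-byte salt prepended to the stored value."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))


def hash_code(code):
    return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).digest()


def new_account(username, password, contact_value, verified=True):
    return Account(username, hash_password(password), Contact(contact_value, verified))


class SelfServiceReset:
    def __init__(self, accounts, send, now):
        self.accounts = accounts  # username -> Account
        self.send = send          # send(contact_value, code): the out-of-band delivery channel
        self.now = now            # returns epoch seconds; injectable so expiry can be tested
        self.pending = {}         # username -> PendingReset
        self.audit = []           # every decision is recorded for monitoring

    def update_contact(self, username, new_value):
        # A changed contact stays unverified until confirmed through that channel; otherwise
        # whoever controls a hijacked session could redirect reset codes to themselves.
        self.accounts[username].contact = Contact(new_value, verified=False)
        self.audit.append(("contact_changed", username, new_value))

    def confirm_contact(self, username):
        # Stands in for the confirmation step performed via the new channel itself.
        self.accounts[username].contact.verified = True

    def request_reset(self, username):
        # The UI must show one generic message for every status to avoid account enumeration.
        acct = self.accounts.get(username)
        if acct is None:
            self.audit.append(("reset_unknown_user", username))
            return "unknown_user"
        if not acct.contact.verified:
            self.audit.append(("reset_blocked_unverified_contact", username))
            return "contact_unverified"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = PendingReset(hash_code(code), self.now() + CODE_TTL_SECONDS)
        self.send(acct.contact.value, code)
        self.audit.append(("reset_code_sent", username))
        return "sent"

    def complete_reset(self, username, code, new_password):
        req = self.pending.get(username)
        if req is None:
            return "no_request"
        if self.now() > req.expires_at:
            del self.pending[username]
            return "expired"
        if not hmac.compare_digest(req.code_hash, hash_code(code)):
            req.attempts += 1
            if req.attempts >= MAX_ATTEMPTS:
                del self.pending[username]  # stop online guessing of the 6-digit code
                self.audit.append(("reset_locked", username))
                return "locked"
            return "bad_code"
        del self.pending[username]  # codes are single use
        self.accounts[username].password_hash = hash_password(new_password)
        self.audit.append(("password_reset", username))
        return "ok"
```

Knowledge-based answers (SSN, validation questions) are deliberately absent: the only proof accepted is possession of the verified channel.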

Choose Your Battles

When implementing a self service identity and access management tool, only parts of the self-service solution may be needed or benefit your organization. A requirements analysis should therefore be performed to understand the organization’s needs and reduce risk to the company without creating unnecessary audit and compliance issues.

Perhaps the most important part of deploying a self service identity and access management solution is remembering that one size does not fit all.

Visit the list of identity and access management vendors for self service solutions.

The fastest growing professional certifications in cyber security are the Identity and Access Management certifications and there are very good reasons why IAM certifications by Identity Management Institute have received enormous attention from the information security industry.


As we explore and analyze the information security landscape, we can understand why Identity and Access Management (IAM) is one of the fastest growing and most dynamic segments of information security which in turn increases demand for certified IAM experts.

First, information security risks and focus have been shifting away from traditional system security management practices to identity and access management because companies have discovered that information security threats are as much internal as they are external. User access credentials are increasingly under attack by hackers, who see great value in weaknesses in identity and access management practices and leverage them to gain access to systems and data. Research reports indicate that most system intrusions are executed using stolen IDs and passwords. Highly privileged accounts introduce an even greater risk because any unauthorized access with these accounts provides additional capabilities which can be used to inflict greater damage. Therefore, identity and access management is as much about processes and people as it is about technology.

Second, with the ever increasing number of mobile communication devices and Bring Your Own Device (BYOD) policies, identity and access management has expanded beyond the enterprise devices. Companies which allow employees to use their personal devices for business purposes to reduce costs and improve device management for employees and businesses need identity and access management experts to manage device identities and their access to enterprise resources for a greater security posture of the organization.

Third, due to the flood of drones and other Internet connected smart devices also known as the Internet of Things (IoT), identity and access management will become even more complicated and important to manage new and evolving risks. These devices will include self-driving cars and smart robots which self-teach with artificial intelligence and perform tasks on behalf of their owners. Today, we all have smart phones and many of us will own robots in the near future which will perform tasks on our behalf. Today, we are just worried about the security of our smart phones which if compromised will disclose some of our most private photos, emails, notes, and other information. In the future, we will also have to worry about the security of our smart robots and devices not just because of the private information they contain, but also the connectivity they will have to other devices or the transactions they can perform on our behalf.

“Identity theft committed by humans today will transition to identity theft committed by devices tomorrow which will initially be controlled and guided by humans. As automated devices are empowered with Artificial Intelligence to become independent, self-taught, and smarter, they will over time have their own mind and potentially become corrupt,” says Henry Bagdasarian, Founder of Identity Management Institute. “The rising deployment of the Internet of Things (IoT), and the arrival of automated cars, drones, and robots in all areas of personal and commercial markets as well as the increasing use of Artificial Intelligence validate this assessment,” he continues.

In addition, advancements in the areas of authentication technology, changes in identity services, and adoption of cloud services also require changes in today’s cyber security approach emphasizing the importance of identity and access management certifications. All of these evolving trends which are increasing risks for all organizations demand knowledgeable and qualified professionals who know how to assess risks and help manage human and device identities and their access.

In the future, information security managers must be much more proactive and fast in identifying risks before their organizations are impacted. This process requires very strong analytical skills to assess various security report data, open mindedness, and a vision to foresee the upcoming challenges and opportunities. These skills will not only help professionals identify risks but also propose innovative solutions in the form of new or improved products, services, and governance.

List of Identity and Access Management Certifications

Identity Management Institute is the leading Identity and Access Management certification organization which offers global IAM certifications.

Below, you find a list of identity and access management certifications within IAM career categories and web page links for quick access to program details:

  • Certified Identity Governance Expert (CIGE)®
  • Certified Identity and Security Technologist (CIST)®
  • Certified Identity and Access Manager (CIAM)®
  • Certified Identity Management Professional (CIMP)®
  • Certified Access Management Specialist (CAMS)®
  • Certified Identity Protection Advisor (CIPA)®
  • Certified Red Flag Specialist (CRFS)®
  • Certified in Data Protection (CDP)®

Download “Becoming a Cybersecurity Expert” from the IAM certification page for details about the IAM roles in cyber security career choices.

Benefits of Identity and Access Management Certification

Some people may not see the value of professional certification in the marketplace and others may question the benefits of pursuing identity and access management certifications. Below are some questions that some may ask themselves when considering a professional IAM certification:

  1. Is the certifying organization providing awareness and training with periodic articles, newsletters, blogs, social media posts, discussion groups, and other resources which serve the greater society?
  2. Is the IAM certification name a registered trademark to protect the organization and its certificate holders?
  3. Is a process in place to list criteria for IAM certification and ensure certificate holders are qualified?
  4. Does the organization and its certifications stand out as the leader in the field?
  5. What value do companies and the industry as a whole place on certification?

Let’s attempt to answer the above questions and further explore each area:

The image or perception of the certificate issuer is extremely important. The issuer must be a recognized leader, credible, and trustworthy with integrity. Certifying organizations must provide services and value to their members and respective industries by:

  1. Defining a scope of responsibility for the profession,
  2. Drafting articles, newsletters, analysis, and documentation to expand knowledge,
  3. Assessing member knowledge through exams and/or background assessments,
  4. Providing training for up to date knowledge,
  5. Helping members share information related to the profession and employment, and
  6. Connecting members to one another and companies.

Certifying organizations also provide services and value to companies by:

  1. Ensuring employees are certified through formal assessments such as examination and enforcement of completed and required continuing education, and
  2. Connecting companies to certified members.

Certification Limitations

The total value that a professional may provide cannot be determined solely by a certification. A certification can only provide assurance for some of the qualification factors that companies look for, which include education, experience, personality, appearance, passion or enthusiasm, creativity, integrity, and, ideally, proven credibility and track record. The value of a certificate is determined by a combination of factors; a designation only complements the assessment that companies must perform to hire the best. For example, a certification does not guarantee that a person has a great personality or creativity, but it might provide assurance that the certified person’s knowledge has been assessed through an examination or other means of evaluation, and to some extent that the person is enthusiastic or ambitious because he or she joined a professional organization. A professional designation means that certified professionals have passed a rigorous certification assessment, including education and experience verification by the certification organization, and that certified members continue to be involved in their chosen professional field and take the necessary training to maintain up-to-date knowledge.

And lastly, in order to assess the importance of having a certification, the view or perception of a hiring company and its management must also be considered. A certificate, like everything else in life, has no value except the value we give to it; therefore, the degree to which a hiring company and its management value professional designations is important when evaluating a certificate’s true and overall value. If management strongly considers a certificate, or even requires one from job applicants, then the certificate’s overall value increases accordingly. In general, there are some people who recognize and highly value the benefits of professional certifications, and there are others who have no respect for them. Interestingly, those who don’t respect certifications also lack professional designations.

It is commonly said that a professional certification increases the overall value of an employee, and that those holding a professional designation earn higher salaries than their counterparts who do not have a professional certification. It’s somewhat true that certified professionals can demand higher salaries and find jobs much more quickly, especially in tough economic times when the job market is much more competitive. A person has nothing to lose but everything to gain with a little investment to be involved in a professional organization and maintain a professional designation. It takes very few resources to gain a competitive advantage when looking for work, and a professional certification from a recognized organization offers that competitive advantage. The cost of professional certification and membership is well worth the investment for a long and prosperous career.

Even if some companies do not reimburse the cost of the certification, such as membership, study guide, training and exam fees, it is still recommended to aim for the desired IAM certification in your chosen field, since no one really cares about your career as much as you do. The resources that you allocate to a professional organization or certification program are never wasted given the value you receive in return, such as networking, knowledge, and credibility.

On a final note, a certification which has been registered for trademark protection will ensure that the certification will maintain leadership in the marketplace and offer protection to the certifying organization as well as its members for many years to come.

Identity Management Institute has carefully designed IAM certification programs for the identity management field which evolve as the industry evolves. All the programs have been registered for trademark protection and continue to be recognized internationally as leading identity and access management certifications in the cyber security field.

Why Are Identity and Access Management Certifications Important

One of the questions in the certification applications is about why identity and access management certifications are important to the applicants. Below are a few samples from actual member applications:

  • Having certification will help greatly in my professional career. Most of the Federal clients prefer to have certified professionals.
  • I have been a thought leader in IAM for years. I have helped my company to significantly improve their programs with automation, self-service and most importantly governance and security. The CIAM designation would help me validate my expertise and accomplishments.
  • I intend to become a Certified Identity and Access Manager to expand on my IAM knowledge and skillset. In addition to my Information Assurance MS degree, it will support my contribution to society by allowing me to practice what I’ve learned about IAM and reinforce its importance in the systems and people I work with.
  • Protecting user identity in cyber and cloud environments utilizing various cybersecurity tools will require knowledge, certification, and credibility. CIST will give me the credibility to continue working and supporting the industry and the enterprises to build cyber resiliency technology to manage the identity of the users. Today’s enterprises and social media tools would need CIST experts to help enhance their security capabilities to provide better cyber protection and prevention against the adversaries.
  • The CAMS certification would validate my several years of experience serving on projects as a project manager/business analyst in the identity access management field, including extensive experience directing and leading user support teams with activities related to role-based access control, audit report reviews, and user identity validation. The CAMS designation would expose me to more career opportunities that could leverage my experience for complex and challenging projects.
  • Protection of IT systems is data driven, as we have witnessed from recent breaches that resulted in huge fines and losses on many fronts. The CDP designation will position me to support my organization by providing expert advice with cost-effective solutions to protect data.
  • The CIGE will further demonstrate my commitment to identity governance and strategic planning across technology and security. It is my hope that this IAM certification and membership in the IMI will allow me to further grow and practice sound identity governance.
  • My current duties are specifically around Identity Management. The CIMP certification will validate my expertise in the field.

Visit the IAM certification page to learn more about identity and access management certifications and select the best certification for your career.

The AAA identity and access management model is a framework which is embedded into the digital identity and access management world to manage access to assets and maintain system security. AAA stands for Authentication, Authorization, and Accounting which we will cover in depth below.

AAA identity and access management framework model to authenticate, authorize, and audit

Authentication

Authentication is based on the idea that each individual user has unique information that sets him or her apart from other users and can serve as proof of identity once they identify themselves. For example, you enter a guarded area and identify yourself as an employee or homeowner of the guarded area. Next, you must provide proof that you are the person you claim to be. This concept, along with the AAA identity and access management model, will also apply to connected IoT devices.

There are primarily four types of authentication methods which use:

  1. Static passwords which remain active until they are changed or expired,
  2. One-time passwords (OTP), such as codes delivered through SMS texts or tokens used for each access session,
  3. Digital certificate, and
  4. Biometric credential.

Authentication types fall within one of the following forms:

  1. Something you know such as a password;
  2. Something you have such as a key fob or cell phone; and
  3. Something you are such as your fingerprints, voice, hand geometry, etc., also called “biometric authentication”.

When we combine more than one of these categories, it’s called Multi-Factor Authentication (MFA) which makes it difficult for someone to authenticate as another person. For example, if a hacker steals a user’s password, he’d also have to steal the mobile phone to access the code sent by the SMS text or possess the key fob that displays the code which syncs with the rotating code inside the system being accessed. Using two passwords is not considered 2FA because both passwords fall under the category of “something you know”. It’s like placing two locks on a door at home that could be opened with the same key.
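To make the category rule concrete, here is an added example (not code from the original page or from Identity Management Institute) that counts verified factor categories, so that a password plus a challenge question is rejected as MFA, and verifies a password together with a time-based OTP of the kind a key fob or phone displays (RFC 6238 TOTP over RFC 4226 HOTP). The user record, salt and TOTP seed are constructed for the demo; the seed is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "something you know"    # password, PIN, challenge question
    POSSESSION = "something you have"   # key fob, phone receiving an OTP
    INHERENCE = "something you are"     # fingerprint, iris, voice


@dataclass(frozen=True)
class Factor:
    kind: FactorType
    name: str
    verified: bool


def is_multi_factor(factors):
    """MFA means at least two *distinct* categories were verified.
    Two knowledge factors (password + challenge question) count as one."""
    kinds = {f.kind for f in factors if f.verified}
    return len(kinds) >= 2


# Constructed user store: salted PBKDF2 hash of the password plus a raw TOTP seed.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password, salt, stored_hash):
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def totp_code(secret, at_time, step=30, digits=6):
    """Time-based OTP: the fob and the server derive the same code from a
    shared seed and the current 30-second time step (RFC 6238 / RFC 4226)."""
    counter = struct.pack(">Q", int(at_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current step and +/- `window` steps to absorb clock drift
    between the fob and the server."""
    return any(
        hmac.compare_digest(totp_code(secret, at_time + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


def make_record(password, totp_seed, salt=b"constructed-salt"):
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_seed": totp_seed}


def authenticate(record, password, otp, at_time):
    """Password + OTP login. Returns (success, factors) so the caller can see
    which categories were actually verified."""
    factors = [
        Factor(FactorType.KNOWLEDGE, "static password",
               verify_password(password, record["salt"], record["pw_hash"])),
        Factor(FactorType.POSSESSION, "OTP from fob or phone",
               verify_totp(record["totp_seed"], otp, at_time)),
    ]
    success = all(f.verified for f in factors) and is_multi_factor(factors)
    return success, factors


def two_passwords_are_not_2fa():
    """Password plus a challenge question: both are 'something you know',
    so even when both verify, only one category is present."""
    factors = [
        Factor(FactorType.KNOWLEDGE, "static password", True),
        Factor(FactorType.KNOWLEDGE, "challenge question", True),
    ]
    return is_multi_factor(factors)
```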

Most companies are moving toward Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), which combines a static password with an OTP or challenge question to strengthen cybersecurity. Biometric authentication is slowly being adopted as the technology becomes more cost effective and the errors associated with biometric authentication are reduced. However, biometric authentication presents a different set of privacy and security issues. For example, stolen fingerprint data cannot be replaced the way a password can, and it can disclose personal data to unauthorized parties.

That’s why 2FA or MFA is considered the best near-future authentication mechanism, using a combination of a password, an OTP, and potentially a biometric such as iris, retina, or hand geometry.

According to the National Institute of Standards and Technology (NIST), two-factor authentication that relies on text messages is not a good solution because text messages can be intercepted. However, companies have resisted the NIST argument and continue to use 2FA with a password and a code delivered by cell phone text.

“The industry believes that using 2FA with two authentication methods is the best option for now to improve security and justify costs in case one method is compromised” says Henry Bagdasarian.

Authorization

Authorization is represented by the second A in the AAA identity and access management model. It is the process of granting or denying a user access to system resources once the user has been authenticated through the username and password. The amount of information and the range of services the user has access to depend on the user’s authorization level.

After the user identifies himself and is authenticated to prove his ownership of the identity, he must pass the authorization rules to access system services, programs and data. Authorization determines what the user can access and what he cannot access.

The Principle of Least Privilege requires that users, processes, programs, and devices be granted only the access necessary to perform their required functions, and nothing more. Any authorization beyond normal job functions opens the door to either accidental or malicious violations of the security objectives: Confidentiality, Integrity, and Availability. This is one of the main reasons why employees must not have administrator or root access to their employer-provided devices, but rather an account with limited privileges consistent with their job requirements. One of the risks of granting employees admin access to company-provided devices is that when the device is infected with a virus, the malware runs with the privileges of the user.

The principle of least privilege must be applied at all times until it is time to temporarily escalate access when warranted by business requirements.
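The following is an added example (not code from the original page or from Identity Management Institute) of a default-deny authorizer that enforces least privilege from a role catalogue and supports the temporary escalation the text describes: an elevated role is granted with a recorded justification and approver and expires on its own. The roles, permissions and user names are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: each role lists only the (action, resource)
# pairs its job function genuinely needs; "*" is a wildcard resource.
ROLES = {
    "helpdesk":  {("read", "tickets"), ("reset", "user_password")},
    "developer": {("read", "source"), ("write", "source"), ("read", "build_logs")},
    "sysadmin":  {("read", "*"), ("write", "*"), ("install", "software"), ("reset", "*")},
}


@dataclass
class TemporaryGrant:
    role: str
    expires_at: datetime
    reason: str          # business justification recorded with the escalation
    approved_by: str


@dataclass
class User:
    name: str
    standing_roles: set = field(default_factory=set)
    temporary_grants: list = field(default_factory=list)


def _role_allows(role, action, resource):
    for allowed_action, allowed_resource in ROLES.get(role, ()):
        if allowed_action == action and allowed_resource in (resource, "*"):
            return True
    return False


def effective_roles(user, now):
    """Standing roles plus any temporary grant that has not yet expired."""
    roles = set(user.standing_roles)
    for grant in user.temporary_grants:
        if now < grant.expires_at:
            roles.add(grant.role)
    return roles


def authorize(user, action, resource, now):
    """Default deny: allowed only if a currently effective role permits it."""
    return any(_role_allows(r, action, resource) for r in effective_roles(user, now))


def escalate(user, role, hours, reason, approved_by, now):
    """Time-boxed escalation. The grant expires by itself, so least privilege
    is restored without anyone having to remember to revoke it."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if not reason.strip():
        raise ValueError("escalation requires a business justification")
    grant = TemporaryGrant(role, now + timedelta(hours=hours), reason, approved_by)
    user.temporary_grants.append(grant)
    return grant


def scenario():
    """Walk a developer through a two-hour sysadmin escalation and return the
    access decisions before, during and after it."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice = User("alice", standing_roles={"developer"})
    decisions = {
        "write_source_before": authorize(alice, "write", "source", t0),
        "install_before": authorize(alice, "install", "software", t0),
    }
    escalate(alice, "sysadmin", hours=2, reason="emergency patch for build host",
             approved_by="bob", now=t0)
    decisions["install_during"] = authorize(alice, "install", "software", t0 + timedelta(hours=1))
    decisions["install_after"] = authorize(alice, "install", "software", t0 + timedelta(hours=3))
    decisions["helpdesk_reset_during"] = authorize(alice, "reset", "user_password",
                                                   t0 + timedelta(hours=1))
    return decisions
```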

Accounting

The third A in the AAA identity and access management model refers to Accounting which is the process of keeping track of a user’s activity while accessing the system resources, including the amount of time spent in the network, the services accessed while there, and the amount of data transferred during the session. Accounting data is used for trend analysis, discovering failed login attempts, data breach detection, forensics and investigations, capacity planning, billing, auditing and cost allocation.

Keeping track of users and their activities serves many purposes. For example, tracing back to events leading up to a cybersecurity incident can prove very valuable to a forensics analysis and investigation case.

Also, monitoring the activities of employees who might be somewhat disgruntled due to company events such as layoffs can help detect failed login attempts and predict what kind of malicious goal they might have.

In order to be effective in IAM accounting, generic and shared accounts must be avoided so that the actions of each individual can be accounted for.

To detect fraud and other malicious activities, companies may send employees on mandatory vacations, allowing the employee’s replacement to perform checks and balances on the work of the absent employee, who could have been hiding or covering up his actions. Log entries in particular can offer the company many clues about the malicious activities of its employees.
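As an added example (not code from the original page or from Identity Management Institute), the detection logic below runs over a handful of constructed accounting records: it totals each user’s time on the network and data transferred per session, flags accounts with repeated failed logins, and flags accounts with overlapping sessions from different hosts, which is a sign of the generic or shared account the text says must be avoided. The log format and all values are constructed for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed accounting records, one per line:
#   <timestamp> <user> <LOGIN_OK|LOGIN_FAIL|LOGOUT> <source host> [bytes transferred]
SAMPLE_LOG = """\
2024-03-04T08:00:05Z alice LOGIN_OK 10.0.0.12
2024-03-04T08:00:07Z bob LOGIN_FAIL 10.0.0.40
2024-03-04T08:00:15Z bob LOGIN_FAIL 10.0.0.40
2024-03-04T08:00:22Z bob LOGIN_FAIL 10.0.0.40
2024-03-04T08:00:30Z bob LOGIN_FAIL 10.0.0.40
2024-03-04T08:01:00Z svc_backup LOGIN_OK 10.0.0.50
2024-03-04T08:02:00Z svc_backup LOGIN_OK 10.0.0.77
2024-03-04T08:45:05Z alice LOGOUT 10.0.0.12 20480
2024-03-04T09:00:00Z svc_backup LOGOUT 10.0.0.50 1048576
2024-03-04T09:10:00Z svc_backup LOGOUT 10.0.0.77 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|LOGOUT) (\S+)(?: (\d+))?$")


@dataclass
class Session:
    user: str
    host: str
    start: datetime
    end: datetime
    bytes_transferred: int


def parse_records(text):
    """Parse the accounting lines, skipping malformed ones, sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, event, host, nbytes = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "event": event, "host": host,
                        "bytes": int(nbytes) if nbytes else 0})
    return sorted(records, key=lambda r: r["ts"])


def failed_logins(records, threshold=3):
    """Users with at least `threshold` failed login attempts."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            counts[r["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def build_sessions(records):
    """Pair each LOGIN_OK with the matching LOGOUT for the same user and host."""
    open_sessions, sessions = {}, []
    for r in records:
        key = (r["user"], r["host"])
        if r["event"] == "LOGIN_OK":
            open_sessions[key] = r["ts"]
        elif r["event"] == "LOGOUT" and key in open_sessions:
            sessions.append(Session(r["user"], r["host"], open_sessions.pop(key),
                                    r["ts"], r["bytes"]))
    return sessions


def usage_summary(sessions):
    """Per-user time on the network, data moved and session count."""
    summary = defaultdict(lambda: {"seconds": 0, "bytes": 0, "sessions": 0})
    for s in sessions:
        entry = summary[s.user]
        entry["seconds"] += int((s.end - s.start).total_seconds())
        entry["bytes"] += s.bytes_transferred
        entry["sessions"] += 1
    return dict(summary)


def possibly_shared_accounts(sessions):
    """Accounts with overlapping sessions from different hosts: no single
    individual can be held accountable for actions taken under them."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    shared = set()
    for user, sess in by_user.items():
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a.host != b.host and a.start < b.end and b.start < a.end:
                    shared.add(user)
    return shared
```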

Identity and access management certifications

Identity and Access Management (IAM) is bound to become an increasingly integral part of our personal and business lives as the technological and societal landscape continues to change rapidly. Although we cannot fully and accurately predict anything beyond the near future, it is likely that technology will continue to change our lives in future years, which will require a new approach to identity and access management.

“When considering that users’ inability to protect and manage passwords causes over 90% of cyber attacks, it is evident that our current IAM approach which mostly uses passwords for authentication can not support the security of the future state where many devices will be interconnected” says Henry Bagdasarian, Founder of Identity Management Institute and cybersecurity thought leader.

For example, IAM will expand beyond humans, pets, and other living things to include the identities of robots and smart devices. Anything that needs to be connected to something for data sharing and automated tasks will be connected to make human lives easier, more collaborative, and more productive.

As distributed and interconnected systems increase in number, seamless, continuous, and accurate access to all resources with advanced authentication systems such as biometrics and artificial intelligence technology will be prevalent. Passwords will be a thing of the past as user-controlled access is replaced by machine-controlled access management. There will be no more passwords to access systems or badges to enter buildings. Smart systems will be able to recognize and greet us using some of our personal and distinct features when we use ATMs, enter stores and restaurants, visit websites, enter office locations, drive cars, and access business systems.

Identity management and artificial intelligence will revolutionize security beyond people, places, and things that we manage today as increasing number of devices and systems will communicate with and learn from one another without human intervention. For example, household systems which will be a big part of the Internet of Things will communicate with each other to control and manage our lives. Refrigerators will order food items when the inventory goes down, fire detection systems will contact the fire department and other nearby households in case of fire, doctors will be notified when our vital signs show trouble and much more. Almost everything will have an identity which will change today’s definition of identity theft.

From a business standpoint, the distributed and trusted identity concept will be adopted by every object, service, and system. A person may have multiple identities but still be recognized as the same person, and the identities of smart things will be linked to the persons owning the objects. With the increasing number of highly potent identities, global identity service providers will register identities and maintain identity directories.

Biometric Authentication

Biometric authentication uses a person’s characteristics to identify and authenticate the person. Biometric technology is advancing rapidly, and the market for biometric systems is estimated to increase from $10 billion in 2015 to about $40 billion by 2022 according to various research reports. Artificial intelligence embedded in future IAM products will be able to learn about the user for access management, and user activities will be analyzed and anomalies reported automatically.

The list of biometric authentication options includes:

  • Face recognition,
  • Fingerprint and finger geometry, although it is easier to copy or steal a fingerprint than other human features,
  • Hand geometry,
  • Ear geometry by simply pressing it against the phone screen during a phone call. No two ears are alike even on the same person,
  • Eye iris or retina recognition,
  • Gait or behavioral biometrics such as keystroke dynamics, mouse use, and walking patterns,
  • Heart rhythm can be used in wristbands and other devices for wireless identification to the computer, cars, house, and in stores for making payments,
  • Butt biometrics can be used to authenticate a user by the way they sit. This technology can be used in cars to start the car and adjust car preferences automatically,
  • Nose can be used to identify a person as it is a distinct human feature although it is often surgically modified and rendered useless for authentication,
  • Vein matching also uses a finger or a palm, but provides a few additional security benefits through vein analysis of only alive persons which makes it difficult to fake,
  • Sniff test although in early stages with 10% failure rate can filter out smells like hand cream or changes in odor caused by diet and disease with an artificial nose to identify a person.

Accuracy and affordability will determine which biometric technology will be the market leader. However, regardless of product leadership, with the increasing number of interconnected systems and devices, unauthorized parties must be kept out of systems and authorized parties must not be denied access to approved resources. Both failure modes present a big risk to the business: one leads to a data breach with all sorts of consequences and the other to lost productivity and inefficient operations. These challenges will be addressed by advanced identity and access management solutions, which will shape the future of cybersecurity.

Future IAM Skills

Many of today’s identity and access management tasks will be automated whereby the work of access administrators will be handled by machines in which case robots will authorize and grant access to resources.

The rapid changes in technology and the huge volumes of data produced by robots will require future identity and access management professionals to have analytical and critical thinking skills to sort out useful data and make sense of all the machine-reported data. The work of identity and access management specialists will be to design the automated tasks performed by robots, override machine decisions, and act upon reported data.

Learn about professional IAM certifications and get certified to prepare your career for the future.

This identity and access management market analysis is made possible by existing research reports and assessments made by Identity Management Institute based on publicly available information which indicate a fast growth in the Identity and Access Management (IAM) segment of information security.

Identity and Access Management Market Analysis

According to a recent study, the IAM market is estimated to grow from about USD $10 billion in 2019 to over $22 billion by 2024. The identity and access management segments of the study included access provisioning, single sign-on, advanced authentication, audit, compliance, governance, directory services, and password management. The audit, compliance, and governance segment is expected to grow at the highest rate. The adoption of identity & access management solutions in the Asia-Pacific region is expected to grow at the fastest rate due to the significant growth in the industrial sector as well as rising demand for cloud-based solutions from manufacturing and other verticals.

Growth Drivers

Major growth drivers of the IAM market include compliance, process inefficiency and errors, the increase in hacking incidents and data breach cases which concern global organizations, and changes in technology, societal, and operating trends.

Below is a list of drivers that fuel the identity and access management growth:

  1. The identity and access management market growth is primarily driven by the increased demand for security governance, enforcement concerns, distributed systems and workforce, as well as the lower quality of security services within organizations. Security policy enforcement challenges arise when systems, people, and access management practices are distributed, requiring single sign-on and federated identity management, and when older systems lack the proper settings to be configured in accordance with the stated security policies and standards.
  2. Stolen employee access credentials are by far the leading cause of system hacking cases and data breach incidents, which will cost businesses about $5 trillion by 2024. In fact, stolen employee passwords and human error are responsible for around 90% of data breaches according to leading industry and government reports.
  3. Changes in technology and way of life are forcing organizations to seek identity and access management solutions. Consider the following:
    • The Internet of Things (IoT) will make almost every object connected to the Internet and each other including drones, cars, and household devices to name a few.
    • Bring Your Own Device (BYOD) policies by many organizations which slowly but increasingly allow users to use their personal devices for work purposes making security and privacy a real challenge. For example, device identification and authentication process must be effective and software installed by companies onto their employees’ personal phones or devices which can track non-business related data such as employee location, texts, photos, and almost everything else must follow policies that are well defined, communicated, and enforced.
    • Mobility and remote workforce make authentication and access management a real challenge.
    • Rise of cloud computing and storage due to lowered cost of maintaining a dedicated data center and improved system management present a new set of security risks which include reliance on third parties to maintain controls.
    • Online file sharing and collaboration for increased efficiency and productivity also present new security and privacy risks.
  4. Challenges related to on-boarding and off-boarding, such as manual and slow processes for access provisioning and inappropriate approvals in decentralized environments in which system owners decide who can access which resources, are also driving identity and access management market growth higher. Delayed access to resources results in lost productivity and potentially revenue, and delayed removal of departed users from systems creates security risks.
  5. Approving and adjusting user access in accordance with their new job duties as they move across the enterprise is a real challenge to manage in larger organizations. This is another main area where IAM technology can support organizations to manage their security risks. “In the future, more important than technical skills, security professionals must have analytical and critical thinking skills to analyze data reported by security systems” says Henry Bagdasarian. “As the automated IAM systems generate reports and information about system access such as excess user access and privileged accounts, dormant or inactive accounts, system attacks, and active accounts belonging to departed users, security analysts must be able to quickly digest the data, analyze trends, and take swift actions to minimize the risks” he continues.
  6. The acknowledgement that a single-factor authentication is no longer acceptable in the expanding digital world and stronger authentication mechanisms are needed to improve security such as a multi-factor authentication or biometric authentication is another IAM growth driver.
  7. Regulatory compliance is another driver of IAM market growth, as many organizations must comply with a variety of regulations which sometimes overlap and can make compliance inefficient. Identity and access management solutions make compliance, measurement, and reporting more efficient, as IAM solutions can eliminate redundancy and automate assessments, communication, and reporting.
  8. Fast-changing, hostile, and competitive environments often force management to make quick decisions. The deployment of identity and access management solutions allows organizations to quickly identify issues and make decisions for mitigating risks.

Shortage in Cybersecurity Experts

This identity and access management market analysis also considers the global cybersecurity expert shortages and unfilled jobs to be a major risk.

Identity and Access Management certification

Professional Certifications

Identity and access management certifications are gaining popularity due to the growing IAM market and risks. Visit the certification page to learn about the IAM technology, governance, operations, and risk management certifications.

Identity and Access Management Market Report and Predictions for 2021 and Beyond