Assess and Govern Identity Security

Strong identity security and governance are the keys to the zero-trust future.

Analyst Perspective

Effectively securing all managed identities

To ensure a significant improvement in identity security, organizations must be willing to take a step back and understand where the vulnerabilities lie and identify the threats that may take advantage of them.

Every organization likely juggles many different identity types. This results in a complex system of identity storage, ownership, and security requirements. The first step to improving anything related to identity security will be to fully understand all the different identities that exist, where they exist, who owns related processes, and what threats exist that might take advantage of a managed identity.

Only when an organization has successfully catalogued the information necessary to secure all their identities can they build an identity security architecture that describes an approach to identity security befitting the modern era.

Ian Mulholland
Research Director, Security, Risk, and Compliance Info-Tech Research Group

Executive Summary

Your Challenge

• Many security leaders are struggling to meet the recommendations of internal and external parties when it comes to identity and access management.
• A lot of identity and access management processes are known to be inefficient, and many known solutions are difficult to implement.

Common Obstacles

Improving identity security can be challenging:

• For most organizations, identity and access management has been allowed to grow organically, and it has become inflexible and difficult to control.
• In most cases, the number of identities and the items they access has increased with each passing year, necessitating more scalable processes and technology.

Info-Tech's Approach

Info-Tech has developed an effective approach to building an identity security architecture.

This unique approach includes tools for:

• Establishing governance for identity security.
• Creating an identity inventory.
• Modeling identity-based threats.
• Building an identity security architecture.

Info-Tech Insight

Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Identity management and proper credential management are critical security factors

Key Findings:

+450%
Increase in Username/Password Breaches
Breaches containing usernames and passwords increased by 450% in 2020, totally 1.48 billion breached records.

$8.64 Million
The Average Cost of a Breach in the US
The average cost of a breach in the US was the highest in the world at $8.64 million, up 5% from the previous year.

2X
The Amount of Time Spent Online
The amount of time people spent online more than doubled in 2020, totaling more than seven hours per person per day.Source: ForgeRock

In 2020 the world saw a massive digital migration. However, the migration has not come with a secure transition. For the third year in a row, identity security has been one of the weakest links in any security program. The move to remote work has significantly contributed to increases in stolen data.

Weak identity controls have continually given bad actors an easy path to gaining access to enterprise data. Identity and access management practices have been a weak point for many organizations. Find out how to best manage and govern your identities with an identity-centric approach to your security program.

The average cost and frequency of malicious data breaches by root-cause vector

Compromised credentials is an expensive and common threat vector

Of the ten initial threat vectors in malicious breaches represented in a report by IBM, compromised credentials was the most frequently reoccurring attack vector, accounting for 20% of all malicious breaches.

Proper inventory of identities and their respective repositories is critical to ensuring the security of credentials and any of the access they may pertain to.

Preparing yourself properly can save you costs and headaches

Stolen or compromised credentials was one of the most expensive causes of malicious data breaches, according to a 2021 report conducted by IBM.

Unified endpoint management (UEM) and identity and access management (IAM) products and services can give security teams an edge by providing insight and deeper visibility into the internal network and potential suspicious activity.

20%
Of all breaches are through compromised credentials.

$5.33 million
Was the average total cost of a breach at enterprises of more than 25,000 employees, compared to $2.98 million for organizations with under 500 employees.

Identity Security & Governance Framework for Security Leaders

Security leaders view modernizing identity security as too big of a challenge and prefer to focus on narrower challenges that seem easily solvable using tools such as SSO/MFA/PAM. However, this limited focus is reactive rather than proactive and may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Info-Tech’s methodology to Assess and Govern Identity Security

Insight summary

Overarching insight

Security leaders view modernizing identity security as too big of a challenge and prefer to focus on narrower challenges that seem easily solvable using tools such as single sign-on, multifactor authentication, or privileged access management. However, this limited focus is reactive rather than proactive, and it may end up being more expensive in the long run. Building an identity security architecture is a high-value initiative that will drive the modernization of identity security.

Phase 1 Insights

• People using different taxonomies can create conflicts. Use any existing conflicts in understanding as an education opportunity once standard definitions are set.
• Work with other identity owners to ensure governance is clearly defined before making any large changes.

Tactical insight

To some extent, your identity processes are working, or else the business would not be able to function – your processes may just have more risk or cause more disruption than you would like. Use what exists today as a starting point instead of starting from scratch.

Phase 2 insight

Understanding the current and future threats to your identity program will be critical to modernizing your identity security. Use a structured approach to ensure you identify all identity-based threats that pose a risk for your organization.

Tactical insight

Modernization starts with understanding legacy components.

Use Info-Tech’s blueprint to know how prepared you are for every threat vector

IT Benefits

• IT can determine the capabilities of its current security structure to deal with various attack vectors.
• IT will no longer have to disallow certain applications and services because they are cloud based.
• Analyzing and threat modeling are no longer simply guessing what the most pressing concerns are. Know your vulnerabilities and remediate and plan proactively instead of reactively.

Business Benefits

• Line-of-business managers can understand which areas need improvement and which can be deprioritized.
• Gain an in-depth understanding of the management aspects of security and threat vectors and techniques.
• Know which mitigative and detective measures should be implemented to best protect your environment without additional guesswork.

Use Info-Tech’s blueprint to improve enterprise security posture

Threat preparedness can be used to effectively evaluate:

Organizational preparedness
Expose operational weak points and transition teams from a reactive approach to a more proactive security program.

Enhanced threat detection, prevention, analysis, and response
Enhance the collaboration and use of your security investments through the simulated evaluation of your threat collaboration environment.

Improve return on security investment
Evaluate core staff on their use of process and technology to defend the organization.

Identify blind spots and opportunities for continuous improvement
Provide increased visibility into current performance levels, and accurately identify opportunities for continuous improvement with a holistic measurement program.

Iterative benefit

Over time, experience incremental value from knowing the attack vectors through which you can be attacked. Through continual updates your security protocols will evolve with less associated effort, time, and costs.

Short-term benefits

• Ensure organizational preparedness.
• Identify effectiveness of the overall security program.
• Streamline the security management program.
• Identify people, process, and technology gaps.

Long-term benefits

• Reduce incident costs and remediation time.
• Increase operational collaboration between prevention, detection, analysis, and response efforts.
• Enhance security pressure posture.
• Improve communication with executives about relevant security risks to the business.
• Preserve reputation and brand equity.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.

Guided Implementation

Our team knows that we need to fix a process, but we need assistance to determine where to focus. some check-ins along the way would help keep us on track

Workshop

We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place

Consulting

Our team does not have the time or the knowledge to take this project on. we need assistance through the entirety of this project.

Diagnostics and consistent frameworks are used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

Phase 1:
Establish Identity Governance

Call #1: Scope requirements, objectives, and your specific challenges.

Call #2: Build an identity security RACI chart.

Phase 2:
Assess and Mitigate Identity Threats

Call #3: Identify and record existing identity types.

Call #4: Assess identity-based threats and mitigations.

Call #5: Create the identity security architecture.

A Guided Implementation (GI) is series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 1 to 5 calls over the course of 1 to 5 months.

Workshop Overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

Executive Brief Case Study

Industry: Advisory Services

Source: Cloud Security Alliance

Deloitte

Deloitte experienced a major data breach on September 25, 2017, in part due to weak identity, credential, and access management. The breach was a direct result of a poorly secured administrative email account the attacker used to achieve privileged unrestricted access to all areas of the company.
The account only had a single password, with no multifactor or additional verification processes. Even more concerning was that the attacker had access to the account for over a year without being detected, allowing them to store and monitor all emails that moved in and out of the company. Sensitive information, personally identifying information (PII), usernames, passwords, IP addresses, and architectural diagrams were all accessed, including the personal data of blue-chip clients.

Key Takeaways

1. Secure accounts, including two-factor authentication and limiting the use of root accounts.
2. Practice the strictest identity and access controls for cloud users and identities.
3. Segregate and segment accounts, virtual private cloud (VPCs), and identity groups based on business needs and the principles of least privilege.
4. Rotate keys, remove unused credentials or access privileges, and employ central, programmatic key management.

Impact Statement for Deloitte

Security incidents and data breaches can occur due to the following:

• Inadequate protection of credentials
• Lack of regular, automated rotation of cryptographic keys, passwords, and certificates
• Lack of scalable identity, credentials, and access management systems
• Failure to use multifactor authentication
• Failure to use strong passwords

• Read, exfiltrate, modify, or delete data
• Issue control plan and management functions
• Snoop on data in transit
• Release malicious software that appears to originate from a legitimate source

Phase 1

Establish Identity Governance

This phase will walk you through the following activities:

• Adopting a standard taxonomy to understand and discuss identity-related security risks.
• Establishing roles and responsibilities for identity governance and security.

This phase involves the following participants:

• Security team
• IT leadership
• Business stakeholders
• Legal
• Human resources

Assess and Govern Identity Security

1.1 Adopt a standard identity taxonomy

Estimated Time: 30 minutes

1.1.1 Review Info-Tech identity taxonomy: Review the terms and definitions related to identity security on the following slide.
1.1.2 Customize as required: As a group, discuss each term and its related definition. Modify the definitions as required to fit within your organization. The goal should be to arrive at a common taxonomy for identity security.

Input

• Current taxonomies
• Identity architecture material

Output

• Common, shared understanding of identity security terms and definitions

Materials

• Taxonomy slide

Participants

• Security team
• IT leadership
• Business stakeholders
• Legal
• Human resources

1.1 Identity concepts and definitions

A common identity taxonomy can foster mutual understanding

1.2 Establish roles and responsibilities for identity security

Estimated Time: 1-2 hours

1.2.1 List the tasks for your project: Begin building the RACI chart by defining a list of project tasks. Organize tasks into the following four categories: plan, execute, monitor, and measure. List tasks along the side of your RACI chart as row headers.

1.2.2 Allocate responsibility and ownership for each task: For each task in your RACI chart, determine which stakeholder groups are accountable (A), responsible (R), consulted (C), and/or informed (I). Stakeholder groups should be listed along the top of your RACI chart as column headers.

1.2.3 Analyze your RACI chart: To ensure you have a strong allocation of roles, watch out for common errors and red flags when building the RACI chart. These can include having too many people responsible for a task or not having assigned an accountable person/group. These are defined in more detail in a later slide.

Download the Identity Security RACI Chart Tool

Input

• List of tasks that must be completed as part of the identity security project
• List of stakeholder groups that will be involved in some capacity with the identity security project

Output

• A RACI chart that defines roles for stakeholder groups executing tasks for the identity security project

Materials

• Laptop
• Identity Security RACI Chart Tool

Participants

• Security team
• IT leadership
• Business stakeholders
• Legal
• Human resources

1.2.1 List the tasks for your project

To begin building the RACI chart for your identity security project, list out the project’s required tasks. Organize these tasks into four categories: plan, execute, monitor, and measure. To assist with the development of this task list, consider the sample tasks listed below:

PLAN

• Adopt a common identity security taxonomy.
• Build an identity and access management policy.
• Establish identity governance objectives.
• Inventory identities and assign data owners.
• Model identity-based threats.
• Identify identity security control requirements.
• Develop the identity security architecture.
• Define separation-of-duties constraints.
• Define authorization requirements and ensure systems support those requirements.

EXECUTE

• Create accounts with access that follows the principle of least privilege.
• Deprovision accounts.
• Track policy exceptions when assigning access.

MONITOR

• Monitor access requests (cloud access security broker/security information and event management).
• Report violations of policy or process.
• Review/audit access privileges to prevent privilege creep.

MEASURE

• Build a business case for architecture technology components.
• Measure efficiency and effectiveness of identity security processes.

If you are using Info-Tech’s Identity Security RACI Chart tool, enter your list of tasks into Column B of tab 2, Smart RACI Chart.

1.2.2 Allocate responsibility and ownership for each task

For each task in your RACI chart, determine which stakeholder groups are accountable, responsible, consulted, and/or informed. Each task should have one and only one person/group held accountable and at least one person/group given responsibility. The number of consulted and informed people/groups will differ for each organization.

Responsible (R): The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.

Accountable (A): The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.

Consulted (C): The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).

Informed (I): The person(s) who is updated on progress. These are resources who are affected by the outcome of the activities and need to be kept up to date.

If you are using Info-Tech’s Identity Security RACI Chart tool, complete the table on tab 2, Smart RACI Chart.