Did you miss a session from MetaBeat 2022? Head over to the on-demand library for all of our featured sessions here.
On the heels of Thoma Bravo’s news that it has acquired its third identity company this year — ForgeRock — security experts have said identity management should be a key area of focus for organizations — especially those with customer-facing or externally facing — apps and websites.
Identities and user accounts are one of the prime vectors for cyberattacks —especially for ransomware —in the workplace, according to Jack Poller, a senior analyst at ESG Global, an IT analyst, research, validation, and strategy firm
“Securing an organization’s identities with strong, phishing-resistant authentication such as multifactor authentication (MFA) or password-less authentication methods can prevent account takeover and other identity-related attacks and reduce the attack surface,” Poller told VentureBeat.
Yet, only 17% of CISOs are optimizing identity — even though they believe it is a cyber capability they need to advance, according toa PwCreport. Data breaches reached an all-time high of 1,862 in 2021, according to the Identity Theft Resource Center (ITRC), a 68% increase over 2020, with no signs of slowing
Join today’s leading executives at the Low-Code/No-Code Summit virtually on November 9. Register for your free pass today.
Shrinking the attack surface
Identity management of users and devices is key for CISOs to manage the risks associated with unauthorized access to sensitive data and systems, according to Kayne McGladrey, IEEE senior member.
“From a control operations standpoint, the two most important capabilities are the ability to validate a user’s behavior when it deviates from the norm, and the ability to quickly de-provision access when it is no longer needed,’’ McGladrey told VentureBeat.
For example, if a user regularly logs in from Washington State using their Windows-powered computer to access a single program, there’s little reason to prompt them for a second authentication factor, he said.
“But when the device changes, perhaps a new Mac computer that’s not configured correctly, or their location suddenly changes to Australia, they should be prompted for multifactor authentication as part of identity validation before being allowed to access those data,” McGladrey said.
When a user leaves an organization, their identity access should be rapidly revoked across all platforms and devices. Otherwise, organizations run the risk of a threat actor using the older access and credentials, McGladrey added.
CISOs can further secure identities by applying the principle of least privilege access, which ensures that a worker has access only to the information they need to complete their job, and no access to other information, Poller said.
“This shrinks the attack surface and the blast radius in the event an attacker compromises an identity,” he added.
In industries like retail, account takeovers can result in fraud and theft, and can be incredibly damaging to financial institutions, Poller noted. In heavily regulated industries, especially those that are healthcare-related, “handle private data with a concomitant risk of exposure when identities are compromised,’’ he advised. “Like workforce identities, it is paramount to use strong authentication and closely manage and control access to customer identities and customer data.”
These systems help organizations manage all their workforce and customer identities and provide strong authentication techniques and the ability to control authorization and access, he said.
The converging IAM and CIAM market
Identity and access management (IAM) and customer identity and access management (CIAM) are now starting to overlap and integrate with related identity security tools such as single sign-on (SSO), identity governance (IGA), privileged access management (PAM), machine and workload identity management and more.
Referring to the Thoma Bravo news, Poller called ForgeRock “one of the major vendors” of IAM and CIAM systems.
“What’s interesting about Thoma Bravo’s acquisition of ForgeRock is both the overlap and adjacency of Thoma Bravo’s other recent identity security-related investments: SailPoint and Ping Identity, both of which are effectively competitors to ForgeRock, and Venafi (machine identities).”
Thoma Bravo also owns a minority stake in Delinea, he noted.
Although it’s not clear yet what Thoma Bravo’s long-term plans are for their identity security investments, “the integration of the four solutions could result in a comprehensive identity security platform and a formidable competitor to other identity security platforms such as CyberArk or JumpCloud,’’ Poller said.