Updated best practices for 2022
Identity Management Day is an opportunity to bring identity management awareness and information to organizations of all types, especially as the digital landscape expands.
Presented by the Identity Defined Security Alliance and the National Cybersecurity Alliance (NCSA), it is a much-needed opportunity to educate businesses and IT leaders on the importance of cybersecurity awareness and best practices.
What is identity management?
Identity Management (IdM) ensures that only authorized users have access to the technology resources they need to do their jobs.
It covers hardware, software, applications and permissions, in short everything involved in controlling who can access what in a given context.
Why is it important now?
In cybersecurity conversations about IdM, there is a particular focus on the dangers of insufficiently securing identities and credentials. Weak or stolen credentials are a common entry point for account takeover, ransomware deployment and other attacks.
IDSA research shows that 79% of organizations have experienced an identity breach in the past two years and 99% believe their identity breaches were preventable. According to Verizon’s 2020 DBIR report, up to 81% of hacking-related breaches use weak, stolen, or otherwise compromised credentials.
What’s the problem with passwords?
From one-time passwords to fingerprint scans, there are many authentication methods out there, but the reality is that passwords are still the backbone of almost every authentication system. They are by far the most widely used method and the most familiar to the average user.
Passwords work across devices, operating systems and applications without compatibility issues, which makes them incredibly convenient. They have inevitably become a layer of security that most organizations rely on but have little control over, because users choose their own passwords.
While other authentication methods can be layered to strengthen IdM systems, we need to come full circle: secure the password with current best practices before investing in other areas.
What are the best practices for strengthening IT security?
1. Understand password vulnerabilities
Given the sheer prevalence of credential-related data breaches, it would be easy to assume that passwords themselves are somehow to blame for most security problems. The nuance is that individuals create weak passwords and then reuse those passwords constantly.
Once a user’s credentials are stolen from an account, they often leak onto the dark web and are sold to other cybercriminals. Login credentials are a useful and tempting target, as cybercriminals know that many people reuse passwords across personal and professional boundaries, making it easy for attackers to gain access to additional accounts.
While we cannot control user behavior, companies can understand the reality of what is happening, train their teams, and implement solutions.
2. Audit Passwords
An easy way to assess the severity of the problem is to examine the passwords actually in use in your environment. Several auditing tools give organizations a snapshot of their domain's password security by comparing the stored hashes against the latest breach corpora and dictionary-based cracking.
3. Follow NIST guidelines
NIST's guidance on password policies (NIST SP 800-63B) is a great resource for organizations to refer to. The most important points include:
- Drop password composition (complexity) requirements
Arbitrary requirements to mix capital letters, symbols and digits have been shown to produce weaker, more predictable passwords, more password reuse, and more IT helpdesk calls.
- Drop short maximum password lengths
Like complexity requirements, low maximum-length limits stop users from choosing longer passphrases that are both more memorable and stronger. NIST says verifiers should accept at least 64 characters.
- Drop scheduled password resets
Several studies have shown that forced periodic password changes are counterproductive: users respond with predictable, incremental variations of the old password. Change a password when there is evidence it has been compromised, and otherwise let users keep unique, memorable passwords.
4. Screen for leaked credentials
This recommendation is also part of the NIST password guidelines, but deserves its own emphatic bullet point. One of the best ways to protect your organization and your users is to continually check all passwords (both when they are newly created and while they are in active use) against dynamic lists of dictionary words and known compromised passwords. Alerting users and IT teams when a full set of credentials (username plus password) has been exposed is extremely useful in protecting the organization from an attack, and it keeps friction low, because only the affected users are asked to act rather than everyone on a fixed schedule.
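To make steps 2 through 4 concrete (auditing existing passwords, the NIST SP 800-63B rules listed above, and screening new passwords against compromised lists), here is an added Python example. It is not code from the original post or from any Enzoic product. The breach corpus, the dictionary, the leetspeak map, the organization words and the account hashes are all constructed for the example, and range_lookup is a stand-in for a k-anonymity range query in the style of the Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the client.

```python
# Added example, not code from the original post or from Enzoic: a NIST SP 800-63B
# style screen for new passwords plus an offline audit of existing password hashes.
# The breach corpus, dictionary and account hashes are constructed for this example;
# range_lookup() stands in for a k-anonymity range query (Pwned Passwords style:
# SHA-1 the password, look up by the first 5 hex characters, match the suffix locally).
import hashlib
import re

MIN_LENGTH = 8     # 800-63B: user-chosen secrets must be at least 8 characters
MAX_LENGTH = 128   # 800-63B: verifiers should permit at least 64; a generous cap only
                   # bounds hashing cost, it is not a usability limit

# Constructed stand-in for a breach corpus. "Password1" and "Summer2022!" would pass a
# classic upper/lower/digit/symbol complexity rule yet are compromised.
COMPROMISED_PLAINTEXT = ["password", "Password1", "qwerty123", "Summer2022!", "letmein"]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index the corpus the way a range endpoint does: 5-char prefix -> set of 35-char suffixes
RANGE_TABLE: dict[str, set[str]] = {}
for _pw in COMPROMISED_PLAINTEXT:
    _h = sha1_hex(_pw)
    RANGE_TABLE.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix: str) -> set[str]:
    """Stand-in for GET /range/{prefix}; only the 5-char prefix is ever sent."""
    return RANGE_TABLE.get(prefix, set())

def is_compromised_hash(sha1: str) -> bool:
    sha1 = sha1.upper()
    return sha1[5:] in range_lookup(sha1[:5])

# Illustrative dictionary and leetspeak normalization so "P@ssw0rd" still hits "password"
DICTIONARY = {"password", "welcome", "admin", "dragon", "monkey"}
LEET = str.maketrans("@$10!3", "asloie")

def normalize(password: str) -> str:
    return password.lower().translate(LEET)

def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (e.g. 'abcd', '4321')."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def screen_password(password: str, username: str = "", org_words=()) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.
    Deliberately no composition rule and no expiry: only the 800-63B blocklist checks."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        reasons.append("longer than the verifier cap")
    norm = normalize(password)
    if norm in DICTIONARY:
        reasons.append("dictionary word")
    context = [w.lower() for w in (username, *org_words) if w]
    if any(w in norm for w in context):
        reasons.append("contains username or organization name")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("repetitive characters")
    if has_sequence(password):
        reasons.append("sequential characters")
    if is_compromised_hash(sha1_hex(password)):
        reasons.append("found in compromised-password corpus")
    return reasons

def audit_hashes(user_hashes: dict[str, str]) -> dict[str, list]:
    """Offline audit of existing credential hashes: accounts using a breached password,
    and accounts that share a password with each other (reuse inside the domain).
    SHA-1 is used here to match the range format; a real AD audit works from NTLM hashes."""
    breached = sorted(u for u, h in user_hashes.items() if is_compromised_hash(h))
    by_hash: dict[str, list[str]] = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h.upper(), []).append(user)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"breached": breached, "shared": shared}

# Constructed account hashes standing in for a domain password dump
USER_HASHES = {
    "alice": sha1_hex("Summer2022!"),                    # complex-looking, but breached
    "bob": sha1_hex("correct horse battery staple"),
    "carol": sha1_hex("correct horse battery staple"),   # same password as bob
    "dave": sha1_hex("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd", "aaaa1234", "jsmith-acme-2022", "Tr0ub4dor&3"]:
        verdict = screen_password(pw, username="jsmith", org_words=["Acme"]) or "accepted"
        print(f"{pw!r}: {verdict}")
    print(audit_hashes(USER_HASHES))
```

Two things worth noting in the output: "Password1" satisfies a classic three-of-four complexity rule and is still rejected because it is in the breach corpus, while "P@ssw0rd" is caught by dictionary normalization even though that exact string is not in the corpus. The audit side flags both the account whose password appears in the corpus and the pair of accounts sharing one password, which is the internal reuse that a breach of either account would expose.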
While cybersecurity issues and solutions should be discussed in all areas and at all levels of an organization, experts are still working to spread this information and these recommendations. The benefits of a strong defensive stance are many: following the NIST guidelines helps organizations maintain regulatory compliance and reduce overall IT costs. Identity Management Day is a perfect opportunity to bring these common security issues and their solutions to the front page.
The post Time to Lock Down Identity Management Strategies appeared first on Enzoic.
*** This is a syndicated blog from Enzoic’s Security Bloggers Network, written by Enzoic. Read the original post at: https://www.enzoic.com/identity-management-strategies/