Why Identity Management Doesn’t Need a 'Day'

Jackson Shaw, CSO, Clear Skye

Last month, we celebrated Identity Management Day — a time to reflect on the importance of managing and securing identities in our increasingly digital business environments. Identity Management Day joins the ranks of several other cybersecurity holidays—Data Privacy Day, World Password Day, International Fraud Awareness Week, Cybersecurity Awareness Month, to name a few—that highlight the importance of strong security practices. And while it’s good to bring attention to these areas, taking a day, week, or even a month to talk about them and share best practices is simply not enough.

Identity management (IM), in particular, should extend far beyond one day, or even one singular component of the cybersecurity equation. Instead, it should be viewed as an important ingredient in a company’s overall security strategy that every organization should be factoring into their data governance plans. Identity management empowers businesses to better secure their information, breed a culture of compliance, and improve employee workflow in the process. Yet, many still let it fall by the wayside.

While IM is a crucial part of securing your network, it’s not the star of the show, which makes it easier to understand why we have so much catching up to do as an industry. When you look at recent cyber attacks, you can see why. Take the recent Colonial Pipeline hack. The ransomware attack shut down operations of the largest pipeline from the Gulf Coast to the Northeast, driving up gas prices and raising bigger questions about the safety of our country’s physical infrastructure and looming threats.

Events like this force our approach to be a reactionary one, dealing with the problem at hand for a quick resolution, and then looking ahead to future attacks. Rather, we need to take an introspective look into the preventative measures that can be taken to avoid attacks in the first place. Good security starts from the inside out, and that includes monitoring access and privileges from within with smart IM practices.

This, of course, has been a bigger challenge as cloud proliferation and the pandemic-driven hybrid and work-from-home mandates have changed IT environments, probably for the long haul. Employees are using software and hardware not sanctioned by IT, logging into their work systems on unsecured coffee shop WiFi, sharing and storing company data on various apps and devices, and the list goes on. Essentially, it’s open season for bad actors, and they’re ready to attack whenever the opportunity presents itself.

One of the reasons IM is so challenging to address is that many organizations fail to strike the balance between implementing important tools and technologies and ensuring day-to-day workflow and productivity aren’t disrupted. Take multifactor authentication, for example. It’s a great practice in theory, but if the second form of identification or token is hard to remember, people will get frustrated, IT teams will be inundated with service requests, and people will eventually find a way to bypass the system. On the other hand, if proper tools and protocols aren’t put into place and teams rely on manual processes, such as monitoring access privileges through a spreadsheet that needs to be constantly updated, IM becomes burdensome and prone to human error. Even with the best intentions, in both scenarios, the safety and efficiency of your business are no better off.

Despite the complexities, over time most UX issues can be worked out. Employees get used to new processes and protocols and leaders learn what works and what doesn’t. But the implementation hurdles that exist with integrating new IT systems and replacing legacy solutions are enough to send tech leaders running. When considering the cost—and not just financial, but human capital, time, internal and external resources, etc.—associated with adopting new technology, IM moves even further down the priority list. Think of business silos, onboarding headaches, the potential for service interruption and outages, and it’s clear why so many businesses are dragging their feet.

But, if we’re to overcome these barriers and others around making good IM hygiene a regular business practice, organizations need to start treating it as a non-negotiable. After all, security touches every aspect of a business, and it should be ingrained in every company, product, or service, no matter how challenging it is to get there. And fortunately, there are steps every organization can take to do that, and it all starts with ease of use.

It’s a common misconception that if you don’t have a solid IM strategy in place, you have to start from scratch, which simply isn’t the case. It’s also not an all-or-nothing undertaking, and organizations shouldn’t be afraid to start small. They can do this by considering IM solutions that work with their existing systems. Whether it’s an app, add-on, or service available within your cloud provider, choose the path of least resistance over the best-of-breed option—or one that requires you to rethink your legacy systems.

Working with third parties and partners is another great way to get your IM strategy off the ground effectively, but be sure to choose your partners wisely. Even if your organization has the best security measures in place, it’s all for naught if you’re sharing data and other sensitive business information with third parties who aren’t doing the same. Always research and properly vet any business or person you’re doing business with, and make sure that conversation is ongoing. Are they sharing information with other parties? Do they adhere to proper regulations and guidelines in your industry? Are they certified, or do they have a successful track record of keeping information safe? These are all smart questions to ask to protect your data.

IM has the power to keep your company safe from attack while streamlining data compliance and governance initiatives. Artificial intelligence (AI) and other automation tools have made IM even easier to use and more effective for businesses, but we still have a lot of work to do. Rome wasn’t built in a day, and neither is a good IM strategy. It’s a work in progress, and rather than dedicate 24 hours to reflect on its importance, we should find ways to make it part of our daily cybersecurity practices.