On the heels of Thoma Bravo’s news that it is acquiring its third identity company this year – ForgeRock – security experts have said that identity management should be a key area of focus for organizations – especially those with customer-facing or external-facing apps and websites.
Identities and user accounts are one of the main vectors for cyberattacks — especially for ransomware — in the workplace, according to Jack Poller, senior analyst at ESG Global, an IT analyst, research, validation and strategy firm.
“Securing an organization’s identity with strong, phishing-resistant authentication such as multifactor authentication (MFA) or passwordless authentication methods can prevent account takeover and other identity-related attacks and reduce the attack surface,” Poller told VentureBeat.
Yet only 17% of CISOs optimize identity, even though they believe it’s a cyber capability they need to move forward, according to one PwC report. Data breaches hit a record high of 1,862 in 2021, according to the Identity Theft Information Center (ITRC), up 68% from 2020, with no signs of slowing down.
Reduce the attack surface
Identity management of users and devices is essential for CISOs to manage the risks associated with unauthorized access to sensitive data and systems, said Kayne McGladrey, senior member of IEEE.
“From a control operations standpoint, the two most important capabilities are the ability to validate a user’s behavior when it deviates from the norm, and the ability to quickly de-provision access when it’s no longer needed,” McGladrey told VentureBeat.
For example, if a user regularly logs in from Washington state using their Windows computer to access a single program, there’s little reason to ask them for a second factor of authentication, he said.
“But when the device changes, maybe a new Mac computer that’s not configured correctly, or their location suddenly changes to Australia, they have to be asked for multi-factor authentication as part of identity validation before they can access that data,” McGladrey said.
When a user leaves an organization, their identity access must be quickly revoked across all platforms and devices. Otherwise, organizations run the risk of a threat actor using the older access and credentials, McGladrey added.
CISOs can further secure identities by applying the principle of least privilege access, which ensures that an employee has access only to the information they need to complete their job, and no access to other information, Poller said.
“This reduces the attack surface and blast radius in the event that an attacker compromises an identity,” he added.
In industries such as retail, account takeovers can lead to fraud and theft and be incredibly damaging to financial institutions, Poller noted. In heavily regulated industries, especially those related to healthcare, “handling private data comes with an added risk of exposure when identities are compromised,” he advised. “As with employee identities, it is paramount to use strong authentication and closely manage and control access to customer identities and customer data.”
These systems help organizations manage all of their staff and customer identities and provide strong authentication techniques and the ability to control authorization and access, he said.
The Converging IAM and CIAM Market
Identity and access management (IAM) and customer identity and access management (CIAM) are now beginning to overlap and integrate with related identity security tools such as single sign-on (SSO), identity governance and administration (IGA), privileged access management (PAM), machine and workload identity management, and more.
Referring to the Thoma Bravo news, Poller called ForgeRock “one of the main suppliers” of IAM and CIAM systems.
“What’s interesting about Thoma Bravo’s acquisition of ForgeRock is both the overlap and proximity to Thoma Bravo’s other recent identity security investments: SailPoint and Ping Identity, both of which are effectively competitors to ForgeRock, and Venafi (machine identities).”
Thoma Bravo also holds a minority stake in Delinea, he noted.
While it is not yet clear what Thoma Bravo’s long-term plans are for their identity security investments, “the integration of the four solutions could result in a comprehensive identity security platform and a formidable competitor to other identity security platforms such as CyberArk or JumpCloud,” Poller said.