Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members
Welcome to Identity Management Day 2022!
Identity management describes how organizations establish who their users are and control what those users may access, so that unauthorized users cannot reach protected systems. Good identity management keeps systems and people secure, enhances privacy, and enables efficient digital experiences for both businesses and individuals.
Identity Management Day was first hosted on April 12, 2021 by the Identity Defined Security Alliance and the National Cybersecurity Alliance to spread awareness about the importance of proper identity management and the dangers of improperly managing digital identities.
We asked our members to share their best IAM practices for protecting digital identity. Learn from the best by following these 9 tips:
1. Only collect the data you absolutely need to provide your product or service. Every attribute you store is one more thing you must protect and one more thing an attacker can take: the more data you hold, the more attractive a target you become and the more risk you carry.
2. Bad data quality will kill any IAM approach. Typical failures: people who suddenly have no manager, required attributes that are missing, or data that disappears from a source overnight. Plan to keep bad data out, and because it will creep in anyway, test the unhappy path (what your provisioning logic does with an incomplete or shrunken feed) before you accidentally fire the CEO.
3. Follow the principle of least privilege: assign each identity only the access it needs to do its job, and nothing more.
4. Prune and clean your account list and remove your "leavers". This should be a no-brainer, but it is one of the most often-neglected controls; every orphaned account is a credential nobody is watching.
5. Any MFA (multi-factor authentication) is better than no MFA (see #6).
6. If you use MFA, use adaptive MFA. Don't carpet-bomb every transaction with laborious authentication requirements, because other parts of your business will suffer (signup funnels, for example). Write clear policies for when stronger authentication is required (e.g., a new device or a sensitive transaction) and present those prompts only then.
7. Encrypt personally identifiable information (PII) and personal data (PD) at rest and in transit. Attributes such as email addresses and phone numbers should never be stored or sent in cleartext.
8. Block the use of known breached passwords and credentials. Check new and changed passwords against a breached-password corpus and reject matches; doing this when the password is set makes credential-stuffing lists far less effective against you.
9. Adopt single sign-on (SSO) as the default. Friends don't let friends connect applications directly to LDAP or maintain local user ID/password pairs; they adopt SSO. You rarely know who wrote and tested a given application, what its code actually does, or how it is patched, and it does not need to handle cleartext user IDs and passwords at all. Local accounts leave orphaned credentials behind, expose them, and get handled without the duty of care good security hygiene requires. SSO also makes revocation tractable: disable one identity at the provider instead of trying to remember every place a local credential was issued.
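Tips 2 and 4 are two sides of one job: a leaver process that trusts the HR feed blindly will deprovision real people the morning the feed breaks. The following is an added example (not IDPro's code, and not from any member's system) of a joiner/mover/leaver reconciliation with the unhappy path built in. The HR rows, the directory accounts, the field names (employee_id, status, manager_id) and the two thresholds are all constructed assumptions; the point is the shape of the guards, not the numbers.

```python
"""Reconcile directory accounts against the HR system of record to find
leavers, with data-quality guards so a broken HR extract can never turn into
mass deprovisioning. Added example; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

REQUIRED_HR_FIELDS = ("employee_id", "status", "manager_id")  # assumed schema
MAX_LEAVER_FRACTION = 0.10   # abort if >10% of accounts would be disabled in one run
MAX_SHRINK_FRACTION = 0.20   # abort if the HR feed lost >20% of its rows since last run


@dataclass
class Decision:
    disable: List[str] = field(default_factory=list)      # confirmed leavers
    quarantine: List[str] = field(default_factory=list)   # bad data: needs a human
    aborted: str = ""                                     # non-empty => apply nothing


def validate_hr_rows(rows: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Split rows into (complete, incomplete) by presence of required fields."""
    good, bad = [], []
    for r in rows:
        missing = [f for f in REQUIRED_HR_FIELDS if not r.get(f)]
        (bad if missing else good).append(r)
    return good, bad


def reconcile(hr_rows: List[dict], directory_accounts: Dict[str, str],
              previous_hr_count: int) -> Decision:
    """directory_accounts maps account name -> employee_id it was provisioned for."""
    d = Decision()
    # Guard 1: the source itself looks broken (rows vanished overnight).
    if previous_hr_count and len(hr_rows) < previous_hr_count * (1 - MAX_SHRINK_FRACTION):
        d.aborted = f"HR feed shrank from {previous_hr_count} to {len(hr_rows)} rows"
        return d
    good, bad = validate_hr_rows(hr_rows)
    bad_ids = {r.get("employee_id") for r in bad if r.get("employee_id")}
    active: Set[str] = {r["employee_id"] for r in good if r["status"].lower() == "active"}
    for account, emp in directory_accounts.items():
        if emp in bad_ids:
            d.quarantine.append(account)   # incomplete record: flag it, don't act on it
        elif emp not in active:
            d.disable.append(account)      # terminated, or no longer in HR at all
    # Guard 2: an unexpectedly large leaver batch is almost always bad data, not a layoff.
    if directory_accounts and len(d.disable) > MAX_LEAVER_FRACTION * len(directory_accounts):
        d.aborted = f"{len(d.disable)} of {len(directory_accounts)} accounts would be disabled"
        d.disable = []
    return d


def build_sample() -> Tuple[List[dict], Dict[str, str]]:
    """Constructed HR feed and directory: 20 staff, one terminated, the CEO's
    manager attribute missing (it 'disappeared overnight'), one orphan account."""
    hr = [{"employee_id": f"E{i}", "status": "active", "manager_id": "E100"}
          for i in range(1, 21)]
    hr[1]["status"] = "terminated"                                  # E2 left
    hr.append({"employee_id": "E100", "status": "active", "manager_id": ""})  # CEO
    directory = {f"user{i}": f"E{i}" for i in range(1, 21)}
    directory["ceo"] = "E100"
    directory["contractor-x"] = "E999"   # never existed in HR: orphan
    return hr, directory


if __name__ == "__main__":
    hr, directory = build_sample()
    print("normal run:", reconcile(hr, directory, previous_hr_count=len(hr)))
    print("truncated feed:", reconcile(hr[:10], directory, previous_hr_count=len(hr)))
    everyone_terminated = [dict(r, status="terminated") for r in hr]
    print("status mapping bug:", reconcile(everyone_terminated, directory, previous_hr_count=len(hr)))
```

In the normal run the terminated employee and the orphan account are disabled and the CEO's incomplete record is quarantined rather than acted on. A truncated feed trips the shrink guard before any decision is made, and a feed where a status-mapping bug marks everyone terminated trips the batch-size guard, so the run reports instead of deprovisioning. Both guards turn the "accidentally fire the CEO" outcome into a paged human.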
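Tip 8 is usually implemented with a breached-password corpus queried by hash prefix, so neither the password nor its full hash leaves your system. The following is an added example, not IDPro's code, of that k-anonymity range check as used by the Have I Been Pwned "Pwned Passwords" API: hash with SHA-1, send only the first five hex characters, receive every suffix sharing that prefix, and compare locally. The sample range response is constructed so the block runs offline; the live lookup at the end is optional and assumes the public endpoint and its Add-Padding header.

```python
"""Breached-password check by k-anonymity range lookup. Added example; the
sample response below is constructed and the live endpoint is an assumption."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of what a range lookup for prefix "5BAA6" might return.
# Same line format as the live API: "<35-hex-char suffix>:<count>".
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "0000000000000000000000000000000000A:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # suffix of SHA-1("password")
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
        "0000000000000000000000000000000000B:0",         # padding entry, count 0
    ]),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            table[suffix.upper()] = int(count)
        except ValueError:
            continue   # malformed count: ignore rather than fail open or closed loudly
    return table


def offline_lookup(prefix: str) -> str:
    """Range lookup against the constructed sample (unknown prefix -> empty body)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = offline_lookup) -> int:
    """Number of times the password appears in the corpus; 0 if unseen.
    Only the 5-character prefix is ever passed to the lookup."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def is_breached(password: str, lookup: Callable[[str], str] = offline_lookup) -> bool:
    """Padding entries carry count 0, so only a positive count means 'breached'."""
    return breach_count(password, lookup) > 0


def live_lookup(prefix: str) -> str:
    """Optional network lookup (assumed endpoint; requires connectivity).
    Add-Padding asks the service to include dummy zero-count rows so response
    size does not reveal how many real suffixes matched."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "iam-breached-password-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", "breached" if is_breached(pw) else "not in sample corpus")
```

Wire `is_breached` into password set and change flows (and into login, to force a rotation when a previously clean password later shows up in a breach). Never log the candidate password or its full hash while doing so; the prefix is the only value that should ever leave the process.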
Now it’s YOUR turn to participate!
Identity practitioners are encouraged to share their best security practices during the 2022 Identity Management Day Virtual Conference, inspiring others to employ effective strategies for securing their digital identities and helping leadership understand the importance of a strong identity management team.
Want to learn more? Check out this 2022 RSAConference presentation by IDPro members – Vittorio Bertocci and Sarah Cecchetti – Securing Your Direct to Consumer Identity Strategy.