The Chaos of Identity: Beyond IAM for Ransomware and Security Challenges

Bart Allan

January 4, 2022

Ransomware attacks are increasingly disruptive and sophisticated, and they continue to plague organizations across all industries, from gasoline suppliers to higher education institutions to state and local governments. The situation has left many CISOs considering an identity-based security strategy for the first time.

The reason? C-suite, IT security and technology leaders don't know who has access to what as identities multiply. New hybrid environments create even more chaos and have these same decision-makers questioning the strength of their organizations' privileged access management.

Identity and access management (IAM) is the first step toward gaining control of the contemporary chaos of identity and the privilege challenges that follow from it. Implementing it can go a long way toward reducing ransomware risk, but an IAM system is only the beginning. What other actions should IAM practitioners and CISOs be taking now, within the identity and access management domain, to reduce their ransomware exposure?


Teach Cybersecurity 101

Your organization needs to remember that users are at the center of your identities, and the specific security measures and education you implement need to meet them halfway.

Hackers have approached employees from nearly half (48%) of businesses to assist in ransomware attacks, according to our new survey with Pulse. 

Looking to gain more insight? Get actionable data on vulnerabilities, cyber education, and Zero Trust with our one-minute white paper: Employees from Nearly 50% of Businesses Have Been Approached to Assist in Ransomware Attacks, Hitachi ID Survey Reveals.


Stats like this emphasize the need for your business to take a proactive stance on cybersecurity regardless of industry. Most leaders are increasing cybersecurity education to handle these heightened risks, teaching their employees about the actions they should take to:

  • Prevent phishing attacks
  • Create secure passwords
  • Keep passwords safe

Teaching your employees what to look out for, including how to report an outsider who offers them money for access, helps mitigate the risk of an insider breach by making them less likely to become an (unknowing) accomplice in a data incident.


Tailor User Experience

Finding the right balance between user experience (UX) and security is often challenging. How does your organization provide the best UX without sacrificing protection? Many IT leaders are moving towards Zero Trust and considering passwordless authentication, often paired with adaptive (risk-based) authentication, because it removes the reliance on passwords and delivers better UX, lower IT overhead (fewer password resets and lockouts) and a more robust security stance.

The market, however, isn't quite ready for passwordless authentication, because the overwhelming majority of applications, software, devices and resources still use passwords. This makes federation, where one commonly accepted system (the Identity Provider, or IdP) is responsible for authentication and every other system accepts its assertions, the best option when possible. Users already have an identity with the IdP, which reduces onboarding friction; sign-on is consistent across applications and follows the IdP's established security controls; and the number of identity stores in your environment shrinks. The caveat is that each relying application must validate what the IdP asserts (signature, issuer, audience, expiry, nonce), because a federated token that is accepted without those checks is as good as a stolen password.
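To make that caveat concrete, here is an added example (not code from the original post or from Hitachi ID) of what a relying application should check before it trusts an OIDC ID token from an IdP. It uses a symmetric HS256 signature so that it runs offline with only the standard library; real IdPs sign with asymmetric keys published at a JWKS endpoint, but the claim checks are the same. The issuer URL, client ID, shared secret and token claims are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# All three values are assumptions for this example; a real relying party
# gets the issuer and client id from its OIDC registration and fetches the
# IdP's public signing keys from the JWKS endpoint instead of a shared secret.
ISSUER = "https://idp.example.com"
CLIENT_ID = "payroll-app"
SECRET = b"example-shared-secret"
CLOCK_SKEW = 60  # seconds of tolerance for clock drift between IdP and app


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, secret=SECRET, alg="HS256"):
    """Build a compact JWT. Only used to construct sample tokens (the IdP's job)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":  # an unsigned token, as an attacker would craft it
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, expected_nonce, now=None, secret=SECRET):
    """Return the claims of a token this relying party may trust, else raise ValueError.

    Order matters: nothing inside the token is believed until the signature
    has been checked under an algorithm the application itself pinned.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm. Honouring whatever the header says lets an attacker
    # send alg=none (or swap algorithms) and skip the signature entirely.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # a string or a list of client ids
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("token expired")
    if claims.get("iat", now) - CLOCK_SKEW > now:
        raise ValueError("token issued in the future")
    # The nonce ties the token to the login request that asked for it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def rejection_reason(token, expected_nonce, now=None, secret=SECRET):
    """Empty string if the token verifies, otherwise why it was rejected."""
    try:
        verify_id_token(token, expected_nonce, now, secret)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the sample run is reproducible
    good = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "n-42"}
    print("valid:    ", rejection_reason(mint_id_token(good), "n-42", now) or "accepted")
    print("alg=none: ", rejection_reason(mint_id_token(good, alg="none"), "n-42", now))
    print("wrong aud:", rejection_reason(mint_id_token({**good, "aud": "other-app"}), "n-42", now))
    print("expired:  ", rejection_reason(mint_id_token({**good, "exp": now - 600}), "n-42", now))
    print("replayed: ", rejection_reason(mint_id_token(good), "n-43", now))
```

The checks that most often get skipped in practice are the audience (a token minted for one application must not be accepted by another that trusts the same IdP) and the pinned algorithm; the sample run shows both rejections alongside the expiry and nonce cases.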

As you tailor your user experience to conquer the chaos of identity, keep passwordless authentication on your radar; it fits naturally with Zero Trust. Because Zero Trust grants no implicit trust to anyone in the directory, every user is authenticated and authorized the same way regardless of location or device, which gives all users across your ecosystem a consistent experience and greatly improves UX. The fewer passwords users have to create and remember, the closer your organization gets to the strong authentication on which Zero Trust depends.


Address the Cloud(s)

Many organizations are taking a multi-cloud approach to infrastructure and services, which contributes to this chaos of identity and leaves identity and access management and information security teams scrambling to secure all the clouds at once. Even where the security controls are similar on each platform, the deployment approach, architecture, tools and processes differ. A single enterprise may have accounts with Amazon Web Services (AWS), Microsoft Azure and Google Cloud, plus boutique clouds and on-premises or data center infrastructure, each with its own identity store and privilege model.

With the popularity and growth of these cloud platforms, a software-as-a-service (SaaS) architecture is often not a choice but a requirement for CISOs and IT leaders who want to remain competitive. SaaS isn't always simple. The dynamic nature of disparate clouds makes it difficult to gain visibility into the state of your security, and while the provider manages platform-layer security, it is up to you to implement the additional controls that secure the application, its identities and its data (the shared responsibility model).

Leveraging the security features built into the cloud platforms of Amazon, Microsoft and Google is a great start. However, additional measures are often necessary, because the defaults can leave much to be desired, particularly when DevOps teams are rapidly building products in the cloud and granting broad permissions to keep moving. Reviewing which principals can do what in each cloud, and tightening over-broad roles and policies, belongs in the same identity program as your on-premises access reviews.
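As an added example (not code from the original post or from Hitachi ID) of the kind of additional control the paragraph above calls for, the script below lints AWS IAM policy documents for grants that the platform defaults accept without complaint: wildcard actions or resources, NotAction, and privilege-escalation actions that are not gated on MFA. The policy documents, account ID, role names and the shortlist of escalation actions are all constructed for the example; the same review applies to Azure role definitions or Google Cloud IAM bindings with different field names.

```python
# Actions that let a principal widen its own access; an assumed shortlist
# for this example, not an exhaustive catalogue.
ESCALATION_ACTIONS = {"iam:*", "iam:passrole", "iam:createaccesskey",
                      "iam:attachuserpolicy", "iam:putuserpolicy", "sts:assumerole"}

# Constructed sample policies: the kind of "just make the pipeline work"
# grants that accumulate when teams build quickly in the cloud.
SAMPLE_POLICIES = {
    "devops-deploy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ci-runner": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*"],
             "Resource": "arn:aws:s3:::build-artifacts/*"},
            {"Effect": "Allow", "Action": "iam:PassRole",
             "Resource": "arn:aws:iam::123456789012:role/deploy"},
        ],
    },
    "break-glass-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*",
                       "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
    },
    "report-reader": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::reports/*"}],
    },
}


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def requires_mfa(condition):
    """True if the statement only applies when aws:MultiFactorAuthPresent is true."""
    for operator_values in (condition or {}).values():
        for key, value in operator_values.items():
            if key.lower() == "aws:multifactorauthpresent" and str(value).lower() == "true":
                return True
    return False


def lint_policy(name, document):
    """Return (location, severity, message) tuples for risky Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        loc = "%s#%d" % (name, idx)
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((loc, "HIGH", "NotAction allows everything not listed, including future APIs"))
        if "*" in actions:
            findings.append((loc, "HIGH", "Action '*' grants every API call"))
        else:
            wildcards = [a for a in actions if a.endswith(":*")]
            if wildcards:
                findings.append((loc, "MEDIUM", "service-wide wildcard action(s): " + ", ".join(wildcards)))
        if "*" in resources and "*" not in actions:
            findings.append((loc, "MEDIUM", "Resource '*' applies to every resource the actions can touch"))
        escalation = [a for a in actions if a in ESCALATION_ACTIONS]
        if escalation and not requires_mfa(stmt.get("Condition")):
            findings.append((loc, "HIGH", "privilege-escalation action(s) without an MFA condition: "
                             + ", ".join(escalation)))
    return findings


def lint_all(policies=SAMPLE_POLICIES):
    """Lint every policy document in a {name: document} mapping."""
    findings = []
    for name, document in policies.items():
        findings.extend(lint_policy(name, document))
    return findings


if __name__ == "__main__":
    # Real input would be the JSON from `aws iam get-policy-version` or a
    # Terraform plan; here the constructed samples above are linted instead.
    for loc, severity, message in lint_all():
        print("%-6s %-20s %s" % (severity, loc, message))
```

Run against the samples, the linter flags the deploy policy's Action '*', the CI runner's s3:* wildcard and its unguarded iam:PassRole, and the break-glass policy's wildcards at medium severity only, because its MFA condition is what makes a broad emergency grant acceptable; the read-only policy produces nothing. That is the distinction an access review in each cloud needs to draw, and the one the platform defaults will not draw for you.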


Continue the Story

Implementing these practices in your identity and access management strategy can help address the chaos of identity and reduce your organization's risk of a ransomware attack, but there's more you can do to keep your identity-based security strategy in top shape.

Explore this topic further by listening to the Identity at the Center podcast episode:

Identity Chaos is a Ladder (on Spotify and Apple Podcasts).

Hosts Jim McDonald and Jeff Steadman talk with Nicholas Brown, Interim CEO at Hitachi ID, about chaos in the identity space, with elements like ransomware, user experience, multi-cloud and SaaS.