A European Journal of Engineering and Technology Research study considers Identity and Access Management (IAM) "an important cybersecurity activity that helps to organise different access management." Its ability to boost monitoring processes and security controls aids organisations and individuals in strengthening their cybersecurity posture compared to using passwords alone.
Unfortunately, malicious players still find a way to circumvent IAM tools. Stephanie Barnett, VP of presales, Asia-Pacific & Japan at Okta, shared the company's recent State of Secure Identity 2023 report, which reveals that customer identity and access management (CIAM) systems are increasingly under attack. Sign-up fraud, leaked credentials, credential stuffing, and bypassing multi-factor authentication (MFA) are among those she listed as common CIAM attacks.
"Fraudulent registration attempts represent 27.9% of total registration attempts on the Okta Customer Identity Cloud in Asia Pacific – which is almost three times higher than in other regions like the Americas (9.4%) and Europe, the Middle East and Africa (EMEA: 8.1%). In Japan, this figure rises to 43.6%, whereas for Southeast Asia, it is just 16.2%," reported Barnett.
Barnett posits that the concentration of threat actors operating in and targeting parts of Asia Pacific, together with the higher fraudulent registration attempt figure, shows a less mature approach to identity security in the region than in others. She also observed that Okta's customers in the region enable fewer security products and features than customers elsewhere.
For Darren Guccione, the CEO and co-founder of Keeper Security, identity management has evolved to address emerging AI-powered threats, especially since data revealed that IT and security leaders feel ill-equipped to defeat deep fake technology (30%) and AI-powered attacks (35%).
"The traditional IT perimeter has vaporised in recent years, dramatically increasing the attack surface. The mass migration to distributed remote work environments has exponentially increased the number of endpoints, the number of remote locations such as home offices, and correspondingly, the sheer number of websites, applications, and systems that require identity verification, access, and full end-to-end encryption," Guccione added.
Moreover, he considers humans "the most error-prone element of the attack chain" and "far more difficult to protect."
Identity management solutions and practices
"As cyber threats continue to proliferate, IT leaders have recognised the importance of identity management solutions to safeguard their digital assets, with organisations investing in technologies such as Single Sign-On (SSO), Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) to bolster their security posture," Guccione said.
The Keeper Security leader advises organisations to implement cybersecurity solutions that integrate with identity solutions for better visibility, security, reporting, and control.
Based on Okta's recent Secure Sign-in Trends Report, increasing identity and cybersecurity attacks are pushing workforce administrators to encourage the use of phishing-resistant authenticators.
"Our research shows that using passwordless, phishing-resistant authenticators leads to dramatically faster sign-in duration and fewer sign-in failures," Barnett said. The Okta executive explains that phishing-resistant authenticators prevent sophisticated phishing attacks by cryptographically binding credentials to a domain at enrolment.
"Passkeys offer promising alternatives in customer identity flows, bringing phishing-resistant, passwordless authentication to the websites and apps organisations use every day," she added.
Zero-trust model
The emergence of hybrid work and the distributed nature of networks and devices make the traditional network security model no longer tenable, according to Barnett.
"As the legacy perimeter model continues to fail modern security needs and performance requirements, adoption of Zero Trust strategies is growing," she said.
Okta's State of Zero Trust Security 2023 report shows the increasing popularity of the zero-trust model and an exponential increase in its adoption in the last two years. The report revealed that over half (61%) of organisations have a defined Zero-Trust initiative, and 35% intend to implement one soon.
Guccione believes that a zero-trust architecture with least-privilege access is the only realistic way to navigate security in identity management in a cloud-based world.
"All humans and devices must prove that they are who they say they are before they can access the network, and they are strictly limited to the resources they need to perform their roles. This is known as least privilege access. Privileged access management software can help with privileged account and session management, secrets management, and enterprise password management," he posits.
He advises organisations to implement a zero-trust model using technologies such as micro-segmentation, least privilege access, and continuous authentication.
"By implementing granular access controls, organisations can minimise the risk of unauthorised access and reduce the impact of security breaches," he said.
Managing user identities, roles, and entitlements
"Perimeter-based security is fast becoming obsolete for today's dynamic, cloud-driven IT environments. As organisations realign their security strategies, it's essential to move on from stop-gap measures and invest in transformative security approaches that help protect IT assets in perimeter-less environments," explained Barnett.
She recommends organisations adopt an identity-first security strategy built on a Zero-Trust framework to ensure proper access controls and compliance, recognising that user and device identity is the foundation of securing access to the most critical organisational assets.
"Whether it's an employee, a contractor, an endpoint, or a server, every entity within an organisation needs to be authenticated into systems and gain authorisation to perform actions. Taking an Identity-first security approach — with focused IAM — marks a significant departure from security's traditional role as a cost centre and opens doors for security teams to act as business drivers within an organisation. This strategy, in turn, promotes rapid and agile adoption of technology across an organisation while reducing risk," she concludes.
Guccione recalls how organisations historically used a "castle and moat" model for network security. He explains that this straightforward concept means that all users and equipment, including servers and end-user devices located inside the network perimeter, are trusted by default and do not need authentication before they can access the network.
"This access model made sense when pretty much everyone and everything was located on-premises. Organisations had a very clear network perimeter: the walls of their offices," he explained.
However, the attack surfaces widened with a hybrid work setup as organisations needed a wider network to connect resources from different places and devices. Guccione said that organisations can improve their cloud/hybrid identity management efforts "by transitioning to a zero-trust security model, in conjunction with least-privilege access, Role-Based Access Controls (RBAC), a Single Sign-On (SSO) solution, and appropriate password security utilising an enterprise-grade password management solution and MFA."
He added that PAM solutions could establish a zero-trust framework, enforce least-privilege access, limit data breaches, and minimise their impact.
"An effective PAM programme will not only ensure that the right people and systems have access to the right data at the right times on the right devices, but also that there is a record of this activity to give total visibility to administrators," he said.
Robust identity management system
As cybercrime incidents increase in number and sophistication, organisations and individuals must create a robust identity management system to manage the digital identity life cycle and user access throughout their IT landscape.
A good identity management system helps strengthen organisations' cybersecurity posture, fosters trust among customers and shareholders, and shows a commitment to protecting valuable organisational data and assets.