Identity management is the practice of controlling and restricting access to sensitive data.
For businesses, the term is connected to cybersecurity. A properly managed enterprise network is regularly reviewed for sound identity and access management, making sure that no one has more access to sensitive data than is absolutely necessary and that each “identity” (be it for a person, program, or machine) is both tracked and documented.
“The vast majority of data breaches making headlines are the result of poor identity management. Twitter, Marriott, Nintendo…the list goes on. These breaches often leverage weak identity management, such as weak or previously compromised passwords, not leveraging multi-factor authentication and single sign-on or leaving standing privileges open,” said Julie Smith, Executive Director of the Identity Defined Security Alliance.
The Identity Defined Security Alliance recommends the following elements for good Identity Management.
- Clarify ownership of ALL identities: Employees, third parties, machines, and customers all have separate security considerations that can and should be identified and addressed.
- Establish unique identifiers: Having a system in place that can quickly identify a user and their role in a company helps with documentation, can help prevent data breaches through regular security audits, and helps investigate security-related incidents by leaving a trail of activity in the network.
- Authoritative source of trusted identity data: Since identity management systems rely so heavily on being able to grant access to data, it is crucial that the means of securing the identities themselves is equally reliable.
- Discovery of critical and non-critical assets and identity sources: With an organization’s security dependent on proper access to sensitive assets, it’s also vital to catalog these assets.
- Privilege access management: Coordinating who has access to which resource is essential. It is equally important that accounts with access to highly sensitive or confidential data maintain a high level of security.
- Automate provisioning/de-provisioning: Manual management of access to systems (e.g. for new or outgoing employees) can expose sensitive data to the wrong people. Automating the process to be as seamless as possible helps to secure an organization’s data and resources.
- Focus on identity-centered security outcomes: The entire point of Identity Management is to secure a system by controlling access. Thus, identity should be a key part of an organization’s security strategy.
- Establish governance processes and programs: A strong identity-based security posture requires regular upkeep and resources, with regular audits and policies revisited as needed, to ensure that an organization is fully in compliance.
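
Several of these elements (ownership, unique identifiers, an authoritative source, de-provisioning, and privileged access) can be checked together in a recurring audit. The following is an added example, not code from the Identity Defined Security Alliance or the original page; the roster, the account export, and all field names are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data. ROSTER stands in for the authoritative identity
# source (HR, vendor and machine registries); field names are assumptions.
ROSTER = {
    "e100": {"kind": "employee", "active": True},
    "e101": {"kind": "employee", "active": False},  # has left the company
    "v200": {"kind": "third_party", "active": True},
    "m300": {"kind": "machine", "active": True},
}

# Constructed export of accounts from the systems under audit.
ACCOUNTS = [
    {"id": "alice", "owner": "e100", "enabled": True, "privileged": False, "mfa": True, "expires": None},
    {"id": "bob", "owner": "e101", "enabled": True, "privileged": False, "mfa": True, "expires": None},
    {"id": "svc-backup", "owner": None, "enabled": True, "privileged": True, "mfa": False, "expires": None},
    {"id": "vendor-adm", "owner": "v200", "enabled": True, "privileged": True, "mfa": True, "expires": date(2030, 1, 1)},
    {"id": "alice", "owner": "m300", "enabled": True, "privileged": False, "mfa": True, "expires": None},
]


def audit(accounts, roster, today):
    """Return a sorted list of (account_id, finding) pairs."""
    findings = set()
    seen = Counter(a["id"] for a in accounts)
    for a in accounts:
        owner = roster.get(a["owner"])
        if seen[a["id"]] > 1:  # identifier is not unique
            findings.add((a["id"], "duplicate_identifier"))
        if owner is None:  # nobody in the authoritative source owns it
            findings.add((a["id"], "no_owner_in_authoritative_source"))
        elif a["enabled"] and not owner["active"]:  # missed de-provisioning
            findings.add((a["id"], "deprovision_owner_inactive"))
        if a["privileged"] and a["enabled"]:
            if not a["mfa"]:
                findings.add((a["id"], "privileged_without_mfa"))
            if a["expires"] is None:  # privilege that never lapses
                findings.add((a["id"], "standing_privilege"))
            elif a["expires"] < today:  # time-boxed access left switched on
                findings.add((a["id"], "expired_privilege_still_enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for account_id, finding in audit(ACCOUNTS, ROSTER, date(2025, 1, 1)):
        print(f"{account_id}: {finding}")
```

Running the same audit on a schedule, and after every joiner or leaver event, turns the findings into a de-provisioning and review queue.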