In an era of cloud-based technologies, managing the complexities of digital access is a fundamental challenge for security teams. Identity-based attacks, such as credential theft and account compromise, are responsible for more than half of all total data breaches, with hundreds of thousands of identities and accounts compromised every year.
Security teams are prioritizing tackling the identity challenge through investing in identity and access management (IAM) solutions that authenticate and verify users. This is a crucial pillar in the Zero Trust framework, designed to help organizations to better protect themselves against data breach by continuously authenticating and validating all users with access to company data.
However, despite the massive growth in the identity and access market globally, many organizations are still yet to deploy multi-factor authentication (MFA) to secure access to accounts. Research from leading identity provider Okta suggests that while adoption of MFA now extends to over 64% of users, this figure varies widely by industry. Surprisingly, some highly regulated industries (including government, healthcare, financial services, and energy) are lagging behind other sectors for MFA adoption.
In addition, only 4% of workforce users have implemented phishing-resistant authenticators – secure identity controls based on FIDO-standards, that cannot be breached by attacks that target MFA controls. While these are new technologies that will take time to achieve adoption, Okta has identified a record number of attacks targeting weak authentication controls, further highlighting the importance of a strategic approach to identity.
To discuss the challenges in the identity space, what’s holding organizations back from adoption of identity technologies, and what the future of identity may look like, Expert Insights recently interviewed James Richmond, Senior Solutions Engineer, Alliances at Okta.
Okta is a market leader in the identity and access management space, protecting over 14,000 organizations globally. What are the major identity risks and challenges that you are seeing organizations face in the IAM threat landscape today?
Challenges faced by organizations are often vast and significantly varying, however, there are three that I still see on a daily basis when talking to businesses. Businesses, that we would have all thought, would have been years ahead of the rest.
- Permissions and licenses – expensive to get wrong: The first challenge, and the biggest risk to organizations, is the incorrect assignment of permissions and licenses to end-users. I am always hearing about the spiraling cost of licenses from customers, often finding that licenses have been assigned to users that simply don’t require access to that resource and that this user most definitely doesn’t require elevated permissions.
- Orphaned accounts: The first problem often leads on to the second. This being the scenario of orphaned accounts, often with elevated permissions. Orphaned accounts are dormant accounts within your business belonging to users that are no longer with the company. It scares all involved when these accounts are found, even more so when the accounts have shown recent activity.
- Enforcement of resources: The third problem is unlinked to the first two, however is often seen as a higher priority – the enforcement of resources. I agree that multi-factor authentication (MFA) is incredibly important within organizations and can easily prevent external attacks from being successful. But what about the insider threat? If an end-user has too much access or elevated access to the wrong systems, a disgruntled employee soon becomes a big problem.
One thing for sure is that these three challenges aren’t issues that businesses need to be worrying about, and the prevention of each can be easily achieved with a strategic approach to identity access management.
Operating under the ethos of Zero Trust, and automating Joiners, Movers, Leavers through the use of the “one” source of truth in an organization, like an HR system, ensures access is always well defined and accurate. Automation ensures that when an employee joins your company, they can instantly crack on with their job, when/if they move roles, they have the correct access at all times. And when they leave, licenses are rescinded and orphaned accounts are the thing of the past.
We’re seeing a big push towards enterprise adoption of multi-factor authentication and passwordless authentication technologies- particularly around the move to Zero Trust – but research suggests adoption of MFA is still low in some industries. What are some of the roadblocks organizations are typically facing when it comes to deploying IAM solutions, and how is Okta addressing those challenges?
There are typically two main roadblocks that can put organizations off the journey of identity, in particular the deployment of MFA across the business. The first is the perceived impact to end-users. MFA in the past could be cumbersome and off-putting for employees who saw it as another hoop to jump through just to do their job. By introducing passwordless technologies, like Okta’s FastPass, MFA no longer impacts the experience provided to an employee. If anything, it makes their life easier at the same time as adding further protection to the business.
General Identity Access Management (IAM) can sometimes be feared by companies. This is primarily due to the worry that an enormous project will unfold, impacting the time of architects and engineers with concerns over the maintenance of a heavy solution. Okta’s platform defeats that concern with its lightweight maintenance and its ability to “just work” out of the box and deliver value to customers instantly. When discussing IAM with customers, varying ways of managing identities can be found, from completely manual processes, all the way through to scripts being deployed automating some activities.
It’s not until later that businesses realize the time and efforts to maintain such processes and scripts, as well as the errors these processes can include in the assignment of access and licenses to end-users. These solutions often far outweigh the costs of an IAM solution like Okta that can automate all manual processes and provide accurate security controls on resources within hours.
Finally, how do you see the identity and access management landscape evolving in the coming years, and what should organizations be doing now to prepare for those changes?
Threats are always evolving, and actors are getting more savvy with their approaches. Now we are seeing a new age of Artificial Intelligence (AI) and the dangers this can present to us all, not just organizations. These threats are able to take advantage of the weak process being followed by some businesses, targeting tenured employees that may have elevated controls from previous roles in the business, or looking for errors in access assignments.
Prevention of these threats can only be achieved through proper management of identities, and controls that protect resources without heavily impacting the experience given to employees. Ensuring a user has the correct access for their role, monitoring activities at all times, and initiating actions immediately upon a threat being detected is the only way you will deter threats from becoming incidents. A solid Zero Trust deployment with a strategic approach to identity at the center will protect companies from these threats by allowing vendors to collaborate and utilize the intelligence provided by each.
Learn more about Okta: https://www.okta.com
About Expert Insights
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.