{"id":21645,"date":"2022-04-13T12:52:21","date_gmt":"2022-04-13T16:52:21","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=480019"},"modified":"2022-04-13T14:06:33","modified_gmt":"2022-04-13T18:06:33","slug":"how-smbs-can-create-an-identity-management-strategy","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/how-smbs-can-create-an-identity-management-strategy\/","title":{"rendered":"How SMBs can create an identity management strategy"},"content":{"rendered":"<p>Identity management is crucial for an effective cybersecurity defence, but isn\u2019t as hard as some organizations believe, experts said at a webinar as part of <a href=\"https:\/\/www.itworldcanada.com\/article\/identity-management-day-advice-from-an-expert\/479923\" rel=\"noopener\">Identity Management Day.<\/a><\/p>\n<p>In fact, one speaker, Lawrence Cruciana, president of North Carolina-based managed security service provider <a href=\"https:\/\/www.corp-infotech.com\/\" rel=\"noopener\">Corporate Information Technologies<\/a>, reduced creating an identity management plan down to a phrase for small businesses: \u201cTWO STEPS.\u201d<\/p>\n<p>Each letter in the phrase stands for one of eight points, but Cruciana hopes it will be easier to memorize:<\/p>\n<p>1. <strong>T<\/strong>ake an inventory of the organization\u2019s data assets;<\/p>\n<p>2. <strong>W<\/strong>rite down all the systems that require identity for access, and the systems (like Active Directory) responsible for identity;<\/p>\n<p>3. <strong>O<\/strong>utline your regulatory or contractual requirements for identity. For example, a partner may require your firm to have multifactor authentication before connecting to its network;<\/p>\n<p>4. <strong>S<\/strong>takeholder (business unit) alignment with the identity management program must be gained. For example, these employees have to use multifactor authentication, these people need a hardware token\/USB key for access;<\/p>\n<p>5. 
<strong>Tr<\/strong>ust is ephemeral, meaning it can\u2019t be granted permanently to users. \u201cWe can\u2019t just say, \u2018Bob has access to this system\u2019 and never review it,\u201d he said;<\/p>\n<p>6. <strong>E<\/strong>xisting IT systems have to be considered under the identity management program, not just new systems;<\/p>\n<p>7. <strong>P<\/strong>rioritize the application of identity management based on systems that have the greatest value or impact to the business;<\/p>\n<p>8. <strong>S<\/strong>trategic buy-in from senior executives is essential.<\/p>\n<p>\u201cVery often we see identity is seen as something you implement, it\u2019s a technical step,\u201d he said. Identity management \u2014 especially in smaller organizations \u2014 needs to be elevated to the business process owners, the information system owner, and ultimately to the senior executive or board.<\/p>\n<p>Cruciana was speaking during one of several sessions sponsored by the Identity Defined Security Alliance and the U.S. National Security Alliance.<\/p>\n<p>Often for a small business the key application is email, he noted. \u201cHaving strong identity management and a robust multifactor authentication program applied to email can mitigate the broadest areas of risk we see in small organizations,\u201d he said.<\/p>\n<p>Cruciana\u2019s session was aimed at SMBs. Also during that session, Harry Perper of the Mitre Corp. noted the Center for Internet Security\u2019s <a href=\"https:\/\/www.cisecurity.org\/controls\" rel=\"noopener\">CIS cybersecurity controls<\/a> include guidelines for implementing identity management.<\/p>\n<p>Multifactor authentication (MFA) may be the most important control an SMB can implement. \u201cMandate it everywhere possible,\u201d he said. Sending authentication codes by SMS text isn\u2019t the safest method, he added, but in some cases may be good enough. Using an authenticator app (such as from Google, Microsoft or Duo) is safer. 
Hardware tokens in the form of USB keys that generate authentication codes should be for employees who have privileged access to the most sensitive data and systems, he said.<\/p>\n<p>In a separate session, Tom Sheffield, senior director of cybersecurity at retail chain Target, said any MFA system is better than none. In some cases, SMS-based authentication may be acceptable for guests on your network. It\u2019s all about risk, he said. Discover your assets and map MFA against your risks.<\/p>\n<p>MFA should be rolled out in phases, he added, first going after the systems with the highest risk.<\/p>\n<p>Some organizations are hesitant about MFA, said Martin Kuppinger, principal analyst at <a href=\"https:\/\/www.kuppingercole.com\/\" rel=\"noopener\">KuppingerCole Analysts<\/a>, a Germany-based cybersecurity advisory firm. They worry it impedes system usability. This is a matter of education, he said. \u201cOur thinking must be not to balance security and convenience, but how do we combine security and convenience.\u201d<\/p>\n<p>Manish Gupta, director of global cybersecurity services at Starbucks, talked about the coffee chain\u2019s efforts to abandon passwords and demand facial or fingerprint recognition for employee logins, as well as behavior-based authentication. This starts with an application establishing a user\u2019s baseline behavior \u2014 such as typing and mouse movement behavior \u2014 and then looking for anomalies. The technology depends on the strength of the analysis engine, he admitted.<\/p>\n<p>Going passwordless can be a struggle in some countries, he added, where regulations may restrict the use of biometrics or the use of smartphones to receive authentication codes.<\/p>\n<p>\u201cThe best thing we can do as identity leaders is be the voice of security,\u201d said Sheffield. 
\u201cWe need to speak to our cybersecurity partners, our business partners, our technology partners of the importance of all the foundational [cybersecurity] capabilities, and be the advocate for them and get [people] to understand why these are necessary.\u201d<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/how-smbs-can-create-an-identity-management-strategy\/480019\">How SMBs can create an identity management strategy<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At an identity management webinar, experts offered advice for small and medium businesses<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/how-smbs-can-create-an-identity-management-strategy\/480019\">How SMBs can create an identity management strategy<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"author":17,"featured_media":20666,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16,369],"tags":[391,475,396,388,393],"class_list":["post-21645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-smb","tag-di","tag-identity-and-access-management","tag-postmedia","tag-privacy-security","tag-security-strategies"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/21645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=21645"}],"vers
ion-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/21645\/revisions"}],"predecessor-version":[{"id":21648,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/21645\/revisions\/21648"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20666"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=21645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=21645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=21645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}