Identity, IAM Technologies, Data Security

Identity resilience: What it is and how to achieve it

For a recent CyberRisk Alliance webcast, Enterprise Security Weekly host Adrian Sanabria welcomed four guests to join him in discussing identity resilience: MightyID COO Chris Steinke; Ben Dimick, Director of Security Consulting Services at Tevora; Michael Farnum, Advisory CISO at Trace3; and Jeff Reich, Executive Director of the Identity Defined Security Alliance.

Sanabria began the discussion by pointing out that the cybersecurity industry as a whole has been shifting from prevention to resilience as American companies, battered by breaches, have realized that recovery is more important than 100% guarantees of protection.

Steinke offered this definition of identity resilience: "[an] organization's ability to not only protect and manage their digital identities but be able to absorb and recover and operate at degraded states when necessary."

Reich offered this notion of identity resilience: "the ability to have an identity with capabilities that can persist without compromise."

Finger-pointing and firefighters

Dimick pointed out that among many companies he had worked with, many felt that their identity systems were just fine and didn't need to be backed up or mirrored. Steinke added that there was a common misguided assumption among organizations with cloud instances who assumed that everything was being replicated there.

"The [cloud service] provider doesn't back up your configuration," Steinke said. "They provide you with the bucket to put your configuration in, but what's in that bucket isn't backed up."

Another issue is a lack of clarity in many organizations over exactly which team has responsibility for maintaining identity resilience.

Dimick, whose company provides information-technology consulting, said sometimes a security team will tell him the infrastructure team handled it, while the infrastructure team would point the finger back to the security team.

"It's just being able to have enough conversations with enough people so that you really find out who's taking responsibility for the matter overall," Dimick said. "There's a good chance that nobody is just yet."

Farnum said that in his experience, such situations often compel a few individuals to step forward and assume responsibility without being asked — volunteers that Farnum calls "firefighters."

That doesn't always happen, Farnum added, but when it does, "everybody kind of has this sense of relief that somebody's actually taking charge."

The truth is, Dimick said, is that identity is "not just an IT or security initiative. It's really a whole-organization initiative."

Unions and splits

When organizations merge, as in a merger or an acquisition, or split up, as in a divestiture, it can wreak havoc upon identity systems, Dimick and Farnum agreed.

"There's a lot of uncertainty during those times, whether it's a matter of the shifts in personnel, people taking on new responsibilities and so on, so forth," Dimick said. "And a lot of these things can quickly slip through the cracks."

"If somebody is spinning out another company," Farnum said, "that's a key area where we see orphaned accounts.”

“A lot of those accounts don't necessarily disappear,” he explained. “They stay within that organization, so now they've got a lot of accounts that could have access to all levels of things, and that's just an area that is ripe for having compromised identities that you didn't know were there in the first place, or you thought were in that other domain and were gone."

"Having orphaned accounts and having identity sprawl are the number one and two issues that organizations that responded [to a recent IDSA survey] say they have," Reich observed. "If you can't manage your identities, you're not going to have resilient identities, because you can't even make them work in a normal situation."

That's why Dimick said that when he has clients about to embark on a merger or acquisition, he brings in MightyID to back up their identity systems.

"We want to ensure that they have those direct capabilities right away," he said. "To get their current snapshot backed up, to ensure that they've got their data in place, and ultimately, MightyID can help them to move that, the configurations of data from one instance over to another."

Three steps to identity resilience

To make sure an organization has identity resilience, Dimick presented three components.

  1. Have an identity-resilience plan to recover from a security incident or data loss.
  2. Have a solution in place that can help you to back up and restore your identity, objects, users, groups, applications and settings.
  3. Have a good way to monitor what's really happening within your identity platform so that you can proactively respond as issues come up.

"Those three tend to be the trifecta to really achieving identity resilience," Dimick said.

To watch or listen to the entire archived webcast, register here.

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.

You can skip this ad in 5 seconds