Identities are the keys to your digital kingdom. Once a hacker gets their hands on a set of credentials, they are limited only by their imagination and creativity in how they use them to their benefit. Hence, it’s crucial to make sure user identities don’t end up in the wrong hands. If this is the first time you’re learning of this or if you need some guidance on how to start protecting identities in your company, we’ve put together this identity security 101 post. Read on to learn more about why identity security matters and some simple steps you can take to protect identities.
Why Identity Security Matters
Number One Attack Vector
The first step in protecting identities in your IT organization is understanding why identity security matters. Did you know that in the last year alone over 446 million records have been exposed due to data breaches? That’s enough for the entire U.S. population to have at least one set of records exposed and then some. Some of these exposed records included usernames and passwords for personal online accounts. Given that 61% of end users leverage the same or similar password across all online accounts, there’s a very good chance that a set of credentials used to access work resources in your organization has been compromised. If that’s not troubling enough, there’s also the fact that 92% of companies have credentials for sale on the Dark Web. All of this doom and gloom just goes to show that user identities are the number one attack vector, and as such, it’s crucial that IT organizations have a strategy to secure them.
Another reason it’s important for IT admins to have the responsibility of securing identities has to do with the human factor. If IT admins are not in charge of user credentials, then your end users are, and that’s not ideal because historically they haven’t always prioritized security. For example, a study on the psychology of password management found that most people will only choose a strong password if they are actually willing to sacrifice convenience. It doesn’t matter if it’s important for security purposes. On top of that, the same study also found that most people are only willing to make a sacrifice in convenience for accounts that if misused would seriously affect them personally. Coupled with a strong curious nature and the effects of information cascade, you really want to minimize the amount of control end users have over their identities. Ideally, IT admins need to have control because they have a personal stake in the security of their organization. If they don’t do a good job and their company gets breached, they’ll have a hard time getting another job. It’s essentially their mission to help keep the bad guys out. So what are some of the steps an IT admin can take to fortify identity security in their organization?
The Rundown on Identity Security 101
A solid start to an identity security strategy requires a two-pronged approach: security awareness training coupled with the right technology.
Security Awareness Training
Security awareness training is a powerful means of providing your end users with the knowledge they need to be able to perform their jobs in a secure manner. We’d recommend conducting it on a regular cadence and taking the time to remind employees how to protect their identities and how to securely utilize all of their IT resources (e.g., systems, WiFi, email, etc.). It’s also an opportune time to walk them through the kinds of attacks they could be targeted with, how to spot them, and what to do if they discover something phishy. If you need help with how to conduct security training in your organization, consider reading “Security Training 101: Employee Education Essentials.”
In addition to regular security awareness training, having the right technology in place can go a long way in safeguarding your digital kingdom.
First, a really powerful tool for securing identities is multi-factor authentication (MFA). MFA means that a user can’t log in to a resource with just a password. Instead, they also need a time-based one-time password (TOTP) token that’s generated by an app, like Google Authenticator™. And that app is tied to their phone. Essentially, a hacker would need the user’s password and phone in order to access an MFA-enabled account. Getting the user’s password may be easy, but obtaining their phone is a whole other story. It’s why MFA can be a really powerful step in boosting identity security.
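How a TOTP code is derived from a shared secret and checked on the server side, as an added example that is not part of the original post or any vendor's code. It follows RFC 6238 (HMAC-SHA1, 30-second steps); the `TotpVerifier` class, its drift window and its replay check are illustrative assumptions, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 test key, never a real secret


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Compute the TOTP code for a given time (RFC 6238 over RFC 4226)."""
    counter = struct.pack(">Q", unix_time // STEP)        # 8-byte big-endian step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check for one user (hypothetical helper)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # steps of clock drift tolerated either way
        self.last_step = -1       # highest step already accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue          # reject reuse of an already accepted code
            expected = totp(self.secret, step * STEP)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("first use:", verifier.verify(code, 59))
    print("replayed :", verifier.verify(code, 59))
```

Because the code depends only on the shared secret and the clock, the secret stored in the authenticator app and on the server needs the same protection as a password hash database.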
Lastly, a modern identity management solution, like JumpCloud® Directory-as-a-Service®, is vital for protecting user credentials. This core IT management tool enables sysadmins to centrally manage user access and authentication to virtually all of the IT resources in their environment. This in turn allows IT admins to enforce identity security policies like complex passwords, MFA, and the use of SSH keys (where applicable) from a single pane of glass. Additionally, because JumpCloud supports IT resources regardless of protocol, platform, provider, and location, users gain one set of credentials to access everything they need to do their job. Essentially, you’re fighting their preference for convenience by making the secure option the more convenient one. In the end, IT admins get control and end users benefit from a seamless workflow. It’s a win for everyone.
Of course, securing identities is really just the start of creating a solid security foundation. Read “The Security Playbook for SaaS Startups” for more information on how JumpCloud can help you fortify networks, systems, data, and so much more. Prefer to take your knowledge beyond an identity security 101 post? Consider reading this more in-depth white paper on why it’s time to take identity security seriously. You are also more than welcome to drop us a note if you would like to talk more about identity security or the JumpCloud platform itself. Interested in trying out a modern cloud identity provider like JumpCloud? Sign up for a free account. You’ll be able to test all of our features, you don’t need a credit card, and your first ten users are on the house, forever.