Preventing Data Breaches with Identity and Access Management (IAM)

Data breaches are an ever evolving threat for many enterprises. IBM’s Cost of Data Breach 2021 report found that the average cost of a data breach incident was $4.24 million, with compromised credentials being the most common entry point. Hackers have many ways to obtain compromised credentials, including phishing attacks that trick users into sharing their account information.

Data breaches can also be the source of compromised credentials and personal identifiable information (PII), leading to information being sold on the dark web. Top data breaches in 2021 involving PII and/or credentials included Cognyte (5 billion records), LinkedIn (700 million users) and Facebook (533 million accounts). Given the number of users who reuse their passwords on multiple accounts or share them with others, these breaches have a ripple effect.

Ongoing cybersecurity threats are causing more organizations to move to a Zero Trust approach, where you trust no one and verify everything.

Read on to learn how identity and access management (IAM), a key component of the Zero Trust approach, works on multiple fronts to prevent data breaches.

Identity and access management (IAM) is a cybersecurity framework with numerous capabilities, including the ability to make sure users are who they claim to be, which prevents hackers with compromised credentials from accessing your network. IAM solutions are available for customers, employees and partners, which can also prevent rogue insiders from accessing and selling sensitive data. An IAM solution is key to connecting and integrating your business to people and resources which can be made even easier to accomplish with an identity orchestration service.

Watch this short video to learn more about IAM.

We’ll highlight several IAM capabilities below and their roles in preventing data breaches.

Authentication Authority

An authentication authority provides a centralized authentication service that covers all your digital assets, including on-premise, cloud and SaaS. Adaptive authentication can reduce your attack surface by automatically requiring a higher level of proof for users when certain risk signals are triggered like authenticating from suspicious IP addresses or geolocations. Users following their typical patterns have seamless sign-on experiences, while real-time assessments that may indicate an attempted data breach require additional forms of authentication.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) requires employees, partners and/or customers to provide proof of their identity from two or more authentication categories. A bad actor using compromised credentials would not be granted access without an additional form of proof from a different category, like a mobile device connected to the user or the user’s fingerprint. According to Microsoft, MFA can “prevent 99.9 percent of attacks on your accounts.”

Authentication factors include:

• Something you know.  Passwords, PINs and answers to security questions fall under this category. People openly share personal information on social media sites, making them less secure and easier for bad actors to figure out.

   

• Something you have. Smartphones, hard tokens, soft tokens, key fobs and smartcards in the user’s possession are all examples. Methods include sending a one-time password (OTP) to a smartphone or inserting a smartcard into a device.

   

• Something you are. Biometrics are being increasingly used to confirm a user’s real-life identity through fingerprint scans, voice or facial recognition, retinal scans and other methods.

   

Dynamic Authorization

Dynamic authorization gives you control over who has access to data and actions in your SaaS, mobile, web and enterprise applications. Using real-time context, fine-grained authorization decisions may allow, block, filter or obfuscate. Authorization also plays a role in regulatory compliance. Consumer data protection regulations vary by industry and region, with updates and new regulations being introduced on a regular basis. Compliance with regulations such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and Consumer Data Right (CDR) mean your customers have control and insight into their data.

Directory

Bad actors want your employee, partner and customer data. A directory that centralizes and encrypts identity data helps protect it from attacks. Rather than having several siloed directories, combining them into a single source of truth for your organization and trusted partners allows you to personalize the user journey while keeping data secure. The directory encrypts data in every state (at rest, in motion and in use) to help avoid data breaches and compliance issues. A centralized directory can also defend against insider attacks by allowing enterprises to limit access and send active and passive alerts when suspicious activity occurs.

API Security

Application programmable interfaces (APIs) are software intermediaries used to communicate between applications, and can be developed using a variety of methods. Because data flows through APIs, they are prime targets for bad actors. API security includes API access control and privacy, the detection and remediation of attacks on APIs through API reverse engineering, and the exploitation of API vulnerabilities described in Open Web Application Security Project (OWASP) API Security Top 10.

Watch this short video to learn more about API security.

Bad actors are constantly looking for new ways to breach your system, steal data or even worse, keep your data hostage as part of a ransomware attack. Zero Trust provides a holistic approach to securing your network. Download our white paper to learn more: The Journey to Zero Trust.