A survey of 625 IT and IT security professionals in the U.S. published today finds only half (50%) consider the investments made in identity and access management (IAM) tools to be effective.
Conducted by the Ponemon Institute on behalf of GuidePoint Security, a provider of cybersecurity services, the survey also finds only 44% have high confidence in their ability to prevent identity-based incidents.
In total, 50% of respondents report there has been an identity-based security incident in the past 12 months. The causes of those incidents were compromised or stolen credentials (34%), identity theft (25%) and phishing (23%), according to the survey.
Kevin Converse, vice president for IAM at GuidePoint Security, said that while the majority of cyberattacks today involve some type of compromise of an identity, the survey makes it apparent that most IAM efforts are still relatively immature. In fact, the survey finds that in nearly half of organizations (47%) investments in IAM technologies trail behind other security priorities.
Far too many organizations are also still dependent on manual processes involving spreadsheets and antiquated platforms that make managing and securing identities overly cumbersome, noted Converse. For example, the survey finds that a lack of appropriate technologies (54%), in-house expertise (52%) and resources (45%) are all top IAM challenges.
Additionally, while most organizations report having policies in place or in development (83%), only 28% have these policies integrated into their IAM platforms, the survey finds.
Much of the insecurity involving identities can be traced back to how access is provisioned. In most organizations, business units tell IT which applications and services an end user will need to access. There is, however, a tendency to overprovision access in case that individual might need to perform an occasional task involving a specific application. Cybersecurity teams need to address that issue by ensuring that access needed only occasionally is granted just in time rather than left always on, noted Converse.
Convincing organizations to address those issues, however, requires significant time and a change management effort roughly equivalent to driving a digital transformation initiative, he added. On the plus side, when implemented correctly, those IAM initiatives can create a superior user experience that is less dependent on end users trying to remember passwords. For example, 45% of respondents said the primary driver for IAM investments is to improve user experience.
There are also other major challenges created by the rapid expansion in the number of non-human identities that need to be secured. Each machine, software component and, soon, artificial intelligence (AI) agent has an identity that could potentially be compromised, noted Converse.
While securing all those different types of identities may be daunting, the more organizations focus on simple fundamentals, such as implementing two-factor authentication, the more rapidly overall security will improve, he added.
Of course, it’s unlikely there will ever be perfect security, but in the absence of even the most rudimentary IAM capabilities, most organizations today continue to rely on usernames and passwords that all too often can be easily discovered on the Dark Web.