In late 2023, Omada conducted a survey of more than 550 IT security and business leaders to learn their assessments of their current identity governance strategies, what identity-related security threats present the greatest concern, and what functionality they look for when evaluating new identity governance and administration (IGA) solutions. Access The State of Identity Governance 2024 report here to read the complete findings.
The report data is both informative and provocative, and we asked Omada Vice President of Product Strategy Rod Simmons and Senior Solution Architect Craig Ramsey to facilitate a webinar that delves into the findings and helps explain what they mean to organizations as they look to reduce their risk of experiencing identity-related cybersecurity breaches.
This blog is the first in a series of posts based on Omada experts’ analysis of the data that will help you use the survey findings to drive your identity and access management (IAM) strategy in 2024 and beyond.
An IGA Solution Must Account for the Human Element in Identity-Related Security Risks
Survey data from The State of Identity Governance 2024 report reveals that over 90 percent of IT security and business leaders are very or somewhat concerned with the risk of identity-related cybersecurity threats. Simmons and Ramsey consider this a healthy level of concern, but they are surprised that not 100 percent of survey respondents are at least somewhat concerned. They cite findings from a recent ESG survey that support this assertion. In that report, identity management professionals say that 74 percent of security breaches involve a human element such as error, user misuse, use of stolen credentials, or social engineering. They point out that user identity is the common thread running through these breakdowns. The ESG report also found that 64 percent of organizations had some kind of ransomware attack within the last year. Ramsey remarked that the ransomware kill chain trigger is typically identity-related as well.
When you consider these data points, it is fair to say that typical organizations face a huge number of identity-related security breaches involving a human element. Given this prevailing environment, it would be more reasonable for 100 percent of IT professionals and business leaders to be concerned. Ramsey cites the identity-related 2023 attack on MGM Resorts as an example of insufficient identity security. Hackers obtained personal information belonging to customers who transacted with the company over three years before the attack, and recovery from the breach cost MGM Resorts approximately 100 million US dollars.
The approximately 10 percent of survey respondents in The State of Identity Governance 2024 who expressed so little concern about identity-related threats may have a mature zero-trust security model in place that provides robust identity controls and governance across the identity fabric.
Even in those instances, however, Ramsey warns that identity-related risk is an issue that must concern or at least be visible to everyone in an organization right up to the C-suite, and there must be an organization-wide effort to ensure that appropriate identity controls are in place.
Enforcing Appropriate Permission Levels for Employees Is Not Enough
Simmons amplifies Ramsey’s points, citing the recent Verizon Data Breach Report in which the authors state that if a hacker compromises a user account in which the user has been assigned the permissions they need to do their job, the hacker can exfiltrate data to the point of negatively impacting the enterprise. Simmons warns that when a user account is compromised, the organization’s biggest concerns should be determining for how long the cybersecurity team did not have visibility into the threat and finding out if this is also an issue with other users across the organization. Any organization that wants to enforce the principle of least privilege, whether it be for privileged users or even for regular users, must ensure that the IGA solution cleans up all unnecessary access. If your organization is not doing that, you must be concerned with identity-related cyberattacks.
Simmons goes on to say that if you have been in an organization that suffered a compromise in which the attackers were in your environment, you saw first-hand, through forensic auditing over many months, the amount of data the attackers were able to exfiltrate, and you wondered how the breach went undetected for so long. Early detection functionality from your IGA solution enables you to avoid this gut-wrenching ordeal and eliminate the need to reckon with the overall negative impact of this type of attack.
Expert, Data-Driven Advice on Managing Your IGA Strategy
In Decoding the State of IGA 2024, Omada Vice President of Product Strategy Rod Simmons and Senior Solution Architect Craig Ramsey break down the findings regarding enterprise perceptions of identity governance from The State of Identity Governance 2024, delve into the insights uncovered, and provide key takeaways to help shape your organization’s identity and access management strategy.