1. What are the biggest challenges organizations face in securing digital identities, and how can they overcome them?
Unfortunately, I see digital identity as the most consequential attack vector. If it were a football team, I would say it only has 3 problems – Offense, defense, and special teams. Too many companies are still managing digital identities “the old-fashioned way” and they aren’t thinking through the entire lifecycle of digital identities nor taking advantage of many of the technology advancements the identity market has delivered over the last several years. Too many companies are still relying on proven flawed practices of passwords, KBA (knowledge-based authentication), and archaic identity management processes.
My recommendation is to take a step back and assess your current approach across the entire digital identity lifecycle and identify and prioritize the improvement areas of greatest impact.
To do so, consider these 4 areas of the digital identity lifecycle:
- Onboarding and Identity Verification – How do you establish that initial trust with a person or system when you first meet them? Showing your driver’s license or passport to HR and even background checks when you first get hired is what most people may be familiar with but that model isn’t effective for non-employee relationships like 3rd party workers, remote workers, or for your customers and partners. There are plenty of advancements in identity verification and even decentralized identity technology and processes that can greatly improve your digital trust.
- Entitlement and access management is all about how we give users access to those things they need in our environment. Overprivileged identities are a common issue in many organizations and typically caused by poor entitlement management practices that don’t account for the entitlement changes needed when a user joins, changes their responsibilities or needs for access, or even leaves the company or terminates the digital relationship with our information and systems. Implementing RBAC (role-based access control) or ABAC (attribute-based access control) are common ways to standardize access but must be coupled with strong processes to handle the exceptional (or out of role) access that is commonly needed. Detecting ‘mover and leaver’ conditions in an identity lifecycle helps prevent “entitlement sprawl” or having users with access that we no longer are associated with. Strong identity governance processes help identify gaps in these entitlement management processes and reduce the risk of inappropriate access.
- Identity Assurance and Authentication are the processes involved in ensuring someone is who they claim to be when we are (digitally) interacting with them. Despite advancements in password-less technologies, most companies are still reliant on the old “something you know” method of protection in the form of a password or even worse “KBA” or knowledge-based authentication. (What is your mother’s maiden name?). Most people are now familiar with biometric authentication thanks to the strong adoption by mobile device manufacturers with fingerprint or facial recognition, but many times these capabilities are simply convenience features sitting on top of the same old insecure password or God forbid – 4-digit PIN. So companies should look at strong, password-less methods of authentication and/or combine their authentication solution with solutions to help detect compromised credentials or anomalous access behavior. Advancements in technology like risk-based authentication and ITDR (identity threat detection and response) and decentralized identity are great technology choices to help with these issues.
2. How can organizations ensure their employees stay up to date with the latest cybersecurity threats and best practices?
Much like we remind our children to brush their teeth and to not leave their toys in the yard, we can help our employees with regular reminders and tips for keeping a good digital identity hygiene. Sharing the stories of how their identity may be stolen through phishing and spoofing and smishing can help them keep their guard up and be suspicious of unusual communications. A regular drumbeat of how they could fall victim and simple ways to maintain a good digital identity hygiene are critical to arm employees in the defense of our systems and data.
3. How has your experience in cybersecurity and identity management influenced your approach to digital transformation in enterprises?
Identity is the new perimeter – the cloud has turned compute, network, workloads, services, and with the advancements in GenAI even data to be more and more ephemeral. Identity needs to be the foundation of trust and has become the easiest way to compromise systems and data.
4. How should companies approach zero-trust security models to protect their digital assets effectively?
As I mentioned above, they need to think through the entire identity lifecycle from onboarding to identity and access management to governance. Adding a layer of continuous feedback based on user behavior and access patterns to inform and strengthen their controls is key to a zero-trust model.
5. How can organizations balance security with user convenience in an increasingly digital-first world?
Too many security teams put the complexity of security on the end-user. The stronger they make security, the more “stupid human tricks” they seem to want to have their humans perform to ensure things are safe. From multi-factor authentication having me turn my head and cough, to setting my password to be at least 12 characters, never the same one twice, must have at least 2 Egyptian hieroglyphs, I have to change it every two weeks and then get yelled at if I use a password manager or write it down or laughed at by the help desk because I keep forgetting it or if I use the “I forgot my password” self-service I get asked “What was the color of your first car?” (Hint: 40% of all cars sold are white…) or “What’s your mother’s maiden name?” (I bet I could find that on Facebook since statistically 50% of our parents got divorced years ago) – why don’t you just make that my password then? The technology exists, and has for years, to implement authentication, identity verification, identity assurance, and even entitlement management that promote a positive and painless user experience without sacrificing security. Want proof? Go to Vegas – walk into a casino, there you will find some of the tightest security deployed to protect their money and spot the threat actors without ever frisking you down, making you show your ID when you enter, or making you turn your head and cough.
6. What lessons have you learned from your leadership roles in tech-driven organizations that apply to today’s evolving digital landscape?
It takes a LOT more than great technology to solve a problem. People are resistant to change and need motivation to do more for security and user convenience. We all complain about “compliance” and regulations but time and again it’s proven that without them AND enforcement of non-compliance through fines or other penalties, companies will always find a way to not make security a priority over profitability. My hope is that there are other motivations for companies to improve their security than regulatory pressure and fines. While fines hit the bottom line of a company, it’s become simply too easy to mitigate that risk through cyber insurance or budgeting a calculated risk into the balance sheet. And breaches have become so commonplace that as a society we have become numb to the next one and they only get bigger so even reputational damage of a company during a breach has become more of a temporary inconvenience just as the common cold is to a person. And in a society that acts so enraged when our privacy is threatened yet we are willing to give up tons of personal information and privacy in exchange for a gift card to our favorite coffee shop, I wonder if society really is that concerned about security and privacy? So when leading tech-driven organizations, I certainly want to see great technology, and there is plenty of it, but I also look for the motivation factors for adopting that technology in any meaningful scale.
About Jim Ducharme
Jim leads ClearDATA’s Engineering, Product Management, and IT teams. He has more than 25 years leading product organizations in the identity, integrated risk, and fraud management markets. Prior to joining ClearDATA, Jim served as Chief Operating Officer of Outseer, an RSA Company, where he served over 10 years in executive leadership roles. Prior to RSA in 2012, he served in executive leadership roles for Aveksa, CA and Netegrity. Ducharme frequently speaks at industry events and regularly contributes articles to trade publications.
Jim also holds several patents and a Bachelor of Science in Computer Science degree from the University of New Hampshire. He and his wife live in Maine in their dream log home, which was featured in Log and Timber Home Living magazine.
About ClearDATA
Unmatched Cloud Protection. Unrivaled Healthcare Focus.
Top healthcare leaders trust ClearDATA – the only provider of cloud security and compliance software and services exclusively for healthcare, enabled by the powerful CyberHealth™ Platform.
Our cloud security posture management (CSPM) solutions offer full visibility, protection, automation, remediation, and enforcement of security and compliance measures to protect PHI and other sensitive healthcare data across the public cloud. To learn more about our expert teams, managed and professional services, and our self-service platform, visit cleardata.com.
