Alex Smith is Director of Security Products at Intermedia.
To say that today’s enterprises are up against a whole new world of security threats is an understatement.
Businesses across the globe have suffered massive data breaches affecting operations and customer trust. Oracle, for example, discovered malicious software on systems running its network of MICROS point-of-sale payment terminals—ultimately impacting hundreds of the company’s computers and its online support portal.
Oracle is not the only organization suffering from such attacks. It will not be the last. Things are only going to get worse as new threats grow in popularity among cybercriminals. But why is enterprise security in such disarray? The problem lies with the current state of security perimeters.
The uptick in cloud computing and mobility have rendered traditional enterprise security perimeters non-existent. Employees nowadays don’t just access corporate data through their desktop at the office but through multiple devices and web apps at any time and from any place. Each device and web app an employee uses is a potential weak point governed by one challenge: verifying that the right person is accessing the appropriate information on the right device.
So, how can organizations protect against sophisticated cyberthreats in this new landscape? The answer is to adopt an identity-first approach to security and access with an identity and access management (IAM) solution.
At its core, IAM separates two groups of users: those who have permission to do certain things and those who don’t. That may seem straightforward, but in this day and age where we can conduct work anywhere, over a range of devices and using a nearly infinite number of web apps, it’s an incredibly complex challenge. Next generation IAM, however, is evolving to keep ahead of these new realities. Deployed correctly, advanced IAM can significantly reduce exposure to security risks.
Below are key considerations for IT teams taking an identity-first approach.
Remove the Human Element in Password Management
According to the 2016 Verizon Data Breach Investigation Report, 63 percent of all breaches leveraged a weak or stolen password. This poor state of password hygiene shouldn't be a surprise. After all, the average enterprise, according to Netskope’s 2016 cloud report, uses 935 web apps.
Single Sign-On (SSO) emerged as a solution to address the growing burden of creating and managing passwords. SSO reduces the tendency to use weak or common passwords that are easily cracked. But SSO alone is not enough. Dynamic password management is the next step, keeping credentials secure by reducing the human element and ensuring strong passwords are created and automatically changed on a regular basis. This greatly improves security, while also preserving convenience for users who don’t have to constantly come up with, and then remember, new passwords.
Understand User Behavior
Context-based authentication and authorization helps balance the dual requirement for security and usability. By dynamically adapting authentication according to the level of risk posed by the user’s current context, organizations can provide flexibility without relinquishing control. This takes into consideration the conditions around a request to verify trust. For example, a context-based authentication and authorization solution can verify a user and grant access to sensitive data by considering their role, where they are through geolocation, the time of day, device type and health and what network they’re using.
Let’s say a known user typically accesses data remotely from a particular device during a certain time period and in a certain geographical area. Now let’s say that user falls out of their established pattern and attempts to access sensitive data on a new device from a new location after hours. Additionally, their location differs wildly from their previous login location that same day. A context-based authentication and authorization solution should be able to detect this discrepancy and escalate the authentication process, such as requiring an SMS code sent to the user’s verified phone number, to continue.
Maintain a Trail of Accountability
No security measure on earth is one-hundred percent effective at protecting against breaches, and often human error is to blame. According to an Intermedia 2015 Insider Risk Report, 93 percent of employees admitted to “engaging in at least one form of poor data security.” This includes sharing login credentials with multiple users (65 percent), deploying shadow IT solutions without consulting IT first (45 percent for tech-savvy users) and more.
Therefore, it is essential for IT teams taking an identity-centered approach to maintain an audit trail to capture user interactions with web applications. That way, when an attempted or actual breach occurs, IT or the security team can quickly investigate what happened, which employees were involved, who’s credentials were compromised and what data was targeted.
Such an audit trail is also beneficial in managing work with contractors, partners and vendors. Let’s say a business unit working on a new product needs to share data with contractors. Access is needed by a growing group of people, but controlling who has access to what data is difficult. By standardizing the access processes through a uniform, company-wide IAM policy, a business can provide contractors the right data with complete visibility without putting restricted data at risk. When the contract is over, access to the data can be revoked. And, when it comes time for an audit, the company can provide clear insights into what data was accessed, when it was accessed, by whom and why without overburdening IT or any other part of the organization.
Like many modern upgrades, any business considering an IAM-centered approach to security will need to consider what both their IT infrastructure and company will look like further down the road. Systems will need to scale, solutions need to be compatible, and the infrastructure will need to grow as the company grows. However, the investment – especially when safeguarding against rising security threats, suspicious activity and unpredictable employee behavior – is well worth it.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Penton.
