It seems data breaches and cyberattacks have become part of our hyperconnected world. This year alone, we have seen billions of data records compromised, and despite the growing number of threats and the increasing sophistication of attacks, not much has changed in the way businesses secure access to critical resources.
Identity has found its way back onto the front page as organisations come to realize that stolen identity is the number one security issue, and often the weakest link in security postures. To solve this problem, organisations must look across their businesses to ensure the three critical dimensions of identity risk are being addressed:
- Identity assurance: are users who they claim to be?
- Access assurance: do we understand what users should be able to do and access?
- Activity assurance: are users behaving appropriately?
Identity and access assurance is the single most important control for managing digital risk. To truly detect and manage identity risks, organisations should consider a risk-based authentication solution that is able to analyse user access, devices, applications and behavior to provide businesses with the confidence that users are who they say they are based on previous history.
Additionally, organisations are facing two key challenges that come with managing today’s dynamic workforce:
- Workforce transformation: From remote employees, to gig workers, third-party partners and more, the user population is more dynamic than ever. Identities are scattered everywhere, and multiple points of access leave openings for cyber-attacks at a time when threats are becoming more sophisticated and harder to detect;
- The expanding attack surface: Applications have moved out of the relative safety of enterprise castle walls to the cloud. And as apps and data become more accessible than ever before through multiple public and private cloud infrastructures, organisations are simultaneously creating more and more islands of identities and increasing the attack surface.
What can happen if identity is badly managed?
With a seemingly endless stream of high-profile data breaches and malicious cyberattacks, we have seen what can happen when identity is not properly managed. Identity and access management can no longer be an afterthought, and organisations can no longer rely on old security postures in today’s ever-changing security landscape.
We are also seeing new and increased regulations like GDPR become an impetus for organisations to start having important conversations around data, privacy and compliance. With more at stake, including financial damages in the form of breach-related expenses, regulatory fines and the potentially irreparable loss of customer trust and reputation, organisations are now looking to adopt innovative and secure solutions to authenticate users seeking access to critical resources. Critical to this is businesses taking the time to assess and understand where their crown jewels reside in order to protect them.
With many organisations now working with third parties, how does this affect how they manage identity?
In the era of digital transformation, success is a team sport. Today, most organisations are reliant on third parties to offer a host of benefits – including innovation, speed and efficiency. However, these benefits come with unpredictable and inherited risks; in fact, 59 percent of companies have experienced a third-party data breach.
As organisations expand their third-party ecosystems, they must simultaneously look to protect their critical internal systems, sensitive data and consumer-facing digital channels. To effectively manage identity and access management postures, organisations should employ a risk-based, automated approach that certifies identities, assigns appropriate levels of access based on users’ responsibilities, and scales to meet the unique demands of authenticating third-party users.
Organisations must also consider that third-party relationships are often managed in silos, across different business units or functions. Each function may have its own way of identifying, assessing and managing business partners. This not only leads to redundant activity, it also inhibits the executive management team’s ability to get a complete and accurate view of third-party risk and performance across the organisation.
And without a firm grasp of their company’s third-party risk exposure, leadership can’t make informed decisions on how much to invest – and where – to protect the business from these risks and effectively manage identities and access.
How can organisations better govern third-party access to critical applications and resources?
It’s now incredibly rare to find a business that is completely reliant on its own internal staff and technology, whether it’s for cloud computing or employing freelancers or temporary consultants. Third parties are changing the dynamics of identity as well as multiplying the number of identities that need to be managed.
Additionally, all of these different identities need varying degrees of access and some may even need privileged access to sensitive data, leaving IT teams to manage a constant flux of identities. Platforms like RSA Identity Governance & Lifecycle allow organisations to manage and govern third-party access to ensure appropriate access to critical systems and sensitive data.
Where are companies currently going wrong when it comes to managing access effectively?
The biggest mistake companies can make is not having a clear understanding of where their crown jewels live. In the wake of massive data breaches that have exposed customer data, trade secrets and more, it’s a sobering reminder that companies must take time to assess and understand where their sensitive and confidential data is housed. Without this it’s impossible to build a complete view of digital risk.
This includes being able to recognize when an identity changes; for example, if an employee’s role (and therefore access needs) changes, the IT team needs full visibility of the transition period between the user’s old and new access privileges to avoid the window of over-privileged access being abused.
End users are also a critical piece of the puzzle and many organisations do not realize how much friction can be caused by restrictive or arduous authentication and access measures. It should be on every IT team’s agenda to look at ways to make identity frictionless, otherwise users will simply find ways to bypass security, creating more blind spots for security teams in the process. Identity authentication solutions should always be coupled with additional security layers to properly manage digital risk and provide a higher level of identity assurance.
Is there a perfect authentication measure companies can use to secure their most critical assets?
In the world of identity, there is no silver bullet for authentication. The challenge for organisations often lies in determining the right authentication strategy. The user population is more dynamic than ever; identities are scattered everywhere, and organisations need a strategy that secures multiple points of access.
There are also more authentication options than ever, from USB keys to hardware tokens and mobile authenticators. As they continue to embrace digital transformation initiatives and consider regulations, organisations must also continue to assess authentication needs and not place the burden of bulletproof security on one authentication solution.
Finally, what are the future issues that will affect companies when it comes to identity risk management?
The notion of a dynamic workforce is only going to become more complex as organisations continue to look to smart devices (which are becoming even smarter) and autonomous processes to improve productivity in day-to-day business operations.
This explosion in the Internet of Things (IoT) has made them a target for hacking, and this has reached a tipping point where the conversation around identity will take on a whole new dimension. The number of identities associated with things or autonomous processes will soon dwarf the number of real humans that these things act on behalf of. Because of this, organisations will need to prepare to manage the evolving and unprecedented digital risk that comes with the identity of things.
Equally, as organisations continue their digital transformation journeys and cybercriminals become savvier, businesses will need to constantly modernise their authentication measures. From USB security keys, to biometrics, to email and mobile, there will be more authentication solutions to assess than ever before.
That being said, there’s no single risk profile that applies to every organisation, big or small, which makes managing digital risk and cybersecurity particularly challenging. When determining the right strategy for identity risk management, organisations will need to take the time to understand how users and their business function and align that with effective measures for identity and access assurance.
Jim Ducharme is the VP of Identity Products at RSA Security.