A truly strategic approach to security has never been more business critical

Organisations must make sure they have the right strategy in place for device and person-based identity and access management.

Whatever industry they operate in, in 2017 organisations are coming under transformational pressure from a multitude of different angles: from disruptive competitors driving the need for agile service delivery, through to regulatory pressure such as the EU’s General Data Protection Regulation (GDPR) or the Payment Services Directive 2 (PSD2). The modern end user is also more educated, informed and demanding than ever before, expecting seamless sign-up and sign-in services, coupled with a personalised experience that combines security with privacy.

In the face of these competing pressures, organisations must make sure they have the right strategy in place for device and person-based identity and access management, one that will enable them both to improve the end user experience and to give the right access, to the right people, at the right time.

Staying secure is tougher than ever

Today, cyber security attacks are more complex, frequent and difficult to detect and prevent than ever before. 2015, for example, saw a 55 per cent year-on-year increase in the number of spear phishing attacks experienced by large and small organisations alike.

The addition of IoT-led programmes in sectors such as automotive, insurance and healthcare introduces a new potential attack vector. The October 2016 attack on DNS infrastructure provider Dyn highlighted the damage an IoT-powered botnet could inflict. Dyn estimated that approximately 100,000 malicious endpoint devices were involved in the attack, providing another clear sign that IoT security should be a key concern for every device manufacturer or service owner that interacts with devices.

Counting the cost 

The true impact of cyber security attacks is difficult to estimate. IBM and The Ponemon Institute’s 2016 Cost of Data Breach Survey estimated that the consolidated total cost of a data breach grew from $3.8 million in 2014 to $4 million in 2015, with the average cost incurred for each lost or stolen record containing sensitive and confidential information increasing from $154 to $158.

When you consider that Symantec’s 2016 report found that, in 2015, over half a billion identity records were lost or stolen, the total cost of security failures is staggering. Of course, Symantec’s figures do not account for unreported or unknown cases of identity theft.

Beyond these direct costs, the brand damage alone will often be considerable for businesses. This should in most cases be a big enough incentive for organisations to deliver secure, privacy preserving services across a multitude of devices.

Smart, simple & secure?

Information security initiatives continually face the age-old challenge of how to provide secure login and access management services without inhibiting the end user experience. End users want a friction-free journey, for both public and private sector services.

Many end users are literally one click away from moving to a competitor, which means organisations must find a way not only to deliver security but also to simultaneously improve the user experience, without being seen as overly protective or restrictive.

Modern end user login journeys should now encompass a multitude of different factors. The days when a simple username and password were sufficient for a secure authentication process are long gone. End user chosen passwords are rarely complex enough to provide uniqueness, and many organisations still struggle to store password data securely, often using outdated encryption processes that can be easily reversed. Password storage should, at a minimum, leverage modern approaches such as scrypt or bcrypt, which significantly reduce the ability to brute force the underlying password values.
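As an added illustration of the storage contrast described above (example code, not from the article or ForgeRock), the legacy unsalted fast hash sits beside an scrypt-based scheme using Python's standard library; the work-factor parameters and the `scrypt$…` record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Legacy approach: an unsalted, fast hash. Identical passwords produce
# identical records, and precomputed tables recover common values quickly.
def legacy_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Hardened approach: scrypt with a random per-user salt and a work factor
# that makes every guess expensive in both CPU time and memory.
N, R, P = 2 ** 14, 8, 1   # constructed work-factor parameters for this example

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P)
    # Self-describing record: algorithm and parameters travel with the hash,
    # so the work factor can be raised later without breaking old records.
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)
```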

Nevertheless, authentication should no longer rely just on username and password, but instead focus upon a range of different data points. The login process should involve data such as the time of day, geolocation, the device a request is coming from, the last time the user changed their password or successfully logged in, as well as any other risk-related data. This contextual approach to correctly identifying a user increases the number of components that a malicious operative would need to compromise in order to gain access to a service or application.

If a high-risk user is identified, secondary authentication mechanisms should be considered. At its most basic, this could be a one-time password sent out-of-band to a pre-registered mobile number or email address. However, these methods too are open to interception; more modern secondary factors such as mobile push authentication, coupled with local fingerprint biometrics or local PIN entry, are more suitable.

Once a user is authenticated, the security checking shouldn’t stop there. Continual authorisation controls should also be used, verifying that the user session or cookie hasn’t been intercepted and replayed, by tying the session to the original device or performing geolocation checks.
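The three paragraphs above describe one flow: score the login context, step up when risk is high, then bind the session to the device. As an added example (not code from the article or from ForgeRock), the following scores the data points the article lists and binds a session token to the originating device; the account profile, weights and threshold are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed login context; the field names are assumptions for this example.
@dataclass
class LoginContext:
    username: str
    device_id: str            # fingerprint of the requesting device
    country: str              # geolocation derived from the source address
    hour: int                 # local hour of day, 0-23
    days_since_pw_change: int
    days_since_last_login: int

# Constructed profile of what is "normal" for an account.
KNOWN = {"alice": {"devices": {"dev-laptop-01"}, "countries": {"GB"},
                   "usual_hours": range(7, 22)}}

def risk_score(ctx: LoginContext) -> int:
    """Each anomalous data point adds to the score; the more points that
    disagree with the profile, the more an attacker would have to spoof."""
    profile = KNOWN.get(ctx.username)
    if profile is None:
        return 100                      # unknown account: treat as high risk
    score = 0
    if ctx.device_id not in profile["devices"]:    score += 40
    if ctx.country not in profile["countries"]:    score += 30
    if ctx.hour not in profile["usual_hours"]:     score += 10
    if ctx.days_since_pw_change > 365:             score += 10
    if ctx.days_since_last_login > 90:             score += 10
    return score

def decide(ctx: LoginContext, threshold: int = 30) -> str:
    """'allow' below the threshold, otherwise 'step-up' (second factor)."""
    return "step-up" if risk_score(ctx) >= threshold else "allow"

# Continual authorisation: the session token is an HMAC over the session id
# and the device fingerprint, so a cookie replayed from another device fails.
def issue_session(secret: bytes, session_id: str, device_id: str) -> str:
    msg = f"{session_id}|{device_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_session(secret: bytes, session_id: str, device_id: str, token: str) -> bool:
    expected = issue_session(secret, session_id, device_id)
    return hmac.compare_digest(expected, token)
```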

Securing the Internet of Things

The attack on Dyn highlighted the need for organisations to have a clear strategy on IoT and browserless devices. These devices need to be securely authenticated, to validate that they are not counterfeit and that their operating system or firmware has not been tampered with or “rooted”.

A valid device, especially in the consumer world, should then be securely “paired” to a physical user, and receive only the permissions needed to access cloud services or APIs on its owner’s behalf. There should also be a clear and simple method for a device owner to revoke any access previously given to a device, in the event of loss, theft or resale.

Many organisations need to expand their identity registration, authentication and authorisation services to cover device onboarding, pairing and authorisation as a minimum, in order to integrate IoT-based devices.

The personalisation & privacy paradox

The infosec-versus-usability challenge is a paradox that has been around a long time. However, it must now also be considered in light of a renewed focus on end user privacy. Security and privacy are subtly different, but they are intrinsically related. Consumers demand a greater level of personalisation when it comes to their application and service interactions. Recommendations, preference history and proactive interactions are all now an expected part of the modern online experience.

However, for service providers to deliver such personalisation, they require vast amounts of data. The EU General Data Protection Regulation, which comes into effect in May 2018, aims to provide more control and transparency for the end user, so that they know exactly who has access to their personal data and why, with the option to revoke access at any time.

GDPR will require more than just appointing a Data Privacy Officer; it will require comprehensive identity and access management services in order to provide the right to erasure, breach notification services, transparent consent models and more.

Security and privacy must be top priorities

Modern organisations are undoubtedly facing an increasingly complex array of competitive and transformative challenges. If businesses are to thrive in this environment then they need to make sure that they are taking a strategic approach to combining agile applications and modern services with robust security, smarter device integration, and strong personal data protection and privacy management.

Simon Moffat, Senior Product Manager, ForgeRock