If we want to get something done, there is usually an application or online service that will help. From managing our bank accounts, to collaborating with colleagues, recovering from an illness, or adjusting the temperature in our office or smart home – we can do it through a web-based service.
No matter how different their applications may be, every service provider will want to offer two essential features to their users: access to everything they need without difficulty or frustration, and protection from anyone wishing to access data they shouldn’t see.
At one time, it was possible for an organisation’s IT team to provide this to their staff and customers independently. The IT team was once able to put firewalls in the right place, manage secure passwords well, and adjust access rights based on each user’s role to keep things secure. Today’s IT environments make that much more difficult to achieve.
So what’s changed, and how can organisations achieve the right balance in user experience and security in today’s changing IT landscape?
Applications or devices can be made up of multiple elements, with some provided by third parties. Those elements can be hosted on premise or in the public or private cloud. On the user’s end, services can be accessed from on any number of devices and apps, across desktop PCs, to smartphones and tablets.
There are many opportunities to be discussed here. In the financial sector for example, traditional high street banks are now able to integrate next generation services from innovative fintech companies into their services. This allows them to be more agile, and to improve user experience quickly without the need to develop cutting edge features in-house.
While this allows banks to focus on what they do best – providing financial products to their customers, it can also introduce a new layer of complexity. It is important for services to be user friendly, since customers will go elsewhere if the interface is difficult to use. They must be accessible through any platform – desktop or mobile, while keeping cyber criminals at bay with appropriate security.
Meanwhile, an increasing number of regulations governing how data should be secured are being introduced worldwide. Any organisation with customers in the EU was obliged to comply with the new data privacy regulation, GDPR by May 2018, but many are still confused about the new requirements. Recent research has highlighted that 28 per cent of organisations still do not feel compliant after the deadline.
Organisations will soon find themselves responsible for yet more requirements governing access to accounts and information. Banks, for example, will be forced to ensure strong customer authentication under PSD2, which will increase the number of services requiring users to take additional steps to authorise themselves such as providing biometric information or a one-time password.
Depending on their business activity, organisations may have to deal with a host of other requirements governing information security, such as NISD for digital service providers, HIPAA for health insurance providers and PCI-DSS for any company handling payment card information.
While it may bring further complexity for businesses obliged to comply, these regulations are being introduced for good reason. Requirements have been introduced to combat cyber criminals’ ability to stay one step ahead of security practices. Threat actors have found vulnerabilities and loopholes that have allowed them to steal the data of millions of customers at a time. The risk of data breaches continues, and it must be addressed on a large scale.
To demonstrate how easy it is to compromise login details, Santander taught an 86-year-old “computer novice” how to break in to online banking accounts in only 13 minutes during a scam avoidance event. Although the hack was just a demonstration and no real money or data was stolen, the stunt highlighted the need for stronger authentication methods.
Passwords are increasingly ineffective against intruders. The chances are, however strong your users’ passwords may be, they may already have been compromised and made available for sale on the dark web. Phishing attacks – where users are fooled into handing over their login credentials, target customers and employees alike. One survey by Wombat Security Technologies highlighted that 76 per cent of organisations experienced phishing in 2017.
It’s also worth remembering that not all threat actors come from the outside. A recent survey by Crowd Research Partners revealed that an overwhelming 90 per cent of organisations felt vulnerable to insider attacks. The top three risk factors enabling the insider threat vulnerability are excessive access privileges (37 per cent), endpoint access (36 per cent), and information technology complexity (35 per cent). Survey respondents are almost equally worried about malicious insiders (47 per cent) and accidental insiders (51 per cent).
Tools for trust
With the increasing presence and sophistication of cyber threats alongside the more complex IT landscape, organisations with large user bases are finding it difficult to manage user identity and access independently. They began to use IAM tools to make this easier, but initial offerings lacked the flexibility to adapt to changing virtual environments.
Organisations today increasingly operate across mixed environments. They may involve data held on premise, in public or private cloud environments. They may also include areas where data is shared with a partner providing part of the service. The workforce, meanwhile, is more mobile than ever with many more employees expected to start working remotely over the next few years.
To cut through the complexity while offering superior security, organisations should look to flexible next generation IAM tools. These tools will reduce the manual workload on the IT department, enabling them to gain control over the environment and enable simple, secure access to users.
Flexibility is fundamental
The best solutions will offer the flexibility to deal with any existing IT environment, while being adaptable enough to handle what the future could bring. The best way to enable this is with a policy-based IAM tool that allows access parameters to be reconfigured. Without extensive and expensive integration work each time adjustment is necessary, these tools will offer the greatest longevity and return on investment.
Once a next generation IAM tool is in place, the IT department can refine the organisation’s access policy. But what should this include? Of course, each business will have different requirements, but there are two strategies that can offer most organisations and their customers peace of mind over security.
Firstly, to counteract risks of cyber-attacks or internal intrusions – whether malicious or accidental, access permissions should be set according to each user’s role. Needless to say, a casual user should not be able to access the same areas that the CEO can. A zero-trust model, where each user can access no more than they need to perform their job or use the service is advisable but will not stop all possible threats.
Top level executives are increasingly targeted in social engineering attacks. There are many reasons why C-level executives are vulnerable to attack – they are the ones with the money, with access to all areas and their details are available publicly. For this reason, it is important to consider more factors than username and password alone before granting access.
Access policies should include dynamic authentication and authorisation, where the context behind a transaction is considered alongside their login details. If a user is in an unrecognised location, using an unrecognised device or is having difficulty proving that they are who they say they are, there’s cause for concern. As such, when these suspicious requests arise and a risk of intrusion is identified, users are further challenged with an extra authentication step.
Requirements for identity and access management will change as business, consumer and cyber criminal activity continues to evolve. Digital evolution shows no signs of stopping, and when new technology is introduced it will need to be compatible with legacy and new, cutting edge infrastructure. While this situation will continue to add complexity, a flexible and effective IAM solution will help organisations to strike the best balance between ease of use and superior security.
Marc Vanmaele, CEO, TrustBuilder
Image Credit: 8MAN