by Rebeca | Dec 21, 2021 | Customer
We are very happy to have participated in an ambitious identity and access management project for Barcelona de Serveis Municipals (B:SM), a project that places the company at the forefront of security, specifically in information protection, identity management and access control.
Barcelona de Serveis Municipals (B:SM) is a company of the Barcelona City Council in charge of providing municipal services. The activities it manages include mobility and the management of facilities dedicated to culture, leisure and biodiversity.
It is an entity that handles a high volume of sensitive information, which it needed to protect efficiently while complying with the RGPD (the Spanish acronym for the General Data Protection Regulation, GDPR) and the ENS (National Security Scheme), both of which are mandatory for public administrations and public companies. It also required precise, automated management of everything related to user administration, from provisioning and synchronization to identity reconciliation and authentication processes that prevent impersonation.
“B:SM needed a solution to delegate, manage, automate and secure access to Active Directory (AD) and ADFS (Active Directory Federation Services) among various administrator groups, and to do it in a segmented way, with change control, protecting sensitive or critical data and ensuring that corporate policies are effectively complied with.”
Soffid provided the answer to these identity and access management needs.
THE SOLUTION WE PROVIDE FROM SOFFID
In March 2020 the on-premises deployment of Soffid began, which has allowed B:SM to centralize the management and orchestration of its identity and access management policies. With a maximum level of security, Soffid provides a single convergent tool from which users and access can be managed automatically in Active Directory, in the Exchange mail server (currently being migrated to Azure) and in Office 365 as the productivity environment. It also integrates with the HR management system, Meta4.
This is a very significant advance with respect to the starting situation, in which user registration in Meta4 and access management were carried out semi-automatically (in Active Directory and Exchange) or entirely manually (in the case of applications).
Now, Soffid allows automated provisioning based on profiles. When a new user is created, their email account and access to it are generated automatically, and their personal folder is also created and shared on the network through Windows Distributed File System (DFS) so that it is accessible from any location, a crucial aspect in mobility and telework situations. In addition, the user is granted access permissions to the corresponding applications according to their profile and regardless of their domain.
This last point is important for managing the users and access of employees of companies in which B:SM holds a stake, such as the Tibidabo Amusement Park (PATSA). This initiative, which covers 1,200 B:SM employees, has not only simplified and streamlined the processes related to user and access management (additions, deletions and modifications), but also raises access guarantees to a maximum level of security and governance, since everything is recorded and audited in Soffid.
THE ROLE OF THE EMPLOYEE
One of the key aspects in both projects has been to take into account the role that people play, even in the phases prior to implementation. Later phases contemplate advances such as Soffid’s role-mining function, which starts from the access that users in a given position actually hold and derives from it, automatically and intelligently, the set of permissions associated with that specific role.
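To make the role-mining idea concrete, here is a small added example (our illustration for this post, not Soffid’s own algorithm or code). It takes a constructed set of users, their positions and the entitlements they currently hold, derives a role per position from what most holders share, and then computes the grants and revocations needed to bring each user in line with that role, which is the same reconciliation a profile-based provisioning engine performs for a new joiner and for existing accounts that have drifted. The sample data, the 75% threshold and the entitlement names are assumptions.

```python
# Illustrative role mining and provisioning reconciliation (assumption: not Soffid's algorithm).
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample data: each user's position (as the HR system would report it)
# and the entitlements (AD groups, mailbox, application roles) they hold today.
POSITIONS: Dict[str, str] = {
    "alice": "parking-operator",
    "bob": "parking-operator",
    "carol": "parking-operator",
    "dave": "parking-operator",
    "erin": "zoo-ticketing",
    "frank": "zoo-ticketing",
}
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"AD:Parking-Ops", "Mailbox", "App:ParkingSys:operator", "AD:DFS-Home"},
    "bob":   {"AD:Parking-Ops", "Mailbox", "App:ParkingSys:operator", "AD:DFS-Home"},
    "carol": {"AD:Parking-Ops", "Mailbox", "App:ParkingSys:operator", "AD:DFS-Home",
              "AD:Domain-Admins"},                                   # outlier: leftover admin group
    "dave":  {"AD:Parking-Ops", "Mailbox", "App:ParkingSys:operator"},  # missing his home folder
    "erin":  {"AD:Zoo-Ticketing", "Mailbox", "App:Ticketing:cashier", "AD:DFS-Home"},
    "frank": {"AD:Zoo-Ticketing", "Mailbox", "App:Ticketing:cashier", "AD:DFS-Home"},
}


def mine_roles(positions: Dict[str, str], entitlements: Dict[str, Set[str]],
               threshold: float = 0.75) -> Dict[str, Set[str]]:
    """Derive one role per position: an entitlement belongs to the role when at
    least `threshold` of the position's holders currently have it. Something held
    by a single person (carol's Domain-Admins) stays out of the role and is
    surfaced for review instead of being baked into everyone's access."""
    holders: Dict[str, List[str]] = {}
    for user, position in positions.items():
        holders.setdefault(position, []).append(user)
    roles: Dict[str, Set[str]] = {}
    for position, users in holders.items():
        counts = Counter(e for u in users for e in entitlements.get(u, ()))
        roles[position] = {e for e, n in counts.items() if n / len(users) >= threshold}
    return roles


def provisioning_delta(position: str, current: Set[str],
                       roles: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Return (grants, revocations) that bring `current` in line with the position's role."""
    wanted = roles.get(position, set())
    return sorted(wanted - current), sorted(current - wanted)


def reconcile_all(positions: Dict[str, str], entitlements: Dict[str, Set[str]],
                  roles: Dict[str, Set[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Identity-consistency check: every user whose entitlements differ from their role."""
    drift = {}
    for user, position in positions.items():
        grants, revokes = provisioning_delta(position, entitlements.get(user, set()), roles)
        if grants or revokes:
            drift[user] = (grants, revokes)
    return drift


if __name__ == "__main__":
    roles = mine_roles(POSITIONS, ENTITLEMENTS)
    for position, perms in roles.items():
        print(position, sorted(perms))
    # A new joiner in the parking team receives exactly the mined role, nothing more.
    print("new joiner:", provisioning_delta("parking-operator", set(), roles))
    # Existing users are reconciled: carol loses the stray admin group, dave gains his home folder.
    print("drift:", reconcile_all(POSITIONS, ENTITLEMENTS, roles))
```

The threshold below 100% is deliberate: it keeps one person’s missing entitlement (dave’s home folder) from dropping out of the role, while a single person’s extra privilege (carol’s admin group) is reported as drift rather than propagated. Mined roles should still be reviewed by the business owner before they are enforced.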
In addition, to gain agility and increase user involvement in security, the implementation of a self-service portal is being considered.
This would allow users to manage their own passwords and to enroll in strong two-factor authentication, whether via hardware token, SMS or another method. The use of Soffid as a single sign-on solution is also being evaluated, which would allow B:SM to extend Microsoft’s federated authentication to other environments and applications.
by Rebeca | Dec 15, 2021 | cybersecurity, News, Resources, Single Sign On
The sheer number of tasks we do online grows every year as we create and discover new opportunities to digitize our world. This is true within the workplace as well, but as we find more processes to automate using cloud-based technology and new apps to improve efficiency, we add more risk to the organization. Each tool added to the technology toolbelt, each interface users enter a password on, each app that we connect to via different networks and devices — they all add to our existing attack surface and present bad actors with seemingly unlimited avenues to cause harm if left unchecked.
This is where a secure, single sign-on solution comes into play — using one reinforced set of credentials to access all of these tools and resources provides quite a few different benefits to modern organizations. SSO reduces the number of attack vectors your organization has, and SSO layered with multi-factor authentication (MFA) creates useful security and compliance controls. So, how do you find a solution that provides these capabilities and more? The answer is simple — look for an integrated, holistic directory platform that focuses on security and productivity.
Implementing an integrated directory solution provides organizations with a single source of truth for identity management and user authentication while providing built-in SSO and MFA capabilities and more. This is an important step to take to mitigate the risk that is inherent when users have to create and input different credentials across a wide variety of tools and resources, thus creating many unnecessary new attack vectors ripe for the taking.
How do businesses ensure they benefit from the convenience of single sign-on without compromising security?
The risk in SSO is that a single credential now opens every connected system: if that credential or the identity provider behind it is compromised, everything it protects is exposed. But by recognizing that inherent gap and compensating with additional controls, namely multi-factor authentication, contextual (risk-based) access policies and session management, you effectively reduce SSO risk and make it a source of both productivity and security.
Working in IT is a constant battle to find the right balance between security and productivity. Nowhere is this clearer than in the need for Active Directory (AD) users to access multiple systems through Single Sign-On (SSO).
SSO solutions eliminate the need for users to remember a unique, complex password for each application and platform they access, replacing it with a single logon facilitating access to multiple systems and applications.
Offering faster access times to applications, with reduced password requirements (usually, one), it’s a no-brainer technology that reduces administrative overhead and support costs, while being a non-disruptive technology with a high adoption rate.
It also comes with some security benefits: because SSO relies on a single credential, the organization can demand a very strong password or passphrase for it, and disabling access enterprise-wide becomes as simple as disabling that one account. But, as with any technology designed to improve productivity, there are often losses on the security side, and SSO carries some implied security risks.
Single sign-on is an authentication process that allows users to securely access multiple related applications or systems using just one set of credentials. Ideally, once SSO has been set up, employees or customers can sign on just once to gain access to all authorized apps, websites and data from an organization or a connected group of organizations.
SSO works based on a trust relationship established between the party that holds the identity information and can authenticate the user, called the identity provider (IdP), and the service or application the user wants to access, called the service provider (SP). Rather than sending sensitive passwords back and forth across the internet, the IdP passes an assertion to authenticate the user for the SP.
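The exchange described above, as an added example that is not part of the original post and not Soffid’s implementation: a toy identity provider authenticates the user locally and issues a signed assertion for one service provider, and the service provider checks the signature, the issuer, the audience, the validity window and replay before trusting the subject. Real deployments use SAML or OpenID Connect, where the IdP signs with a private key and SPs verify with its public key; this example stands in for that with an HMAC over a pre-shared secret so it runs offline. The host names, the secret and the “alice” account are assumptions.

```python
# Toy IdP -> SP assertion flow (added illustration; not Soffid, SAML or OIDC code).
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds the credentials and authenticates the user; the password never reaches the SP."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key
        self.users = {"alice": "correct horse battery staple"}  # constructed account (assumption)

    def authenticate(self, username: str, password: str) -> bool:
        # A real IdP compares a salted hash and adds MFA; a plain comparison keeps the example short.
        return self.users.get(username) == password

    def issue_assertion(self, subject: str, audience: str, ttl: int = 300,
                        now: Optional[float] = None) -> str:
        """Mint a short-lived assertion bound to one audience, with a unique ID for replay detection."""
        now = time.time() if now is None else now
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
        body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64u(sig)}"


class ServiceProvider:
    """Trusts one issuer and accepts an assertion only after every check passes."""

    def __init__(self, name: str, trusted_issuer: str, key: bytes):
        self.name, self.trusted_issuer, self.key = name, trusted_issuer, key
        self.seen_ids = set()  # replay cache of assertion IDs (bounded by their lifetime in practice)

    def verify(self, assertion: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated subject, or None if the assertion must be rejected."""
        now = time.time() if now is None else now
        try:
            body, sig = assertion.split(".")
            expected = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
            # Signature first, in constant time, so nothing below acts on unauthenticated data.
            if not hmac.compare_digest(expected, _b64u_decode(sig)):
                return None
            claims = json.loads(_b64u_decode(body))
        except (ValueError, UnicodeDecodeError):
            return None
        iat, exp, jti = claims.get("iat"), claims.get("exp"), claims.get("jti")
        if not (isinstance(iat, int) and isinstance(exp, int) and isinstance(jti, str)):
            return None
        if claims.get("iss") != self.trusted_issuer:
            return None
        if claims.get("aud") != self.name:          # an assertion minted for mail must not open HR
            return None
        if not (iat - 60 <= now < exp):             # 60 s clock-skew allowance, hard expiry
            return None
        if jti in self.seen_ids:                    # the same assertion presented twice
            return None
        self.seen_ids.add(jti)
        return claims.get("sub")


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the exchange plus a few abuse cases; returns what each SP decided."""
    key = b"pre-shared-secret-between-idp-and-sps"  # assumption: stands in for the IdP signing key
    idp = IdentityProvider("https://idp.example", key)
    mail = ServiceProvider("mail.example", "https://idp.example", key)
    hr = ServiceProvider("hr.example", "https://idp.example", key)

    assert idp.authenticate("alice", "correct horse battery staple")  # 1. user proves identity to the IdP
    token = idp.issue_assertion("alice", "mail.example", now=now)    # 2. IdP issues the assertion
    body, sig = token.split(".")
    forged = _b64u(_b64u_decode(body).replace(b'"sub":"alice"', b'"sub":"bob"')) + "." + sig
    return {
        "valid": mail.verify(token, now=now),           # 3. SP accepts -> "alice"
        "replay": mail.verify(token, now=now),          # same assertion again -> None
        "wrong_audience": hr.verify(token, now=now),    # minted for mail, shown to HR -> None
        "expired": ServiceProvider("mail.example", "https://idp.example", key).verify(token, now=now + 600),
        "tampered": mail.verify(forged, now=now),       # subject edited, signature no longer matches
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

The audience and replay checks are the ones most often missing in home-grown SSO code, and they are exactly what lets one assertion be re-used against a second application or a second time.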
Single sign-on (SSO) has been prevalent in many organizations for years, but its importance is often overlooked and underappreciated. With many enterprises moving to the cloud and taking advantage of third-party services, seamless access to multiple applications from anywhere and on any device is essential for maintaining business efficiency and a seamless customer experience.
What is the Purpose of SSO?
Single sign-on’s main purpose is to give users the ability to log in to individual apps and resources within a trusted group using a single set of credentials. This makes it much easier for the user, who doesn’t have to sign on multiple times, and more secure for the business, since there are fewer opportunities for a password to be lost, stolen or reused.
What are the Benefits of SSO?
Your employees and customers probably don’t like memorizing many different credentials for multiple applications. And if your IT team has to support multiple apps, setting up, switching and resetting passwords for users requires countless hours, IT resources and money that could be spent elsewhere.
Increased Productivity
Single sign-on increases employee productivity by reducing the time they must spend signing on and dealing with passwords. Employees need access to many apps throughout their workday, and they have to spend time logging in to each of them, plus trying to remember which password goes to which, plus changing and resetting passwords when one is forgotten. The wasted time adds up.
Users with just one password to access all of their apps can skip all that extra time spent logging in. They also won’t need password support as often, and SSO solutions often give them access to a handy dock where all their apps are at their fingertips.
Improved Security
With good practices, SSO significantly decreases the likelihood of a password-related compromise. Since users only need to remember one password for all their applications, they are more likely to create solid, complex and hard-to-guess passphrases. They are also less likely to reuse passwords or write them down, which reduces the risk of theft. The flip side is that this one password now guards everything, which is why the two controls below matter.
An excellent strategy to provide an additional layer of security is to combine SSO with multi-factor authentication (MFA). MFA requires that a user provide at least two pieces of evidence to prove their identity during sign-on, such as a password and a code delivered to their phone.
Risk-based authentication (RBA) is another good security control, in which your security team uses tools to monitor user behavior and context and detect unusual activity that may indicate an unauthorized user or an attack. For example, after repeated login failures or a login from an unexpected IP address or location, you can require MFA or block the account entirely.
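As an added example of the two controls just described (our code, not from the original post): a simple risk engine that replays constructed sign-in events, counts recent failures per user, compares the source IP and country with what that user has successfully used before, and decides for each attempt whether to allow the login, step up to MFA or block it. The log format, the thresholds, the ten-minute window and the baseline of known locations are assumptions.

```python
# Risk-based step-up decisions over constructed sign-in events (added illustration).
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed events, one attempt per line: timestamp user source_ip country credential_result
EVENTS = """\
2021-12-15T08:00:00Z alice 203.0.113.7 ES OK
2021-12-15T08:05:00Z alice 198.51.100.20 ES OK
2021-12-15T08:06:00Z alice 198.51.100.20 ES OK
2021-12-15T09:00:00Z bob 192.0.2.9 ES FAIL
2021-12-15T09:00:10Z bob 192.0.2.9 ES FAIL
2021-12-15T09:00:20Z bob 192.0.2.9 ES FAIL
2021-12-15T09:00:30Z bob 192.0.2.9 ES FAIL
2021-12-15T09:00:40Z bob 192.0.2.9 ES FAIL
2021-12-15T09:00:50Z bob 192.0.2.9 ES FAIL
2021-12-15T09:30:00Z carol 203.0.113.50 RU OK
"""

# Baseline from earlier successful logins (assumption): (ip, country) pairs per user.
KNOWN: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("203.0.113.7", "ES")},
    "bob": {("192.0.2.9", "ES")},
    "carol": {("203.0.113.8", "ES")},
}

FAIL_WINDOW = timedelta(minutes=10)
MFA_AFTER_FAILURES = 2      # thresholds are assumptions; tune them to your own baseline
BLOCK_AFTER_FAILURES = 5


class RiskEngine:
    def __init__(self, known: Dict[str, Set[Tuple[str, str]]]):
        self.known = {user: set(pairs) for user, pairs in known.items()}
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    def decide(self, user: str, ip: str, country: str, now: datetime) -> str:
        """Policy evaluated before the credential is checked: 'allow', 'mfa' or 'block'."""
        recent = self.failures[user]
        while recent and now - recent[0] > FAIL_WINDOW:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= BLOCK_AFTER_FAILURES:
            return "block"
        if len(recent) >= MFA_AFTER_FAILURES:
            return "mfa"
        if (ip, country) not in self.known.get(user, set()):
            return "mfa"        # new address or country; a stricter policy might block a new country
        return "allow"

    def record(self, user: str, ip: str, country: str, now: datetime,
               decision: str, result: str) -> None:
        """Learn from the outcome: a non-blocked success teaches a new location, a failure counts."""
        if decision == "block":
            return
        if result == "OK":
            self.known.setdefault(user, set()).add((ip, country))
        else:
            self.failures[user].append(now)


def run(log: str, known: Dict[str, Set[Tuple[str, str]]] = KNOWN) -> List[Tuple[str, str, str]]:
    """Replay the log in order; return (timestamp, user, decision) for every attempt."""
    engine = RiskEngine(known)
    decisions = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        decision = engine.decide(user, ip, country, now)
        engine.record(user, ip, country, now, decision, result)
        decisions.append((ts, user, decision))
    return decisions


if __name__ == "__main__":
    for ts, user, decision in run(EVENTS):
        print(ts, user, decision)
```

Replaying the sample, alice is stepped up once for a new address and then allowed, bob’s password-guessing run is pushed to MFA after two failures and blocked at five, and carol’s first login from a new country is challenged even though her password was correct.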
Decreased IT Costs
A Gartner study reports that over 50 percent of all help desk calls are due to password issues, and a Forrester study puts the cost of a password reset at upward of $70 per fix. The more passwords a user has, the greater the chance of forgetting one, so SSO drives down help desk costs by reducing the number of required passwords to just one.
Some organizations have also been imposing specific password requirements, such as length and special characters, that make passwords harder to remember: a trade-off of stronger passwords for more password resets. SSO can help alleviate some of those costs.
Improved Job Satisfaction for Employees
Employees use more and more apps at work to get their jobs done, and each third-party service requires a separate username and password. This places a heavy burden on workers and can be frustrating: 68 percent of employees switch between ten apps every hour. Only having to sign on once improves productivity, as discussed above, but it also enhances job satisfaction by allowing employees to work without interruption, quickly access everything they need, and take advantage of the third-party apps that make their jobs easier. Easy access is particularly valuable for employees who are in the field or working from multiple devices.
Sources:
(1) Solution Review
(2) IT News
(3) GovInfoSecurity
by Rebeca | Dec 8, 2021 | cybersecurity, News, soffid
There is no “one size fits all” when it comes to cybersecurity.
Over the last six months we have seen an escalation in the number of reported cyberattacks, in their range and sophistication and in their long-lasting impact on businesses; the Colonial Pipeline attack and SolarWinds are just two examples. These events highlight the importance of an effective cybersecurity strategy for every organization: even if an organization suffers such an attack, there should be processes in place to limit the severity of the consequences. To do that, companies must monitor and be aware of the main security risks and respond effectively to incidents as they occur.
Still, each organization is different in its make-up, business needs, productivity measurements and workflows. Each organization has different network architectures and software. There is no “one size fits all” when it comes to cyber security.
CISOs and security teams are usually aware that they need to identify the cyber risks most likely to affect their own business’ smooth running and build a security infrastructure aligned with the company’s risk tolerance level. But that is easier said than done.
Even now, with everything that has occurred, many enterprises do not prioritize personnel and budget for this purpose, often leaving the CIO or CISO and their team to fend for themselves. Without appropriate resources and without full company involvement and support, that is a very tall order.
In addition to organizational support, with the plethora of different approaches and tools, identifying the optimal security path requires adopting proactive and scalable methods and the ability to prioritize the different types of cyber threats.
Whether you obsess about cybersecurity every day or you are completely new to the process, there are certain things you should consider to make your company’s cybersecurity strategy successful. In this post we cover the elements you should include in your strategy, whether you are the sole proprietor of a brand new business or looking to transform the security posture of a large, well-established organization.
- Understand the difference between compliance and security. Whenever your company collects personal information or data as part of its relationship with customers or vendors, you have an ethical, if not legal, obligation to be a responsible steward of that data. It is not enough to say “we won’t share your personal information” or to be able to produce the required audit reports when asked, because that is compliance, not security. The first step in creating a security strategy is knowing what data you collect, where it is stored, who has access to it, and why. This lets you establish what “normal” data use looks like for your organization and makes it much easier to notice when someone is trying to steal it.
- Make data security everyone’s responsibility. Forrester Research has reported that 80% of security breaches involve privileged credentials. In many of those cases a credential was exposed to an attacker, whether through an insider’s mistake, through malicious intent or through outright theft, and sensitive personal data likely went with it. Another pillar of a cybersecurity strategy should therefore be educating employees on the fundamentals of limiting exposure of their credentials. This can be as simple as asking people to log out of sensitive databases when they are finished or helping them recognize a likely phishing attack. An organization like the National Cyber Security Alliance offers great resources to get you started. It is also important to consider data access control. With the right technology, organizations can apply role-based access control rules to align individuals’ privilege levels with the actual requirements of their job function, not just once but on a continuous basis.
- Account for the roles of your cloud vendors and hosting providers. Organizations large and small place sensitive data in cloud-native architectures for a myriad of reasons. AWS’ very useful Shared Responsibility Model explains well that the cloud vendor secures the underlying infrastructure in which customers store data, but it is the customer’s responsibility to apply their own security policy to the data and configuration they put there. This detail seems to be lost on the vast majority of organizations: Gartner predicts that through 2022 at least 95% of cloud security failures will be the customer’s fault. Part of your security strategy should be working with all your cloud vendors to ensure that their environments are configured to give you full visibility into your data so you can apply your security policy to it. Many retail and services organizations also rely on an ISP or hosting provider to run their websites and depend on them to keep those sites up regardless of traffic levels. If your website were ever subject to a Distributed Denial of Service (DDoS) attack, whose sole purpose is to make your website and servers unavailable to legitimate users, you could be facing an existential threat. In many cases, to protect the other sites it hosts from degraded performance, a provider will simply take a site under DDoS attack offline until the attack stops. Your security strategy needs to account for DDoS attacks and have a solution in place that disperses illegitimate traffic without shutting down your website, so that real customer traffic still reaches your organization.
- Have a plan for when you are breached. Despite best efforts, breaches happen, and your data security strategy needs to account for what happens next. You should have an incident response and recovery plan in place to contain the breach, prevent further damage and identify its source, and to inform stakeholders and law enforcement. The plan should also ensure that what is learned during the incident is captured and used to prevent future ones.
While these elements are essential, they are not all you need. We strongly recommend working with cybersecurity experts to accurately evaluate your specific threat landscape and help you build a sustainable data security strategy for today and the future.
Today’s hyperconnected and decentralized workforce maneuvers within dynamic network architectures and programs that have moved to the edge and the cloud. Therefore any effective cyber defense strategy must start with open communication between the CIO/CISO, security teams, and company executives.
This open line of communication has been especially important since 2020. With more employees working remotely, security officers face the added challenge of providing remote workers with additional layers of security, since the organization is more exposed to cybercriminals. They are also tasked with improving the monitoring of workers who have access to sensitive information, to prevent internal breaches.
Integrating business operations with security personnel helps employees understand security better. It also allows cybersecurity professionals to consider the organization’s business strategy and priorities, while establishing cyber security policies and managing cyber risk solutions and monitoring.
Additionally, establishing core security principles and policies empowers the CIO/CISO to focus both on individual applications and on the broader company infrastructure.
While CISOs are tasked with keeping an eye on cybersecurity threats, identifying key vulnerabilities and coming up with defensive and risk mitigation solutions, the organization’s management should be actively involved in improving the company’s cyber-resilience.
Sources:
(1) Security Boulevard
(2) CIO.com
(3) The World Economic Forum
by Rebeca | Dec 1, 2021 | cybersecurity, News, soffid
November 30 is International Information Security Day (also known as Computer Security Day). The celebration dates from 1988, as a consequence of the first registered case of malware spreading across the network, the Morris worm, which affected around 10% of the machines then connected to the Internet (at the time still largely ARPANET).
In response, the Association for Computing Machinery (ACM) declared that every November 30 people should be reminded of their obligation and need to protect their data from any kind of malicious action in the digital sphere.
Today most of a company’s sensitive information lives on the Internet, more specifically in various clouds. Workers are the first line of responsibility for safeguarding this data and for not sharing it through any channel that could put the information at risk.
The day is meant to create greater awareness of computer security issues and to encourage people to secure the personal information stored on their computers.
To join the celebration, here are some basic tips that every Internet user should follow.
How to protect your internet security
- Manage your passwords well: it is not only a matter of length, but also of choosing a password with no obvious relation to you (not your dog’s name or your date of birth) and that is not a dictionary word. Second, use a different password for each site or portal rather than one for everything; a password manager makes that practical.
- Don’t trust public Wi-Fi: you can use it to look something up, watch a video while waiting for the train or read the news, but don’t use it for high-risk activities such as logging in to your bank, or even to your social networks or email.
- Always update your software: we all find it tedious when the computer or our website tells us that a program or plugin needs updating, but these updates usually patch security holes left open by the previous version that put our data at risk.
- Don’t download anything from anywhere: a bad habit of Internet users is that we love what is free, so without much thought we click download. The same goes for emails with an attachment that looks interesting. First make sure the website or sender is trustworthy, then download the content.
- Your mobile phone is also a computer: manage it just as you do your PC, that is, install an antivirus and be careful about the sites you visit with it.
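The first tip can be turned into a check rather than a reminder. This added example (our code, not from the original post) scores a candidate password against the rules above: minimum length, no personal details such as a pet’s name or birth year, and no common words even when they are disguised with the usual digit and symbol substitutions. The word list and the personal details are constructed for the example; a real deployment would check against a breached-password list rather than a handful of words.

```python
# Password checks behind the first tip (added illustration, not from the original post).
import re
from typing import Iterable, List

# Constructed stand-in for a common/breached-password word list (assumption).
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "barcelona", "summer", "admin"}

# Reverse the usual "leet" substitutions so p@$$w0rd is still recognized as "password".
_UNLEET = str.maketrans("@$01357!", "asoiesti")


def password_problems(password: str, personal: Iterable[str] = (),
                      dictionary=COMMON_WORDS, min_len: int = 12) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed every check."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    lowered = password.lower()
    # Personal details the attacker can look up: pet names, birth years, street names, ...
    for item in personal:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal detail '{item}'")
    # Dictionary check on the de-leeted form, so "B@rcelona" does not slip through.
    plain = lowered.translate(_UNLEET)
    for word in sorted(dictionary):
        if len(word) >= 4 and word in plain:
            problems.append(f"contains common word '{word}'")
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains a year")
    return problems


if __name__ == "__main__":
    details = ["Rex", "1984"]          # constructed: the dog's name and a birth year
    for candidate in ["Rex-03-1984", "Barcelona2021!", "P@$$w0rd2021", "correct horse battery staple"]:
        print(f"{candidate!r}: {password_problems(candidate, details) or 'ok'}")
```

A long passphrase of unrelated words passes, while the typical “capital letter, year, exclamation mark” construction fails twice over. The check rejects; it does not need to store the password anywhere.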
Cyber security is no longer enough: businesses need cyber resilience
Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.
Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.
Challenges in the use of maturity models
An assessment-focused framework based on a numerical score can lead to a box-checking culture. But cyber resilience is not about comparison, and there is no final destination. A measurement framework should scale across industries by focusing on the people, processes and technology required to ensure entire value chains are resilient.
When the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cyber security was introduced there was a national call to action. Now, society and business are at another turning point. Both public and private organizations are working in entirely new, more digital, more distributed ways, which has further opened the floodgates to cyber risk. The May 2021 Presidential Executive Order states that “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.
And like the NIST Framework, it’s important that a new, scalable cyber resilience framework is developed out of just such a partnership, fit for organizations to use across industries. So consider this an open call: can we come together to establish this framework? Can we make cyber resilience a part of business as usual? We need to work together, to make everyone stronger.
Sources:
(1) World Economic Forum
(2) Marketing Research Telecat
(3) Security Info Tech
by Rebeca | Nov 25, 2021 | cybersecurity, News, soffid
We’ve all been targeted in phishing attacks — fake messages from a seemingly trusted or reputable source designed to convince you to click on a malicious link, reveal information, give unauthorized access to a system or execute a financial transaction.
It may come as a text message, a phone call, or an email.
Someone may warn you that an account is in arrears, your Social Security Number is being “suspended,” or that you may be arrested for “fraud.” They may even have a portion of your SSN as “proof,” and claim they are going to increase your benefit.
They may claim that your SSN is being used to commit fraud in another state and that you need to call “them” back as soon as possible, or warn of pending legal action. They may say that your “account” is being renewed on your pre-arranged credit card for some service you never subscribed to.
These are all examples of “phishing” attacks that are seeking your personal information in order to cheat or steal from you.
Fraud has become a multi-billion dollar industry, and despite warnings, hundreds of thousands of Americans fall victim to these attacks every year. Don’t be one of them.
It’s important to understand that the Internal Revenue Service, the Social Security Administration and other government organizations will not call you out of the blue; they will mail you the information you need. If you log on to their sites, check that the web address (URL) clearly shows that you are connected to a .gov website: the .gov has to be the end of the site’s host name, not merely appear somewhere in the address.
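That “.gov” check deserves a precise definition, because phishing URLs are built to pass a casual glance: “www.irs.gov.example.com” and “https://www.irs.gov@example.com” both contain the string, but neither connects to a government site. This added example (our code, not from the original post) parses a URL the way a browser does and accepts it only when the host actually ends in .gov and the connection is over HTTPS. The sample URLs are constructed.

```python
# Checking that a URL really lands on a .gov site (added illustration; sample URLs constructed).
from urllib.parse import urlsplit


def is_gov_site(url: str) -> bool:
    """True only when the host the browser will actually connect to ends in .gov, over HTTPS."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme != "https":          # a government login page over plain HTTP is itself a warning
        return False
    if parts.username is not None:       # 'https://www.irs.gov@evil': everything before '@' is a username
        return False
    host = parts.hostname                # lower-cased, without userinfo, port, path or query
    if not host:
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "gov"


SAMPLE_URLS = {  # constructed examples with the expected verdict
    "https://www.ssa.gov/myaccount/": True,
    "https://www.irs.gov:443/payments": True,
    "http://www.irs.gov/": False,                       # not HTTPS
    "https://www.irs.gov.example.com/login": False,     # .gov is only a subdomain label
    "https://www.irs.gov@example.com/login": False,     # userinfo trick, real host is example.com
    "https://example.com/www.irs.gov/": False,          # .gov in the path
    "https://irs-gov.example.net/": False,              # look-alike name
}


def check_samples() -> dict:
    """Run every sample through the check; used below and by the tests."""
    return {url: is_gov_site(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print("OK   " if verdict else "AVOID", url)
```

The suffix test is meaningful because .gov is a restricted top-level domain that only U.S. government entities can register. It says nothing about a legitimate site that has itself been compromised, and other countries use different suffixes (for example .gov.uk), so adapt the last label to the government you deal with.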
You will never get a legitimate call from a “private investigator” who is working on a bank fraud case and asking for your help, another common scam. They may simply be trying to sell you an auto warranty. Just hang up.
If someone asks you for secrecy, it’s they who are trying to hide. Never give a credit or debit card number, or any other personal information, to a caller or to anyone who says they need to “confirm your identity.” Never listen to anyone who tries to gain your trust by providing fake “documentation,” false “evidence,” or the name of a real government official.
Many phishing attempts are easily recognizable, like Mark Zuckerberg contacting you personally about a prize you’ve won. If you’re ever in need of a laugh, one writer spent two years replying to phishing emails and then wrote an entire book on his hilarious exchanges with fraudsters.
At this point, phishing is widely accepted as a “given” — part of daily online life. However, attackers keep innovating, finding new ways to social engineer their victims by preying on their natural curiosity, trust and compassion for others. And today, there are plenty of phishing schemes that aren’t so obvious and can potentially dupe even the most cautious online user. For example, highly convincing COVID-19 scams, from Facebook messages from “friends” who’ve fallen on hard financial times to emails requesting proof of vaccination status, are rampant right now.
According to US-CERT, some of the most common, and seemingly legitimate, phishing emails include fake communications from online payment or internet service providers (claiming there is a “problem” with your account); false accusations from the FDIC of violating the Patriot Act (requesting that you “verify” your identity); and phony communications from your employer’s IT department (seeking passwords or other sensitive information that somebody can use to gain access to corporate systems and data).
In today’s digital age, keeping your personal information personal is vital to ensuring that your assets are not put at risk. If your information is compromised, you’re vulnerable to fraud, hacking, and identity theft which can cost countless hours and significant amounts of money to correct or repair.
With online shopping trumping in-store retail this holiday season, cybercriminals will have no shortage of potential victims to target. And they’ve only gotten smarter and more nefarious over the past year.
Bad Actors Are Taking Advantage Of Pandemic-Related Shortages
“The pandemic has caused significant shortages in many items, especially electronics,” said Erich Kron, security awareness advocate at cybersecurity firm KnowBe4. “This season is already known for the stress related to finding that must-have gift, however, the continued emotional stress caused by the COVID-19 pandemic combined with the even more significant shortages is causing people to take bigger risks to get that perfect gift. This means turning to unknown online vendors or social media marketplaces as a desperate last resort. Unfortunately, these risky moves often result in disappointment as scammers take the money and run.”
Phishing attacks are on the rise.
In 2020, 93% of UK organisations were targeted by Covid-19-related malware, and 88% of security professionals reported an increase in phishing attacks.
Often the criminals behind phishing attacks aren’t after money directly. They are after something potentially far more valuable: data.
When phishing attacks trigger data breaches, the consequences for businesses can be severe.
Reputational damage
Following the announcement of a data breach, a company’s reputation immediately takes a hit.
Headlines like “British Airways data breach: Russian hackers sell 245,000 credit card details” and “EasyJet admits data of nine million hacked” become mainstream news stories. It doesn’t matter how formidable a company’s PR department might be.
Such reports can take years to fade from memory. As long as they linger, they influence public opinion of a brand.
Loss of custom
Reputational damage is just the beginning of the backlash.
News of a data breach tends to make customers nervous. A 2019 survey revealed 44% of UK consumers will stop spending with a business for several months in the immediate aftermath of a data breach. 41% of consumers reported they would never return to a business that had experienced a breach.
After 157,000 TalkTalk customers had their data compromised in 2015, customers left in their thousands. The costs of the breach reached £60m in 2016 alone. In 2019, it was reported that the company failed to notify 4,545 customers affected by the breach at the time. The ramifications, it seems, will continue for years.
Phishing scams are the most commonly reported type of cybercrime, and attackers frequently target business email to increase their profit potential. Companies can help employees protect themselves from these common attacks by offering training and education on what to look out for in phishing schemes. Individuals also need to be diligent about unexpected emails or communications, and the same caution applies to voice calls, text messages and other digital interactions.
In general, businesses are at a high risk of fraud due to a variety of factors, including large amounts of operating cash, multiple online users, and regular patterns of electronic and check payments. These payments can be targeted by account takeover or business email compromise scams.
See how Soffid can help you stay ahead of the curve in a rapidly evolving digital world and reduce your company’s exposure to phishing and credential-based attacks. Shall we talk?
Source:
(1) consumer.ftc.gov
(2) Dark Reading
(3) TechNews