by Rebeca | Jun 9, 2021 | cybersecurity, News, soffid
The 2020 Global State of Least Privilege Report shows that two-thirds of organizations now consider the implementation of least privilege a top priority in achieving a zero-trust security model.
Below, we take a look at some of the critical drivers for the adoption of least privilege. We also explore the failure of traditional systems and how modern solutions such as Software-Defined Perimeter, Secure Web Gateway and Risk-Based Authentication, among others, engender greater enterprise network security.
Access is Responsibility
According to an Identity Defined Security Alliance (IDSA) study published last year, 79% of enterprises experienced an identity-related security breach in the previous two years. Last year, just as the COVID-19 pandemic gathered momentum, another report revealed a rise in attacker access to privileged accounts, which puts businesses at a greater risk.
It is important to note that in this age where data is everything, access is equal to responsibility. Therefore, the greater access a person has at a given moment, the greater responsibility they have to protect the data that they have access to. According to the State of Security blog, author Anastasios Arampatzis states that the central goal of privilege access management, which he admits covers many strategies, is the enforcement of least privilege.
Privileged accounts are a liability precisely because the data they have access to makes them attractive targets to cyber attackers. The greater the level of access an account has, the more significant the impact of an attack would be. More so, the greater the number of privileged accounts on a network, the more catastrophic an account compromise could be. Basically, every additional privileged account multiplies the risks on a network. Therefore, it is crucial to keep the circle of privilege small in order to limit unnecessary data exposure.
Legacy Systems: The Failure of VPNs to Adequately Secure
Amidst the current challenges in privileged access management, organizations are beginning to explore alternative solutions to traditional VPN technology and other legacy security solutions which have failed in actively securing privileged accounts. One notable problem is the lack of remote user security on many VPN products, and they neither integrate well with identity providers nor properly implement user policies on identity access and authorization. The weakness of VPNs are made more apparent in this age of remote work.
At the turn of the pandemic, companies had to allow their employees to work from home. This led to a surge in VPN adoption. According to the Global VPN Adoption Index report, VPN downloads reached 277 million in 2020 based on data collected from 85 selected countries.
The cybersecurity landscape can be described as a kind of cat-and-mouse race. In response to this trend, cyber attackers shifted their focus to exploiting VPNs, amongst other techniques such as phishing. However, being a legacy technology that has somehow due to its ubiquity made its way to more modern times, VPNs have become quite weak. Based on the assertion that “VPNs are designed to secure data in transit, not necessarily to secure the endpoints,” it is easy to see why the ‘new normal’ in cybersecurity is the protection of endpoints in an age where data is gold.
Least Privilege Solutions and Technologies
The current overhauling of our approaches to access management and authentication has given birth to the rising adoption of the cybersecurity of least privilege. This principle is connected to another swelling trend in cybersecurity: the zero-trust model.
Zero trust cybersecurity entails the withholding of access to a protected network until legitimate authorization is established. Access control and identity management are part of the components of a zero trust security architecture.
True zero trust technologies adopt the principle of least privilege by default.
The need for privileged accounts is common to most information systems. These accounts are necessary to perform scheduled configuration and maintenance tasks, as well as supervening tasks such as the recovery of a hardware or software failure or the restoration of a backup. Due precisely to the need to use these accounts in an unplanned manner, their management must combine security, procedures and flexibility.
In order to effectively manage these accounts, the Soffid product has the necessary logic to Identify accounts, classify them according to the level of risk and its scheme of use, distribution and assignment to responsible users, automatic and planned password change process, passwords delivery process to authorized users and automatic injection of passwords, when this injection applies and makes sense.
Conclusion
The principle of least privilege in cybersecurity is not just an exciting fad that would go away soon. Rather, it is becoming a standard model and best practice for network protection in the new normal of cybersecurity.
Implementing least privilege works like buying insurance; the strength and impact of an attack can be measured by the level of privilege a compromised account has. This can put things into perspective in fighting data breaches.
Sources:
(1) Tripwire
(2) Security Tech
by Rebeca | Jun 2, 2021 | cybersecurity, soffid
A constantly changing regulatory environment has become the “new normal” for data privacy. Consumers are demanding more protection and accountability. And with the flood of all the new and changing privacy regulations, data has become the newest regulated asset class.
Today, risk, security and data protection officers are responsible for planning, deploying and managing enterprise-wide data privacy and security programs. However, without buy-in from executive management — as well as participation from multi-departmental data stakeholders — the security program will probably not be able to effectively preserve and secure private and sensitive data, inevitably leading to an organization in regulatory non-compliance or falling victim to a data breach.
A Good Data Policy Offers Protection And Assurance
An effective security policy is put into practice throughout the organization. The policy defines the standards to which the organization will adhere and strive to follow. Data privacy and security policies must denote clarity, inclusiveness and well-defined procedures, rules and methods for regulating access to corporate systems and applications. A good policy protects customer, employee and third-party data. These policies are also testimony to investors, business stakeholders and the public at large about the organization’s commitment to data protection and privacy.
There are two operational approaches to data privacy and security. The first builds policies for various types of data and then determines access-level permissions. With this method, you would then look for any data that fits that criterion. Conversely, the other approach looks at all data, analyzes and identifies the different types, classifies and makes policy decisions on what to do with the data.
1. The Policy-First Approach
Addressing regulatory and compliance requirements is straightforward and often easily conquered with a robust policy. The policy will genuinely address the key areas and define the controls to put in place. These controls are built to target the areas defined by the requirements.
The limitation of building a policy-first data privacy approach is that it can impede the organization’s ability to discover data that doesn’t match predefined policy. Creating policies before you know what data exists is like a doctor prescribing medicine to a patient they’ve not diagnosed. To compensate, policies may be overly broad and less accurate. Ultimately, it could require more time and money to build additional guidance for data that you didn’t know you had.
2. The Data-First Approach
A data-first privacy and security program will have detailed and documented knowledge of all the elements that comprise the organization’s data ecosystem. It also features an acute understanding of the who, what, why, where and how of data collection and security measures and when it’s appropriate to delete data.
Private consumer data and sensitive corporate secrets are captured and used by various stakeholders throughout an organization — from human resources, product development and engineering to sales and marketing. Unfortunately, because of the many data-flows, changing formats and ways data is applied and stored, most organizations have a far from a complete picture of the data they hold.
Finding all the personal and sensitive corporate data stored in myriad places within a large enterprise can be an overwhelming challenge. Efficiently gathering data within corporate systems spread across multiple divisions, departments, and on-premises and cloud locations requires an approach capable of examining all types of unstructured and structured data and diverse systems, no matter where they’re located.
Bringing It All Together
A much more effective and comprehensive result can be achieved by examining the data first, then building policy criteria based upon all the data. Cataloging and securing all data will make it easier to satisfy compliance requirements. Whereas, if you just fulfill privacy mandates, you still need to secure sensitive data that doesn’t fall under privacy regulations. This includes intellectual property, copyrights, patents, trademarks, trade secrets, sales and marketing plans, product plans, patentable inventions, competitive information, financial data and more.
The key to protecting data is understanding the information about your data. Identity management systems provide IT teams with tools and technologies to control access to customer and employee data, and corporate secrets. Identity is a meta-foundational layer for data. Knowing who created it, who has access to it and what people do with it can all be tied back into identity. Think of it this way: I trust company A with my data because I know the company, and they agreed to use my data in a certain way. However, I may not trust company B to that same degree. It’s the same data, but a different and lesser-known company is using it.
Lastly, finding and deleting sensitive data that is no longer needed is an essential form of business protection. Removing data that has become stale and aged beyond its retention period will help effectively avoid any audit or compliance violations.
Sources:
(1) Forbes
(2) Security Intelligence
by Rebeca | May 26, 2021 | News, soffid
Imagine this scenario – If you are the CEO of a mid-sized organization with branches in different continents and three thousand employees, how efficiently could you monitor logins?Perhaps, on a bad day, an employee would have lost their Smartphone or lost the paper in which they wrote the password.In such a case, would you identify that one illegal or criminal login from all the 3000 logins that day?
This is why Identity and Access Management (IAM) solutions are gaining increasing prominence in 2020 for businesses to protect their interests and sensitive data from theft and violation.While decentralized identity is yet to become a full-blown practice, passwords are still the prime source for protecting data, and IoT devices are continuously being hacked. In this scenario, we are yet to find a universal solution to manage online identities in both the government and the private sector.
Since the IAM space is continuously evolving, organizations identify new trends in Identity and Access Management to minimize data-breaches, meet regulatory requirements, and manage user identities to the utmost extent.
Years of data breaches stemming from credential theft, attacks targeting privileged user accounts and poor password practices have led to a major evolution in identity and access management technology designed to protect enterprise data.
Five IAM trends are addressing the need for greater user account and network protection. They are meant to mitigate the damage that could be done as network perimeters are erased, organizations move more applications to the cloud and enterprises increase overall complexity.
Identity and Access Management (IAM) has the attention of cybersecurity professionals around the world. The identity and access management market growth has roughly quadrupled over just the last three years, and shows no signs of slowing down any time soon.
The COVID-19 pandemic has raised the visibility of identity & access management (IAM) due to the high priority in getting remote access secured and the increased protection needed around digital transformation initiatives.
In an effort to make organizations more secure, agile and resilient, IAM leaders must improve governance and strengthen privileged access management (PAM) practices to prevent breaches, establish more robust and agile authentication and authorization, and enhance consumer IAM to prevent fraud and protect privacy.
In this rapidly changing business scenario, here are upcoming trends that promise to revolutionize the IAM sector:
1) Adapting Biometrics
As per Global Market Insights, the global biometric market would reach an estimated value of USD 50 billion by the end of 2024. Perhaps one of the rapidly emerging trends in the IAM sector, biometrics like retinal scans, facial recognition systems, and fingerprints, is highly preferred for ensuring authorized users in networked systems. While this might come across as a fool-proof strategy, there is a security risk involved with this technology.
With various types of cyber-attacks possible, biometric information can be stolen and used for fraudulent operations. While a regular password can be changed if compromised, a user’s biometrics can’t be changed and permanent.
To counterbalance this threat, the future trend would involve IAM, which relies on biometric data, to get an additional layer of security for protecting the biometric information.
2) Blockchain
An ideal solution to protect biometric data is that Blockchain has come a long way from being valued at USD 706 million to an estimated USD 60 million by 2024. Blockchain offers features like transparency, reliability, and integrity, making it a popular choice for ensuring data protection with both public and private sectors.
While talking about Blockchain in the context of IAM, the two aspects, the come into play are – Audit trail and self-sovereign identity. Self-sovereign identity is the concept of an individual protecting their entire identity as their personal property rather than let an organization or third-party provider manage it. By keeping the individual’s information protected by encryption in a permanent blockchain across a distributed network system, this concept offers complete individual control over their identity data.
Through the Self-sovereign identity system, the idea is to replace centralized identity providers and instead let each individual take control and decrypt the data only when required.
Audit trail, a user’s entire login history, access request, permission grants, changes performed, or engagement is recorded. This is helpful for an organization in monitoring activities, detecting fraud, and also meets compliance requirements.
3) Single Sign-On Systems and MFA
While MFA is one of the most popular IAM practices, there is still plenty of scope for its improvement as data breaches still occur and cause substantial revenue losses. Adaptive Authentication is the advanced version of MFA, which relies on machine learning capabilities to detect malicious user behavior or illegal entry.
Adaptive Authentication pulls in all the details of user login in terms of login time, device, location, browser, and other data, which helps analyze a login attempt’s authenticity. Based on the analysis, if a login attempt turns out to be fishy, the system will ask the user to fill in an MFA to be authenticated.
Another popular IAM industry trend is Single Sign-on (SSO System) usage with MFA that helps users leverage a unified, singular set of credentials to gain access to networks, data, applications, web, and the cloud.
4) IAM and the Internet of Things (IoT)
With the arrival of the Internet of Things (IoT), there is a massive requirement for Identity Access Management service. Whenever an IoT based device is added to a network, there increases the need to mitigate security risk. Based on a report developed by Microsoft, IoT is increasingly being used across all major sectors, and by 20201, 94% of businesses will use IoT.
Hence, the current priority is to ensure secure identity access management on these IoT devices for restricting the entry of hackers into the network. Devices that can pose a threat could feature smart TVs, security cameras, and smart bulbs.
Another technology that could prove to be a breakthrough is working on IAM systems, which require the system to authenticate a user’s access through numerous devices.
Also, in numerous cases, securing IoT devices would be achieved by embedding the device identities in the processing chip and being an integral part of the hardware.
5) Artificial Intelligence in IAM
An aspect of Identity Management, Context-based identity, is responsible for comparing data about a user who needs to be vetted to authenticate an identity. This data includes numerous behavioral patterns like physical location, IP address, usage, preferences, and machine address.
Leveraging AI programming algorithms for data mining helps discover data patterns that are extremely helpful in reducing fraud and identifying risks. This technique has been highly useful in banking systems across the globe.
6) Identity Access Management for Cloud Services
Since the cloud is in great demand, organizations have been shifting to cloud services to provide advantages such as efficiency, scalability, and flexibility. While the cloud brings many benefits, few security concerns should not be ignored.
Soffid approach to IAM services and solutions is built on core activities, namely, Access Management, Identity Management, Access Governance, and PAM. We help you elevate your organization’s goals towards digital transformation and help develop data strategies in line with revenue maximization and achieve customer satisfaction.
(1) Gartner
(2) Search Security
by Rebeca | May 19, 2021 | open source, soffid
Today’s business leaders face enormous pressure from markets, competition, and the current pandemic, which is radically changing the way we do business and engage with customers. Organizations need to adapt, imagine new revenue models, innovate as never before, and attract a new generation of talent to fuel this evolution and help the business stay relevant.
In the last few decades, organizations large and small have started leveraging the benefits of open source at unprecedented levels. One of the benefits of working with open source technologies or projects is the free sharing of ideas. Open source brings people together to brainstorm and develop a common piece of technology.
The open source web frameworks offer an alternative that shifts the company focus from the centralisation of resources – which has become of little significance – to the adoption of more internationally widespread technologies. The technological exclusive and the supposed guarantees of a private supplier are exchanged for a transparent shared standard.
In the past technology ownership guaranteed a competitive edge over the competition and money could also be made from licensing. The source code of the software in question was a company secret to be protected.
With the growth of the web and the spread of technologies to support the online services, the IT sector has experienced the formation of a very fragmented situation.
In this scenario the big digital service companies have played an important role, at times determining with their economic weight the growth of some of these technologies and the consequent decline of others. New international standards have been set.
At the same time, many cases of successful open source frameworks have emerged which have ridden the wave of the community-driven technologies, i.e. developed and maintained by international teams of independent developers.
The source code of this software is not secret in any way and any part it is composed of is accessible, encouraging ethical transparency and 360° customisation.
In light of the success obtained by these frameworks, today privatising the technologies on which to base their services and products means companies run the risk of reinventing the wheel, rather than concentrating on activities that create solid value. A similar argument could be made for companies that have old assets, spending energy on maintaining obsolete solutions that are going out of use rather than preparing for the migration to modern methodologies.
Compared to open source frameworks the owned ones are more expensive and risk becoming outdated more quickly in a world in constant evolution.
The value of ideas has increased
A shared technological standard on an international level, helped by an open source philosophy, has a superior value compared to the in-house alternatives. The ability to integrate programming languages and different tools effectively and using the resources already created by other developers increases the competitiveness of the web-based platforms.
Considering the rise of open source frameworks the question is not how to centralise control over technology, but how to adapt these resources to our advantage, participating in their progressive enhancement while developing components for company use.
Technology is the tool that allows us to drive value, but this comes from positive ideas to digitalise the company resources available.
With freemium solutions like Soffid, the customer get all the benefits from both sides, from the traditional product and from the open source product. They get a good support, they get a development roadmap and quick security fixes.
Soffid is one Single product, release like open source and including all the features about Identity and access management, priviledge account management and identity governance.
Shall we talk?
by Rebeca | May 13, 2021 | soffid
We have the pleasure to share with you Identity and Access Management Snacks by Soffid, our best topics in Identity and Access Management.ç
Come along to our new friendly “snacks” focused on the latest trends in digital identity
Learn how your users can securely take control over sharing their data and how identity can not just solve these challenges but be a business enabler too.
We’d love to hear your ideas for topics to discuss as well!
We’re always on the lookout for new trends in Identity and Access Management, so follow our Youtube channel and if you like this page, share it now!
