por Rebeca | Mar 31, 2021 | Recursos, Soffid
The COVID-19 pandemic has brought about drastic changes at a social level that would have been difficult to imagine a few weeks or months ago. The situation of confinement in which many countries find themselves, with most of the population unable to leave their homes, is something we were not prepared for and have had to quickly get used to.
Something similar has happened at the work and business level, however, the work does not stop: hospitals, logistics companies, medical material production services, etc. must continue working, and for the rest of the non-critical services in this situation, remote work or teleworking has been imposed at a fast pace.
Normally, establishing new architectures, information systems, tools, etc. is something that takes time, especially in large companies. In this case, many CIOs have been forced to implement remote architectures and work processes in record time.
Many corporate systems are not designed to work from home. Perhaps they are, since in most companies teleworking has been carried out more or less extensively: users take their work home, on weekends, etc. to carry out certain urgent tasks. The difference is that now telework has had to be implemented throughout the organization without exception.
The teleworking scenario represents a new way of doing business for organisations that had not previously implemented this system. This entails the emergence of new risks and threats in terms of personal data protection, as employees are working with different means and resources than usual.
Never in history has so much traffic and so much critical corporate data had to be managed from home. In many cases we are seeing how communication lines, VPN systems, etc. were not prepared for so many volumes of data.
Although in the first phase of the implementation of teleworking, agility and the possibility of giving remote access to the systems has been a priority, the CISOs have also had to establish procedures and tools to work safely.
Now more than ever we are seeing how it is not enough to protect the perimeter of the company. With information scattered in multiple locations, in the cloud, at employees’ homes, etc. it is now more critical than ever to have security that travels with the information.
Cloud storage applications such as Box, OneDrive, G-Drive, collaborative work applications such as Slack or Microsoft Teams, video conferencing tools such as Zoom or GoToMeeting allow critical work to continue and we can all enjoy certain services that are indispensable in this crisis, while on the other hand allow us to do our job.
Customers expect their suppliers to continue to maintain a high standard of security when processing their data, blocking possible threats and keeping them safe from possible security breaches.
One thing that is striking is that in crises, security or cyber security risks increase. The bad guys see a unique opportunity to act on the misdirection, chaos, and take advantage of it. A few weeks ago we watched in the press in astonishment as even hospitals were hit by cyber attacks in the middle of the covid crisis. In fact, unfortunately, phishing attacks have increased these days.
Soffid is providing the same user experience and securing the organisations data. Users can identify using their corporate passwords, they can change the passwords when the policy says that the password has been expired, they can recover the password when they have been forgotten they have all the end users user experience is expected to have without exposing the active directory. And on the other hand, the helpdesk team can track sessions, can label and configure the user’s desktop through scripting, through any other tool they are using with active directory and at the same time the administrator, the global administrators can connect any application they have, including active directory, sap or legacy applications with Soffid, so administrator can get a secure and reliable platform, but, at the same time, the end users are having the experience they are expecting to have.
por Rebeca | Mar 24, 2021 | Recursos, Soffid
As enterprises adopt cloud applications, users are plagued with password fatigue–the never-ending burden of creating and maintaining separate identities and passwords for the multiple cloud and web apps they need to access on a daily basis. Adding to the frustration and downtime, when accessing certain resources, users are also required to validate their identities with strong multi-factor authentication, slowing down the access journey even further.
To offer the most frictionless experience possible without sacrificing security, organizations can leverage cloud single sign-on (cloud SSO) combined with contextual information and step-up authentication. This lets users access all their cloud and web applications with a single identity and password, and lets IT require stronger access security only in high risk situations. In fact, cloud access management solutions have emerged, providing organizations with the ability to set flexible access policies that include:
- Single Sign On
- Granular access policies
- Context-based Authentication
- Session management
Cloud single sign-on enables users to access all their cloud and web applications using a single identity–a single username and password set. So instead of maintaining 10 or 20 passwords, users can maintain just one! Cloud SSO removes the need to re-authenticate separately to each cloud application, allowing users to easily move from one cloud app to another.
That said, cloud security is still inherently complex, so we would breakdown some simple steps to leverage the cloud safely and securely.
Multifactor Authentication
Multifactor authentication (MFA) is one of the most concrete guards against cloud-based security risks and, where supported by the cloud application provider, should be implemented immediately. While MFA is not a new technology, the simplicity and ubiquity of smartphones has made MFA a seamless extension of the user access protocol. Long gone are the days where a user has to carry a randomizing FOB that must be replaced, has battery challenges and requires server-side management to keep up to date and integrated with the company account management policy. Today, anyone with a smartphone has the MFA client and basically ready to comply with a fundamentally sound security and cloud access policy.
Ensure Internal Systems Management
Large cloud providers invest extraordinary resources to protect themselves and their clients from cybercriminals. The reality is that cyberattackers are not going to attack the most hardened resources when they are clearly aware that the easiest path of entry is through the small- to mid-size business. Consequently, it is just important that you are keeping a close watch on internal technology systems and controls as that is most likely the least secure point of entry on your way to the cloud. In addition, many cloud implementations still incorporate private VPNs to allow direct and controlled network access, so the importance of the following basic systems management disciplines are critical:
- 100 percent internal device management
- 100 percent patch management (PCs, servers, network devices, etc.)
- Storage management
- Network access control
- Managed security
- SIEM tool
- Web filtering
- DNS filtering
While this may seem like a daunting list of items, chances are you have some form of these for cloud security either in a managed services relationship or internal tool set you already own. The key is discipline in management and metrics/reporting of either the provider, or the internal IT team.
End Users
The velocity of technological change combined with the evolution of threat vectors simply forces us to train our users to keep a keen eye out for anomalies, particularly when dealing with external or cloud systems. User training is a simple, reasonably cost-effective way to breakdown and educate our workforce on modern security risks. While none of these items are silver bullets for eliminating cloud computing risk, they take large strides in mitigating the risk associated with the cloud. The cloud offers a wealth of benefits and when delivered and used appropriately, can offer the same or better security protections than a local computing environment. However, there are appropriate safeguards and measures that shou
(1) Security Boulevard
(2) Helpnetsecurity
por Rebeca | Mar 17, 2021 | Recursos, Soffid
The rapid digitisation across the world in 2020 has paved the way for companies to adopt new models in how they secure and manage the identity of their users.
As businesses move from largely reactive measures last year to now putting in place policies and processes to permanently adapt to the new normal, a modern identity and access management (IAM) system is critical to manage access across multiple operating systems, devices, locations and applications, based on what a user should be able to do and what they will need over time
IAM encompasses a complex set of functions that touch nearly every aspect of your business and have a measurable impact on your bottom line. Leaving an outdated IAM system in place — whether you’re managing the identities of employees, business partners, or end customers — is both costly and dangerous.
Modernising Identity Reduces Maintenance Costs
Businesses that are reluctant to invest in IAM are often unaware of how much money they’re already spending on it. Maintaining an outdated, decentralised IAM system is usually a full-time job for at least one developer. In addition, dealing with identity-related issues such as lost passwords takes up the majority of your support desk’s time.
The maintenance costs of in-house Identity are high even if we only define “maintenance” as keeping the existing system running so users can log in and access resources. When businesses improve their custom IAM systems, those costs skyrocket. Auth0 customers regularly report that if they attempted to build our features themselves, it would take an entire team of developers.
Identity Is Critical to Legal Compliance and Security
If you don’t invest in a sophisticated, secure identity solution, then you’re essentially budgeting for regulatory fines and the myriad costs associated with data breaches. Given the rise in global data privacy laws and cyberattacks, the chances that you will be impacted are only increasing.
Identity-based attacks are a pervasive threat. Today, hackers the world over use authentication as their preferred gateway to attack. Verizon’s 2020 Data Breach Report found that the most common forms of data breaches are identity-based: phishing and attacks using stolen credentials. These broken authentication attacks mean huge expenses for businesses, in the form of application downtime, lost customers, and IT costs. The Ponemon Institute reports that a company that falls victim to a credential stuffing attack stands to lose an annual average of US$6 million. Thwarting these attacks requires IAM features such as brute force protection, multi-factor authentication (MFA), and rigorous access control.
IAM Unleashes Innovation
For better or for worse, your company’s IAM platform will impact your ability to innovate. This happens in two ways. The first is simple: Every hour your developers spend on authentication is an hour they’re not improving your core product.
Most companies are familiar with this logic when making other decisions about building vs. buying microservices. For example, Auth0’s research found that when companies need to incorporate a payment tool in their app, only 26% build it themselves. The other 74% use a software-as-a-service SaaS solution like Stripe or Paypal. The same logic holds true for authentication.
Aside from freeing up resources, an IAM system can drive innovation. For example, consider the impact of centralised Identity on improving analytics and customer outreach. When a single IAM provider handles user authentication across devices and integrates seamlessly with every other system, it de-silos data to create a single source of truth about users. This idea is the heart of an omnichannel approach to retail and marketing.
Identity Is Central to Your Business
It’s always important to make sound investments in technology, and particularly in a moment of global uncertainty. But having a secure and extensible IAM solution is one of the best defenses against that uncertainty because it makes businesses more capable of adapting to change.
A modern IAM solution can provide both a quick business win and long-term value by decreasing costs, increasing revenue, and making businesses more adaptable in a shifting technological and legal landscape.
Shall we talk about your project? Soffid 3 is a more intuitive and user-friendly version that will fit your needs.
Sources:
(1) Digital Security Magazine
(2) Frontier Enterprise
por Rebeca | Mar 11, 2021 | Sin Categoria
A compliance audit is a comprehensive review and evaluation of a business or organization’s compliance with a voluntary compliance framework (e.g., SOC 2) or a regulatory requirement (e.g., GDPR). The scope of a compliance audit depends on which framework/regulation the auditor is evaluating against and, for some frameworks, what type of information the organization stores and how they utilize it.
Many companies still do not appreciate the interconnection of security and compliance. Both are often considered cost centers, and that paints a scowl on the face of many Chief Financial Officers. However, there is a different way of looking at compliance (or its negative counterpart, non-compliance).
We can divide compliance into the categories of obvious and not-so-obvious costs.
The obvious costs are easy to understand:
- Track – Keeping a close watch on the requirements to maintain compliance
- Mitigate – Correcting any deficiencies
- Fines – Monetary penalties for compliance failure
Some of the hidden costs include:
- Additional internal audits – To verify that everything is in order as well as the costs of reworking
- Business disruption – Due to a regulator lockdown of a business unit or the entire organization,
- Productivity loss – The time employees need to focus on remediation
- Brand loss – Due to bad media coverage, and this leads to customer erosion
These costs ensure that your organization is equipped with the correct resources that are required to maintain and confirm there are no compliance slips. The biggest hidden cost, though, is the loss that is not accounted for due to non-standardized operating procedures and a lack of standardized control.
In information technology, this is known as secure configuration management. An organization may be operating at lower efficiency without being noticed until regulatory compliance audits unravel the cracks in the IT ecosystem. This is the “close to broken” setting mentioned earlier.
Fortunately, the journey to compliance need not be a burdensome task. For example, in the banking industry, digital checking mechanisms enable institutions to track all the risks and ensure compliance by applying the appropriate controls. Comprehensive dashboards are used to ensure that banks can effectively monitor and mitigate compliance issues before they cross into non-compliant territory.
To reduce business risk by ensuring systems are properly configured or hardened to meet with your internal regulatory and legislative compliance standards, Secure Configuration Management is a must.
A secure configuration management tool combines network monitoring and Endpoint Protection methodology to compare monitored systems against an approved configuration baseline or a golden image. Deviation from this baseline, known as test failures, can usually be corrected with little or no human intervention. Secure configuration management is truly a need-to-have based solution.
Secure configuration management offers benefits to organizations, not only from the cost-avoidance standpoint of non-compliance but also from increased organizational efficiency and agility.
Attacks
It is important to note that while many vulnerabilities are “common,” there is a more critical aspect of maintaining compliance to protect your organization. The largest segments of attack types are targeted. This type of attack means your organization is singled out, and the attacker has a specific interest in your business or your intellectual property.
A targeted attack takes time and planning, sometimes months, to lay the groundwork and prepare. Attackers still use commodity techniques to probe the systems in your organization, looking for the best path to exploit, but their methods are specifically tailored to your infrastructure, your processes and your personnel. The main reason that targeted attacks are effective is because organizations struggle to follow basic security practices and properly institute measurable security policies.
Could you imagine how much less risk your organization would have if you could eliminate 99.99% of attacks?
How Soffid Can Help
Soffid makes compliance to security standard easier with the broadest set of compliance and security policies that accelerate securing your infrastructure and knowing where the weak points are. We update these policies as standards change and allow you to customize the test and assessment results to better meet your individual needs, as you get a giant head-start on your security policy and framework as well as the flexibility to make it your own.
Sources:
(1) Security Boulevard
(2) Forbes
por Rebeca | Mar 3, 2021 | Noticias, Recursos, Sin Categoria
Intranets offer more than just avenues for communication within your company. They also present employees with a treasure trove of content and services, enabling them to perform better and become more effective.
On the contrary, when employers are forced to deal with unwieldy intranets, be it for lack of features or a cluttered UI, to manage their daily tasks, the negative impact on the company’s bottom line can be huge.
As such, implementing a robust intranet solution can give companies a competitive advantage. In fact, Deloitte research shows that companies with strong internal social and work networks are 7% more productive.
Yet, not all intranets are created equal, and some might not give you as many benefits as other, more consolidated, options.
Intranets were created to increase productivity in the physical workplace, but 2020 showed us that the workplace isn’t tied to a single location. The workplace has now become a concept rather than a specific site.
Yet, there is still the need for a centralized hub where employees can access company information and improve their communication. When employees don’t have access to a neural center to find what they are looking for, the company suffers. Plus, without an intranet, employees will start using their own tools, resulting in data silos and incompatible technologies.
These are some of the features you need to look for in a modern intranet in 2021:
- Intuitive user experience: Intranets shouldn’t look different from other applications and software, and they need to be easy to use.
- Integration with third-party applications: Modern intranets need to integrate with both corporate and consumer applications of all kinds.
- Availability as a mobile application: Modern intranets need to be available as native apps or PWAs to reach employees truly.
- Support for cloud office solutions: Be it Microsoft 365 or Google G-Suite, an intranet needs to work with the office suite your company uses.
- Personalization-ready: Modern intranets need to be able to personalize messages for both departments and users at a granular level.
Intranets connect all of an organization’s teams, systems, and networks elevating your operations to a whole new level. But why open source? Simple, because you need a platform with flexible information architecture. A platform you can tweak as per your company’s needs and unique workflows.
The main benefits of an open source platform for intranets include:
- Lower costs: Open source platforms tend to be more cost-effective than proprietary software.
- Extensibility: An open source intranet can be built into and can be extended to maximize growth.
- Integrability: The open source architecture enables developers to integrate with other platforms without the constraints of a proprietary solution.
- Powerful search: A modern intranet needs powerful search capabilities to be able to sift through all the data enterprise businesses have.
Our new Soffid 3 provides the most intuitive and user-friendly interface, making the transition smooth and convenient and offering advantages for your team.
Shall we talk about your project?
