Four Ways to Reduce Identity and Data Risks in a Digital Economy
May 29, 2019
The use of stolen credentials ranks as one of the most commonly seen aspects of cybersecurity incidents, and loss of unencrypted data is one of the most damaging results for both the businesses involved and their customers. From this, it is plain to see that identity and data risk are two areas of cybersecurity that are intrinsically linked. As consumers and companies are conducting more business online, it has never been more important to ensure that all organisations take a strong stance on securing the data and identity information that our business partners and customers entrust us with.
The following four areas are just the tip of the iceberg when it comes to reducing identity and data risk.
Let’s Get Serious About Encryption
Developers aren’t security experts, let alone crypto experts. Most people understand that, but in the world of high-profile data breaches where tens of thousands of users’ information is either lost or stolen, not having security expertise is no longer a valid excuse. The best thing a company can do is create a position or team with the oversight and authority to enforce the secure processing, usage, and storage of data. For qualifying organisations in the EU, this oversight is mandated for by the General Data Protection Regulation (GDPR) under the role of a Data Protection Officer. Even for organisations for whom the GDPR does not necessarily apply, appointing a person or team with both technical and regulatory expertise with the ability to champion and educate on secure data usage throughout the company is just good corporate governance.
Encryption of data-in-transit has never been more accessible than it is today. With services like the non-profit Let’s Encrypt handing out free domain-validated certificates and helping to automate the whole process of renewal, there is no excuse for sending data between a web server and a user in the clear. As for data-at-rest and data-in-use, many of the major cloud hosting platforms that organisations use these days offer solutions for the former; where required, various technology vendors and developers can help with the latter. By no means does this information cover all of the applications or solutions for data encryption. There’s enough on that topic to fill a book or two! But with the help of knowledgeable staff and the backing of the business, organisations can — and should — make appropriate application of encryption technology a priority.
Know Your Applications — and Manage Shadow IT
Any corporate IT administrator will tell you that their users are always trying to get around the company’s internet filters. In a corporate setting, the act of getting around IT often goes well beyond the realm of social networking though. The explosion of cloud application offerings, and their innovative solutions, has increased productivity and led to a number of identity and data risks that most IT and security teams might not even be on the lookout for. File sharing services are an obvious risk with users going outside the corporate-mandated solutions to store data on the platform that they personally prefer. Code repositories being left open and exposing private encryption keys to the public have been well publicised, but other productivity tools, such as project and task trackers, can be just as dangerous for organisations. The potential is there for vital corporate data to be leaked and misused. The scary fact is that, unless already tracking it, cloud application usage at most organisations is vastly underestimated by IT and security teams. A good Cloud Access Security Broker (CASB) capability can go a long way to helping an organisation identify the cloud services and applications that its users are consuming, and in some cases can even enable an organisation to set risk-based controls on their usage.
Keep Up to Date on Managing Digital Identities
New guidance on best practice regarding digital identities has been released from both NIST and been mirrored by Open Web Application Security Project (OWASP). Everyone should familiarise themselves with these guidelines as they make fundamental changes to the traditional password guidance that we all know and loathe.
I imagine most people will particularly appreciate the move away from having to rotate passwords on a regular basis and the dropping of requirements for some specific mix of text, numbers and special characters as a requirement of a password. Most companies with a strong presence on the public internet have moved away from the former, but the latter is still quite pervasive. On the other hand, multi-factor authentication (MFA) is practically mandated now, but with the number of ways that attackers can fool users out of their passwords this should come as no surprise. The proliferation of mobile phones, and especially those with biometric fingerprint readers, has made MFA as simple as downloading an app these days.
Identity and Access Management (IAM) is also an area in which IT and security teams can truly shine for a company. IT and security, often seen as blockers to getting business done by many, can vastly improve the end-user experience for both internal and external users through the implementation of a smooth single sign-on (SSO) system. For internal users, the need to remember a plethora of different passwords for various business applications can be reduced or eliminated. For external customers, users can use an existing identity from one of the big players such as Google and Facebook, eliminating the need to create a new account for every website they visit.
MFA and SSO are merely the first steps to securing identity, though. Organisations looking to get serious about security are investing in privileged access management (PAM) and identity governance systems. Privileged accounts, by their very nature, are a huge security risk, the keys to the kingdom if you will. PAM systems help simplify their management in various ways from tracking account usage, to limiting privileged account access, to allowing window access to only the time necessary to carry out required work. Meanwhile, identity governance systems allow organisations to streamline processes like access recertification and help implement the principle of least privilege by validating users’ access based on factors such as job role. These capabilities only scratch the surface of what PAM and identity governance solutions can offer, so if your organisation has not yet explored the benefits these solutions can bring to an organisation, I would highly recommend having a look at the market.
Hold Your Organisation Accountable
A security team, a CISO, a CIO, whoever it is, can advise your organisation on all of the above and even write rock-solid policies and procedures for identity and data security. However, it will all be for naught if the organisation doesn’t educate staff and hold people accountable for following them. What accountability looks like at any organisation will vary. Some organisations in heavily regulated spaces may hold detailed internal audits, be subject to external audits and embed security team members in development teams. Other organisations may simply perform spot checks on an ad-hoc basis. No matter what methods an organisation chooses to adopt, it needs to be more than a tick-box exercise. Breaches of policy and procedure need to serve as teaching moments, and staff education should be evaluated. Some organisations take a hard-line stance around matters of identity and data security, but on the whole, a soft-touch approach is generally better in this regard.
Identity and data risks are real and pervasive, and an organisation that ignores this is putting its reputation at risk and doing their business partners and customers a disservice. There are plenty of places we can all start or improve upon, and hopefully, the suggestions above have given you some food for thought for how you too can help your organisation reduce identity and data risk.
Maximise the value of your identity programme and streamline operations in your business. Download our eGuide to learn more.