By Charles Cooper
Latest trends in securing employee identity
In early September, Equifax disclosed a massive data breach exposing the personal information of more than 140 million people. Soon after, the company took a second public blow to its reputation when researchers found that an online employee portal at its Argentine operation was protected by the default username and password pair admin/admin.
The incident was a pointed reminder of what happens when an organization’s authentication controls fail to keep unauthorized users away from its data.
This matters all the more in an era of mobility and cloud computing, where data is seemingly everywhere: on handheld devices, tablets and laptops, and in cloud services. Organizations must now be able to authenticate highly distributed identities coming from many different sources.
With so many potential points of entry, one carelessly handled credential is enough to let an attacker bypass even sophisticated defenses.
That’s why many organizations are reevaluating their approach to securing employee identity. The fact is that user identity, not the traditional firewall, has become the front line in the struggle to keep intruders off the network. Here are a few new approaches to consider:
Ditch passwords altogether
When the US National Institute of Standards and Technology (NIST) published its revised Digital Identity Guidelines (SP 800-63B) in June 2017, it advised against forcing users to change passwords on a fixed schedule, recommending instead that passwords be screened against lists of known-compromised values and changed only when there is evidence of compromise. Periodic rotation has not proved effective at preventing breaches; it mostly produces predictable variations of the old password. So why maintain the pretense? Some organizations would just as soon replace memorized passwords altogether with something more trustworthy and effective.
Adaptive authentication
Sometimes called risk-based authentication, this approach scores each login attempt against a risk profile built from the user’s observed habits, so the system learns those habits over time and reacts when an attempt departs from them. The profile combines variables such as the time of day, the originating IP address or network, and the device being used. A low score lets the login proceed, a higher one triggers a second factor, and an extreme one blocks the attempt.
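The scoring loop described above, as an added example that is not code from the original post or from any vendor’s product. The signals (new network, new device, off-hours login, a burst of recent failures), their weights, the two thresholds, and the sample profile and attempts are all constructed assumptions chosen to illustrate the idea; a real deployment tunes them from observed login data. Times are treated as UTC for simplicity.

```python
"""Risk-based (adaptive) authentication scorer.

Added example, not code from the original post. The signals, weights,
thresholds and the sample profile and attempts are constructed
assumptions; real deployments tune them from observed login data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Weights are illustrative assumptions, not figures from any product.
WEIGHTS = {
    "new_network": 30,      # never seen this /24 (or /64) for this user
    "new_device": 35,       # device fingerprint not previously enrolled
    "off_hours": 15,        # outside the hours the user normally logs in
    "lockout_pressure": 40, # many recent failures: possible guessing attack
}
STEP_UP_THRESHOLD = 30  # ask for a second factor at or above this score
DENY_THRESHOLD = 70     # refuse the attempt at or above this score


@dataclass
class UserProfile:
    known_networks: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    usual_hours: range = field(default_factory=lambda: range(8, 19))  # UTC assumed
    recent_failures: int = 0


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str
    when: datetime


def at_hour(hour: int) -> datetime:
    """Constructed timestamp on a fixed day, used by the sample attempts."""
    return datetime(2017, 10, 3, hour, 0, tzinfo=timezone.utc)


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) prefix so a user
    whose DHCP lease changes does not look new every day."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def score_attempt(profile: UserProfile, attempt: LoginAttempt):
    """Return (score, reasons) for one login attempt."""
    score, reasons = 0, []
    if network_of(attempt.ip) not in profile.known_networks:
        score += WEIGHTS["new_network"]
        reasons.append("new_network")
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if attempt.when.astimezone(timezone.utc).hour not in profile.usual_hours:
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    if profile.recent_failures >= 5:
        score += WEIGHTS["lockout_pressure"]
        reasons.append("lockout_pressure")
    return score, reasons


def decide(profile: UserProfile, attempt: LoginAttempt):
    """Map the score to allow / step_up / deny."""
    score, reasons = score_attempt(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(profile: UserProfile, attempt: LoginAttempt) -> None:
    """After a successful (possibly stepped-up) login, fold the network and
    device into the profile: this is how the system adapts over time."""
    profile.known_networks.add(network_of(attempt.ip))
    profile.known_devices.add(attempt.device_id)


def sample_profile() -> UserProfile:
    """Constructed profile: one office network, one enrolled laptop."""
    return UserProfile(known_networks={"203.0.113.0/24"},
                       known_devices={"laptop-a1"})


if __name__ == "__main__":
    p = sample_profile()
    for a in [LoginAttempt("alice", "203.0.113.45", "laptop-a1", at_hour(10)),
              LoginAttempt("alice", "203.0.113.45", "phone-x9", at_hour(10)),
              LoginAttempt("alice", "198.51.100.7", "tablet-q2", at_hour(3))]:
        print(a.ip, a.device_id, a.when.hour, "->", decide(p, a))
```

The second attempt (known network, unknown phone) is stepped up rather than refused; once the user passes the second factor, `record_success` enrolls the phone and the same attempt scores as routine next time. The third attempt stacks three unfamiliar signals and is refused outright, which is the case a static username-and-password check would have let through.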
Identity-centric security
Many companies are also turning to Identity-as-a-Service (IDaaS), using third parties for authentication and identity governance along with single sign-on to cloud applications. Identity-centric security uses context, behavioral analytics and predictive techniques to confirm that the people trying to log in are who they claim to be and are authorized to access the resources they request.
Device attribution
As identity flows outside the organization with the spread of mobility and remote access, one popular idea is to use device attribution as a verification method. There has been debate about how secure this is: smartphones do get lost or stolen. One way to limit that risk is to pair the trusted device with a second verification step, so that possession of the device alone is not enough to authenticate. The general approach treats devices much as the company treats individuals, giving each device its own identity and credential, with enrollment and revocation, so that a security model can be built around those devices.
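The device-as-a-principal approach, as an added example that is not code from the original post. Each enrolled device gets its own key and is authenticated with a fresh challenge, the login also requires a TOTP code (RFC 6238) that the user holds separately, and a lost or stolen device is revoked rather than having the user’s whole identity reset. The per-device HMAC key stands in for a device-bound private key in secure hardware; the device ids, the in-memory registry and the walk-through in `demo()` are constructed, and the TOTP key is the RFC 6238 test key.

```python
"""A device as a principal with its own credential, plus a user-held
second step.

Added example, not code from the original post. The HMAC device key is a
stand-in for a device-bound private key; device ids, keys, the registry
and the demo walk-through are constructed.
"""
import hashlib
import hmac
import os
import struct


def device_sign(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """What the enrolled device computes over the server's challenge."""
    return hmac.new(device_key, device_id.encode() + nonce, hashlib.sha256).digest()


class DeviceRegistry:
    """Server-side inventory: devices are enrolled, owned by one user, and
    can be revoked when lost or stolen."""

    def __init__(self):
        self._devices = {}  # device_id -> {"user", "key", "revoked"}

    def enroll(self, user: str, device_id: str) -> bytes:
        key = os.urandom(32)
        self._devices[device_id] = {"user": user, "key": key, "revoked": False}
        return key  # provisioned to the device once, over a secure channel

    def revoke(self, device_id: str) -> None:
        self._devices[device_id]["revoked"] = True

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh per attempt, so a captured response is useless

    def verify_device(self, user: str, device_id: str, nonce: bytes, response: bytes) -> bool:
        rec = self._devices.get(device_id)
        if rec is None or rec["revoked"] or rec["user"] != user:
            return False
        expected = device_sign(rec["key"], device_id, nonce)
        return hmac.compare_digest(expected, response)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current step and one on either side to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d * step), code) for d in (-1, 0, 1))


def authenticate(registry, totp_secrets, user, device_id, nonce, response, code, now) -> bool:
    """Both steps must pass: a recognised, unrevoked device owned by this
    user, and a code from something the user holds separately."""
    if not registry.verify_device(user, device_id, nonce, response):
        return False
    return verify_totp(totp_secrets[user], code, now)


def demo():
    """Constructed walk-through: enroll, log in, lose the phone, revoke."""
    reg = DeviceRegistry()
    user_secrets = {"alice": b"12345678901234567890"}  # RFC 6238 test key
    key = reg.enroll("alice", "phone-x9")
    now = 59  # fixed clock so the TOTP value is reproducible
    nonce = reg.new_challenge()
    resp = device_sign(key, "phone-x9", nonce)
    ok = authenticate(reg, user_secrets, "alice", "phone-x9", nonce, resp,
                      totp(user_secrets["alice"], now), now)
    reg.revoke("phone-x9")  # phone reported stolen
    nonce2 = reg.new_challenge()
    resp2 = device_sign(key, "phone-x9", nonce2)
    after = authenticate(reg, user_secrets, "alice", "phone-x9", nonce2, resp2,
                         totp(user_secrets["alice"], now), now)
    return ok, after


if __name__ == "__main__":
    print(demo())
```

Revoking the device invalidates its credential without touching the user’s password or TOTP secret, and because the challenge changes on every attempt, a response captured from a stolen device cannot be replayed against a later login.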
Whatever architecture enterprises settle on, one thing is clear: organizations will have to choose. They can no longer rely solely on a traditional security model built on the notion that a firewall will protect their most important data. The identity-centered methods above give them a way to keep pace with developments in technology and the evolving threat landscape.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.
Stay tuned for the new Cybersecurity Insights Report Vol. 6, Mind the Gap: Cybersecurity’s Big Disconnect, available October 30, 2017. Meanwhile, catch up on past reports, vols. 1-5, to learn what you can do to help strengthen your defenses across your business.