securitylinkindia

Securing the New Age Workforce in Post-Pandemic Era

“What Identity and Access Management (IAM) means for businesses in today’s complex digital world”

Matthew Lewis, Director of Product Marketing & Identity and Access Management, HID Global

In today’s competitive and dynamic markets, organizations face numerous difficulties, such as adjusting to regulatory requirements, securing organizational needs, and implementing stronger security models. The expanding role of digitisation and the rise of remote work have further pushed the need to adopt a holistic approach to securing identities while accessing data, infrastructure, and applications. The challenges range from zero-day threats bypassing conventional security models to the expanding role of digitisation and the rise of remote work.

Propelled by COVID-19, the global workforce had to rethink how remote work models function, thereby normalising remote work and adding a new dimension to professional engagement. According to a Frost & Sullivan analysis, organizations will not return to pre-pandemic operating models and will continue to adjust the remote and hybrid work model over time. Organizations are facing an increased requirement to implement new rules for securing work resources and data access points as this technology proves to be a game changer.

Several enterprises have seen a significant change in how they conduct business as a result of the global pandemic. In particular, technology implementations that were originally planned to take three to five years to complete are now commonly being adopted almost overnight. The cloud is one of the major factors behind these developments, with businesses increasingly recognising its importance in their technology infrastructure. However, as more businesses move to the cloud, the danger of malware attacks and data leaks increases, along with new difficulties in achieving compliance.

The traditional security model has lost relevance over the past two years.
Now, an organization’s security perimeter extends beyond on-premises networks, with SaaS applications being leveraged for business, IoT devices being installed everywhere, and employees accessing corporate resources from various locations and networks. So, what does it take for a corporation to migrate to the cloud while maintaining a secure foundation?

Perhaps the most serious threat to organizational security is related to identity, necessitating the establishment of policies governing user authentication and validation. This helps in cases where users with higher privileges or dormant accounts become easy targets for infiltrating an organization or launching a malicious attack against it. Identity and Access Management (IAM), a critical component of a Zero Trust strategy, is designed to assist organizations in authenticating devices, technologies, and network infrastructure. This framework is based on features such as Multi-Factor Authentication (MFA), Single Sign-On (SSO), and granular permissions, which establish data access privileges, secure access to cloud services, and protect critical login/entry points.

One of the most significant challenges in establishing Zero Trust is putting it into practice. This is because legacy security models often impede the transition to supporting remote work, making it difficult to retain legacy IT security tools and architecture. To implement Zero Trust, organizations must assess workflows and business processes, as well as identify patterns in how users interact with those flows. This should lead to the implementation of appropriate controls in accordance with the identified risks to help secure the organization. As a result, it is critical to consider the user experience throughout the planning and implementation process. In today’s world, users expect quick, easy access to applications, whether on their mobile devices or work systems.
Another important point to remember is that a mismatch between an employee and a company’s critical systems can result in compromised security due to neglect, wrongful behaviour, or violations. To determine implementation sequences and tools in line with the company’s risk profile, Zero Trust must be established based on the organization’s requirements and its industry.

In 2022, cybersecurity will play a significant and growing role in boardroom agendas, with a focus on identity and authorization. Establishing identity-centric, least-privilege access control, for example, may be preferable to micro-segmenting networks or enforcing Zero Trust network access across managed and unmanaged devices. Given the complexity of managing identities in globally distributed companies, Zero Trust remains a lofty goal. Creating a planned roadmap that takes into account the risks posed to your organization is a great first step. Partnership with vendors, whether for aligning current technology with future goals or addressing multiple requirements at once, can also greatly simplify your journey.

According to a Gartner report, 30% of large organizations will have publicly shared their environmental, social, and governance (ESG) goals with a focus on cybersecurity by 2026, up from less than 2 percent in 2021. The goal is to improve security, but ultimately, companies want to deliver better business results, and Identity and Access Management (IAM) planning and governance is a big step along the way.


How to Put on a Vacation. Safety Regulations: CEO’s Security Check-List

Alexey Parfentiev, Senior Business Analyst, SearchInform

We once conducted a study to find out whether employees in various companies are familiar with information security rules. Among others, there was the following question: ‘Would you share your login/password with colleagues while you are on vacation?’ Only 6% of respondents answered in the affirmative. This number seems encouraging, but it is important to understand that people tend to give ‘correct’ answers in a test in order to seem a bit ‘better’ than they are in real life.

So, what is the situation like in real life? In fact, people are often not only ready to share their passwords, but sometimes write all the information down on paper beforehand and leave these notes in places where they will definitely be found. The reason for that is very simple and understandable: people just want to be left alone during a vacation. isky. On the contrary, this is believed to be a responsible approach: the employee has thought about partners and clients in advance. But in fact, it is only self-deception. There are lots of cases in our clients’ practice when this kind of ‘generosity’ has led to disclosure of information. What’s more, less frequently but still not so rarely, access to other people’s accounts is used for real ‘setups.’

In order to avoid such situations, some information security specialists prefer to react in a radical manner. With the help of special software, they block all processes on the employee’s computer during the vacation if the person who logs into the account isn’t the account owner. In modern business circumstances this method is too strict, which is why it’s better to control than to block. The question arises: what needs to be done before an employee starts a vacation?

Case study

Information security specialists detected suspicious activity on the computer of an employee who was on vacation at that moment.
It was found that before the vacation, the employee had given a colleague access to his account ‘just in case.’ According to the company’s internal regulations, such ‘password transmission’ was strictly prohibited. Some confidential data was stored on the employee’s computer, and in case of leakage there was a high probability that the company would have experienced serious financial and reputational losses. Luckily, a data leak incident didn’t occur, and the careless employee had to face a serious conversation.

Make sure that the access system is configured appropriately

‘Appropriately’ means that a particular employee can obtain information only in his or her own part of the information disk, CRM database and tasks; a line manager, his or her own and those of the department’s employees; the CEO, those of all employees. In this situation the employee simply doesn’t have to share account information with colleagues. All employees who may need this particular employee’s documents, and who at the same time have sufficient authority to work with them, have access to the documents. This piece of advice may seem obvious, but in fact the access hierarchy is not set up appropriately in many companies. This results in emergency calls with the request to ‘urgently send login/password.’

Make sure that the employee hasn’t ‘shared’ information in advance

In order to be able to work remotely, many workaholics try to provide themselves with all necessary information and access. The tricky part is that public cloud services and free private email, as well as flash drives, which are the most popular storage for transferred information, don’t provide a secure way of retaining data. ‘Temporary’ storage is usually forgotten quickly, and confidential data may sit in the cloud for ages without real necessity and without an appropriate level of security assurance. What’s more, users often forget to block public access to it and don’t care about data encryption.
This situation was illustrated by the incident with a massive leak from Google Docs, which took place last summer. Internal instructions, documents containing passwords, and reports (including those of very well-known brands) were published on the Internet. So, any posting of corporate information to public services should be prohibited in the company, and the prohibition should be explained to the staff. Deliberate leaks are easily detected by well-developed DLP systems.

Ensure security if the employee has to work with corporate information using unverified Wi-Fi hotspots

Some employees have to take a corporate laptop with them on vacation. It’s crucial to ensure that the employee won’t have to worry about the security of the internet connection. To deal with this task, use a VPN. IT service staff should be ready to set up the VPN so that the employee has the opportunity to work outside the office without the risk of exposing data to danger.

Make sure that no one logs into the employee’s account

This may be implemented in different ways. First of all, IT specialists may block the employee’s account in Active Directory for the duration of the vacation. This approach has one drawback: even legitimate access will be blocked too. Some say there are companies which organize a vacation for the whole team during the summer decrease in business activity. However, this is a really exotic situation. Most companies can hardly withstand a pause in business processes for such a long period.

Another option, which is more efficient, is to set up two-factor authentication, where, apart from the usual ‘login + password,’ the system requires something else, for example a code from an SMS. Nowadays, two-factor authentication may be added to practically all modern services, including CRM. This measure gives more assurance that the account owner is the one who logs in to the account.
If this employee has a temporary deputy (that is, a deputy who is in charge during the chief’s vacation), the deputy’s phone number may be added to the CRM system. If something suspicious or illegal happens, it will be possible to identify the violator by monitoring logins. Still, it’s not a 100% guarantee, because an employee may be very creative. Here a more advanced software product, a DLP system, may help. This system may be configured the way it takes photoshoots…
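
An added example (not from the article or from any SearchInform product) of the ‘control rather than block’ approach described above: it checks login events against a vacation calendar and grades every login attempt on an absent employee’s account. The log format, user names, host names and severity levels are constructed assumptions.

```python
from datetime import date, datetime

# Constructed sample data (not from the article): who is on vacation and when.
VACATIONS = {
    "a.ivanov": (date(2024, 7, 1), date(2024, 7, 14)),
    "m.chen": (date(2024, 7, 8), date(2024, 7, 12)),
}
# Hypothetical registered devices, e.g. the corporate laptop taken on the trip.
KNOWN_HOSTS = {"a.ivanov": {"LT-IVANOV"}, "m.chen": {"LT-CHEN"}}

# Constructed log lines: timestamp, user, host, result, second factor used.
SAMPLE_LOG = """\
2024-06-28T09:02:11 a.ivanov WS-114 success mfa=yes
2024-07-03T10:15:40 a.ivanov WS-117 success mfa=no
2024-07-05T21:30:02 a.ivanov LT-IVANOV success mfa=yes
2024-07-09T08:47:19 m.chen WS-201 failure mfa=no
2024-07-10T08:49:55 m.chen WS-201 success mfa=yes
2024-07-15T09:00:00 a.ivanov WS-114 success mfa=yes
"""

def parse_line(line):
    ts, user, host, result, mfa = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "host": host,
            "success": result == "success", "mfa": mfa == "mfa=yes"}

def vacation_logins(log_text, vacations=VACATIONS, known_hosts=KNOWN_HOSTS):
    """Return alerts for login attempts on accounts whose owner is on vacation."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        window = vacations.get(ev["user"])
        if not window or not (window[0] <= ev["time"].date() <= window[1]):
            continue  # owner is not on vacation on that day: nothing to report
        if ev["success"] and ev["mfa"] and ev["host"] in known_hosts.get(ev["user"], set()):
            severity = "info"    # owner's registered laptop plus second factor
        elif ev["success"] and not ev["mfa"]:
            severity = "high"    # password alone was accepted: consistent with sharing
        else:
            severity = "medium"  # failed attempt, or second factor from another host
        alerts.append((severity, ev["user"], ev["host"], ev["time"].isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in vacation_logins(SAMPLE_LOG):
        print(*alert)
```
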
