Managing identity in the cloud is risky business
Digitisation has connected us. Businesses are now able to interact quickly with thousands, if not millions, of customers and partners every day. But as digitisation forces organisations into the cloud, the situation is becoming complicated. There are many services for organisations’ employees and customers to log in to, hosted across multiple platforms that include the business premises, the public cloud, private cloud and third-party systems.
While this means that data and applications can be accessed wherever users may be, it has also opened doors for cyber criminals. According to Verizon’s 2018 Data Breach Investigations Report, 73 per cent of threats come from outside intruders, and insider threats are another serious concern. According to a 2017 survey by Cybersecurity Insiders, 52 per cent of organisations surveyed experienced attacks by insiders. It’s becoming clear that traditional defences such as firewalls alone are no longer enough to protect the company’s data – or their customers’.
If user experience isn’t as slick and secure as it can be, it can result in loss of employee productivity and loss of customers. There is a clear need to bridge these environments to provide the best experience for users while keeping sensitive information secure. Let’s explore how organisations can achieve this.
Before the clouds came
At one time, businesses’ IT departments could manage ID and access for their users. Apps were hosted on-premises, and businesses were protected from cyber criminals if their endpoints were protected by firewalls. It wasn’t exactly simple, but it was manageable.
But as internet connections grew, becoming more reliable, fast and widespread, apps started moving to the cloud. While this meant business applications and data could be accessed conveniently from any location, it also expanded organisations’ attack surface beyond the IT department’s reach. With so many applications to access, and so many being managed offsite by third parties, the landscape became complicated. Trying to give all employees, partners and customers access to what they need without putting security at risk became difficult – particularly as apps could be accessed offsite.
The evolution hasn’t stopped. The digital revolution continues to rapidly change the way we work. We need to adapt our thinking, our services and how we do business. Still, the business world can’t change overnight. There are now thousands of elements in the IT environment that organisations must bring together to provide a simple, seamless and secure customer journey. Meanwhile, cyber criminals are keeping pace with this complex and rapidly changing environment – so keeping user access simple and secure will be of paramount importance for the foreseeable future.
CIOs are looking to manage user identity and access while balancing the convenience of secure single sign-on for all apps and data – whether hosted online or on premises. Meanwhile, they must also protect users’ data and credentials. This combination is complex to manage, so IT departments are finding it more difficult to manage ID and access alone. Those with large user bases are using Identity and Access Management (IAM) solutions to help simplify access while enabling security across mixed environments. Some of these solutions are based in the cloud, but those looking to marry simplified access with superior security should be aware of the risks involved.
CIOs are often reluctant to put sensitive data in a cloud environment. Once it’s there, it’s no longer under the control of the company responsible for looking after it. It feels less secure than if it’s kept under your own control, and for good reason. Verizon confirmed that the top action involved in breaches was the use of stolen credentials in 2017, and web apps were the top target for threat actors. For now, keeping credential data off the cloud sounds like a safe bet.
CIOs aren’t the only ones concerned about storing credential data in the cloud. Gartner financial fraud analyst Avivah Litan discouraged companies from using single sign-on services based in the cloud, stating “It’s just such a massive single point of failure.” She commented that the remediation work necessary for the service provider and its customers after a breach would be a significant inconvenience compounding the significant risk.
It’s important, then, that CIOs keep sensitive data within an environment that they can control, but they must still find a way to navigate the cloud. So what’s the simplest, most secure and most flexible way to do so?
Considering user context
User context is a significant factor. With an increasing number of employees working remotely, they may be inadvertently making it easy for cyber criminals to steal information. Therefore, users should only have access to as much information as they need to do their job, and only when it’s safe to grant it. In that changing environment, an antivirus/firewall solution alone is not enough to enable simplicity and flexibility for user access. Equally, a pure IAM solution cannot secure an organisation’s environments on its own. To achieve the most secure result, an IAM solution should be used in combination with an organisation’s antivirus, firewall and other security architecture.
Meanwhile, it’s important to bear in mind that registered users don’t always have pure intentions. Intruders can come from within: according to Verizon, 28 per cent of data breaches involved internal actors, rather than external figures in disguise. Organisations must take care to manage access effectively, so users can only see as much as they need to perform legitimate actions.
While security is of paramount importance, genuine users should not be held back by overly complex authentication. It’s well known that customers will abandon transactions if the journey is too difficult. According to research by American Express, 78 per cent of online shoppers have bailed on a transaction because of a poor service experience. The right balance between security and simplicity can be found by identifying users dynamically, considering not just who they are, but also the context in which the transaction or session is taking place. IAM solutions can help you understand as much user context as necessary to provide simple, secure access in a seamless user experience.
For the safest result the IAM solution should enable you to consider the following factors:
- The location of the user – Where in the world is the user? Are they within the business’s offices or working remotely? Are they at home, or in a public place?
- The location of the application or data they’re requesting – Is it in an internal location, or held externally in the cloud? Is it federated with a third party?
- The device they are working from – Is it a recognised device, or one they haven’t used before to access the assets they’re requesting?
- Who the user is – Are they the right age, for example?
Taken together, these factors can make a lot of difference to the decision on how to validate that user, what they should be given access to, and what type of access to provide.
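As an added illustration (not code from the article or from Trustbuilder), the following Python sketch shows how an access policy can combine the four context factors listed above and the step-up authentication discussed later in the article. The risk weights, the resource names (`payroll`, `wiki`, `casino`) and the thresholds are constructed placeholder values; a real IAM product would source them from its own policy store. The point it demonstrates is that the same identity can get three different outcomes (allow, require an additional factor, deny) depending on where the user is, where the data lives, whether the device is known, and whether a required attribute such as age has actually been asserted. Unknown inputs are deliberately treated as the highest risk, so a missing attribute fails closed rather than open.

```python
"""Context-aware access decision: an added example, not the article's code."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after an additional authentication factor
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    user_location: str       # "office", "home", "public" or "unknown"
    resource_location: str   # "internal", "cloud" or "federated"
    known_device: bool       # has this device been seen for this user before?
    user_age: Optional[int]  # None when the identity provider did not assert it
    resource: str            # name of the application or data set requested


# Constructed policy table (hypothetical weights, chosen for this example only).
LOCATION_RISK = {"office": 0, "home": 1, "public": 2, "unknown": 3}
RESOURCE_RISK = {"internal": 0, "cloud": 1, "federated": 2}
UNKNOWN_DEVICE_RISK = 2

# Per-resource thresholds: at step_up_at an extra factor is required,
# at deny_at the request is refused outright. min_age is an attribute check.
RESOURCE_POLICY = {
    "payroll": {"min_age": None, "step_up_at": 1, "deny_at": 4},
    "wiki":    {"min_age": None, "step_up_at": 3, "deny_at": 6},
    "casino":  {"min_age": 18,   "step_up_at": 2, "deny_at": 5},
}


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Sum the context risk and explain which factors contributed."""
    reasons: List[str] = []
    # Unrecognised locations fall back to the highest risk bucket (fail closed).
    loc = LOCATION_RISK.get(req.user_location, LOCATION_RISK["unknown"])
    res = RESOURCE_RISK.get(req.resource_location, max(RESOURCE_RISK.values()))
    score = loc + res
    if loc:
        reasons.append(f"user location '{req.user_location}' adds {loc}")
    if res:
        reasons.append(f"resource location '{req.resource_location}' adds {res}")
    if not req.known_device:
        score += UNKNOWN_DEVICE_RISK
        reasons.append(f"unrecognised device adds {UNKNOWN_DEVICE_RISK}")
    return score, reasons


def evaluate(req: AccessRequest) -> Tuple[Decision, List[str]]:
    """Return the access decision and the reasons behind it."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY, [f"no policy for resource '{req.resource}': default deny"]

    # Attribute check: an unasserted attribute is treated as not meeting the bar.
    min_age = policy["min_age"]
    if min_age is not None and (req.user_age is None or req.user_age < min_age):
        return Decision.DENY, [f"age attribute missing or below {min_age}"]

    score, reasons = risk_score(req)
    reasons.append(f"total risk score {score}")
    if score >= policy["deny_at"]:
        return Decision.DENY, reasons
    if score >= policy["step_up_at"]:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    sample = AccessRequest("alice", "public", "cloud", False, 34, "payroll")
    decision, why = evaluate(sample)
    print(decision.value, "|", "; ".join(why))
```

The explanation list returned alongside the decision is what an operator would log: it turns a silent policy verdict into something that can be audited and tuned when genuine users start being pushed to step-up too often.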
This may all sound rather complex, and for organisations with large user bases, it is. Indeed, it is now too complex for those organisations’ IT departments to manage identity and access independently. What’s required is a flexible IAM solution that bridges multiple environments and enables a simple, secure customer journey, while keeping sensitive data where the IT department can control it.
Validating all of these aspects of user context requires robust management. Policies must be created to enable the good guys through the gates. Meanwhile, digital evolution will not stand still. The way that we use systems will change as we integrate new technology and enable users to interface in different ways, so policies will need to be altered to adapt.
For example, there will soon be a greater focus on multi-factor authentication throughout Europe, when the second Payment Services Directive (PSD2) is introduced. As outlined by Visa in its report, Securing Internet Payments: The current regulatory state of play, PSD2 along with guidelines from the European Banking Authority will mandate “strong customer authentication” for certain online payment transactions. This will mean that banks will begin to ask their customers to prove their identity using additional authentication factors when PSD2 is enforced from September 2019. They may choose to ask for biometric information such as a fingerprint, or a one-time password sent to the customer’s mobile device.
Some organisations have already started to introduce this, even beyond banking and financial services. Google, Facebook, Twitter, Dropbox and others now allow their customers to use certain additional factors when logging in. At present, this is an optional extra to provide users with a sense of security, but it may become mandatory and more commonplace in future. Another challenge for businesses will be to adapt to these changes without spending inordinate time and investment changing existing architecture.
Changes such as these make it important for organisations looking to introduce IAM solutions to choose one that allows the CIO to adapt without complex integration at each stage. The best way is to find an IAM solution that enables you to manage your identity and access policies without the need to alter or abandon existing systems. Flexible IAM solutions enable the CIO to define access policies without significant recoding or systemic change, so the organisation can keep up with the ongoing technological revolution without significant effort and investment.
Marc Vanmaele, CEO and Founder, Trustbuilder