Management of identity and access to the workplace.


About the Author

Jim Ducharme is vice president of identity products at RSA Security.

It seems that data breaches and cyber attacks are part of our hyper-connected world. This year alone, billions of data records have been compromised. Despite the growing number of threats and the increasing sophistication of attacks, the way companies secure access to critical resources has not changed much.

Identity has regained its importance as businesses realize that stolen identity is the number one security problem and often the weak link in the security system. To solve this problem, companies must analyze their activities to ensure that the three essential dimensions of identity risk are taken into account:

  • Identity assurance: Are they the users they say they are?
  • Access assurance: Do we understand what users should be able to do and access?
  • Uptime Guarantee: Are users behaving correctly?

    Identity and access assurance is the most important control for digital risk management. To truly detect and manage identity risks, organizations should consider a risk-based authentication solution that can analyze access, devices, applications, and user behavior to ensure users are who they claim to be.

    In addition, organizations face two main challenges in managing today's dynamic workforce:

  • Workforce Transformation: From remote employees to contract workers to external partners and more, the user population is more dynamic than ever. Identities are dispersed everywhere, and many access points leave the door open to cyberattacks at a time when threats are becoming more sophisticated and harder to detect.
  • The expanding attack surface: Applications have moved out of the relative safety of corporate castle walls and into the cloud. And as applications and data become more accessible than ever across multiple private and public cloud infrastructures, businesses are simultaneously creating more and more islands of identity and increasing the attack surface.

    What can happen if identity is mismanaged?

    With an endless stream of high-level data breaches and malicious cyberattacks, we've seen what can happen when identity isn't handled properly. Identity and access management can no longer be an afterthought, and businesses can no longer rely on old security postures in the ever-changing security landscape.

    We also found that new and more stringent regulations like PMPs are encouraging organizations to start having important conversations around data, privacy, and compliance. With more and more at stake, including financial damage in the form of non-compliance expense, regulatory fines, and the potentially irreparable loss of customer trust and reputation, companies are now looking for innovative and secure solutions to authenticate users seeking access to critical resources. It is essential that companies take the time to assess and understand where their crown jewels are in order to protect them.

    With many organizations now working with third parties, how does this affect your identity management?

    In the age of digital transformation, success is a team sport. Today, most companies rely on third parties to deliver many benefits, including innovation, speed, and efficiency. However, these benefits come with unpredictable and inherited risks; in fact, 59% of businesses have been the victim of a data breach by a third party.

    As companies build out their third-party ecosystems, they must simultaneously seek to protect their critical internal systems, sensitive data, and consumer digital channels. To effectively manage identity and access management postures, organizations should use an automated, risk-based approach that certifies identities, assigns appropriate access levels based on user responsibilities, and accommodates the unique user authentication requests of third parties.

    Organizations must also consider that third-party relationships are often managed in silos, within different functional units or functions. Each role may have its own way of identifying, evaluating, and managing trading partners. Not only does this lead to redundant activities, but it also prevents the management team from gaining a complete and accurate view of the risks and performance of third parties within the organization.

    And without a good understanding of their company's exposure to third-party risk, executives can't make an informed decision about how much to invest, and where, to protect the business from these risks and effectively manage identity and access risks.

    How can organizations better regulate third-party access to critical applications and resources?

    It is now extremely rare to find a company totally dependent on its in-house staff and technology, whether for cloud computing or the employment of freelancers or temporary consultants. Third parties change the identity dynamics and multiply the number of identities to manage.

    Additionally, all of these identities require more or less access, and some may even require privileged access to sensitive data, leaving IT teams managing a constant stream of identities. Platforms like RSA Identity Governance & Lifecycle allow organizations to manage third-party access to ensure proper access to critical systems and sensitive data.

    Where are companies currently going wrong in effective access management?

    The biggest mistake companies can make is not understanding where their crown jewels live. Massive data breaches exposing customer data, trade secrets, etc., are a reminder that businesses need to take the time to assess and understand where their sensitive data is. Without this, it is impossible to build a comprehensive view of digital risk.

    This includes the ability to recognize identity change; for example, if an employee's role (and therefore access requirements) changes, the IT team needs complete visibility into the transition period between the user's old and new access privileges, to prevent abuse.

    End users are also an essential part of the puzzle, and many organizations don't realize the friction that can be caused by restrictive or arduous authentication and access measures. All IT teams aim to find ways to create frictionless identity, otherwise users will simply find ways to bypass security, creating new blind spots for security teams. Identity authentication solutions should always be associated with additional layers of security to properly manage digital risks and provide a higher level of identity assurance.

    Is there a perfect authentication measure that companies can use to secure their most critical assets?

    In the world of identity, there is no quick fix for authentication. The challenge for organizations often lies in determining the correct authentication strategy. The user population is more dynamic than ever; identities are scattered everywhere and businesses need a strategy that secures multiple access points.

    There are also more authentication options than ever before, from USB sticks to hardware tokens and mobile authenticators. While continuing to embrace digital transformation initiatives and regulatory considerations, enterprises must also continue to assess authentication requirements and not place the burden of security on a foolproof authentication solution.

    Finally, what are the future issues that will affect companies in terms of identity risk management?

    The notion of a dynamic workforce is only going to get more complex as companies continue to look to smart devices (which are getting smarter) and stand-alone processes to improve productivity in day-to-day business operations.

    This explosion of the Internet of Things (IoT) has made it a target for hacking, and has reached a tipping point at which the conversation about identity will take on a whole new dimension. The number of identities associated with autonomous things or processes will soon outnumber the actual humans for whom these things are acting. For this reason, organizations will need to prepare to manage the unprecedented and evolving digital risk that accompanies the identity of things.

    Similarly, as businesses continue their digital transformation and cybercriminals become more efficient, companies will need to continually modernize their authentication measures. From USB security keys to biometrics, email and mobile devices, there will be more authentication solutions to evaluate than ever before.

    However, no single risk profile applies to all organizations large or small, making digital risk management and cybersecurity particularly challenging. When determining the right identity risk management strategy, companies will need to take the time to understand user behavior and activities and align them with effective identity and access security measures.
