The security world has endured one scandal after another since Edward Snowden’s leaks hit the news. Recently, investigators revealed that Snowden used an NSA employee’s personal credentials to log into the system. It is remarkable how one unsuspecting employee’s mistake led to such a chain of events. The employee resigned in January, taking responsibility for his actions, and it is likely that others who may have been involved will follow. However, the one question no one seems to be asking is: should we put so much power in the hands of users, or are there other security measures we need to take?
I think that all this talk about educating end users misses the point. Organizations also need to take responsibility and realize that they have to protect users, rather than expecting users to protect themselves.
Up the ante on your identity
Many companies are asking themselves, “Is there really anything we can do to stop hackers?” We all know that attackers are constantly looking for the newest approach to cracking systems and stealing information. The truth is that many companies are still using legacy identity technology, a bare-bones approach to dealing with today’s cybercriminal. Considering the damage a highly publicized breach does to a firm’s brand and reputation, the lack of initiative is surprising. In particular, there are a few security options that companies continuously overlook, including federation.
Federation is a way to grant partner applications access on behalf of your users without handing those partners the users’ credentials or profile data. You establish a trust relationship with the partner (typically by exchanging signing keys or certificates), your identity provider authenticates the user, and the partner application accepts a signed, short-lived token (a SAML assertion or an OpenID Connect ID token) in place of a password. The token carries only the attributes the partner actually needs, often just an opaque, partner-specific identifier rather than a name or e-mail address, so the user is effectively pseudonymous to the partner. This is an approach that could have reduced the exposure in the Target breach, where attackers got in using credentials stolen from a third-party vendor. With federation there is no reason for companies to share user credentials or profile data with their partners, a large step forward in protecting end users. One caveat: federation moves the credentials to the identity provider rather than eliminating them, so it has to be paired with strong authentication, token revocation and auditing at that single point.
But federation is not the only answer. Yes, with federation the data you share with partners is protected, but that is only one step. Organizations must also make sure that their own security systems are strong enough to keep attackers out. As mentioned, most companies are still relying on legacy systems. They have a mentality of “it won’t happen to us,” and they don’t take the time to invest resources in a solution built for today’s Web. As attackers advance their skills, many companies are sitting ducks, waiting to see whether their system is the next to get attacked.
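The token exchange described above, as an added example that is not part of the original post and not ForgeRock’s code: the identity provider authenticates the user against a store the partner never sees, then issues a short-lived token signed with a key shared with that one partner, carrying a partner-specific pseudonymous subject and only the attribute the partner needs. The partner application verifies signature, issuer, audience and expiry and never handles a password. The user directory, partner names and the HMAC-signed token format are constructed for this example; a real deployment would use SAML or OpenID Connect with asymmetric keys and a slow password KDF at the identity provider.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample user store held ONLY by the identity provider (IdP).
# A real IdP would hash passwords with bcrypt/argon2; plain SHA-256 is a
# stand-in so the example runs with the standard library alone.
USER_DIRECTORY = {
    "alice@example.com": {
        "password_hash": hashlib.sha256(b"correct horse battery").hexdigest(),
        "full_name": "Alice Example",   # never leaves the IdP
        "ssn_last4": "1234",            # never leaves the IdP
        "role": "buyer",                # the one attribute partners need
    },
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates users and issues short-lived, partner-specific tokens."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.pairwise_salt = secrets.token_bytes(32)  # secret, never shared
        self.partner_keys = {}

    def register_partner(self, partner_id):
        # The trust relationship: one signing key per partner, exchanged at onboarding.
        key = secrets.token_bytes(32)
        self.partner_keys[partner_id] = key
        return key

    def pairwise_subject(self, username, partner_id):
        # Opaque identifier that differs per partner, so two partners cannot
        # correlate the same user and the e-mail address itself is not shared.
        raw = self.pairwise_salt + partner_id.encode() + b"\0" + username.encode()
        return hashlib.sha256(raw).hexdigest()[:32]

    def check_password(self, username, password):
        record = USER_DIRECTORY.get(username)
        if record is None:
            return False
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(record["password_hash"], candidate)

    def issue_token(self, username, password, partner_id, ttl=300, now=None):
        if not self.check_password(username, password):
            raise PermissionError("authentication failed")
        now = int(time.time()) if now is None else now
        claims = {
            "iss": self.issuer,
            "aud": partner_id,                                   # bound to one partner
            "sub": self.pairwise_subject(username, partner_id),
            "role": USER_DIRECTORY[username]["role"],
            "iat": now,
            "exp": now + ttl,                                    # short-lived
        }
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.partner_keys[partner_id], body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64url(sig)}"


class PartnerApp:
    """Relying party: holds no passwords or profiles, only its key from the IdP."""

    def __init__(self, partner_id, trusted_issuer, key):
        self.partner_id = partner_id
        self.trusted_issuer = trusted_issuer
        self.key = key

    def accept(self, token, now=None):
        body, _, sig = token.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):  # check before parsing
            raise ValueError("bad signature")
        claims = json.loads(unb64url(body))
        if claims.get("iss") != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.partner_id:
            raise ValueError("token issued for a different partner")
        now = int(time.time()) if now is None else now
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("token expired or not yet valid")
        return claims


def verdict(partner, token, now=None):
    """Return 'accepted' or the reason the partner rejected the token."""
    try:
        partner.accept(token, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def federated_login(idp, partner, username, password, now=None):
    token = idp.issue_token(username, password, partner.partner_id, now=now)
    return partner.accept(token, now=now)
```

Run `federated_login(idp, partner, "alice@example.com", "correct horse battery")` after registering the partner with the IdP: the partner receives a `sub` that is a different opaque string for every partner, a `role`, and timestamps, and nothing else from the directory. The audience check matters even if a signing key ever leaks, since a token minted for one partner is refused by another.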
Step away from legacy
While companies sit back with a false sense of security, their business is evolving, and how they engage with employees, partners and customers is fundamentally changing. To cope with the changing landscape, companies need to ensure that their identity management is adaptable and built for ubiquitous access and Internet scale, something that legacy security solutions, identity included, were not designed to handle.
In a world of attackers and security breaches, it is very important for companies to arm themselves with up-to-date technologies and processes. Legacy identity management software is far behind the times and puts end users at risk. This has real implications for the company, as we have seen with Target. With the number of breaches on the rise, it is time for companies to re-evaluate their foundation, identity, and make sure that it is ready to deal with the onslaught of threats.
Daniel Raskin | www.forgerock.com | @raskindp
Bio: Daniel is currently VP of marketing at ForgeRock and has more than 15 years of experience building brands and driving product leadership. Prior to joining ForgeRock, he served as chief identity strategist at Sun Microsystems. Daniel has also held leadership positions at McGraw-Hill, NComputing, Barnes & Noble and Agari. He holds a master’s degree in international management from Thunderbird School of Global Management and a master’s degree in publishing from Pace University.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.