These days, the shock of one mega data breach barely has time to fade before news of another arrives. Target. Michaels. Neiman Marcus. High-profile resignations are happening, data security is making headlines in the mainstream press, and consumers are anxiously recalling credit-card purchases they made months ago. But this is only the beginning. For too long, organizations have been collecting identity information without implementing stringent security precautions to protect customers. The consequences are only just starting to hit home—and they’re hitting hard.
In any breach there is damage to the brand and a loss of customer confidence, both extremely hard to quantify but capable, at worst, of crippling future growth. And there are fines, too. Target and Neiman Marcus both disclosed their breaches promptly, but when Kaiser Foundation Health Plan lost a hard drive holding information on more than 20,000 Kaiser employees and their families, it waited three months to notify the affected individuals and found itself in court. California requires companies to disclose breaches in a timely way, and the state is now suing Kaiser for $2,500 per violation, which adds up to a potential fine of $51.3 million. Companies operating in other states could soon face similar standards: the White House is proposing a consistent national standard for promptly notifying consumers in the event of a breach.
Such security issues are the logical outcome of pervasive connectivity: if everything is connected, everything is vulnerable. Still, many organizations have been caught by surprise. They’re suddenly realizing they are vulnerable, and this is driving a new awareness of how critical security processes and technologies are tied to customer engagement, revenue, and brand equity.
Every business, nonprofit, or other organization that holds personal data needs to reevaluate the security of its IT infrastructure and start asking itself the following questions: “How can we mitigate risk?”; “How can we make sure the right users have access to only what they need?”; and most importantly, “How can technology advancement help manage identities so that we can continue to benefit from wider connection and sharing of personal data without running the risk of exposure?”
Firewalls and perimeter defenses offer limited protection on their own when so many systems must be reachable by huge numbers of users outside the organization. Instead, many organizations are drawn to an approach that Brad Maiorino, recently hired as Target’s chief information security officer, calls “attack surface reduction.”
“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Mr. Maiorino said. “You have to simplify and consolidate those as much as possible.”
In addition to reducing the number of connection points, companies are making the login itself harder to abuse. Weak user-selected passwords are the Achilles heel of many systems, so more organizations are implementing multi-factor authentication, which means that a guessed or stolen password is no longer enough on its own for an unauthorized person to log in.
But while tightening up access makes sense to a point, customers and business partners demand ease of access and will take their business elsewhere if access feels too complicated. Instead of getting more restrictive, organizations need to add more contextual intelligence to their access processes. Today’s single sign-on (SSO) must be more than a simple yes/no decision. Access systems should capture and act on context for each transaction.
Context includes multiple factors and so requires security teams to ask themselves a variety of questions. Which systems does this particular user need to access in order to complete their legitimate tasks? When does this user need access? Where is this user located? With a tightly defined context of the norm for each user, security systems can accurately spot and respond to deviations from the norm. If someone logs in from a new device or a different country, for example, systems should ask for additional authentication.
Such contextual intelligence could have helped protect Target. Why would an HVAC vendor need access to POS systems? Why would they be logging on in the middle of the night, when they typically do their maintenance during business hours? And why were they logging in from a remote location when usually they logged in from one of their offices or a Target location? Any one of these contextual clues could have raised a red flag and potentially prevented the breach.
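The two preceding paragraphs describe the decision a context-aware access system makes: compare each request against a per-user norm (entitled systems, known devices, usual location, usual hours), then allow, step up authentication, or deny. The following is an added example of that logic written for this page; it is not ForgeRock code and not taken from any real incident. The account names, system names, device identifiers, the baselines and the access events are all constructed, and the policy thresholds (any request for a system the account is not entitled to is denied outright; a single soft deviation triggers step-up; three or more deviations deny) are assumptions chosen for illustration. The last event is modelled on the vendor scenario the text poses, not on actual Target logs.

```python
"""Context-aware (risk-based) access decision, as an added illustration.

Everything here (accounts, systems, devices, baselines, events and the
thresholds in decide()) is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Baseline:
    """What 'normal' looks like for one account."""
    entitled_systems: frozenset   # systems the account legitimately needs
    known_devices: frozenset      # device fingerprints seen before
    usual_countries: frozenset    # countries the account usually logs in from
    usual_sources: frozenset      # network locations (office, store site, ...)
    work_hours: tuple = (8, 18)   # local hours [start, end) when access is expected


@dataclass(frozen=True)
class AccessEvent:
    user: str
    system: str
    device: str
    country: str
    source: str
    when: datetime


def risk_signals(event, baseline):
    """Return the deviations of one request from the account's baseline."""
    signals = []
    if event.system not in baseline.entitled_systems:
        signals.append("system_not_entitled")
    if event.device not in baseline.known_devices:
        signals.append("new_device")
    if event.country not in baseline.usual_countries:
        signals.append("new_country")
    if event.source not in baseline.usual_sources:
        signals.append("unusual_source")
    start, end = baseline.work_hours
    if not start <= event.when.hour < end:
        signals.append("outside_work_hours")
    return signals


def decide(event, baseline):
    """ALLOW when the request matches the norm; STEP_UP (ask for another
    factor) on one or two soft deviations; DENY when the account is not
    entitled to the target system at all or when three or more signals stack up.
    The entitlement check is a hard rule: context never overrides it."""
    signals = risk_signals(event, baseline)
    if "system_not_entitled" in signals or len(signals) >= 3:
        return "DENY", signals
    if signals:
        return "STEP_UP", signals
    return "ALLOW", signals


# Constructed baselines: an employee and a facilities vendor account.
BASELINES = {
    "alice": Baseline(frozenset({"crm", "email"}), frozenset({"dev-a1"}),
                      frozenset({"US"}), frozenset({"hq"})),
    "hvac-vendor": Baseline(frozenset({"vendor-portal", "building-mgmt"}),
                            frozenset({"dev-v1"}), frozenset({"US"}),
                            frozenset({"vendor-office"})),
}

# Constructed access events, in the order they are evaluated.
EVENTS = [
    AccessEvent("alice", "crm", "dev-a1", "US", "hq", datetime(2014, 3, 3, 10, 15)),
    AccessEvent("alice", "crm", "dev-a9", "US", "hq", datetime(2014, 3, 3, 10, 20)),
    AccessEvent("alice", "crm", "dev-a1", "BR", "hotel-wifi", datetime(2014, 3, 3, 2, 5)),
    AccessEvent("hvac-vendor", "building-mgmt", "dev-v1", "US", "vendor-office",
                datetime(2014, 3, 3, 11, 0)),
    AccessEvent("hvac-vendor", "pos", "dev-v1", "US", "remote", datetime(2014, 3, 3, 2, 30)),
]


def evaluate(events=EVENTS, baselines=BASELINES):
    """Run every event through decide(); returns (user, system, decision, signals)."""
    results = []
    for e in events:
        decision, signals = decide(e, baselines[e.user])
        results.append((e.user, e.system, decision, signals))
    return results


if __name__ == "__main__":
    for user, system, decision, signals in evaluate():
        print(f"{user:12} -> {system:14} {decision:8} {signals}")
```

Run stand-alone, the script prints one line per event: the routine employee login is allowed, the same employee on an unknown device gets a step-up challenge, the employee's 2 a.m. login from a new country over an unfamiliar network is denied on accumulated signals, the vendor's daytime request to the building-management system from its own office is allowed, and the vendor's night-time request for the POS system from a remote source is denied because the entitlement rule fails before context is even weighed. In a real deployment the baselines would be learned from history and refreshed, and the DENY branch would also raise an alert so the event reaches the security team rather than silently disappearing.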
The increasing size and number of breaches suggest that the era of traditional Identity and Access Management (IAM) is over. IAM was internally focused and designed to support thousands of employees on their corporate laptops. It was never built to interact securely with external users, potentially numbering in the millions, all of whom are logging in from multiple mobile devices, tablets, web browsers, and the Internet of Things at any time, from anywhere. In today’s digital world, the ability to manage a multitude of external users is becoming increasingly important.
That’s why the industry as a whole has begun to shift to Identity Relationship Management (IRM), which ties users to digital identities that an organization can identify and interact with so that they can deploy seamless and secure services to these customers across applications, devices, and things. IRM can support multiple devices per user, react to context, and scale up to accommodate millions of users at a time. It links devices—laptops, phones, touchpads, and even cars—and new mobile and social apps to a single security platform that enables identity synchronization and SSO anytime, anywhere.
IRM offers organizations a dynamic security system built for this environment rather than retrofitted to it. At the same time, because it provides much greater insight into who accesses which systems, from which devices, and when, its benefits go beyond security. This new data helps companies understand their customers, not just protect them, although it is itself personal data and must be secured with the same care as the identities it describes. It opens up new revenue opportunities for cross-selling, upselling, and delivering personalized services to customers. Given the combination of adaptive security and a personalized customer experience, IRM is a technology every organization should be evaluating now, preferably before the next big breach hits the headlines, and certainly before the next big breach hits them.
By Daniel Raskin, Vice President of Marketing, ForgeRock
About ForgeRock
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.