IT Security Guru

Adopting a User-Centric Approach to Protect Sensitive Data

by The Gurus
June 20, 2016
in News, Opinions & Analysis

The world has changed. With more users accessing data outside the corporate firewall and from mobile devices, businesses can now allow for more flexible work environments. But this increased access has also brought an upsurge in the risk of data breaches and threats from hackers.
Recent high-profile breaches have heightened overall market awareness of security, not just within the CSO community, but among CEOs and boards of directors as well.
Protecting the sensitive data within an organisation’s work systems is no longer just about building an impenetrable network perimeter; it is also about securing users against phishing and social engineering attacks and data breaches, and protecting data in cloud applications and on mobile devices. This requires a contextual, risk-based approach based on user identity, historical patterns of behaviour, and the request itself.
Identity is the new boundary
Before cloud, organisations secured their data within virtual network perimeters protected by firewalls, data loss prevention systems, virtual private networks (VPNs) and intrusion detection/prevention systems. However, as enterprises make the transition towards the cloud, and with IT no longer controlling every application or device that accesses corporate data, managing access is becoming increasingly challenging.
The network perimeter is now a field of constantly changing variables, context and policy, defined by each user, and more specifically, by their identity. It’s up to each organisation to protect those identities in a user-centric way, regardless of the user’s location or the device they are using.
As a result, rather than just focusing on devices and infrastructure, organisations like Gatwick Airport and Peterborough City Council are concentrating on the user. By using contextual data about users, devices, and patterns of behaviour, they can more accurately detect unauthorised attempts to access corporate information, and better mitigate the risk of a security breach.
Passwords are becoming a thing of the past
According to Okta’s latest Businesses @ Work Report, organisations use anywhere between 10 and 16 apps – an increase of about 20 percent in just one year. Because most people use dozens of applications, there’s a natural tendency to reuse passwords across all personal and professional channels, or leave them written on pieces of paper for all to see. “Password fatigue” inherently makes every application less secure, so a stolen Financial Times password might compromise a user’s Salesforce.com or Active Directory account. It also means that users themselves have become a potential threat to organisations’ data security. In fact, according to IBM, insiders are responsible for more than half of data breaches worldwide.
In response, to protect themselves against the range of attacks that rely on stealing user credentials, many organisations are adopting multi-factor authentication (MFA). MFA improves security by using single-use, expiring tokens to exchange authentication and authorisation data between a trusted identity provider and an application. It involves the use of two or more different types of authentication — such as a password plus a temporary key which is sent to a user’s phone, dongle, email address, or app — to secure corporate data and avoid highly targeted social engineering attacks, such as phishing or pretexting. That way, businesses can ensure the right people have the right access to sensitive information, and reduce the risk of unauthorised access.
While traditional forms of MFA have depended on cumbersome hard tokens or easily discoverable security questions, a new generation of MFA technology now enables IT and security teams to take a user-centric approach to application security. Okta’s data reveals that businesses are moving away from the traditional security questions — such as “What’s your mother’s maiden name?” or “What was the name of your first pet?” — as a second form of verification, and choosing more modern forms of MFA to secure their environments, like push authentication, which enables users to verify their identity with a single tap on their mobile device without the need to type a code.
Protecting data with automated provisioning
Organisations around the world suffer consequences when they don’t properly manage user identities. In addition to MFA, more and more businesses are implementing solutions that provide a simple way for them to protect sensitive information, by giving IT more control over the different applications, access points and user types that will be connected to their cloud systems.
In order to ensure that users have the right amount of access, and that access is given and taken away at the right time, organisations are managing access with single sign-on (SSO) and provisioning. Provisioning enables IT to make real-time updates as employees and contractors come and go, and gives them visibility into users’ behaviour to detect when something is not right. With automated deprovisioning tools, the IT team can deactivate a corporate identity across all enterprise resources within seconds, so that once an employee or freelancer has left the company, crucial data cannot leave with them.
Staying in control of the network
With almost any technology at their fingertips, employees will use whatever they need to get their work done — even if that means using tools or practices that could unintentionally create a security risk for the organisation through a simple error. Therefore, the real security issue that businesses need to address is not how secure the cloud is, but rather how to improve visibility and control across on-prem and cloud systems, while also enabling the business to grow through simplifying user access to cloud and mobile technology.
In order to quickly reduce concerns over visibility of users, devices and applications, organisations must adapt to the ever-changing environment. By implementing a user-centric security strategy based on identity, they can empower users to access any application they need, easily and securely.
