Employees often fall victim to phishing and social engineering attacks that result in compromised system access and data breaches. Some industry estimates report that employee errors cause data breach incidents in over 90 percent of cyber security attacks. The problem is even worse when some of the victimized employees are super users with highly privileged system access.

One of the easiest and cheapest ways hackers target companies and their systems is through phishing emails that appear to come from trusted sources, such as company executives or IT support personnel, instructing employees to click a link; the link then prompts them to enter their ID and password to complete the task. The compromised accounts and passwords are then used to steal data or to target other potential victims.

Many companies continue to focus their cyber security attention elsewhere, neglecting employee education. “Hackers know that employees present vulnerabilities that seldom exist in fortified systems which they can easily and cost-effectively exploit to achieve their goals,” according to Henry Bagdasarian. This is also why children make easier targets than adults: they are easily fooled by fraudulent emails while using the home computer shared by the entire family, where tax returns and other documents containing valuable information are stored. Imagine a child clicking on a link and following the subsequent instructions, resulting in spyware being installed on the home computer. Anyone who uses that computer afterwards to access bank accounts and other online accounts is at risk of having their password and account information compromised.

One of the main principles of security management is identifying and categorizing risks. The risk of an employee being the target of a hacker attack is seldom taken as seriously as an attack on a company’s system and technology infrastructure, when in fact employees pose the greatest risk, and one that costs far less to remediate than system vulnerabilities. Most companies do an excellent job of securing their systems while failing to recognize and resolve the greatest risk facing their organizations, which happens to be the common root cause of most data breach incidents.

According to Bagdasarian, “other human errors that lead to data breach cases include:

  • account and password sharing,
  • management override of controls,
  • use of unchecked personal devices for business,
  • lack of data loss prevention (DLP) controls,
  • high number of exceptions to policies,
  • hiring criminals due to lack of background checks,
  • lack of system and user monitoring, and
  • ignoring inactive, orphan, and excessive number of privileged accounts for a long period of time”.

Resolving Employee Error Risk

Assuming that employees are the greatest risk to organizations, one of the best actions a company can take to minimize that risk is to assess the level of access each employee has and determine whether that access is needed and appropriate. Once employees with highly privileged access are identified, they must be targeted for increased cybersecurity awareness and education. To further minimize the risk, on-boarding and off-boarding practices must be assessed to ensure that excessive access is never granted unnecessarily and that departing employees are removed from systems immediately upon departure. Once this is done, plan to repeat the process soon and audit the systems periodically to ensure nothing falls through the cracks.
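The periodic access review described above, and the account hygiene problems listed earlier (orphan, inactive and excessive privileged accounts), can be turned into a repeatable check. The following is an added example, not code from the article or from Identity Management Institute; the account inventory, role names, 90-day inactivity window and "approval recorded" field are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample settings: a fixed "today" keeps the example deterministic.
TODAY = date(2024, 6, 1)
INACTIVE_AFTER = timedelta(days=90)
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "root"}   # assumed role names

@dataclass
class Account:
    user: str
    owner_active: bool            # False once HR marks the person as departed
    enabled: bool
    last_login: Optional[date]
    roles: set = field(default_factory=set)
    approved_roles: set = field(default_factory=set)  # roles with a recorded approval

def review_account(acct: Account) -> list:
    """Return the findings for one account (an empty list means nothing to fix)."""
    findings = []
    privileged = acct.roles & PRIVILEGED_ROLES
    if acct.enabled and not acct.owner_active:
        findings.append("orphan: owner has departed but account is still enabled")
    if acct.enabled and (acct.last_login is None or TODAY - acct.last_login > INACTIVE_AFTER):
        findings.append("inactive: no login within %d days" % INACTIVE_AFTER.days)
    unapproved = privileged - acct.approved_roles
    if unapproved:
        findings.append("excessive: privileged roles without approval: %s" % ", ".join(sorted(unapproved)))
    return findings

def review_accounts(accounts) -> dict:
    """Map user -> findings, keeping only the accounts that need attention."""
    return {a.user: f for a in accounts if (f := review_account(a))}

def awareness_targets(accounts) -> list:
    """Active users holding privileged roles: the group to prioritise for awareness training."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.owner_active and a.roles & PRIVILEGED_ROLES)

# Constructed inventory: one clean admin, one departed owner, one unapproved root, one never-used account.
SAMPLE = [
    Account("alice", True, True, date(2024, 5, 30), {"domain_admin"}, {"domain_admin"}),
    Account("bob", False, True, date(2024, 1, 10), {"db_admin"}, {"db_admin"}),
    Account("carol", True, True, date(2024, 5, 28), {"root", "dev"}, set()),
    Account("dave", True, True, None, {"dev"}, set()),
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE).items():
        print(user, "->", "; ".join(findings))
    print("awareness targets:", awareness_targets(SAMPLE))
```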

Companies dealing directly with consumers face particular challenges in the area of identity management. In addition to handling the identities of internal users, these companies are also tasked with protecting the information of hundreds of thousands or even millions of customers. Successful customer identity and access management (CIAM) requires a balanced approach focused on both data security and user experience.


IAM vs. CIAM: Unpacking the Differences

Traditional identity and access management (IAM) deals with a group of known users within a specific organization. The organization creates and manages identities, stores information in a central location and uses sets of roles or rules to control access to applications and information. Even in enterprises, the number of identities accessing a network at any given time remains relatively small, and IAM solutions deal mainly with providing accessibility and productivity.

CIAM, by contrast, involves a vast number of identities created and managed by users. These identities encompass all behaviors customers exhibit as they interact with a business or organization and may include public information or highly sensitive private data. Due to this level of detail, compliance is even more important than with traditional IAM, making consent management an essential element of any CIAM policy. Customers also expect a personalized experience with easy access and seamless transitions between devices and platforms.

IAM and CIAM do share some characteristics, including centralized information storage and multifactor authentication (MFA) methods. However, the tools and platforms for managing identities differ, requiring businesses to adopt a separate solution for CIAM. With over 3 billion records exposed through breaches in 2018, a clear need exists for an approach designed to meet the most pressing challenges of managing customer identities.

CIAM Challenges

The sheer volume of users is the core concern in CIAM. A greater number of users creates a much larger centralized database of identities, which can easily become a target for hackers. At the same time, regulatory bodies are updating compliance requirements in response to consumer demand for more control over the information companies store and share.

CIAM becomes even more complicated when considering the diversity of the devices people use to interact with businesses. In 2017, the average North American consumer owned 13 connected devices, and more internet-ready “things” continue to appear as a growing number of companies enter the IoT market. Most people move between devices throughout the day, and some devices contain multiple user profiles. CIAM must address the need for a seamless experience regardless of how users choose to log in at any given time. 

Behavioral monitoring to detect possible malicious activity takes on a much wider scope in CIAM. Having such a large number of unique preferences and behavior patterns requires a highly sensitive monitoring solution with the ability to learn, remember and recognize a huge volume of customer interactions and detect when something deviates from the norm. Integration with CRM is essential if businesses wish to leverage data for marketing, but monitoring for security purposes must take precedence to ensure customers are granted appropriate accessibility without putting sensitive data at risk.

Approaches and Solutions for Businesses

How can businesses and organizations strike a balance between maintaining security and providing the kind of experience customers demand? It helps to consider CIAM as part of an overall approach to customer service. Customers want both security and ease of use, and failing to deliver can have a negative effect on a company’s bottom line. 

An assessment of current data collection and storage practices is a good place to start. Companies should know:

• How customers share data
• The channels through which data comes in
• How data is stored once collected
• Who within the company has access to customer data

Combining this information with knowledge of how customers interact with the business provides guidance when choosing a CIAM solution. Platforms must be designed to scale to meet demands while providing the integrations businesses need to create the right combination of security and usability.

Single sign-on (SSO) and bring-your-own-identity (BYOI) options provide at least a partial solution by offering customers the option of signing in to multiple different accounts using one identity instead of creating separate profiles. Before investing in these third-party platforms, however, businesses need to know how providers handle security. Poor security measures can not only put companies at risk for noncompliance but also result in a potentially catastrophic loss of customers should a breach occur.


Conclusion

As an increasing number of users share information requiring various levels of security, businesses must now protect company data and assets along with all the information customers share through a diverse range of interactions spanning multiple channels and endpoints. Robust CIAM platforms providing seamless customer experiences are essential for meeting these diverse needs. IT professionals certified in relevant IAM disciplines can guide companies in creating and implementing customized solutions with the right tools to face tough security challenges.

In an age where over 20 billion devices are expected to be connected to the internet by 2020, identity theft is a major concern. Data breach notifications in the U.S. jumped from 12 percent to 30 percent between 2016 and 2017, and fraudulent use of identity information affected 16.7 million people, resulting in the loss of $16.8 billion in 2017. These statistics indicate the need for a better way to control access and protect identities.

One promising possibility is the use of blockchain technology to put control and ownership of identifying information back into the hands of users and eliminate some of the major risks associated with current identity management systems.

Decentralized Identity in the Blockchain

Many of the ways businesses and organizations manage identities are far from efficient and include multiple points of vulnerability. User information is often stored in centralized databases or connected to third-party authentication services, creating pools of data hackers can easily mine and exploit. Companies storing the data maintain the lion’s share of control, leaving users to rely on privacy regulations to ensure proper handling of their information.

Blockchain technology could change this whole picture by taking the centralized element out of identity creation and management. The nature of data creation and storage in the blockchain makes decentralized and self-sovereign identities possible for individuals, organizations and devices. Instead of multiple identifiers spread across platforms, decentralized identity involves a single, user-controlled set of identifiers integrated into the blockchain, which theoretically could allow universal access to platforms and services.

Each “block” of data in the blockchain has its own unique “hash” setting it apart from all others. New blocks are stored in a linear, chronological fashion, and each block contains the hash information from the one before it. The result is a database of information in which blocks are both independent and interconnected, making it incredibly difficult for hackers to tamper with data. Editing information in any one block causes the hash to change and requires adjusting the hashes of all subsequent blocks, a monumental task even for the most enterprising identity thieves.
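The linking described above can be shown with a minimal hash chain. This is an added example, not code from the article or from any blockchain project; the identity-claim records and the use of SHA-256 over a JSON encoding are constructed assumptions. It shows that editing one block invalidates every block after it, and that recomputing only the edited block's hash still leaves the next block's link broken.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64   # the first block has no predecessor

def block_hash(index, prev_hash, data):
    """SHA-256 over the block's fields; including the previous hash is what links the blocks."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Append records in order; each block stores the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        data = dict(data)                       # copy so later tampering cannot touch the source records
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Recompute every hash from the genesis block onward and return the indexes that fail.
    The recomputed hash, not the stored one, is carried forward, so a bad block taints its successors."""
    bad, prev = [], GENESIS_PREV
    for block in chain:
        expected = block_hash(block["index"], prev, block["data"])
        if block["hash"] != expected or block["prev"] != prev:
            bad.append(block["index"])
        prev = expected
    return bad

# Constructed sample: three identity-claim records
RECORDS = [
    {"subject": "did:example:alice", "claim": "email_verified"},
    {"subject": "did:example:alice", "claim": "kyc_passed"},
    {"subject": "did:example:bob", "claim": "email_verified"},
]

def tamper_demo():
    """Edit block 1 in place; both block 1 and block 2 should now fail verification."""
    chain = build_chain(RECORDS)
    chain[1]["data"]["claim"] = "kyc_failed"
    return verify_chain(chain)

def rehash_demo():
    """Edit block 1 and recompute only its own hash; block 2's stored link still points at the old hash."""
    chain = build_chain(RECORDS)
    chain[1]["data"]["claim"] = "kyc_failed"
    chain[1]["hash"] = block_hash(1, chain[1]["prev"], chain[1]["data"])
    return verify_chain(chain)
```

A hash chain makes tampering detectable rather than impossible: whoever holds the only copy can recompute every later hash, which is why real systems replicate the chain across many independent parties and rely on consensus among them.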

Streamlining Transactions with Smart Contracts

Whether a user is making a purchase, accessing a service or switching between applications as part of a daily workflow, the decentralization of identity has the potential to simplify each transaction requiring authorization through the use of smart contracts.

A smart contract is “a computer program that directly controls the transfer of digital currencies or assets between parties under certain conditions.” Such contracts are self-executing and require no mediation by a third party. With smart contracts, a business or organization can set forth the terms of a specific transaction, such as accessing sensitive information, and rely on identities stored in the blockchain to validate users. This becomes particularly useful in zero-trust security models, as it eliminates reliance on third-party authentication services and has the potential to speed up workflows in a variety of use cases. 

Pros, Cons and Pitfalls

The biggest roadblock to universal implementation of decentralized identities is the current low adoption rate of blockchain technology. Only 1 percent of CFOs across the globe have already deployed blockchain in their organizations, and just 8 percent have short-term plans in the works. Thirty-four percent have no interest whatsoever, which could make global interoperability impossible if the outlook doesn’t change.

However, if decentralized identity does become a reality, it could benefit both organizations and individuals by:

• Putting control of identifying information back into users’ hands
• Minimizing the amount of data stored and transferred by organizations
• Simplifying compliance
• Allowing for the use of smart contracts to improve workflows
• Reducing or eliminating human error in transactions

Of course, every emerging technology also has its downsides. Identity verification using the blockchain is still too slow to be useful in instances where time is of the essence and lightning-fast authorization is required, and there’s always the risk of error during the initial coding of smart contracts. Hackers may still be able to undermine the security of decentralized identities if they’re able to infiltrate the blockchain at the moment a user authenticates identifying information. Once any type of error or malicious alteration becomes part of the blockchain, it’s almost impossible to correct the problem.

As more companies and organizations begin to look for better ways to address the problem of identity theft, there will be an increased demand for cybersecurity experts trained to recognize the warning signs indicative of compromised identities and create plans to mitigate risk. The Certified Red Flag Specialist certification prepares individuals to conduct risk assessments, understand the specific vulnerabilities of an organization and create a solid program for identity theft prevention. Blockchain technology and decentralized identity may prove to be an invaluable addition to such programs and could revolutionize the way businesses, organizations and individuals approach identity protection.

Biometrics are growing in popularity as an alternative to less secure forms of authentication and are gaining wider acceptance among consumers and employees. According to a report by IBM, 67 percent of people are already comfortable using biometric identifiers, and 87 percent feel they will be comfortable doing so in the near future. Millennials, who tend to be more tech-savvy, report a 75 percent acceptance rate.

This increased familiarity with biometrics makes it easier for businesses to take advantage of emerging trends in the identity and access management (IAM) space, thus providing security solutions with the potential to replace passwords, PINs and other easily compromised identifiers.

Biometrics in Action

The most common and recognized forms of biometric authentication are biological:

• Voice recognition relies on vocal patterns, and the market is expected to see significant growth through 2026.
• Fingerprint scans are used for everything from smartphone access to biometric locks.
• Facial scans are detailed but require proof of the user’s actual presence to be effective.
• Palm or vein scans, a newer solution, look for the unique vein patterns in users’ hands.
• Iris scans detect patterns in the eye and are often portrayed in popular media as the preferred form of entry for top-secret areas.

Many of these options are already used in consumer devices and common transactions, such as online payments or banking. However, biological identifiers can be mimicked or hacked in a variety of ways. This necessitates a more granular and personal approach to biometric identification as the IAM environment increases in complexity.

Continuous Authentication to Streamline User Experiences

Speed and user experience remain important when considering any changes in security measures. This is especially true for businesses in which complex processes create diverse access requirements for employees. Users at every level could quickly find themselves bogged down with numerous authentication requests, many of which require more than one identifying factor. With the concept of zero trust gaining traction as a viable approach to security, a situation could emerge in which users spend more time proving their identities than actually working.

Behavioral biometrics may be able to bridge the gap by providing a way to integrate sensitive, secure biometric identifiers into a continuous authentication model. For continuous authentication to be successful, the system must have a way of verifying a user’s true identity throughout the duration of a session. Any subtle changes in behavior could indicate the session has been compromised and necessitate a revocation of access to prevent data compromise. 

Behavioral Biometrics: The Next Step?

Unlike biological factors, behavioral biometrics are identifiers associated with the way a user normally acts. These include:

• Unique vocal inflections, such as quirks in emphasis or pronunciation 
• Keystroke patterns and typing habits
• Touchscreen gestures
• Eye movements and blinking patterns
• Skin characteristics
• Blood flow patterns
• Grip strength or pressure

Through improved data mining and machine learning (ML) technology, it’s possible to build an incredibly personal profile of each user based on these behavioral characteristics. This requires sophisticated ongoing monitoring and ML systems powerful enough to pinpoint tiny anomalies, but the technology exists to make such biometric options feasible for normal business use.

However, because of the complexity of behavioral biometrics, implementation involves a detailed assessment of security needs and workflows to determine if such a solution is practical in any given use case. If the goal is continuous authentication, behavioral biometrics will play a role in calculating the “authentication score” required to determine when to grant or deny access during users’ sessions. 
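The “authentication score” idea above, as an added example that is not code from the article or from any vendor: the score is updated on every keystroke from how well the observed inter-key interval fits the enrolled profile, and the session is allowed, stepped up or revoked according to assumed thresholds. The profile values, sessions, thresholds and smoothing factor are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class KeystrokeProfile:
    """Enrolled baseline for one user: mean and standard deviation of the interval between keystrokes (ms)."""
    mean_ms: float
    std_ms: float

# Thresholds and smoothing are assumptions chosen for this example, not values from the article.
ALLOW_AT = 0.7      # score at or above this: keep the session open
REVOKE_AT = 0.4     # score below this: end the session
SMOOTHING = 0.7     # weight given to the previous score (exponential moving average)

def sample_match(profile: KeystrokeProfile, interval_ms: float) -> float:
    """Fit of one observation to the profile: 1.0 at the mean, 0.0 at or beyond 3 standard deviations."""
    z = abs(interval_ms - profile.mean_ms) / profile.std_ms
    return max(0.0, 1.0 - z / 3.0)

def decide(score: float) -> str:
    if score >= ALLOW_AT:
        return "allow"
    if score >= REVOKE_AT:
        return "step-up"   # ask for a second factor before continuing
    return "revoke"

def evaluate_session(profile: KeystrokeProfile, intervals: List[float]) -> Tuple[List[str], Optional[int]]:
    """Update the score per keystroke and stop at the first revoke.
    Returns (decision per observation, index of the revoking observation or None)."""
    score = 1.0            # session starts fully authenticated, e.g. right after MFA login
    decisions = []
    for i, interval in enumerate(intervals):
        score = SMOOTHING * score + (1 - SMOOTHING) * sample_match(profile, interval)
        d = decide(score)
        decisions.append(d)
        if d == "revoke":
            return decisions, i
    return decisions, None

# Constructed data: an enrolled profile and two sessions
PROFILE = KeystrokeProfile(mean_ms=180.0, std_ms=40.0)
LEGIT_SESSION = [180, 200, 160, 190, 170, 210]
HIJACKED_SESSION = [180, 190, 400, 420, 380, 450, 410]   # owner types two keys, then someone else takes over

if __name__ == "__main__":
    print("legit:", evaluate_session(PROFILE, LEGIT_SESSION))
    print("hijacked:", evaluate_session(PROFILE, HIJACKED_SESSION))
```

The smoothing is what keeps a single odd keystroke from logging a legitimate user out while still letting a sustained change of typist drive the score below the revoke line within a few observations.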

Understanding Biometrics and Privacy

Government agencies have already implemented a number of regulations dictating how user information, including identifying factors, can be handled, but the rapid adoption of biometrics has left gaps in laws. As biometric authentication becomes more common, businesses need to be aware of new rules going into effect and how to maintain compliance without compromising security.

Some options, such as device-based authentication, let businesses bypass some of the security issues associated with collecting and storing identifiers by allowing users to save biometric information on individual devices instead of in a central location on the network. When third-party authentication services are used, they require careful evaluation prior to implementation to ensure all practices adhere to current compliance regulations. Providers must be committed to continued compliance as additional laws regarding consent, data ownership and the right to privacy are passed to prevent financial and legal consequences for the businesses using their services.


Despite the potential compliance and privacy challenges, 86 percent of people say they would choose biometrics over a password as a secure identifier. The increased sophistication of malicious attacks and rapid rise in identity theft and data breaches indicate the need for a better form of authentication. Evolving biometric options show promise as alternative solutions for businesses seeking a stronger, more reliable approach to IAM security.