In 2016, the average enterprise had to manage access for 89 vendors. The number climbed to 181 vendors in 2017 and has continued to increase as more industries switch to cloud-based software and services. With this expansion comes an increased breach risk, which requires enterprises to go beyond the borders of their internal networks to address third-party access risks and implement strict security procedures for external users.

The Rise and Risk of Third-Party Access

Eighty-one percent of IT professionals reported seeing an increase in third-party enterprise network access between 2015 and 2017, but only 34% of companies keep detailed inventories of the vendors with access to their networks. This low level of visibility may stem from a combination of poor third-party risk management and an unnaturally high level of trust. Two-thirds of enterprise IT professionals admit to trusting vendors more than they should, and just 35% would rate their third-party risk management strategies as “highly effective.”

Assuming vendor access is safe on the basis of familiarity with or the reputation of a vendor can be a mistake with far-reaching consequences. Fifty-eight percent of organizations reported breaches related to vendor access in 2019, pointing to a need for stronger access management policies. While an otherwise trustworthy vendor is unlikely to perform malicious actions while logged into an enterprise system, vulnerabilities in that vendor’s network or software, or human error, can act as a gateway for hackers. If the vendor’s system is breached, hackers could potentially use the vendor’s accounts to access all enterprises to which the vendor connects.

Managing and Mitigating Vendor Risk

Since 63% of businesses lack the resources for appropriate management of vendor relationships, inherited vulnerabilities remain an ongoing challenge. Risk reduction hinges on awareness and visibility. Enterprises need to know who has access to their networks, as well as when and how connections are being made.

Those with existing third-party relationships must take inventory of all vendors and review third-party security policies. This should include assessments of how data is stored and secured, as well as careful evaluation of breach prevention strategies. Following the same procedure before allowing access for new vendors can prevent inherited vulnerabilities from becoming breach risks.

Limitations on vendor access, including which devices may be used, provide additional security. Third parties should only be able to access the information they need to perform essential services, and all devices used should be approved in advance by the enterprise with ownership of the network. Because some vendors may pose higher risks than others, a rules-based risk assessment can be useful in determining the amount of oversight required to minimize the possibility of a breach.

Viewing vendors as users brings them under the umbrella of internal security policies, including onboarding and offboarding procedures. Each vendor should be subject to consistent monitoring for unusual behavior patterns during network sessions and denied access should any red flags arise. In the event a vulnerability is discovered on the vendor’s end, it’s up to the enterprise to point it out and request a fix. If a vendor refuses to correct the problem or chooses to remain ignorant of the potential consequences, it may be necessary to revoke all access or find another provider.
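
The checks described above (a vendor inventory, pre-approved devices, access limited to needed resources, and offboarding) can be applied to session records as in the following added example, which is not part of the original article. The vendor names, device IDs, resources and dates are constructed for illustration.

```python
from datetime import date

# Constructed vendor inventory (hypothetical names): approved devices, the
# resources each vendor needs, and the date the vendor is offboarded.
INVENTORY = {
    "hvac-svc": {"devices": {"dev-101"}, "resources": {"bms-console"},
                 "offboard": date(2020, 6, 30)},
    "payroll-co": {"devices": {"dev-201", "dev-202"},
                   "resources": {"hr-db", "payroll-app"},
                   "offboard": date(2019, 12, 31)},
}

# Constructed session records: (day, vendor, device, resource).
SESSIONS = [
    (date(2020, 1, 14), "hvac-svc", "dev-101", "bms-console"),
    (date(2020, 1, 14), "hvac-svc", "dev-101", "pos-network"),
    (date(2020, 1, 15), "hvac-svc", "dev-999", "bms-console"),
    (date(2020, 1, 15), "payroll-co", "dev-201", "hr-db"),
    (date(2020, 1, 16), "acme-it", "dev-301", "hr-db"),
]

def audit_session(day, vendor, device, resource, inventory=INVENTORY):
    """Return the policy findings for one vendor session (empty list if clean)."""
    entry = inventory.get(vendor)
    if entry is None:
        return ["vendor not in inventory"]
    findings = []
    if day > entry["offboard"]:
        findings.append("access after offboarding date")
    if device not in entry["devices"]:
        findings.append("unapproved device")
    if resource not in entry["resources"]:
        findings.append("resource outside approved scope")
    return findings

def audit(sessions):
    """Map the index of each session that has findings to those findings."""
    report = {}
    for i, session in enumerate(sessions):
        findings = audit_session(*session)
        if findings:
            report[i] = findings
    return report

if __name__ == "__main__":
    for idx, findings in audit(SESSIONS).items():
        print(SESSIONS[idx], "->", "; ".join(findings))
```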

Proper governance ensures such third-party access rules are enforced. Enterprises with strong governance models are better able to evaluate, track, approve and monitor third parties and respond to risks in real time than the 44% of companies taking an “all or nothing” approach to vendor access.

Establishing Third-Party Security Guidelines

When enterprises assume external access poses less of a risk because vendors have their own security policies, they lack the knowledge and foresight required to maintain secure networks. Rather than relying on questionable or inadequate vendor security, enterprise IT professionals must take the initiative and create solid policies to govern vendor access.

Policies should include the following:

  • Vendor and third-party access approval
  • Level of access allowed based on vendor needs
  • How access is managed and controlled
  • Policy review criteria for vendor access management including management of privileged accounts
  • Provision for continual risk evaluation
  • Routine review of vendors’ security policies and practices

Consistent enforcement of access guidelines is necessary to protect against third-party vulnerabilities and preserve the integrity of enterprise networks. Compiling policies into a document provides a straightforward checklist for new vendor evaluation and existing vendor monitoring, which is essential in a digital environment where new threats continue to emerge.

Identity and access management certifications

The complex interconnectivity between enterprises and vendors requires diligence and discernment on the part of IT professionals. Because enterprises can’t operate efficiently without support from third parties, it’s essential to establish clear policies and enforce access limitations while continually monitoring network activity. Making vendor boundaries a security priority ensures safer access for all network users and protects enterprises from hackers seeking to exploit third-party vulnerabilities.

Standard authentication methods are fraught with security risks and vulnerabilities. Even protocols with the highest perceived security levels such as multi-factor authentication and blockchain verification can become compromised, allowing hackers to infiltrate networks and access sensitive data.

Adaptive authentication is a form of risk-based authentication that determines the appropriate combination of authentication methods for granting an entity access, based on various risk factors.

Enterprises need better solutions for verifying identities and controlling access to complex systems. Adaptive authentication may provide an answer to the continued challenge of balancing strong security with user experience to prevent breach incidents while supporting productivity.

Granting Access Based on Risk

Because adaptive authentication allows users access to networks and resources based on risk levels, it’s sometimes referred to as risk-based authentication, or RBA. Assessments of risk levels are based on two groups of factors:

• Static access requirements and policies set for specific user types
• Detailed behavioral information for each individual user or network entity

Authentication may be granted using either approach on its own, but a combination provides the most dynamic option for enterprises seeking to improve security.

Behavioral data is monitored and collected using technology known as User and Entity Behavior Analytics. This is an updated version of User Behavior Analytics and includes not only human users but also devices and servers. UEBA builds profiles of entities’ behaviors in a cloud environment and uses machine learning to continue compiling an increasingly detailed view of each user.

Such comprehensive information allows the system to grant or deny access based on more than just login credentials. Profiles include granular data regarding access behaviors, such as roles, registered devices, normal login times and the distance between current and historical login locations. The more these factors deviate from normal behavior during a session, the higher the perceived level of risk associated with granting access to a user or entity.

Basics of Adaptive Authentication

In practice, adaptive authentication combines static access control rules with continuous evaluation of behavioral characteristics. During implementation, IT teams set basic access management rules based on user types and roles to dictate which resources can be accessed with basic login credentials. Beyond this point, artificial intelligence and machine learning take over to determine whether further authenticating factors are required.

Anomalies in behaviors may trigger a prompt for further authentication, such as inputting a code sent to another registered device or providing a biometric identifier. Logging in with an unrecognized device may require device registration or confirmation the device can be trusted. Too much deviation from recognized behaviors results in users being shut out of the system or application they’re trying to access.

Identity and access management teams are tasked with dictating how adaptive systems respond based on different risk levels, which are assigned “risk scores.” Reaching a particular risk score triggers the appropriate predetermined action to protect the system from unauthorized access. A hacker attempting to use stolen credentials or a stolen device to infiltrate a network may not be able to gain access even at the most basic level if the adaptive system detects a significant difference in login location or time.
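
The combination of static rules and behavioral risk scoring described in this section is sketched below as an added example, which is not code from the original article or from any product. The weights, thresholds, role table and login attempts are all assumptions constructed for illustration.

```python
import math

# Static rules (assumed): resources each role may reach with basic credentials.
ROLE_RESOURCES = {"engineer": {"wiki", "git"}, "finance": {"wiki", "ledger"}}
STEP_UP_AT, DENY_AT = 30, 70  # assumed risk-score thresholds set by the IAM team

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def risk_score(profile, attempt):
    """Add assumed weights for each deviation from the stored behavior profile."""
    score = 0
    if attempt["device"] not in profile["devices"]:
        score += 30                                  # unregistered device
    start, end = profile["login_hours"]
    if not start <= attempt["hour"] < end:
        score += 20                                  # outside normal login times
    dist = km_between(profile["last_location"], attempt["location"])
    score += 40 if dist > 1000 else 15 if dist > 100 else 0
    return score

def decide(profile, attempt):
    """Static role rule first, then the behavioral score picks the action."""
    if attempt["resource"] not in ROLE_RESOURCES.get(profile["role"], set()):
        return "deny"
    score = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"

# Constructed profile and login attempts (not real data).
PROFILE = {"role": "engineer", "devices": {"laptop-7"},
           "login_hours": (8, 19), "last_location": (40.71, -74.01)}
USUAL = {"device": "laptop-7", "hour": 10, "location": (40.73, -73.99),
         "resource": "git"}
NEW_DEVICE = dict(USUAL, device="phone-2")
STOLEN = {"device": "unknown", "hour": 3, "location": (55.75, 37.62),
          "resource": "git"}
OUT_OF_ROLE = dict(USUAL, resource="ledger")

if __name__ == "__main__":
    for name in ("USUAL", "NEW_DEVICE", "STOLEN", "OUT_OF_ROLE"):
        print(name, decide(PROFILE, globals()[name]))
```

Here "step_up" stands for the prompt for a further factor, such as a code sent to another registered device or a biometric identifier.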

Should a hacker successfully enter the system, he or she would need to be able to mimic every behavior of the real owner of the credentials in order for the session to continue. Since attributes like keystroke patterns are nearly impossible to emulate, there’s little chance a malicious third party could do much damage before being locked out.

Why and When Businesses Should Switch

Is adaptive authentication the right solution for every enterprise? Given the amount of data many organizations collect, transfer and store, the need for stronger access security is clear. However, an adaptive approach may be particularly appropriate if:

• Current “one-size-fits-all” authentication methods have become insufficient
• It’s becoming difficult to maintain proper security levels for each user and entity type within the network
• Increased speed and convenience would improve business success
• Poor user experience is impacting efficiency and profitability
• Increasing workflow complexity requires smoother transitions between applications or network environments
• The mobile workforce is growing in size
• Bring-your-own-device policies necessitate more dynamic device authentication protocols

For implementation to succeed, adaptive models must have enough information to form comprehensive user profiles. Too little information can increase incidences of false positives, which has undesirable consequences for both efficiency and user experience and burdens the IT department with superfluous security alerts. A successful adaptive authentication framework utilizes a combination of static access rules and detailed records of user and entity behavior to predict risk levels and automate security responses.

Upgrading to smarter authentication methods is necessary to keep up with the increasing complexity of modern cybersecurity threats. Adaptive authentication provides a flexible option for enterprises seeking scalable access management solutions but should be evaluated for efficacy on an ongoing basis.


Through partnerships between IT professionals and cybersecurity experts, enterprises can implement and deploy adaptive authentication solutions to strengthen existing identity management protocols and protect against emerging threats.

What can businesses, IT teams and cybersecurity professionals learn from some of the biggest breach incidents in 2019? What will identity management look like in 2020? It’s time to kick off the new year by taking stock of the cybersecurity landscape and preparing for new challenges.

Biggest Data Breaches of 2019: A Look Back

Breach incidents increased 33% in 2019 over the previous year to a total of 5,183 events and 7.9 billion exposed records. Sensitive data was a prime target. Hackers homed in on Social Security numbers, passport numbers, bank account information, medical records and similar identifying information.

Many of the largest breaches of 2019 hit well-known companies and social networks, including:

• Facebook and Instagram – Hundreds of millions of passwords compromised when stored as plain text
• Marriott – Up to 383 million guest records
• Zynga, producers of Words with Friends – 218 million player accounts, including email addresses, names and login details
• Capital One – 100 million credit card applications, 140,000 Social Security numbers, 80,000 bank account numbers and additional personal data
• Houzz – 48.9 million customers hacked
• American Medical Collection Agency – Data of over 20 million patients hacked
• Adobe Creative Cloud – 7.5 million customer records exposed in an unsecured database

The sheer magnitude of these breaches highlights the critical importance of securing business data and verifying the security practices of third-party service providers. Performing security audits to identify loopholes and vulnerabilities in complex business networks provides a safeguard against the growing cost of breaches, which has increased 12% over the past five years to $3.92 million per incident.

Identity Management Predictions for a New Decade

As occurrences and costs of breaches rise, businesses must redirect identity and access management efforts to better verify users, not just credentials. IAM in 2020 will require more detailed data collection and a combination of authentication methods to create complete pictures of users, how they access networks and what they do during sessions.

Collecting and storing more data points allows for contextual access control, which mixes strong authenticators like biometrics with other details, including networks, access locations and device types. Taking a contextual approach has the potential to allow businesses to move from single sign-on models to zero sign-on, in which users enter credentials only once and behavioral data is used for continual identity verification.

The shift to ZSO could remove the last bit of friction between users and networks. Current bring-your-own-identity models are convenient but can suffer from security issues if third parties issuing and managing identities fail to do their due diligence in addressing vulnerabilities. As access domains expand, users will require more self-service options, which could create additional security issues unless businesses begin to adopt strategic technology-based authentication methods.

Privileged accounts remain prime targets for hackers and big risks for businesses. Adaptive trust models may provide better access management of users with privileged credentials, as such models are designed to adapt to fluctuating risk levels. By controlling network access using behavioral data, it’s possible to identify unusual behaviors and prevent hackers from infiltrating networks. A hacker using stolen credentials can’t mimic every habit of the real user and will be locked out when behaviors deviate from data on file.

Combining new approaches to IAM with improvements in user and data tracking will allow businesses to locate and fix network vulnerabilities going into 2020 and continue to improve access control as the threat landscape changes.

Cybersecurity in 2020: Predictions and Trends

Cybersecurity experts predict continued changes and challenges in the coming year, including several trends with the potential to significantly impact how businesses and organizations approach security:

• Moving toward more cloud-based software-as-a-service applications will necessitate improved security measures among businesses and providers
• The ongoing threat and increasing sophistication of phishing attacks will require continued monitoring and education to prevent breaches
• Hackers will move from using stolen credentials to hijacking user identities in an attempt to infiltrate systems
• Businesses and organizations will require personalized authentication protocols to support increasingly dynamic cybersecurity needs
• Developers will begin focusing on edge computing applications to expand cloud environments and improve edge device utilization
• Improved controls will be required to prevent smart device and voice assistant hijacking

In light of these predictions, businesses should be prepared to spend more on cybersecurity in the coming year. It’s also likely new user data privacy laws and regulations will be implemented, thus requiring a greater level of diligence and accountability on the part of organizations handling sensitive information.


To kick off 2020 with a strong approach to identity management and cybersecurity, businesses should look for qualified experts with whom to partner and begin addressing vulnerabilities within networks, systems and protocols. By fixing issues with the potential to leave network environments open to attack, companies can move forward and face new cybersecurity challenges with confidence.