Reducing customer onboarding errors during the customer acquisition process minimizes mistakes that can be highly detrimental to your business. Customer onboarding has become even more important as more transactions are initiated and completed online. Avoiding mistakes during the onboarding process helps you accept more high-quality customers and reject poor-quality ones.

Reducing Customer Onboarding Errors

Rejecting High-Quality Customers Is a Major Problem


Poor-quality data can lead to the rejection of quality customers. During onboarding, customers must provide specific information to validate their identity, and that information is compared with external data sources for validation. Relying on inaccurate or stale reference data produces false negatives: a genuine applicant's details fail to match, and a good customer is rejected. Connecting with high-quality data providers is therefore essential and reduces the chance of missing your best customers. Comparing customer information against multiple independent data sources, rather than a single one, also pays off in the long run, since a mismatch in one source can be confirmed or overruled by another.

Up to 52% of customers will abandon onboarding because the process is too complicated, and more are turned away by data errors. Missing out on high-quality customers is an error that companies cannot afford, so paying top dollar for a good onboarding database ultimately proves to be a sound business decision.

Onboarding Poor Quality Customers Can Be Just as Bad


At the same time, onboarding poor-quality customers can be just as bad. These customers take up time without providing much in return. Many customers make it through the onboarding process despite obvious signs that they should not, usually because the onboarding process does not have access to high-quality identity data.

Poor data quality does not just make you miss out on good customers; it also makes you waste resources on bad ones. Analyzing the data sources and the outcomes of onboarding decisions over a period of time (for example, how many accepted customers later turn out to be fraudulent or unprofitable) will show the quality of the identity validation data. The correlation between data quality and the quality of the resulting customer list can be measured over time.

Why Having Access to Excellent Data Is Essential


Data has become one of the most valuable resources in the modern economy. Better data leads to better business decisions, and using only the highest-quality data improves business performance. However, not everyone understands the importance of this.

High Accuracy Decision-Making

Businesses must make customer onboarding decisions on a daily basis. The quality of those decisions will impact your bottom line. By making better decisions, you’ll avoid fraud and reduce waste.

Never Miss Quality Customers

Quality customers do not always make it through onboarding, because of poor onboarding processes and poor-quality data sources used for decision making. Quality data sources are vital for onboarding.

Never Onboard Bad Customers

Another benefit of quality onboarding data is a reduction in the number of poor-quality customers who are accepted on the basis of false positives, where an applicant's details wrongly match a record of a legitimate identity. These customers often cost money in the long run, which some upfront investment in data quality could have prevented.

Streamlining the Onboarding Process


When asked, most customers say the length of the onboarding process is the most important factor in their decision to do business with a company. If your onboarding process is long and complicated, fewer customers will complete it. Most onboarding processes serve three important purposes:

Know Your Customer

Especially in finance, KYC compliance is vital. Customers must provide specific information before they can do any business. Otherwise, your company could face regulatory penalties and litigation.

Identity Verification

Never let customers complete onboarding without sufficient identity verification; it is one of the most effective ways to prevent fraud. However, asking them for the same information multiple times is not a good idea either.

Fraud Prevention

If you have complied with the previous steps, preventing fraud at onboarding should not be too hard. Monitor customer activity and keep an eye out for anything out of the ordinary. Customers who have passed a sound onboarding process will usually be legitimate, but onboarding is a point-in-time check: an account can later be taken over or sold, so monitoring should continue for the life of the relationship.

Common Problems with Customer Onboarding


Customers often complain about a few common challenges when onboarding with a business:

The Process is Too Long

First and foremost, customers do not want to spend hours going through the process. The faster it can be done, the more people will complete it. Cut unnecessary steps to encourage them to finish.

Requesting the Same Information More Than Once

Believe it or not, many companies make the mistake of asking for the same information in different forms, which may not even improve the quality of their decisions. There has to be a balance between the confidence level of onboarding decisions and the risk of losing good clients.

Unclear Instructions

Above all, the onboarding process should be easy to understand. If people feel like they need an interpreter, something needs to change; otherwise, they may get frustrated and stop before they finish.

Reducing Customer Onboarding Errors and Mistakes

Connect with high-quality data providers to attract more customers, reject bad customers, and avoid missing quality customers by reducing customer onboarding errors. Mistakes during onboarding are easy to make, but they are also easy to fix. Optimizing the process makes it easier to attract quality clients and reduces the prevalence of fraud.


Disgruntled employee security risks are among the greatest system access risks that companies face. An unhappy employee with the highest level of credentials and access privileges can cause serious harm before leaving, or even after leaving the organization if the company fails to offboard properly.

Disgruntled employee security risks and system access threats.

When an employee loses loyalty toward the company because of mistreatment, an employment termination notice, a disagreement with management, or the loss of employment benefits such as medical insurance, a performance bonus, stock options, 401(k) matching, or a falling stock price, the employee may become disgruntled toward the company and some of its managers. Many times, employees do not know how to handle such situations and become irrational, resorting to violence in the workplace and in society, family abuse, and sabotage or theft of company assets, to name a few.

A disgruntled employee is very unpredictable, as each person reacts to life pressures differently. In a downward economy, when people lose their jobs, homes and savings, they start having issues with their family members, society, the government, and the company they worked for over many years. Everyone handles such situations differently. Although some become creative and successful as a result of these pressures, many feel cornered and start behaving carelessly, unpredictably and dangerously toward others.

While certain people accumulate wealth and start successful businesses during economic recessions, as desperation sometimes brings out the best in people in the form of new ideas, creativity and increased contribution to society, others who lack techniques for dealing with life pressures end up violent toward their families before harming themselves. How many times have we heard of an ex-employee returning to the company to threaten everyone he blames for his misfortune? There is no shortage of people harming their families, others, and themselves because of financial pressures, lost jobs and vanished savings and home values. An employee does not become a threat overnight; there are always disturbing signs that could and should be detected by people close to the person in order to avoid potentially dangerous behavior.

You may wonder what a company can do about a disgruntled employee. For one thing, companies should avoid creating disgruntled employees by being sensitive to employee needs as well as their own business needs. According to Henry Bagdasarian, “companies should have procedures to identify disgruntled employees before it’s too late”. When companies go through major changes such as a massive restructuring of the organization or its benefit plans, especially when the change affects a large part of the workforce, they must treat the disgruntled employee as a business risk and threat, and handle it like any other business risk. In serious situations a corporate psychologist should be engaged when a potentially disgruntled employee is identified. During most layoffs, everyone from Human Resources and the Legal department to operations management is involved, but how much do they know about human psychology and behavior management during a corporate undertaking such as a layoff that affects hundreds or thousands of employees? An orderly corporate change requires human behavior management to reduce business risk throughout the process. It requires effective communication as well as pre- and post-layoff support that serves the employees’ interests and not solely the business interests, although managing employee interests ultimately serves business interests by reducing business risk. Companies must also monitor employee activities and pay attention to asset protection safeguards to reduce the risks that could arise from disturbed employees.

As mentioned, one of the biggest risks of a disgruntled employee is sabotage and theft of corporate assets. Many employees have unrestricted access to corporate systems and physical assets. “In my professional experience, I have witnessed unauthorized distribution of payroll files disclosing all salaries to insiders as well as outsiders, sale of customer and employee personal information, and even piracy of digital assets”, Mr. Bagdasarian observes. Although some of these illegal actions are driven by greed, others have no financial value to the perpetrator beyond personal satisfaction and revenge. During times of rapid business change, companies must be sensitive to employees’ situations and address their state of mind before it’s too late. Once the damage is inflicted, it is hard if not impossible to reverse: when a payroll file is distributed on the Internet, it is impossible to collect all the copies, and sometimes people even die as a result of a disturbed and disgruntled employee’s actions.

In conclusion, many options are available when considering disgruntled employee security risks including but not limited to employee behavior management, increased security of assets, and monitoring of employee activities in and out of the critical systems. Even when there are no major business changes, companies must pay close attention to isolated disputes, complaints and reports of strange behaviors in order to detect and defuse a potential business threat arising from a disgruntled employee.


Digital identity management is no longer a luxury but a necessity. This article explains what a digital identity wallet is and how it works. It will also discuss digital identity wallet benefits and risks, limitations, and use cases.

Our world continues to experience substantial technological changes that have made it easier to accomplish tasks and enhance productivity. Among these innovations, blockchain technology, which made decentralized applications (DApps) possible, has been a game changer for digital identity management and makes it possible to manage identities with digital identity wallets.

The Covid-19 pandemic forced institutions and governments to rethink their approach to identity and access management. The digital identity wallet benefits and risks listed in this article will address identity security, fraud, and privacy.

Digital Identity Wallet Benefits and Risks

What Is a Digital Identity Wallet, and How Does It Work?

A digital identity wallet is an identity management application that allows users to store, secure, and manage digital identity credentials and the cryptographic keys that control them. The keys stored in the wallet can sign statements, authorize transactions, present credentials for verification, and file documents or claims.

In many national schemes, a digital identification wallet is issued and overseen by a government entity to identify an individual online and offline. Digital ID wallets contain various attributes and may:

  • have personal attributes like a social security number, name, place, date of birth, biometrics, citizenship details, and more, depending on the laws and requirements.
  • differ from one country to another. For instance, citizens in India are given a unique ID number, those in Finland get a mobile ID, and in Germany individuals are issued an eID. These attributes are used to identify an individual and are bound to a digital identity certificate.

A digital ID wallet makes it easier to prove who you are, share personal data, and access services. It offers users convenience and the freedom to decide how their personal information is used. Above all, a digital identity wallet can strengthen privacy and is a powerful tool against fraud.

The European Commission has already made its plans for a digital identity wallet clear. The commission seeks to launch a self-sovereign identity wallet that allows users to protect their data and personal information. Users will no longer have to carry stacks of documents to identify themselves when accessing services.

The good news is that self-sovereign identity wallets allow users to share only the required credentials safely and for a needed period of time.

Digital Identity Wallet Benefits

The adoption of a digital identity wallet benefits both the public and institutions. It allows users to access services from their mobile phones, while institutions can identify customers, receive information, and validate data. Given today’s identity management challenges and the availability of technical solutions, there is no better time to launch a digital identity wallet.

Here are some of the benefits of a digital wallet for identification:

Storage of Essential Credentials

A digital identification wallet works like a leather wallet: it holds the essential documents and information you carry with you. When you start using a digital wallet, it stores that information and:

  • keeps personal data secure.
  • makes data easily accessible.
  • gives the holder control and privacy.

You Are in Control

One of the main benefits of a digital identity wallet is that it gives you control over your data and credentials. You decide whom to share information with, for how long, and how much, so users never have to share unnecessary details again.

For instance, you can prove your address without sharing your social security number, date of birth, or name. The other party verifies the disclosed information instantly, giving you immediate access to the service you need.
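The address-only disclosure described above can be built on salted hash commitments: the issuer signs a commitment to every attribute, and the holder later reveals only the attributes (and their salts) the verifier needs. The following is an added illustration, not code from the original article or from any wallet product. It uses an HMAC with a shared key as a stand-in for the issuer's signature so that it runs with the Python standard library alone; a real issuer would use an asymmetric signature (for example Ed25519) so verifiers hold no secret. The attribute names, the sample person and the key are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Stand-in for the issuer's signing key (assumption for this example). A real issuer
# would use an asymmetric signature so that verifiers never hold a secret.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def commit(attribute: str, value: str, salt: bytes) -> str:
    """Salted hash of one attribute. The per-attribute random salt stops a verifier
    from brute-forcing low-entropy values (a date of birth has only ~40,000 options)."""
    return hashlib.sha256(f"{attribute}:{value}:{salt.hex()}".encode()).hexdigest()


def issue_credential(attributes: Dict[str, str]):
    """Issuer signs the set of commitments, never the plaintext attributes.
    Returns the credential (shareable) and the holder's secrets (values + salts)."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = {name: commit(name, val, salts[name]) for name, val in attributes.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    signature = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    credential = {"commitments": commitments, "signature": signature}
    holder_secrets = {"attributes": dict(attributes), "salts": salts}
    return credential, holder_secrets


def present(credential, holder_secrets, disclose: List[str]):
    """Holder reveals only the chosen attributes (value + salt); the others stay hidden
    behind their commitments, which the verifier still needs to check the signature."""
    disclosed = {
        name: {"value": holder_secrets["attributes"][name],
               "salt": holder_secrets["salts"][name].hex()}
        for name in disclose
    }
    return {"credential": credential, "disclosed": disclosed}


def verify(presentation) -> Optional[Dict[str, str]]:
    """Verifier checks the issuer signature over all commitments, then re-derives the
    commitment of each disclosed attribute. Returns the verified attributes, or None."""
    cred = presentation["credential"]
    payload = json.dumps(cred["commitments"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None
    verified = {}
    for name, item in presentation["disclosed"].items():
        commitment = cred["commitments"].get(name)
        if commitment is None:
            return None
        if commit(name, item["value"], bytes.fromhex(item["salt"])) != commitment:
            return None
        verified[name] = item["value"]
    return verified


if __name__ == "__main__":
    # Constructed sample identity, not a real person.
    cred, holder = issue_credential({
        "name": "Jane Doe",
        "dob": "1990-04-12",
        "ssn": "123-45-6789",
        "address": "1 Main St, Springfield",
    })
    proof = present(cred, holder, ["address"])
    print(verify(proof))  # {'address': '1 Main St, Springfield'}
```

The verifier learns the address and the fact that the issuer vouched for it, but sees only opaque hashes for the name, date of birth and SSN. Changing a disclosed value, or the issuer signature, makes `verify` return None.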

Establish Secure Connections With Other Parties

A digital identity wallet is also useful for interacting with others. It allows you to establish encrypted connections with other parties and to exchange messages and information over them.

Establishing a connection can be as easy as scanning a QR code with your digital identity wallet. The wallet also lets you generate your own QR code so that other parties can connect with you.

Economic Benefits

As an example, the creation of a digital identity wallet is projected to generate more than 9.6 billion Euros for the European Union and create more than 27,000 jobs within five years.

Positive Environmental Impact

Adopting an electronic identity wallet will reduce the emissions associated with delivering public services and cut down on paperwork.

Enhanced Convenience

Citizens will no longer have to carry all their documents all the time. The adoption of the electronic identity wallet will give individuals a tool that allows them to store all their essential documents in one secure place.

Limitations of a Digital Identity Wallet

Like any other innovation, digital identity wallet technology faces some setbacks. These limitations include:

Time and Money Limitations

Time and money are probably the most significant limitations of digital identity wallets. For instance, EU countries that want to join the program must invest in the software and hardware needed to operate it.

Security

Security is one of the biggest benefits of electronic identity wallets, but it is also a concern, because the wallet’s security ultimately rests on the user’s device. The keys and credentials in the wallet are only as safe as the phone that holds them: a smartphone without adequate protection (a device lock, up-to-date software, hardware-backed key storage) is exposed to compromise, and devices can be lost or stolen.

Digital Identity Wallet Risks

Digital identity wallets can deliver exceptional results for individuals, the private sector, and governments. However, users must be aware of the risks to make them work. The wallet depends on a device, and while this is convenient, it becomes a problem if the device breaks down, runs out of battery, or has no network connection. Concentrating all of a person’s credentials in one place also makes the device a high-value target, so the recovery process for a lost or compromised wallet deserves as much attention as the wallet itself.

Digital Identity Wallet Use Cases

The digital identity wallet is already under consideration in many countries. For example, the European Commission has announced plans for a digital identity wallet that will allow EU citizens to access public and private services from their mobile phones. The Covid-19 pandemic underscored the need for safe and convenient online services. Cardano’s Atala PRISM, a blockchain-based digital identity platform, has also been put forward as a candidate for supplying digital identity wallets in the EU.

The platform is designed to accommodate a range of use cases across multiple industries. Major technology players are investing in identity verification as well; Mastercard, for example, acquired the digital identity verification company Ekata. These companies seek to give consumers a seamless, user-friendly experience.

Several countries, including some in Africa, have started to implement electronic ID wallets to create digital IDs for citizens who previously had no way to prove their identities or claim their assets.


Companies should consider these top identity and access management metrics to measure how well their IAM function performs and to improve their IAM capabilities, protect customer information, reduce breaches, and improve identity-related processes across the organization. By tracking these metrics, companies can see how well their existing processes and controls are working and quantify the effectiveness of IAM measures in key areas. This article covers 12 top identity and access management metrics that companies may consider when assessing their IAM capabilities.

Top Identity and Access Management Metrics

12 Top Identity and Access Management Metrics

1. Password Reset Requests

Password resets are one of the most common reasons for users to call the service desk. The more employees who need help resetting a password, the larger the call volume. Tracking this metric helps companies spot which aspects of password management (policy complexity, expiry intervals, lack of self-service reset) are not working and make the necessary changes and investments.

2. Number of Users with Access to Sensitive Data

A surprisingly large number of employees may have access to sensitive information without a business need, for example because a role change means they no longer need it, or because they no longer work for the company.

This access creep could pose a security risk. Tracking this metric can help assess the risk exposure and ensure that only the right people have access to sensitive information.

3. Authentication Factors

Authentication factors include PINs, passwords, tokens, and more. Tracking the number of factors in use helps companies ensure users rely on multiple measures rather than on a single point of failure (e.g., password theft). Authentication factors must also be tested regularly to confirm they work properly. This metric highlights areas where authentication measures need to be improved or adjusted.

4. New Account Provisioned

Every time an employee joins the company, new accounts are created for them. The number of new accounts created per day shows whether the company is growing, and therefore whether internal systems need to be scaled or updated. It also helps companies understand the rate at which employees join and leave the organization and adjust headcount or security levels accordingly. The growing number of provisioned accounts matters because each one must be managed for its entire lifecycle.

5. Average Time to Provision a User Account

The time it takes to provision a user account is an important IAM metric, especially when critical transactions are involved. Faster provisioning means employees get access to the applications they need to do their jobs sooner. This matters most where many accounts must be provisioned in a short timeframe. Time-to-provision helps companies identify processes that need to be sped up.

6. Expansion Rate

An expansion is the addition of a new application, data set, location, user population, or business unit for which employees need additional access. The number of expansions per month shows what kind of growth the company is experiencing and helps plan headcount. These figures are also useful for audit purposes.

7. Number of Privileged Accounts

Privileged accounts hold administrative access to network components such as Active Directory and servers. These accounts must be audited regularly to ensure only the right users have elevated privileges. Companies should also track the number of privileged accounts to ensure it is not growing too quickly; the total should be kept to a minimum, and any privileged account without a legitimate business purpose should be disabled as soon as possible.

8. Number of Service Accounts

Companies constantly create new service accounts, often embedded in application programs to perform automated tasks. While service accounts are sometimes needed, they pose a security risk: their passwords often never expire, are shared among administrators, and are rarely rotated. Tracking service accounts helps prevent potential breaches.

9. Offboarding and Access Removal

How often do employees leave the organization or change roles while retaining system access they no longer need? Measuring the percentage of departed employees who still hold system access exposes flaws in offboarding and helps make the access termination process timely.

10. Number of Inactive Accounts

While organizations create new accounts daily, some of these accounts become inactive over time. Inactive accounts must be assessed periodically and disabled.

11. Number of Orphan Accounts

An orphan account is an account with no identified owner. Clear account ownership ensures accountability and helps with activity tracking; if an account’s owner is not identified, its activities cannot be traced back to a particular person. Orphan accounts are often shared accounts, which causes a serious problem when investigating a security breach involving the account, because no one can be held accountable.

12. Incident Response Time

It is important for companies to know how quickly they respond to issues reported by users or to incidents discovered during an audit or security monitoring. Incident response time indicates how quickly an organization closes an IAM gap to ensure continued operations and security.
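Several of the metrics above (users with sensitive access, privileged accounts, service accounts, departed employees retaining access, inactive accounts and orphan accounts) can be computed from one account inventory joined to the HR feed. The following is an added example of such a report, not code from the original article or from any IAM product. The account schema, the 90-day inactivity threshold, the reporting date and the eight accounts are constructed for the example; a real report would read the same fields from a directory export and an HR system.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]        # None = no identified owner (orphan)
    owner_status: str           # "active" or "departed" from the HR feed, "unknown" if no owner
    enabled: bool
    privileged: bool
    service: bool
    password_expires: bool
    sensitive_data_access: bool
    last_login: Optional[date]  # None = never logged in


AS_OF = date(2024, 1, 31)  # fixed reporting date so the numbers are reproducible

# Constructed sample inventory (not real data), as a directory export joined to HR might look.
ACCOUNTS: List[Account] = [
    Account("alice",      "alice", "active",   True,  False, False, True,  True,  date(2024, 1, 28)),
    Account("bob",        "bob",   "departed", True,  True,  False, True,  True,  date(2023, 10, 3)),
    Account("carol",      "carol", "active",   True,  True,  False, True,  False, date(2024, 1, 30)),
    Account("svc_backup", None,    "unknown",  True,  False, True,  False, True,  date(2024, 1, 30)),
    Account("svc_etl",    "dave",  "active",   True,  False, True,  True,  True,  date(2024, 1, 29)),
    Account("erin",       "erin",  "departed", False, False, False, True,  False, date(2023, 7, 15)),
    Account("frank",      "frank", "active",   True,  False, False, True,  False, None),
    Account("shared_ops", None,    "unknown",  True,  True,  False, True,  True,  date(2024, 1, 26)),
]


def iam_metrics(accounts: List[Account], as_of: date = AS_OF,
                inactive_after_days: int = 90) -> Dict[str, float]:
    """Inventory-based metrics 2, 7, 8, 9, 10 and 11 from the list above.
    Disabled accounts count toward the total but are excluded from the risk counts."""
    live = [a for a in accounts if a.enabled]

    def inactive(a: Account) -> bool:
        return a.last_login is None or (as_of - a.last_login).days > inactive_after_days

    departed_people = {a.owner for a in accounts if a.owner and a.owner_status == "departed"}
    still_enabled = {a.owner for a in live if a.owner in departed_people}
    service = [a for a in live if a.service]
    return {
        "total_accounts": len(accounts),
        "users_with_sensitive_access": sum(1 for a in live if a.sensitive_data_access and not a.service),
        "privileged_accounts": sum(1 for a in live if a.privileged),
        "service_accounts": len(service),
        "service_accounts_without_password_expiry": sum(1 for a in service if not a.password_expires),
        "inactive_accounts": sum(1 for a in live if inactive(a)),
        "orphan_accounts": sum(1 for a in live if a.owner is None),
        # Metric 9: share of departed people who still have at least one enabled account.
        "departed_retaining_access_pct": (round(100.0 * len(still_enabled) / len(departed_people), 1)
                                          if departed_people else 0.0),
    }


def accounts_to_disable(accounts: List[Account]) -> List[str]:
    """Highest-risk findings to act on first: enabled accounts of departed people,
    and privileged accounts with no owner to hold accountable."""
    return sorted(a.name for a in accounts
                  if a.enabled and (a.owner_status == "departed"
                                    or (a.owner is None and a.privileged)))


if __name__ == "__main__":
    for metric, value in iam_metrics(ACCOUNTS).items():
        print(f"{metric:45} {value}")
    print("disable first:", accounts_to_disable(ACCOUNTS))
```

On the sample data the report shows two orphan accounts, one of them privileged, one service account whose password never expires, and half of the departed people (bob) still holding an enabled, privileged account; `accounts_to_disable` returns bob and shared_ops. Running the same report every month turns the metrics into trends, which is what the conclusion below asks for.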

Conclusion

These top identity and access management metrics provide a snapshot of your IAM capabilities as well as risks associated with users, applications, data, and network. Paying attention to these numbers regularly can help you reduce the total cost of ownership (TCO) and keep track of whether or not your IAM implementation is working properly and, if not, highlight areas for security and operational improvement.


Blockchain Proof of Stake can help prevent certain cyberattacks, as discussed in this article. Proof of Stake (PoS) is the consensus algorithm used in many blockchains and is part of Ethereum’s 2.0 upgrade. PoS is an alternative method of validating transactions and achieving consensus in a blockchain ecosystem and is considered the intellectual successor to Proof of Work (PoW).

Blockchain Proof of Stake consensus can prevent cyberattack

What is Blockchain Proof of Stake?

While proof-of-stake shares several similarities with its proof-of-work counterpart, a few key differences between the two could have significant implications for blockchain security and future scalability.

In Bitcoin’s proof-of-work network, miners race to solve cryptographic puzzles to add blocks of confirmed transactions to the blockchain. This process now requires substantial computing power and is known to be energy-intensive. In contrast, proof of stake selects validators based on their ownership (stake) of the blockchain’s coins.

In proof of stake, validators earn rewards only if they validate correctly and are voted into the active set; if they misbehave, they lose part or all of their deposit. This consensus mechanism is much faster and more efficient than proof of work.

In its purest form, a proof-of-stake system would pay no block rewards at all, meaning the only way to earn would be to validate transactions for a fee. To deter network spam, transaction fees would likely need to rise.

How Proof of Stake Can Prevent Cyberattack


Proof of stake is a more efficient alternative because it uses less computing power and enables faster transactions. It also makes the blockchain theoretically more resistant to a “51% attack”, in which attackers control more than half of the network’s mining power (or, in PoS, more than half of the stake).

Proof-of-work blockchains rely on miners following the consensus rules in good faith. A single group that controls more than 50% of the mining power can execute what is known as a majority attack.

A majority attack allows the attacker to prevent transaction confirmations, double-spend coins, and perform fork attacks that make an alternative version of the blockchain the valid one, because the network no longer agrees on a single version of history.


In a proof-of-stake system, however, only validators who have provided a security deposit can propose blocks. To censor transactions or fork the chain, an attacker would need to acquire a majority of the staked coins, and any validator that signs conflicting blocks produces cryptographic evidence that other participants can use to slash (destroy) the attacker’s deposit.

Proof of stake can also reduce the probability of forks, because it deters bad actors from double-spending: a validator who acts dishonestly and does not follow consensus loses its stake.

Proof of Stake can prevent cyberattacks mainly because it requires attackers to control the majority of all staked coins, which makes the attack costly with minimal reward and economically impractical.

How Proof of Stake Works


Distributed computing systems such as blockchains are designed to be secure and to offer Byzantine fault tolerance, which keeps the system operating correctly even if some components fail, behave maliciously, or respond slowly.

Proof-of-work mining was first used in Bitcoin, introduced by Satoshi Nakamoto in 2008, to produce the blockchain. Transactions are verified through a consensus algorithm called “proof of work,” in which miners search by trial and error for a nonce that makes the block’s hash fall below a difficulty target.

This process requires expensive hardware and consumes large amounts of energy. The miner who solves the puzzle first is awarded the block reward and the transaction fees within the block.

Since then, variations of proof-of-work have appeared in many other cryptocurrencies, such as Litecoin. Proof-of-stake is an alternative to PoW that has emerged as a consensus algorithm for blockchain systems.

PoS could present new challenges or opportunities for organizations looking to adopt blockchain technology into their businesses.

The idea is that instead of spending resources on the complex calculations required for proof of work, a node (a computer connected to the blockchain network) stakes a number of coins and becomes eligible to validate transactions. To attack the blockchain, one would need to acquire a majority of all staked coins, which makes gaining control of the ledger significantly harder.

Proof-of-stake is primarily used by cryptocurrencies that want to encourage ownership (stake) of their currency and prevent the need for huge hardware investments required with PoW.

Proof of stake brings consensus to the blockchain by allowing all stakeholders in the system to participate in validation. With this algorithm there is no computational race; instead, influence is distributed among the validators voted into the active set according to their total coin balance and, in some designs, the length of time they have staked.
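The two mechanisms described in this section, the trial-and-error hash puzzle of proof of work and the deposit-weighted selection and slashing of proof of stake, can be shown side by side in a small simulation. The code below is an added example written for this page; it is not code from the article or from Bitcoin, Ethereum or any other project. It is a toy model: the stake amounts, the SHA-256 puzzle, the double-signing evidence format and the use of a hash of a seed for proposer selection are all simplifications chosen for the example (real chains derive the seed from a VRF or RANDAO and usually slash only part of the deposit).

```python
import hashlib
from typing import Dict, Optional


# --- Proof of work: trial-and-error search for a nonce under a hash target ---

def pow_target(difficulty_bits: int) -> int:
    """A valid block hash must be below this value; each extra bit doubles the expected work."""
    return 1 << (256 - difficulty_bits)


def pow_hash(block_data: bytes, nonce: int) -> int:
    return int.from_bytes(hashlib.sha256(block_data + nonce.to_bytes(8, "big")).digest(), "big")


def pow_mine(block_data: bytes, difficulty_bits: int, max_nonce: int = 5_000_000) -> Optional[int]:
    """The miner's race: try nonces until the hash clears the target (about 2**difficulty_bits tries)."""
    target = pow_target(difficulty_bits)
    for nonce in range(max_nonce):
        if pow_hash(block_data, nonce) < target:
            return nonce
    return None


def pow_verify(block_data: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Anyone can check a solution with a single hash, which is what makes the work a proof."""
    return pow_hash(block_data, nonce) < pow_target(difficulty_bits)


# --- Proof of stake: deposit-weighted proposer selection and slashing ---

class PoSLedger:
    def __init__(self, stakes: Dict[str, int]):
        self.stakes = dict(stakes)   # validator -> staked coins (the security deposit)
        self.slashed = set()

    def active_set(self) -> Dict[str, int]:
        return {v: s for v, s in self.stakes.items() if s > 0 and v not in self.slashed}

    def select_proposer(self, seed: bytes) -> str:
        """Pick the next proposer with probability proportional to stake. Hashing a shared
        seed (e.g., the previous block hash) makes the choice deterministic, so every node
        reaches the same answer; real chains derive this randomness from a VRF or RANDAO."""
        active = self.active_set()
        total = sum(active.values())
        r = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
        for validator, stake in sorted(active.items()):
            if r < stake:
                return validator
            r -= stake
        raise RuntimeError("unreachable: r is always below the total stake")

    def slash(self, validator: str, vote_a: dict, vote_b: dict) -> int:
        """Burn the deposit when two signed votes from the same validator back different
        blocks at the same height (double-signing evidence). Returns the amount burned."""
        conflicting = (vote_a["signer"] == vote_b["signer"] == validator
                       and vote_a["height"] == vote_b["height"]
                       and vote_a["block"] != vote_b["block"])
        if not conflicting or validator in self.slashed:
            return 0
        burned = self.stakes.get(validator, 0)
        self.stakes[validator] = 0
        self.slashed.add(validator)
        return burned

    def coins_needed_for_majority(self, attacker: str) -> int:
        """Extra coins an attacker must buy from other stakers to hold more than half the stake."""
        active = self.active_set()
        total = sum(active.values())
        return max(0, total // 2 + 1 - active.get(attacker, 0))


def selection_frequency(ledger: PoSLedger, rounds: int) -> Dict[str, float]:
    """Share of blocks each validator would propose over `rounds` deterministic seeds."""
    counts: Dict[str, int] = {}
    for i in range(rounds):
        v = ledger.select_proposer(i.to_bytes(4, "big"))
        counts[v] = counts.get(v, 0) + 1
    return {v: c / rounds for v, c in counts.items()}


if __name__ == "__main__":
    nonce = pow_mine(b"block-1", 16)
    print("PoW nonce:", nonce, "valid:", pow_verify(b"block-1", nonce, 16))
    ledger = PoSLedger({"alice": 60, "bob": 30, "carol": 10})   # constructed stakes
    print("proposer shares:", selection_frequency(ledger, 2000))
    print("coins carol must buy for a majority:", ledger.coins_needed_for_majority("carol"))
    double_sign = ({"signer": "bob", "height": 7, "block": "a1"},
                   {"signer": "bob", "height": 7, "block": "b2"})
    print("bob slashed:", ledger.slash("bob", *double_sign), "active set:", ledger.active_set())
```

With 16 difficulty bits the miner needs tens of thousands of hashes while the verifier needs one; in the stake model alice, holding 60% of the deposits, proposes about 60% of the blocks without any of that work. The attack cost is explicit: carol must acquire 41 more coins to pass half of the 100 staked, and bob's double-signing evidence costs him his entire 30-coin deposit and his place in the active set.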

Other Blockchain Protocols include:


1- Proof of Authority: Instead of relying on the entire network to validate transactions, PoA relies on a small set of approved, identified validators.

2- Proof of Capacity: Instead of using energy-intensive computations, PoC uses hard disk space; participants are required to store a certain amount to gain mining rights in the blockchain.

3- Proof of Burn: Miners destroy currency by sending it to a verifiably unspendable address in exchange for the right to mine new blocks, so the burned coins can only be recouped through mining rewards.

4- Proof of Elapsed Time: A lottery-style protocol that uses trusted execution environments. Each participant requests a random wait time from its TEE; the participant whose timer expires first produces the next block, and the TEE attests that it actually waited.

5- Proof of Weight: This protocol allows participants with higher weight in the network to create blocks more frequently than lighter participants.

6- Delegated Byzantine Fault Tolerance (dBFT): This protocol allows all users who stake tokens to participate in the consensus process by utilizing token holder voting.

7- Tendermint: This protocol is similar to Delegated Byzantine Fault Tolerance but uses a combination of stakeholders’ voting and traditional proof-of-work mining to achieve consensus.

So far, most blockchain protocols have been built using the rules of the Nakamoto Consensus, which states that all nodes in the system must agree to a certain set of rules. In Proof of Stake, instead of using complex computations to verify transactions, participants must have a certain number of tokens to validate a block.

What Blockchain Projects Already Use Proof of Stake?


A handful of cryptocurrencies currently use a version of proof-of-stake, and Ethereum is planning to convert from proof of work to proof of stake in ETH 2.0, which is slated for conversion in late 2021 or early 2022. Other examples are Peercoin, Nav Coin, Qora, and Nxt.

Many other cryptocurrencies have expressed interest in moving towards the proof of stake consensus model because it is better for scalability and security than Proof of Work. However, there are many technical obstacles that need to be resolved before pure proof-of-stake can be implemented.

Proof of Work vs. Proof of Stake


How do Proof of Work and Proof of Stake compare? Proof of Stake is an alternative form of consensus that has recently gained popularity. Proof-of-Stake holds the same goal as proof-of-work, to reach a fair and decentralized agreement on the blockchain, but uses an entirely different method to achieve it.

Rather than relying on computational power like with proof-of-work, proof-of-stake uses the amount of currency/tokens held by the miner to determine their chance of finding or mining a new block.

Proof-of-stake resembles proof-of-work in that validators, like PoW miners, are the ones who find and add new blocks, but it has very different characteristics: a validator is chosen by stake rather than by solving cryptographic puzzles, which is why it is often presented as a complement to proof-of-work.

Some of the benefits to using proof-of-stake are:


- It consumes less power, since validators are not required to spend computational power on mining.
- No special equipment is needed to mine. All that is needed to become a validator is an active internet connection and the amount of currency required to be considered an active participant.
- It is much simpler, since no advanced cryptographic puzzle has to be solved to find a new block.

Benefits of Blockchain Proof of Stake in Preventing Cyberattacks


1- The cost of hacking a blockchain is higher than the potential benefits that can be reaped from such an attack.

2- To successfully carry out a 51% attack, cybercriminals must control power equivalent to at least 51% of global hashing power.

3- If they succeed in carrying out the attack, the cost of the investment becomes a significant deterrent for them to keep going with their malicious activity.

4- To be recognized as a legitimate blockchain, attackers must convince more than 50% of all participants in the network that theirs is the correct chain while simultaneously making sure they don’t get outcompeted by the “good” chain.

5- The higher the hashing power and the number of participants, the more difficult it becomes to launch a successful cyberattack.

Drawbacks of Proof of Stake


Cyberattacks against proof-of-work cryptocurrencies such as Bitcoin and Ethereum (PoW) aren't new, and the PoS protocol is also not without its flaws when it comes to security. One of the greatest drawbacks is that it is not very efficient at ensuring safety, since computers would have to run 24/7 on the network to maintain the computing power needed for cyberattack prevention, and that is impossible.

Some drawbacks in using proof-of-stake include:


· If someone holds one third or more of the tokens, they are given more power, since they are more likely to be selected to mine.
· This can be seen as unfair because it concentrates power among a small group of people.
· It is more centralized, since only 10–20 validators participate in mining new blocks; this allows for manipulation and collusion on the network, making it unreliable.
· Nodes have been hacked many times, undermining the trust invested in cryptocurrencies based on this consensus algorithm. The blockchain itself has never been hacked, but individual nodes have been attacked.

However, hackers have managed to find several bugs that could be exploited to create coins out of nowhere, hijack the blockchain, and recover coins that had already been spent.

Conclusion


Proof of Stake is a somewhat controversial topic, since many people don't understand how it works. It is easy to see, however, that proof-of-stake is more secure and less resource-intensive than proof-of-work, although some drawbacks still need further attention. Although a PoS blockchain has never been hacked, individual nodes have been attacked.

The Federal Financial Institutions Examination Council (FFIEC) issued new guidance titled “Authentication and Access to Financial Institutions Services and Systems” on behalf of its members, which offers 11 tips for authentication and access to financial systems. FFIEC was established in March 1979 to prescribe uniform reporting principles and standards and to promote uniformity in the supervision of financial institutions. The new guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). Those two publications provided risk management guidance to financial institutions that offered internet-based products and services. This article discusses some of the tips and practices from the guidance below.

11 Tips for Authentication and Access to Financial Systems from FFIEC Guidance

The Purpose for the New Guidance

The new guidance aims to provide direction for access to digital banking services and information systems. It offers examples of practical risk management principles and practices that are useful for authentication and access, and it helps financial institution management evaluate new authentication threats and control practices.

The new guidance addresses issues such as:

1. The need to perform risk assessment by authenticating users and customers to protect information systems, accounts and data from risks associated with cybersecurity threats.
2. The importance of extending authentication practices beyond customers to include employees, third parties and service accounts accessing financial institution systems and services.
3. The use of multi-factor authentication (MFA), or controls of equivalent strength, to effectively mitigate the risk of unauthorized access.
4. Alignment with other safety and soundness standards and other laws and regulations governing financial institutions.

Section One: Highlights of Guidance

In this section, the guidance identifies two main parties that require authentication. The first group is the users that access the financial institution’s information system. Users include the employees, third parties, board members, service accounts, installed applications and devices. The second group is the customers and consumers granted access to the digital banking services offered.

The level of authentication required by a financial institution depends on factors such as the operational and technological complexity of the institution, the assessment of its risk environment, its risk appetite, and its risk tolerance.

Some of the best practice tips highlighted include:

1. Conduct a thorough risk assessment of the digital banking and information system environment for the access and authentication issues that might arise.
2. Take note of all users and customers that access the financial institution’s systems and services and those that require advanced authentication and access controls.
3. Monitor the activities of the users and customers and implement layered security controls to prevent unauthorized access.
4. Ensure that the identity of every user and customer is verified before they are granted access to the financial institution’s systems and services.
5. Evaluate the effectiveness of the user and customer authentication controls that are in place from time to time.
6. Maintain awareness and education programs for users and customers on the importance of access authentication.

Section Two: Threat Landscape

In this section, the guidance points out that financial institutions are increasingly exposed to authentication risks. The risks arise from new technologies that enable third parties to access the institution’s information systems remotely. Some of the latest technologies that pose significant risk include cloud computing service providers and application programming interfaces (APIs). These additional system entry points increase the opportunity for malicious users to gain access and commit data breaches against financial institutions and their affiliates.

Specific control measures can be put in place in financial institutions to reduce the authentication risk created by the increased number of access points. The use of out-of-band communication and encryption protocols to support secure authentication is one way of doing that. Attackers use sophisticated technologies such as automated password cracking tools, which render controls previously thought to be effective useless. An example of an inadequate control technique is single-factor authentication. Nowadays, multi-factor authentication, in combination with other layered security controls, is more effective.

Section Three: Risk Assessment

In this section, the guidance emphasizes the need for financial institutions to conduct risk assessments before implementing new financial services. For example, when introducing a digital payment service, it is vital to assess the access and authentication risks that might arise from it. The assessment should also be done against other business and non-business variables. A risk assessment identifies the threat opportunities and vulnerabilities to which access and authentication practices are exposed. The evaluation also leads to controls regarding authentication techniques and access management practices. It is important to note that this risk assessment should be repeated periodically throughout the life of the financial institution’s product or service.

Some areas listed that require risk assessments include:

1. The inventory of all information systems and their components that need authentication. This includes the hardware, the operating system, applications, infrastructure devices and other information systems provided by third parties such as cloud service providers.
2. The inventory of digital banking services, customers and transactions that require authentication. This involves the uniqueness of the service, the customer or the transaction and what amount of risk they pose to the institution.
3. Customers involved in high-risk transactions, determined by the dollar amount or the frequency of transactions. They pose a higher potential of financial loss risk or breach of data.
4. The users of the financial institution’s information system and data. They include the employees, third parties and service accounts.
5. High-risk users that warrant advanced authentication. They include privileged users with access to critical systems and data.
6. Threats that can potentially affect the financial institution’s system, data, user accounts, and customer accounts.
7. The design and effectiveness of the controls adopted.

Section Four: Layered Security

In this section, the guidance outlines various controls that financial institutions can adopt to prevent, detect, and correct potential weaknesses in their systems. Depending on the level of risk involved, the layered security approach offers authentication solutions suitable for each need.

Some of the controls outlined include:
● Multi-factor Authentication
● User time-out
● System hardening
● Network segmentation
● Monitoring processes
● Transaction amount limits
● Assigning users’ access rights

Section Five: Multi-Factor Authentication as Part of Layered Security

In this section, the guidance indicates that MFA, or controls of equivalent strength, as part of layered security, is more effective in mitigating risk. NIST defines MFA as an authentication system that requires more than one authentication factor to succeed. The factors include memorized or look-up secrets, out-of-band devices, one-time password devices, biometric identifiers, or cryptographic keys. Whatever authentication factors a financial institution decides to use, it should ensure that they are user-friendly, convenient, and provide the desired security strength.

Section Six: Monitoring, Logging, and Reporting

In this section, the guidance emphasizes the importance of financial institutions having controls and processes in place for monitoring, activity logging, and reporting. These procedures are crucial in determining whether there was any attempted or realized access by an unauthorized party. The logged details also enable timely response to, and investigation of, unusual activity.
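The guidance leaves the detection logic to the institution. As an added example (not code from the article or from FFIEC), the following script runs three simple detections over a handful of constructed authentication log lines in an invented key=value format: a burst of failures from one source address, a successful login that follows repeated failures for the same account, and a successful login for a user from a source never seen before. The thresholds, the log format and the sample addresses (documentation ranges) are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines in a simple key=value format (assumed; not a real product's format).
LOG_LINES = [
    "2021-09-01T08:00:01Z user=alice src=203.0.113.5 result=OK",
    "2021-09-01T08:01:00Z user=bob src=198.51.100.7 result=FAIL",
    "2021-09-01T08:01:10Z user=bob src=198.51.100.7 result=FAIL",
    "2021-09-01T08:01:20Z user=bob src=198.51.100.7 result=FAIL",
    "2021-09-01T08:01:30Z user=bob src=198.51.100.7 result=FAIL",
    "2021-09-01T08:01:40Z user=bob src=198.51.100.7 result=FAIL",
    "2021-09-01T08:02:00Z user=bob src=198.51.100.7 result=OK",
    "this line is malformed and is skipped by the parser",
    "2021-09-01T09:00:00Z user=alice src=198.51.100.7 result=OK",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"]}

def detect(lines, fail_threshold=5, window=timedelta(minutes=5), min_fails_before_success=3):
    """Return a list of alert tuples in the order the triggering events were seen."""
    alerts = []
    recent_fails = defaultdict(deque)       # source address -> timestamps of failures inside the window
    fails_since_success = defaultdict(int)  # user -> failures since that user's last success
    known_sources = defaultdict(set)        # user -> source addresses seen on successful logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "FAIL":
            q = recent_fails[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the sliding window
                q.popleft()
            if len(q) == fail_threshold:            # fire once when the threshold is crossed
                alerts.append(("brute_force_source", ev["src"]))
            fails_since_success[ev["user"]] += 1
        else:
            if fails_since_success[ev["user"]] >= min_fails_before_success:
                alerts.append(("success_after_failures", ev["user"]))
            fails_since_success[ev["user"]] = 0
            seen = known_sources[ev["user"]]
            if seen and ev["src"] not in seen:      # first success is a baseline, later new sources alert
                alerts.append(("new_source", ev["user"], ev["src"]))
            seen.add(ev["src"])
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The three alerts this produces are the kind of signals the guidance wants an institution to be able to raise from its logs: the failure burst, bob's success immediately after it, and alice's login from the same address that was just used against bob. In production the window, threshold and baseline period would be tuned per institution, and the alerts would feed the reporting process rather than stdout.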

Section Seven: Email Systems and Internet Browsers

In this section, the guidance points out how email accounts and internet browser history are used to gain unauthorized access. Using social engineering and phishing techniques, the attackers take advantage of misconfigured applications and other unpatched vulnerabilities as access points to gain access to the financial institution systems and data.

Some tips on how to mitigate risks from email and browser history include:
● Implement secure configurations
● Implement layered security techniques
● Patch vulnerabilities
● Block browser pop-ups and redirects
● Limit the running of scripting languages

Section Eight: Call Center and IT Help Desk Authentication

The guidance notes that a common method by which threat actors gain unauthorized access to information is deceiving customer call center and IT help desk representatives. To mitigate that risk, financial institutions should invest in educating their users on the processes.

Section Nine: Data Aggregators and Other Customer-Permissioned Entities (CPE)

In this section, the guidance explains how CPE providers pose a threat to a financial institution’s customers. They obtain the credentials for a customer’s account information directly from the customers. They can also gain the information through other channels, such as API-based or token-based access. To manage such authentication issues, financial institutions should assess the risk factors and put up controls that mitigate the risk of CPE access to digital banking services.

Section Ten: User and Customer Awareness Education

This section tasks financial institutions with the responsibility of putting in place regular user and customer awareness education programs. The program educates users and customers on the authentication risks and other security concerns of using digital banking services. When an institution educates its stakeholders, the additional authentication and access control measures work more effectively.

Section Eleven: Customer and User Identity Verification

In this section, the guidance emphasizes the importance of financial institutions implementing reliable verification methods. Identity verification reduces the incidence of identity theft, fraudulent account activity, and transactions and agreements that are not enforceable.

Zero-knowledge identity proof is a cryptographic technique which allows us to prove our digital identities without revealing private information about us while we interact and engage with various kinds of transactions online.

Zero-knowledge identity proof without revealing personal data

The zero-knowledge identity proof technique offers a way of verifying or providing proof of our identity whereby one party proves to know a particular piece of information without revealing other private information. Some examples of the zero-knowledge proof protocol include submitting proof of identity without disclosing your address or demonstrating that your bank account is sufficient for a particular transaction without revealing its balance.

In this article, we will focus on the use cases of zero-knowledge identity proof, benefits, and some statistics regarding the topic. In addition, we will present information on how zero-knowledge identity proof works to replace passwords. First, let’s look at what a zero-knowledge identity proof is.

What is Zero Knowledge Identity Proof?


A zero-knowledge identity proof is an authentication scheme in which one party proves to the other that it holds a particular piece of knowledge that establishes ownership of the identity. The prover demonstrates the required information without disclosing any additional sensitive or personal information. This ensures that you retain ownership of your sensitive private data.

A zero-knowledge proof (ZKP) convinces the verifier that the prover has the required information to confirm their identity. The method was introduced during the 80s by MIT researchers and is used to further enhance blockchain functionality. Zero-knowledge identity proof is categorized into two areas: interactive and non-interactive.

The interactive version involves a sequence of challenges that the prover must answer to demonstrate knowledge of some information. The method relies on mathematical probability (each answered round makes a bluffing prover less likely) and is used to provide self-sovereign identity.

A non-interactive zero-knowledge proof involves decentralized identity management that does not require any interaction between prover and verifier.

The above two versions of zero-knowledge proof involve the following three crucial prerequisites:


• Completeness: when the correct statement is submitted, the verifier is convinced that the prover possesses the required information.

• Soundness: if the prover inputs incorrect information, or no information at all, the verifier cannot be convinced, because a false statement cannot be made to pass.

• Zero-knowledge: the verifier cannot discover any other information about the prover; thus, personal and sensitive data stay private.

Pros and Cons of Zero Knowledge Identity Proof

Pros


• The technique is simple as it requires no complicated methods of encryption.

• It improves the users’ privacy by keeping vital information anonymous.

• It replaces the ineffective methods of authentication to strengthen information security.

• It improves scalability in the blockchain.

Cons


• It is potentially vulnerable to sophisticated technologies such as quantum computing.

• It has strict requirements: if the transaction’s originator forgets some of the information, all of it is lost.

• Zero-knowledge proof requires significant computing power, around 2000 computations for one transaction.

• The technique is limited to mathematical equations and numerical answers; thus, using any other kind of input requires a translation.

Zero Knowledge Proof Use Cases


Zero-knowledge identity proof offers flexibility to users who wish to control some of their sensitive information. Thus, the technique has numerous uses when combined with blockchain. Some of the uses include:

Messaging


End-to-end encryption is important for messaging, as no one but the intended recipient can read the encrypted message. Messaging platforms enhance data security by requiring users to verify their identities.

As the zero knowledge proof technique advances, particular messaging platforms will find it easier to build end-to-end encryption without giving out any additional information. Using ZKP in messaging is among the popular emerging trends in blockchain.

Authentication


Zero-knowledge proof is used to facilitate the transmission of sensitive data such as authentication information. ZKP helps build a secure channel where users can provide their personal information without revealing it, thus preventing data leakage to malicious parties.

Storage Protection


The storage utility field is another crucial area in which a ZKP can be deployed. Generally, a zero-knowledge proof has a protocol for safeguarding the storage unit and the information contained in the unit. Besides, it provides a seamless, secure experience by protecting the access channels.

Blockchain Transactions


Private blockchain transactions should never be revealed to a third party. However, the traditional methods of sending these transactions usually have numerous loopholes.

In this case, a ZKP comes in handy to close these loopholes. When integrated efficiently, the concept makes it challenging to hack or intercept blockchain transactions.

Complex Documentation


The fact that a zero-knowledge proof can protect massive amounts of data makes it ideal for controlling certain blocks that grant access to a particular user while refusing the same to another user. This way, complex documentation is protected from unauthorized users.

File System Control


Zero-knowledge proof is also implemented in file systems, where it adds security layers to different files, users, and logins. The security layers ensure that the stored data is difficult to hack or manipulate.

Securing Sensitive Blockchain Information


Lastly, the zero-knowledge proof is widely used in blockchain technology to revamp transactions. The various ZKP tools add high security to each block containing sensitive banking information. For this reason, the banks can only manipulate the required blocks when certain information is requested. The other blocks remain untouched and protected.

Benefits of Zero-Knowledge Proof


• The zero-knowledge cryptographic technique involves simple encryption.

• It is more secure, since it requires no party to reveal any information.

• ZKPs significantly shorten blockchain transactions, as users do not have to worry about storing the information.

Zero-Knowledge Proof Scheme


The idea of zero-knowledge proof can be applied in more practical cryptography. For example, Tom wants Mary to prove that she knows the value of x in g^x mod p = y, without revealing the actual value of x. Here x serves as Mary's proof of identity, and y is the public value associated with her; its value can be revealed later to further distinguish Mary.

Mary picks a random number r and sends Tom the commitment C = g^r mod p. After receiving C, Tom asks Mary to disclose either r or (x + r) mod (p – 1). In either case, Mary reveals a value that looks random to Tom and never the exact value of x.

Tom can verify either answer quickly. If he asked for r, then g^r mod p must equal C. If he asked for s = (x + r) mod (p – 1), then g^s mod p must equal C · y mod p, because g^(x + r) = g^x · g^r = y · C (mod p), and reducing the exponent mod (p – 1) does not change the result.

In this case, the value (x + r) mod (p – 1) can be viewed as a one-time encryption of x mod (p – 1): because r is uniformly distributed modulo (p – 1), the sum reveals nothing about the actual value of x.
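The exchange above, together with the completeness, soundness and zero-knowledge properties listed earlier in this article, is implemented here as an added example (not code from the article or from any ZKP library). The parameters p and g are chosen for the demonstration, and the "simulator" and "cheating prover" functions are the standard textbook way of showing why a transcript leaks nothing about x and why the protocol must be repeated for many rounds; both are assumptions of this example rather than anything the article specifies.

```python
import random

# Toy parameters for the discrete-log identification protocol described above.
# P is a prime (the Mersenne prime 2^127 - 1) and G a base. The verification relations hold for
# any base, so G need not be a generator for the mechanics to work (assumption of this example).
P = 2**127 - 1
G = 3

def keygen(rng):
    """Mary's secret x and her public value y = g^x mod p."""
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)

def prover_commit(rng):
    """Step 1: Mary picks a random r and sends the commitment C = g^r mod p."""
    r = rng.randrange(0, P - 1)
    return r, pow(G, r, P)

def prover_respond(x, r, challenge):
    """Step 3: Mary answers Tom's challenge with r (challenge 0) or (x + r) mod (p - 1) (challenge 1)."""
    return r if challenge == 0 else (x + r) % (P - 1)

def verifier_check(y, C, challenge, response):
    """Tom's check: g^response == C, or g^response == C * y mod p."""
    if challenge == 0:
        return pow(G, response, P) == C
    return pow(G, response, P) == (C * y) % P

def run_protocol(x, y, rounds, rng):
    """Completeness: an honest prover who knows x passes every round."""
    for _ in range(rounds):
        r, C = prover_commit(rng)
        challenge = rng.randrange(2)          # Tom's coin flip, chosen after seeing C
        if not verifier_check(y, C, challenge, prover_respond(x, r, challenge)):
            return False
    return True

def simulate_transcript(y, rng):
    """Zero-knowledge: anyone can produce an accepting (C, challenge, response) WITHOUT x by fixing
    the challenge first. Since such transcripts look exactly like real ones, a transcript leaks nothing."""
    challenge = rng.randrange(2)
    s = rng.randrange(0, P - 1)
    if challenge == 0:
        C = pow(G, s, P)                                   # g^s == C
    else:
        C = (pow(G, s, P) * pow(y, P - 2, P)) % P          # C = g^s * y^-1, so g^s == C * y
    return C, challenge, s

def cheat_rounds(y, rounds, rng):
    """Soundness: a prover without x must commit to C before seeing the challenge and can only answer
    the one challenge it guessed. Surviving `rounds` rounds has probability 2^-rounds."""
    for _ in range(rounds):
        C, guess, s = simulate_transcript(y, rng)   # prepared answer for the guessed challenge
        challenge = rng.randrange(2)                 # Tom's real challenge
        if challenge != guess:
            return False                             # wrong guess: the prepared response fails
    return True

if __name__ == "__main__":
    rng = random.Random()
    x, y = keygen(rng)
    print("honest prover accepted over 40 rounds:", run_protocol(x, y, 40, rng))
    print("simulated transcript verifies:", verifier_check(y, *simulate_transcript(y, rng)))
    print("prover without x survives 32 rounds:", cheat_rounds(y, 32, rng))
```

One design point worth noticing: the response for challenge 1 is reduced mod (p − 1), exactly as in the article, and the verifier's check still works because g^(p−1) = 1 mod p. A single round only catches a cheater half the time, which is why `run_protocol` and `cheat_rounds` iterate; 32 rounds push the cheating probability to about one in four billion.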

How Zero-Knowledge Identity Proof Replaces Passwords

Completeness


In the ZKP protocol, both parties must follow the set rules correctly for the statement to be accepted as true. Thus, the verifier has no difficulty verifying it without further assistance.

With password verification, even if the password is leaked, the verifier cannot tell that an unauthorized user is trying to access the system. The worst case is unlimited login sessions, where the established frequency allows repeated access from the same device without re-entering the password; in that case, anyone who gets hold of the device can reach much of the sensitive data.

Thus, zero-knowledge identity proof is preferable to passwords for authentication. Even if a third party obtains some information, the verifier will still detect them, because they lack the specific secret, which is not the case with compromised passwords.

Soundness


If the required statement is incorrect, the verifier immediately identifies the prover as an impostor. Thus, access will not be granted in this case, since the prover has failed to provide the correct information. The verifier cannot be convinced, even if the prover insists that the provided information is the absolute truth.

With a “remember device” feature to automatically log in to some information after providing a password for the first time, anyone accessing the device can decide to view much of the information as the verifier already validated and entrusted the device. This cannot happen with zero-knowledge proof, as the prover has to provide specific information to convince the verifier.


The growing importance of identity and access management became more apparent as the Coronavirus pandemic surprised many unprepared organizations with the scale and sophistication of cyberattacks on virtual workforces. With bad actors on the hunt for privileged access credentials that would enable lateral movement across many breached organizations and systems without being noticed for many months, cybersecurity teams in many instances worked nonstop to implement two-factor authentication. The sheer volume of data breaches reported by major companies is alarming, with some reports estimating that more than 5 billion records were compromised in the last year alone!

Growing Importance of Identity and Access Management

Solving Evolving Challenges


Organizations were not ready for the global pandemic that hit the entire world in 2020. While organizations allowed their employees to work remotely and use personal devices to access cloud systems, bad actors were on the hunt for privileged access credentials, because these would allow them to penetrate deep into systems, move around undetected across breached organizations, and execute highly critical transactions, including log manipulation. Many organizations were designed to allow their employees to access corporate resources only from tightly controlled computers, mobile devices, and access points, but in sending entire workforces home, they left the company wide open to cyberattacks.

With fewer controls and sometimes unknown configurations in place, data breaches continue to skyrocket and in some cases go undetected, which highlights the growing importance of identity and access management. This means that adequate authentication, authorization, and auditing controls, implemented by certified identity experts from Identity Management Institute, are more important than ever for securing systems.

What is Identity and Access Management?


Identity and access management (IAM) is a set of policies, controlled processes, and technologies put in place to manage access throughout the identity lifecycle. This includes provisioning new user accounts; controlling how users authenticate across all systems, including multi-factor authentication; managing privileged accounts; decommissioning departed users and dormant, unassigned or orphan accounts; and monitoring and auditing all critical actions performed by users.
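The decommissioning part of that lifecycle is where many organizations fall behind, so here is an added example (not code from the article or from any IAM product) of the review a practitioner would script: reconcile a directory export against the HR roster and flag accounts that are unassigned, orphaned (owner unknown to HR), owned by a departed employee, or dormant, with privileged accounts rated higher. The roster, the account records, the 90-day dormancy cutoff and the severity labels are all constructed for the example.

```python
from datetime import date

# Constructed HR roster: employee id -> employment status (assumed values: "active" or "terminated").
HR_ROSTER = {
    "E100": "active",
    "E101": "active",
    "E102": "terminated",
}

# Constructed account inventory as it might come from a directory export.
ACCOUNTS = [
    {"account": "alice",   "owner": "E100", "last_login": date(2021, 9, 20), "privileged": False},
    {"account": "bob",     "owner": "E101", "last_login": date(2021, 3, 1),  "privileged": True},
    {"account": "carol",   "owner": "E102", "last_login": date(2021, 9, 1),  "privileged": False},
    {"account": "svc_bkp", "owner": None,   "last_login": date(2021, 9, 29), "privileged": True},
    {"account": "dave",    "owner": "E999", "last_login": None,              "privileged": False},
]

def review_accounts(accounts, roster, as_of, dormant_days=90):
    """Return (account, finding, severity) tuples for every account that needs attention."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        privileged = acct["privileged"]
        # Ownership checks: every account must map to a current employee (or a documented service owner).
        if owner is None:
            findings.append((acct["account"], "unassigned", "high" if privileged else "medium"))
        elif owner not in roster:
            findings.append((acct["account"], "orphan", "high" if privileged else "medium"))
        elif roster[owner] == "terminated":
            findings.append((acct["account"], "departed_user", "high"))
        # Activity check: accounts never used, or unused beyond the cutoff, are dormant.
        last = acct["last_login"]
        if last is None or (as_of - last).days > dormant_days:
            findings.append((acct["account"], "dormant", "high" if privileged else "low"))
    return findings

def summarize(findings):
    """Count findings per severity so the review can be prioritized."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, severity in findings:
        counts[severity] += 1
    return counts

if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, HR_ROSTER, as_of=date(2021, 10, 1))
    for item in results:
        print(item)
    print(summarize(results))
```

An account can carry more than one finding (dave is both an orphan and dormant), which is intentional: the owner question and the activity question are answered independently, and both feed the decommissioning decision.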

Appropriate IAM solutions and adequate IAM controls are critical to secure systems and comply with industry regulations such as HIPAA, GDPR, PCI DSS as well as the authentication requirements of FFIEC.

What are the Benefits of Identity and Access Management?


When adequate levels of identity and access management controls are in place, only authorized people (and devices) can access systems and execute transactions, and only to the extent of their authorized access or capabilities. When users access systems, their identities can be tracked for visibility into who is accessing your data, where it is going, and what those people do with that information. This is why sharing accounts or having orphan accounts is a bad idea in cybersecurity.

IAM solutions can also include user training to minimize the impact of phishing attacks. Without a complete set of IAM policies in place, your organization could be vulnerable to cyberattacks!

Multi-Factor Authentication


Traditional username and password combinations are considered single-factor authentication and weak for our current online world. The risk of system security breach is even higher considering that many people use the same username and password to access multiple online accounts they own.


With two-factor authentication (sometimes called multi-factor), each employee must use more than just the username and password to access systems or even to execute a transaction. This added authentication layer is traditionally accomplished with something you know (your password), something you have (a phone, a one-time code generator, or a key card), or even something you are (biometrics such as fingerprints, eye, or facial recognition).

This provides a much higher level of security, because if someone attempts to access an account without having the second factor, they will not be able to log in even if they crack the password.
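The "something you have" factor most often takes the form of a time-based one-time password from an authenticator app. As an added example (not code from the article or from any authenticator vendor), the block below implements HOTP and TOTP as specified in RFC 4226 and RFC 6238, a verifier that tolerates one step of clock skew but refuses to accept a counter twice, and a login routine that requires both the password and the code. The user record layout and the PBKDF2 parameters are assumptions of the example; the test secret is the one RFC 4226 uses for its published vectors.

```python
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, candidate: str, unix_time: int, last_used_counter=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Check a submitted code. Accepts +/- `window` steps of clock skew, refuses any counter that has
    already been accepted (replay protection) and compares in constant time.
    Returns (ok, counter) so the caller can persist the counter that was consumed."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_used_counter is not None and c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True, c
    return False, None

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash; iteration count is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed server-side user record: salted password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": None}

def two_factor_login(user: dict, password: str, otp: str, unix_time: int) -> bool:
    """Both factors are always evaluated and both must pass: a cracked password alone is not enough."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok, used_counter = verify_totp(user["totp_secret"], otp, unix_time, user["last_counter"])
    if pw_ok and otp_ok:
        user["last_counter"] = used_counter   # burn the counter so the same code cannot be replayed
        return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test secret, not a real credential
    print("TOTP at t=59:", totp(secret, 59))  # matches the RFC 6238 vector (last six digits)
    user = make_user("correct horse battery staple", secret)
    print("login with both factors:", two_factor_login(user, "correct horse battery staple", totp(secret, 59), 59))
    print("replay of the same code:", two_factor_login(user, "correct horse battery staple", totp(secret, 59), 59))
```

Two details matter for the security claim in the text: the password check and the code check are both performed unconditionally, so an attacker cannot tell from timing which factor failed, and the consumed counter is stored so that a code observed over someone's shoulder is useless once it has been used.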

Convenience vs. Security


One of the typical user complaints is that security measures are sometimes excessive and lead to lower productivity in the workplace. Company executives also sometimes reject security solutions proposed by cybersecurity experts as too costly and an obstacle to reaching business objectives. While these complaints are sometimes legitimate, the cost of a major security breach may be much higher, and the burden of the resulting investigation may hurt productivity even more.


While some IAM policies may be considered inconvenient by many, the benefits of added security layers outweigh any inconvenience employees, executives, and customers may encounter.


Spending on identity and access management (IAM) solutions by responsible and aware organizations continues to grow driven by many organizations’ need to improve cybersecurity and meet regulatory requirements.

What can Happen Without IAM Solutions?


Without IAM policies and solutions in place, organizations could be vulnerable to cyberattacks. Recent data breach cases indicate that some incidents are the result of poor user education against phishing attacks and social engineering schemes by bad actors, who continue to look for weak targets in order to steal credentials and access system accounts.


One of the most notable hacks, which shut down oil transportation on the east coast for part of 2021, happened when Colonial Pipeline became the victim of a ransomware attack caused by a compromised password. This incident could have been prevented with adequate identity and access management controls.

No organization wants to be in the news, especially for a system security breach that resulted in millions of stolen records. Implementing identity and access management controls and systems can help organizations avoid falling victim to the growing threat of cyberattacks, which are causing organizations to lose revenue and suffer reputational damage.

How to implement identity and access management controls


For best results, it is important that you regularly audit your policies, systems, and users to ensure policies are complete, systems are properly configured, access is appropriate, and transactions are authorized. In instances where manual processes are cumbersome, technology solutions may be implemented to save time and money by automating certain tasks.


If users are required to take extra steps, they will usually not do so until it becomes a habit. One way to build up healthy habits in your employees is through periodic awareness education and use of technology that enforces the policies automatically, such as automated password resets or two-factor authentication.

Employees should be educated on the importance of MFA and why you are implementing this policy so they understand it’s not just another thing to do but rather a security measure that is meant to keep them and their company safe.

Identity and access management technology can make your organization better prepared for cyberattacks by implementing automated tasks such as periodic forced password change, MFA enforcement, monitoring and auditing, as well as onboarding and offboarding automation.


With identity and access management (IAM) solutions from a trusted provider, you will be able to secure your employees, systems, customers, stakeholders, and organization.


This article lists some considerations for a cloud security and access audit which can be further expanded to create a more comprehensive and detailed audit checklist.

Cloud computing offers an on-demand service that provides a shared pool of configurable computing resources which is typically considered to be more secure than a traditional IT infrastructure.

There are many benefits to using cloud services in your business. You can access your information from anywhere, as long as you have an internet connection. But with this great convenience also comes the need for more security and better access management practices.

20 Tips for Cloud Security and Access Audit

Cloud Security and Access Audit Checklist

One of the critical areas of identity and access management is system security and access audit. More importantly, the audit must be frequent, or ideally continuous in some areas, and automated as much as possible to ensure system security is consistently maintained. Below is a cloud security and access audit checklist which can be expanded to meet your needs and also applied to other systems outside of cloud environments.

Have a Cloud Security and Access Policy

Having a cloud security policy communicates to employees, contractors, and customers that your company takes cloud security seriously and also lays out the expectations for everyone to collectively ensure secure cloud and access.

Choose Your Cloud Provider Carefully

There are many cloud service providers in the market, and some may be more suitable for your needs than others depending on what you intend to use the cloud services for or what your budget looks like. Consider asking for customer references, a product demo, and system documentation. And don’t hesitate to ask your IT audit team for help in selecting a cloud service provider by assessing the provided information.

Maintain an Access Control Matrix

Maintaining an access control matrix, access control list, and access capability table helps with keeping an up-to-date inventory of users and their access permissions to applications, data, and other devices. This characterizes the rights of each subject with respect to every object in the system. The access control matrix is a table of subjects and objects showing what actions subjects can take vis-à-vis objects. A row of the matrix, the list of a subject’s access rights, is its capability list; a column of the matrix, the list of subjects allowed to access an object and their rights, is the object’s access control list (ACL).
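As an added example (not code from the original article), the following script builds a small access control matrix from constructed sample data, derives a subject’s capability list and an object’s ACL from it, and compares the approved matrix against a constructed snapshot of what systems actually grant, which is the comparison an access audit performs to find privilege creep and orphaned accounts. All subject, object, and right names are made up for illustration.

```python
"""Access control matrix demo (added example, not from the original article).

Subjects, objects and rights below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

Matrix = Dict[str, Dict[str, Set[str]]]  # subject -> object -> set of rights

# Constructed approved access control matrix: rows are subjects, columns objects.
APPROVED: Matrix = {
    "alice": {"hr_db": {"read", "write"}, "payroll": {"read"}},
    "bob": {"hr_db": {"read"}, "git_repo": {"read", "write"}},
    "svc_backup": {"hr_db": {"read"}, "payroll": {"read"}, "git_repo": {"read"}},
}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """A row of the matrix: every object the subject may act on, with its rights."""
    return {obj: set(r) for obj, r in matrix.get(subject, {}).items() if r}


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """A column of the matrix: every subject allowed on the object, with its rights."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if row.get(obj)}


def is_permitted(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Deny-by-default check: a right exists only if the cell explicitly lists it."""
    return right in matrix.get(subject, {}).get(obj, set())


def audit_drift(approved: Matrix, observed: Matrix) -> List[Tuple[str, str, str, str]]:
    """Compare the approved matrix against rights actually configured on systems.

    Returns (kind, subject, object, right) tuples: 'excess' for rights granted
    but not approved (privilege creep, orphaned accounts), 'missing' for
    approved rights that were never provisioned.
    """
    findings = []
    for subj in sorted(set(approved) | set(observed)):
        objects = set(approved.get(subj, {})) | set(observed.get(subj, {}))
        for obj in sorted(objects):
            want = approved.get(subj, {}).get(obj, set())
            have = observed.get(subj, {}).get(obj, set())
            for right in sorted(have - want):
                findings.append(("excess", subj, obj, right))
            for right in sorted(want - have):
                findings.append(("missing", subj, obj, right))
    return findings


# Constructed snapshot of what the systems actually grant today.
OBSERVED: Matrix = {
    "alice": {"hr_db": {"read", "write"}, "payroll": {"read", "write"}},
    "bob": {"hr_db": {"read"}, "git_repo": {"read", "write"}},
    "svc_backup": {"hr_db": {"read"}, "payroll": {"read"}},
    "carol": {"git_repo": {"read"}},  # account with no row in the approved matrix
}

if __name__ == "__main__":
    print("alice capabilities:", capability_list(APPROVED, "alice"))
    print("hr_db ACL:", acl(APPROVED, "hr_db"))
    for finding in audit_drift(APPROVED, OBSERVED):
        print(*finding)
```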

Provide Awareness Training

Considering that system users are often the cause of data breach cases, it makes sense to spend some time and resources to educate end-users about why they are considered the weakest link in the cybersecurity chain, what company expectations are, and how they can help secure the cloud applications and data.

Require Strong Passwords

While passwords are still in use, your company security standards must require the selection and use of strong passwords. Password settings are configurable in most systems and can be designed to force end-users to comply with strong password requirements.

Use MFA When Possible

When two-factor authentication was introduced, many users resisted the extra effort to access systems, which is why user awareness and education is important for user cooperation, especially from the executives. Multi-factor authentication provides an added layer of security when a password is compromised.

Seek Executive Support

Before cloud security requirements can be imposed on the general population, the executives must be educated to support any cybersecurity initiative, whether it is a policy for cloud security or system access audit. Often, the first people who complain about the extra security steps or efforts are the executives, which undermines end-user support for cybersecurity.

Avoid Being Identity Obese

The term “Identity Obese” was coined by Henry Bagdasarian in his Identity Diet book, which introduced the KAOS framework with 8 principles for identity theft protection. When collecting, storing, and sharing information, it is important to be mindful of the amount and type of data we unnecessarily collect, process, or store in the cloud. Just like eating too much of the wrong foods can lead to health issues, collecting and storing an excessive amount of data can lead to increased cyberattacks, higher cost of security with lower ROI, and lawsuits, and ultimately to an unmanaged and chaotic business environment.

Review Connected Applications and Devices

Be aware of the connected resources in your cloud environment. Often unused apps and devices continue to be inter-connected within cloud platforms for months and years exposing the company to real threats. The same goes for data. “If the benefits of collected data do not outweigh the cost of maintaining, securing, or losing the data, then it may be time to forgo that data” says Henry Bagdasarian.

Track Changes in Real-Time

When a security setting is changed, new access is established, or an existing access is changed, it is important to be notified of these changes in real-time in order to review high risk changes immediately.

This will make sure that you are actively aware of every activity related to your cloud access, system security configurations, and safety of your files and data.

Another benefit of real-time activity tracking is the awareness of newly connected devices and apps in the cloud to ensure every resource is authorized.

Ensure Compliance

When we discuss regulatory compliance, we need to focus on two key areas. We need to ask ourselves the following questions: does the platform offer features to allow my company to fully comply with local and international regulations? And, is the cloud provider compliant with regulations?
To ensure systems cover all major regulatory requirements, we need to audit the platform features against our unique requirements and ask vendors to provide third party audit reports regarding their compliance level.

Establish Monitoring and Reporting

Having an audit function within cloud operations with monitoring and reporting capabilities is important to identify gaps and suspicious activities as soon as possible in order to address them before they become a liability for the company.

Block Unauthorized Users

There are many ways for companies to automate user access approval and provisioning, including IP tracking and user validation. In addition to cross-referencing users against a validated identity directory, in some cases unauthorized users may be blocked from accessing a cloud system if they try to access it from an unknown device, or from a suspicious location or time of day, depending on the user’s role and location.
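The checks just described, as an added example that is not the article’s own code: a login event is first cross-referenced against an identity directory, then its device, country, and hour of day are compared against the expectations for the user’s role, and the outcome is allow, step-up MFA, or block. The directory, device registry, role policy, and events are all constructed sample data, and the decision thresholds are an assumed policy, not a standard.

```python
"""Risk-based access check (added example, not the article's own code).

Directory, device registry, role policy and events are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed identity directory: user -> role (users absent here are not valid).
DIRECTORY = {"alice": "finance", "bob": "engineer", "svc_backup": "service"}

# Constructed device registry: user -> device IDs enrolled during onboarding.
KNOWN_DEVICES = {
    "alice": {"lt-0101"},
    "bob": {"lt-0202", "ph-0202"},
    "svc_backup": {"srv-09"},
}

# Constructed per-role policy: where and when a login is expected.
ROLE_POLICY = {
    "finance": {"countries": {"US"}, "hours": range(6, 21)},
    "engineer": {"countries": {"US", "DE"}, "hours": range(0, 24)},
    "service": {"countries": {"US"}, "hours": range(0, 24)},
}


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    hour: int  # local hour of day, 0-23


@dataclass
class Decision:
    action: str  # "allow", "step_up" (require MFA) or "block"
    reasons: List[str] = field(default_factory=list)


def evaluate(event: LoginEvent) -> Decision:
    """Directory lookup first, then device, location and time-of-day against
    the user's role policy. Assumed policy: an unknown device combined with
    any other anomaly is blocked, a single anomaly requires step-up MFA."""
    role = DIRECTORY.get(event.user)
    if role is None:
        return Decision("block", ["user not in identity directory"])
    policy = ROLE_POLICY[role]
    reasons: List[str] = []
    if event.device_id not in KNOWN_DEVICES.get(event.user, set()):
        reasons.append("unknown device")
    if event.country not in policy["countries"]:
        reasons.append(f"unexpected country {event.country} for role {role}")
    if event.hour not in policy["hours"]:
        reasons.append(f"login at hour {event.hour} outside role {role} window")
    if "unknown device" in reasons and len(reasons) >= 2:
        return Decision("block", reasons)
    if reasons:
        return Decision("step_up", reasons)
    return Decision("allow", reasons)


if __name__ == "__main__":
    # Constructed events: normal login, after-hours login, and an unknown user.
    for ev in (LoginEvent("alice", "lt-0101", "US", 10),
               LoginEvent("alice", "lt-0101", "US", 23),
               LoginEvent("alice", "lt-9999", "FR", 3),
               LoginEvent("mallory", "lt-0101", "US", 10)):
        print(ev.user, evaluate(ev))
```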

Keep Secured Logs

Keeping system logs is important for periodic reviews and even more important following a security incident for investigation purposes. There are many types of logs that can be considered. The most common types of audit-related logs include but are not limited to system configuration logs, access logs, and file logs. Log security and access control is also extremely important to prevent unauthorized edits to log data, which might occur to cover tracks and avoid detection of unauthorized activities. The log retention period must also be considered depending on your industry and regulatory environment. Consult with your Legal team about the required log retention period.

Audit, Report, and Monitor


Monitoring system access can prove to be very valuable when you notice an increase in a particular type of attack or a sudden spike in failed logins.
Internal audits are also important to discover and address vulnerabilities before they cause any serious damage. This includes audits of systems and applications as well as any activity that doesn’t seem normal. IT audit and security teams can help assess the security and access controls and identify any major gaps that need to be addressed.

Often, cloud and SaaS providers offer independent audit reports which may save time and cost on internal audits which are important before an external audit is requested by a large customer or regulatory body.

Auditing and reporting is further covered in the Certified Identity and Access Manager (CIAM) scope for certification.

Have the Right Tools

Having the right tools in place is necessary to automate and address issues efficiently and cost effectively. Some of these may include artificial intelligence to quickly detect suspicious access and activities as well as anti-malware software, firewalls, and an intrusion detection system. The extent of tools depends largely on your budget and risk appetite. Not every company can afford all the sophisticated tools which makes it even more important to have a discussion with your executives to collectively make the investment decision and accept the risks.

Limit Administrative Privileges

Hackers often target administrator access credentials because they offer the highest level of access to all systems. Having a Privileged Access Management (PAM) system is extremely important to closely monitor high risk activities and detect or block suspicious activities.

Ensure All the Sensitive Data Is Encrypted

Ensure your sensitive data is encrypted while in transit and at rest. Consider file encryption to complement whatever encryption service the cloud service already provides. The most common types of information that may need encryption include but are not limited to credit cards, social security numbers (or other identifiers), medical records, financial records, and other sensitive data. The type of data being stored or transmitted as well as regulatory requirements will determine which level of encryption should be used.

Backup System and Data

We need to keep in mind that regardless of our efforts, incidents happen and sometimes system and data files are lost or damaged which need to be quickly restored to continue business operations in a secure fashion. Backup and recovery policies help define the requirements and the process must be tested to make sure it works.

Manage Shared Files

Often users share cloud files with other users by sending a link to the file. If the file contains sensitive data and the link continues to be unnecessarily active, it can present a security risk that can be exploited. Having a shared file management process helps reduce the risk by deactivating the file link when it is no longer needed. Many cloud service providers offer file management features which can assist you with shared file management.

Conclusion

There are many access and security risks that can be mitigated with periodic cloud security and access audits. In essence, a cloud security and access audit can help discover issues before they cause any damage or help detect issues quickly to contain the damage.

A cloud security and access audit can be performed before a cloud service provider is selected and thereafter periodically to make sure the cloud platform, applications and data remain secure at all times.

This high level cloud security and access audit checklist should be a starting point and expanded to meet your special security needs.

The KAOS identity theft protection framework offers 8 principles and a road map for personal identity protection. While it is impossible to eliminate identity theft risks completely, these principles help individuals reduce their risk of identity theft to acceptable levels. The extent to which consumers adopt these principles largely depends on their awareness of and appetite for identity theft risks. Each person should determine the acceptable risk level based on the consequences of identity fraud in order to take measured actions to prevent, detect, and resolve identity theft. For example, someone may decide to occasionally monitor activities on their credit reports for unauthorized and suspicious transactions instead of subscribing to an automated alert system to be notified immediately when a change occurs.

KAOS Identity Theft Protection Framework

KAOS Identity Theft Protection Framework Benefits

The KAOS identity theft protection framework and its principles were created many years ago by Henry Bagdasarian, Founder of Identity Management Institute, and have been incorporated into the Certified Identity Protection Advisor (CIPA)® training course and certification. The 8 identity theft protection principles represented in the KAOS acronym are listed below and offer the following benefits:

  • Reduce the occurrence of identity theft
  • Detect potential misuse of personal information
  • Minimize the damage caused by identity theft

KAOS Framework Principles

1- Know Target Information – We first need to identify our personal data which may be vulnerable to identity theft to protect ourselves from potential identity fraud. It entails listing our credit cards, online accounts, and sensitive documents before thinking about how to protect our identity. Like on the battlefield, you first need to know your opponents, their targets, and methods before taking measures to defend and protect yourself. The first step to protect your identity is creating a list of all your identity items and data which the KAOS framework refers to as “identity components” that are often targets of identity thieves. These may include personal assets such as death and birth certificates, passports, SSN, driver’s license, and credit cards. Bank statements and other valuable documents must be considered for inclusion. As mentioned, not just physical items are listed in the inventory list but also account numbers, passwords and login information.

2- Know Target Location – Locate where each physical item is stored and add them to your list of identity inventory. It could be in the office drawer, briefcase, or wallet. Either way, make sure you know where all your personal information is for quick access and recovery but most importantly to determine the appropriate security measure and level of protection each identity component needs. It is easier to protect your credit cards, bank statements, and passport when you know where they are.

3- Assess Data and Actions – After identifying all your identity components and including them in your inventory list, the next step is assessing the information. Assess whether it is necessary to modify your personal inventory list or not. You also need to assess if your actions to manage and protect your identity are appropriate. Don’t assess your information in a hurry because this is a critical process that will determine the measures that need to be in place to protect your identity. Assessing your identity theft protection data and measures is not a one-time process. Instead, it is an ongoing process that will require time and keen attention to detail.

Here are a few questions to ask yourself when assessing your identity inventory list and actions toward them:

• Are all these online accounts or credit cards necessary? Some of your online accounts and credit cards could be making you more vulnerable to identity theft. Get rid of any accounts that you feel expose you more to identity theft. Consider closing some bank and online accounts or cancelling credit cards, or shredding statements. Be sure to delete all personal information from your profile before deleting an online account.

• Is it necessary to open another account or apply for a loan? Sometimes we may accumulate more items and data than we actually need, which the framework refers to as “identity obesity”; however, if you do, it is unnecessary to add them to your inventory list. Just remember, the more items you add to your list, the more resources and effort you need to protect your identity. For example, you need to frequently change the passwords on your major accounts.

• Where have I kept each piece of information? You should always be aware of where your identity components are. Knowing that your credit cards are in the briefcase or wallet can help locate them faster and better protect your identity.

• Who have I shared any of my personal information with? Be cautious with data sharing as we will cover in another principle. For example, if you have sent any original documents to someone, follow up to ensure you collect them. For example, we sometimes must submit our original documents, such as a birth certificate when we apply for passport.

4- Accumulate Less – You have probably heard the saying “less is more”. This statement is true in this case, as having fewer credit cards exposes us to lower risk of identity theft and offers peace of mind. It is better to accumulate fewer identity components than to accumulate and manage more items and possibly be forced to eliminate them later.

5- Organizing Information – The identity theft protection process doesn’t stop at identifying your identity components and compiling a list of your data. That information will need to be organized and monitored. Categorize each item on your inventory list based on its acceptable risk level and similarities. The risk level assigned to each item will determine the measures needed to protect your identity. Be specific when categorizing these items, although you can opt to consolidate categories that are closely related. For example, it makes sense to keep all bank-related information together. Categorizing personal information items comes with benefits such as easier access. It will also be easier to determine the risk level to apply for each category. Keeping credit cards separately from other documents may reduce your risk of identity theft and financial loss. Check your credit cards, passports, and birth certificates periodically to ensure they are always in the right place. The sooner you detect the absence of your credit cards, the sooner you can look for them or alert the card issuer and prevent potential financial losses and fraud damages.

6- Observe and Monitor – It is also paramount to review your bank and utility statements periodically for accuracy verification. Check to ensure that all your credit card transactions are authorized. Follow up with your bank if you notice unauthorized or incorrect transactions or don’t receive a transaction notification on time. The same concept applies to all your items in the identity inventory list and your credit reports.

7- Secure Your Information – After defining your information categories, address the level of protection for each category. You may assign the same level of protection measures for similar categories such as brokerage and bank accounts. For example, you can have a cabinet for keeping all statements related to utilities, brokerage accounts, and banks. Establish an extremely confidential documents category for keeping government-issued documents such as your social security card, passports, and credit cards. It would be best if you always kept this category under tight control to prevent confidential information from getting into the wrong hands. You may opt for a fireproof safe box for keeping all your valuable documents and a shredder to discard your sensitive documents.

8- Share with Caution – Finally, be cautious when sharing your personal information. Ask the requestor why they need your information and how it will be used. Seek to know who will have access to your data and how it will be stored and protected. Consumers often use too many credit cards or use them excessively to make small purchases without considering potential risks. It is often unnecessary to use debit and credit cards for frequent transactions such as paying for coffee. Instead, store cards can be used to add occasional credits, and that card can be used to make small and frequent purchases like coffee. Identity theft risk increases with each transaction that exposes our data. Finally, when it comes to social media, it makes sense to share less and choose your friends carefully. Some people accept every friend request on Facebook and post a lot of personal information daily. This can be detrimental in the long term.

In conclusion, identify what data or document is a high target for identity thieves or may be hard to reproduce if lost or damaged, then apply some security measures and best practices to protect your identity. As a last step, make sure you follow up to report any lost, damaged, or stolen personal data and documents as well as fraud and suspicious activities.

Become a Certified Identity Protection Advisor (CIPA)