Businesses face numerous security challenges arising from changes in employee device use. Eighty-seven percent of companies depend on employees being able to access business apps from their personal devices, and 59% have fully established bring-your-own-device (BYOD) policies. An increasing number of employees work remotely some or all of the time and access company networks using a variety of devices running different operating systems and applications.


Without clear visibility and strong security policies, managing these diverse network environments can become overwhelming. Mobile device management (MDM) might be the answer for businesses in which BYOD is a necessity or remote employees make up a significant portion of the workforce.

Understanding Mobile Device Management

MDM acts as an important component of mobility management and is quickly becoming a necessary companion to other key security practices, such as identity and access management (IAM). It involves two main elements:

• Security software, called the MDM agent
• An MDM server, which is often cloud-based

Policies to govern how devices access a company’s network are created by the IT department on the server side and deployed via the software. Software can be installed on most types of employee devices, including laptops, tablets, smartphones and some internet of things (IoT) devices. This simplifies the enforcement of security and use policies by giving the IT department greater control over network access and providing the tools to monitor and manage personal devices used for work purposes.

With 71% of workers spending over two hours per week accessing company info on their mobile devices, such control is necessary to ensure data remains secure. MDM makes it possible to track the status, location and activities of devices in and out of the office, detect unusual activity indicative of unauthorized access and take preventative measures to reduce the risk of breaches.

Managing Devices for Better Network Security

Although some companies opt to provide employees with separate work devices rather than use MDM, employees are generally more comfortable using their own smartphones or tablets and more productive when working with platforms they recognize. These devices often lack the level of malware protection required to keep them secure on business networks, but MDM bridges the gap by providing IT departments with better visibility and detailed access data.

Proper management starts with a company policy detailing appropriate use of devices connected to the network, which can provide the foundation for setting up rules via the MDM agent, including whitelisted and blacklisted applications. Businesses may also provide work applications through company-specific storefronts from which employees can download the tools they need without the risk of accidentally bringing in malware from infected programs obtained through public app stores.
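The policy-to-rules step above is easier to see as data plus an evaluation routine. The following is an added example, not code from any MDM product's agent or server: the policy keys, app identifiers and inventory records are constructed for illustration, and the rooted/jailbroken and encryption flags are assumed to be what an agent reports.

```python
"""Evaluate BYOD device inventory records against an MDM policy.

Added example for this page: the policy, device records and app identifiers
below are constructed for illustration and are not taken from any real MDM
product's agent or server API.
"""
from dataclasses import dataclass, field

# Hypothetical policy, as an IT department might define it on the MDM server.
# Blocklist, required-app and allowed-source entries use constructed identifiers.
POLICY = {
    "blocked_apps": {"com.example.remote-shell", "com.example.sideload-helper"},
    "required_apps": {"com.example.corp-mail"},
    "allowed_app_sources": {"corp-store", "public-store"},
    "min_os_version": {"ios": (15, 0), "android": (12, 0)},
    "require_disk_encryption": True,
    "allow_rooted": False,
}


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple
    rooted: bool            # rooted/jailbroken flag as reported by the agent
    disk_encrypted: bool
    apps: dict = field(default_factory=dict)  # app id -> install source


def evaluate(device, policy=POLICY):
    """Return the list of policy violations for a device; empty means compliant."""
    violations = []
    if device.rooted and not policy["allow_rooted"]:
        violations.append("rooted-or-jailbroken")
    if policy["require_disk_encryption"] and not device.disk_encrypted:
        violations.append("disk-not-encrypted")
    min_ver = policy["min_os_version"].get(device.platform)
    if min_ver is not None and device.os_version < min_ver:
        violations.append("os-below-minimum")
    for app_id, source in device.apps.items():
        if app_id in policy["blocked_apps"]:
            violations.append(f"blocked-app:{app_id}")
        elif source not in policy["allowed_app_sources"]:
            violations.append(f"untrusted-source:{app_id}")
    for app_id in sorted(policy["required_apps"] - set(device.apps)):
        violations.append(f"missing-required-app:{app_id}")
    return violations


def decide(device, policy=POLICY):
    """Map violations to an enforcement action the MDM server would push.

    A rooted device, or one running apps from outside the approved stores,
    cannot be trusted to self-report, so it is cut off rather than nagged.
    """
    violations = evaluate(device, policy)
    if not violations:
        return "allow"
    hard = ("rooted-or-jailbroken", "blocked-app:", "untrusted-source:")
    if any(v.startswith(hard) for v in violations):
        return "quarantine"
    return "remediate"


# Constructed inventory records, as an MDM agent might report them.
SAMPLE_DEVICES = [
    Device("dev-001", "ios", (16, 4), False, True,
           {"com.example.corp-mail": "corp-store", "com.example.notes": "public-store"}),
    Device("dev-002", "android", (13, 0), True, True,
           {"com.example.corp-mail": "corp-store"}),
    Device("dev-003", "android", (11, 0), False, False,
           {"com.example.notes": "public-store"}),
]


def report(devices=SAMPLE_DEVICES, policy=POLICY):
    """Return {device_id: (action, violations)} for a fleet."""
    return {d.device_id: (decide(d, policy), evaluate(d, policy)) for d in devices}


if __name__ == "__main__":
    for dev_id, (action, violations) in report().items():
        print(dev_id, action, violations)
```

The split between "quarantine" and "remediate" is the design point: a device that cannot be trusted to report honestly (rooted, or running software from an unapproved source) is removed from network access, while a device that is merely out of date is given a chance to update.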

Benefits and Drawbacks

Implementing MDM allows companies to offer more remote work opportunities without worrying about potential security risks, which creates a flexible environment in which employees are free to access apps and data at any time. Businesses can choose the best software for projects and workflows and deploy it securely to ensure communication and collaboration occur with ease.

From an IT perspective, MDM simplifies the enforcement of security measures like encryption, application updates and data backups. Automating key processes, including device provisioning, reduces workload while maintaining strong security. Remote wiping removes private and proprietary data if devices are lost or stolen. Together, these features minimize the potential for data theft and ensure fast restoration of critical business data in the event of loss or compromise.

However, proper implementation and execution of MDM requires experienced IT staff, and business owners can’t rely solely on MDM to secure their networks. There’s still the risk of credentials being stolen and systems hacked if misplaced devices aren’t wiped quickly enough, and employees can pick up malware outside the office and accidentally introduce it into the enterprise network environment.

Challenges of MDM Implementation and Management

Employee resistance may be the biggest challenge to MDM. Staff members may not be comfortable with employers monitoring and possibly restricting the use of their devices, and some may resort to rooting or jailbreaking in an attempt to work around MDM policies.

To prevent excessive restriction, business management must clarify their security needs based on how employees are already using devices on corporate networks and how use is likely to change over time. This can be difficult for companies with large remote workforces and businesses lacking detailed security policies. Ideally, MDM should be integrated into an existing protocol and deployed in a way designed to benefit employees and the company as a whole.

Although implementing MDM can allow for better management of personal devices and improved network security, it can’t stand alone. IT teams must work with business owners to establish robust security policies in which MDM is integrated with identity management, access control and appropriate provisioning to prevent unauthorized use of enterprise systems.

Identity and access management certifications

Technology has a multitude of beneficial applications for health care, but increased adoption of new technologies introduces new security challenges across the industry. Protected health information (PHI), consisting of personal details, medical histories and other health-related data, is highly attractive to hackers, but many healthcare organizations lack the robust security protocols required to guard against cyberattacks and need help implementing better access controls.


Healthcare Cybersecurity by the Numbers

In 2016, healthcare organizations were using less than 6% of their budgets for cybersecurity. This lack of investment is likely a major contributor to the massive number of attacks the industry has experienced in recent years. Healthcare organizations were the victims of 88% of all ransomware attacks across industries in the U.S. in 2016, and 89% of organizations have experienced some kind of data breach in the last two years.

By 2020, the total cost of security breaches in healthcare is expected to reach $6 trillion, up from $3 trillion in 2017. Some of this cost goes toward paying hackers to regain access to data after ransomware attacks. Twenty-three percent of healthcare organizations report paying ransoms to avoid the potentially deadly consequences of losing access to patient information and care protocols.

Major Healthcare Security Challenges for 2019

Why are hackers so interested in healthcare? A single PHI record can fetch up to $20,000 in profit on the black market, around 10 times the value of a stolen credit card number. Such a payoff is a big incentive, especially when healthcare networks provide a number of loopholes for hackers to exploit.

Ransomware is of particular concern. In 2017, 34% of attacks on the 10 industries most affected by ransomware were directed at healthcare, and the number of attacks may quadruple by 2020. Locking down a system in a provider’s office or hospital restricts access to patient records, including prescription information, test results and surgical data. Hackers know how important this information is for healthcare providers, which makes the industry a prime target for ransomware.

Migration to cloud-based applications introduces additional vulnerabilities. Of all healthcare firms relying on the cloud, 25% aren’t encrypting information as it travels back and forth, leaving private data vulnerable to attack. Almost 40% have no dedicated staff to manage their cloud-based software, but 81% are allowing employees to bring their own devices to work, many of which simply provide more unsecured endpoints hackers can use to gain network access.

Controlling Access with Better Identity Management

Limiting unauthorized access requires a greater degree of clarity and unification than is currently possible in many healthcare environments. Employees use numerous applications to access patient data and manage care, but no centralized tool or strategy exists to manage identities or login credentials. Access management is made more difficult by complex use cases and permission requirements. Not all providers with a particular role need access to the same information, and access needs may change during the course of patient treatment.

Increasing privileges, however, is not the answer. Sixty-one percent of healthcare organizations cite privileged accounts as their biggest internal threat, so adding more permissions to streamline access is likely to lead to even greater security problems. According to the 2017 IBM X-Force Threat Intelligence Index, insiders account for 71% of cybersecurity threats in healthcare. Susceptibility to phishing scams may explain why 46% of the threats were inadvertent, but 25% resulted from malicious activity by those authorized to access networks.

Automated provisioning may provide a solution. By using predetermined protocols to define access rules and leveraging artificial intelligence (AI) to assess user behaviors, healthcare organizations can provide access to necessary information without compromising other sensitive data or adding unnecessary complexity to workflows.

Applying Improved Access Principles to Healthcare

Because many healthcare procedures require fast decisions and responses, streamlining identity and access management (IAM) is essential. Employees can’t afford to spend too much time logging into applications, especially in situations where multiple platforms are required. Healthcare organizations need to map out their most common use cases, determine who needs access to the network and create protocols designed to allow appropriate levels of access at the right times.

Protocols must include initial and ongoing employee training as well as monitoring to minimize the risk of insider threats. Employees should be able to recognize phishing emails and be aware of proper password storage procedures. In environments where employee-owned devices are allowed, it’s up to organizations to require and implement security measures to protect data from compromise due to unauthorized access.


Although improved access management is essential in healthcare cybersecurity, 39% of organizations say they lack qualified employees to create and manage security strategies. Twenty-seven percent simply can’t find qualified personnel to help. Bringing in experienced third-party cybersecurity experts may be necessary for the industry to get the full benefit of IAM protocols for ensuring appropriate access levels and protecting PHI.

This article highlights the latest events and trends to demonstrate how emerging threats and technological innovations are changing the security landscape.

Equifax Makes Good on Massive Data Breach

Announced in September 2017, three months after its discovery, the Equifax breach exposed the records of 150 million people and put enormous amounts of personal data at risk. Now the company is expected to pay as much as $700 million to state and federal regulators in a settlement to be approved by a federal court. The settlement includes between $300 million and $425 million to cover credit monitoring services for affected Americans or to reimburse individuals for any identity monitoring services they may have purchased following the breach. Equifax will also have to pay $275 million in civil penalties, making this the largest data breach settlement in history.

The required changes to security protocols included as part of the settlement highlight the importance of implementing and maintaining strong protections for sensitive customer data. For enterprises, this means combining measures like routine updates, consistent data backups and access control in robust security protocols designed to mitigate risk by minimizing unauthorized access within their networks. Failing to do so can not only result in significant financial consequences but also destroy trust between consumers and companies.

Idaptive Singled Out as an Emerging Security Vendor

In an age where the privacy of personal information is becoming more important but breaches are considered almost inevitable, it’s up to innovative companies to create better security solutions. Enter Idaptive, named one of CRN’s Emerging Vendors for 2019. The company was cited for its “state-of-the-art technology,” which helps those providing access control “meet complex IT market demands” with “next-gen access” tools.

Idaptive takes a zero-trust approach to identity management and access control, combining multiple enterprise security protocols to create a seamless user experience. As an attribute-based system, Idaptive’s technology focuses on details like behaviors, devices, networks, locations and risk levels to support granular access control. Attributes are considered in context to create a more strategic approach to preventing unauthorized access while keeping legitimate users from being locked out of critical applications. Intelligent monitoring allows for quick responses to potential threats while supporting streamlined workflows for all users.

Samsung Consortium Plans Mobile Blockchain ID System

So far, the idea of self-sovereign identity (SSI) has been more of a pipe dream than an executable concept, but a recently formed consortium may be ready to make it a reality. Personal control of data is the major draw of SSI at a time when consumers are increasingly concerned about who has their information and how it’s being used and stored. Large companies like Microsoft have looked into decentralized identity options, but Samsung is the one leading the way in the quest for true SSI.

Along with six other companies, Samsung hopes to create a mobile identity option based on a consortium blockchain. The solution would allow users to store identity information on their smartphones and submit it as needed for verification on their own terms rather than relying on a middleman. Third-party verification of identities will likely be handled by participating banks and telecom companies. Potential security flaws in Samsung’s Knox feature, which would be used to protect identifying information, must be worked out if the company is to become the first to conquer the challenge of SSI.

ARPA Privacy Computing: A Public Blockchain Security Solution?

As blockchain technology continues to be adopted for a wider range of applications, it’s becoming clear it may not be as “unhackable” as was once believed. The potential for hacking could prove to be a serious problem, since information stored in the blockchain is basically immutable. Hackers gaining access to personal data within a blockchain could take control of anything from cryptocurrency to entire identities, leaving users with few options to recover lost or stolen information.

The ARPA network is hoping to change all this. Billed as a “privacy-preserving computation network,” ARPA seeks to use its technology to solve what its co-founder calls the “two biggest problems” with public blockchains: privacy and scalability. The platform uses multi-party computation (MPC) and private smart contracts to protect personal data in the blockchain. ARPA is compatible with existing blockchain frameworks and built to be scalable to meet the needs of organizations dealing with large amounts of data, such as finance companies, healthcare providers and enterprise-level businesses.


Incidents like the Equifax breach and the financial backlash it caused are likely to drive businesses to seek better security measures, which will require a dynamic approach to identity management and access control. In addition, the adoption of new technology drives the need for new and better approaches to security, suggesting experienced IT and cybersecurity professionals will be in increased demand as innovations continue.

An application programming interface (API) is a method of accessing digital information through various channels, such as mobile applications, the cloud and the Internet of Things (IoT). APIs allow companies to share their data with wide audiences, including customers, partners and employees. Even though APIs have become an integral part of standard enterprise architecture, they can introduce major security vulnerabilities that can be exploited by hackers and external developers. Organizations that rely only on network security solutions are open to API breaches, since API security is fundamentally different from web application and network security from the identity and access management (IAM) standpoint. This article provides an overview of the security concerns of APIs and offers ways to mitigate the risks.


API Security Risks

APIs give access to valuable data that may include information about business processes or data protected by privacy laws. Therefore, API platforms must be properly protected by carefully managing authentication, authorization, identity mediation, data privacy, denial-of-service (DoS) threats and threat detection. The unique nature of APIs allows malicious users to expand the attack surface. The security concerns are often connected to IAM, since hackers can obtain unintended rights to manipulate different aspects of an API.

One of the most evident IAM risks in managing an API is the identity and session threat. A hacker can exploit a real session ID to gain access to the user’s account if an API lacks adequate authentication and authorization controls. This problem may become even more complicated with multi-party authentication schemes. Another risk connected with IAM is the SQL injection technique used by malicious users to manipulate an enterprise’s database through the API. Additionally, service information leakage can lead to “unauthorized access through authentication factors that are not functioning because of poor security design or technology bug,” according to F5 Labs. Exploiting flaws in an API management system can have a considerable impact on the business.
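The two defects named in this paragraph, a session that is authenticated but never tied to the record being requested, and database queries assembled from request input, are easiest to understand side by side. The following is an added example rather than code from F5 Labs or any company cited on the page; the in-memory SQLite table, the session-token table and the user records are constructed for illustration.

```python
"""Vulnerable vs. hardened API profile lookup.

Added example for this page (not code from any company or report it cites).
The in-memory SQLite table, session store and user records are constructed.
"""
import sqlite3

# Constructed session store: bearer token -> authenticated username.
SESSIONS = {"tok-alice-1": "alice", "tok-bob-1": "bob"}


def make_db():
    """Build a small users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def profile_vulnerable(conn, session_token, username):
    """Returns (http_status, rows). Two defects: the session is checked for
    existence only, never matched against the record requested (any valid
    session reads any user), and the SQL is built by string formatting, so
    request input is parsed as SQL."""
    if session_token not in SESSIONS:
        return 401, []
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return 200, conn.execute(sql).fetchall()


def find_user(conn, username):
    """Parameterized query: the driver binds the value, it is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def profile_hardened(conn, session_token, username):
    """Authenticate the session, authorize it against the requested record
    (object-level authorization), then query with a bound parameter."""
    principal = SESSIONS.get(session_token)
    if principal is None:
        return 401, []
    if principal != username:
        return 403, []
    rows = find_user(conn, username)
    return (200, rows) if rows else (404, [])


if __name__ == "__main__":
    db = make_db()
    print(profile_vulnerable(db, "tok-alice-1", "bob"))          # alice reads bob
    print(profile_vulnerable(db, "tok-alice-1", "x' OR '1'='1"))  # every row
    print(profile_hardened(db, "tok-alice-1", "bob"))            # (403, [])
    print(find_user(db, "x' OR '1'='1"))                         # []
```

The authorization check runs before the query, so the hardened handler rejects a mismatched principal without ever touching the database; the parameterized query is the second, independent layer that holds even for endpoints where a user is legitimately allowed to search by arbitrary input.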

Case Studies

An API security vulnerability connected with IAM may lead to various problems. The adverse events associated with security breaches are usually loss of service, compromise of personal and identifiable information and theft of private data. In IoT, hackers who compromise an API can gain access to devices and use them in dangerous ways. The potential business impact of such events includes lost revenue, legal liability, reputation damage, competitive disadvantage, contract breaches and loss of trust from all stakeholders. In 2018, the organizations that experienced the consequences of API security breaches included the US Postal Service, T-Mobile, Valve and even Facebook. These events had various implications, such as exposing information on 50 million Facebook users. Hackers often decompile and examine mobile applications for API vulnerabilities. For instance, in 2017, Instagram allowed access to user contact information due to IAM flaws in its API. The examples above demonstrate the importance of finding strategies to mitigate IAM risks in APIs.

Mitigating the Risks

Protecting an API from hackers is a laborious endeavor; however, the time spent preventing attacks is worth it. The first step for an enterprise is to establish which APIs are in use and what they can do. A modern application has many layers and may have hidden APIs of which only the developers know. Malicious users are more than glad to invest time and effort in looking for these hidden layers and finding security holes. The second step is to understand each API by reviewing the permissions and functions it allows. According to F5 Labs, “many APIs have identity access management privileges hidden within a configuration setting” that need to be eliminated. Even though these two steps seem obvious, they are often overlooked by companies.

Another security measure is to control access to the API and mitigate the risks of identity and session threats. Akana suggests separating the identity of the user from that of the application accessing an API. It is a major challenge, however, for an API to become part of a broader IAM apparatus, since providers will need to take into account authorization based on details such as user, application, geolocation, device type and time. There are also simpler methods of dealing with security problems: monitor, audit, log and analyze the API traffic, since unmonitored, excessive API use may cause greater losses than having no API at all. A good API management platform may enable companies to apply the strategies mentioned above, along with numerous other ways of protecting sensitive information.
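The two ideas in this paragraph, an authorization decision that weighs user, application, geolocation, device type and time together, and a review of API traffic for excessive or anomalous use, are shown below as an added example. It is not code from Akana, F5 Labs or any API management platform; the access rules, request attributes, thresholds and gateway log lines are constructed for illustration.

```python
"""Attribute-based access decision plus API traffic review.

Added example for this page, not code from Akana, F5 Labs or any API
management platform. Rules, requests, thresholds and log lines are constructed.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed rules: who may call which endpoint, from which application,
# from which country, on what kind of device, and during which UTC hours.
ACCESS_RULES = {
    "GET /v1/customers": {
        "roles": {"support", "admin"},
        "applications": {"crm-web", "crm-mobile"},
        "countries": {"US", "CA"},
        "device_types": {"managed-laptop", "managed-phone"},
        "hours_utc": range(6, 22),
    },
    "DELETE /v1/customers": {
        "roles": {"admin"},
        "applications": {"crm-web"},
        "countries": {"US"},
        "device_types": {"managed-laptop"},
        "hours_utc": range(6, 22),
    },
}


def build_request(endpoint, role, application, country, device_type, hour_utc):
    """Assemble the attribute bundle a gateway would attach to one API call."""
    return {
        "endpoint": endpoint, "role": role, "application": application,
        "country": country, "device_type": device_type,
        "timestamp": datetime(2019, 8, 1, hour_utc, 0, tzinfo=timezone.utc),
    }


def authorize(request):
    """Return (allowed, reason). Every attribute must match; the reason names
    the failing attributes so a denial can be logged and investigated."""
    rule = ACCESS_RULES.get(request["endpoint"])
    if rule is None:
        return False, "unknown-endpoint"
    checks = [
        ("role", request["role"] in rule["roles"]),
        ("application", request["application"] in rule["applications"]),
        ("geo", request["country"] in rule["countries"]),
        ("device", request["device_type"] in rule["device_types"]),
        ("time", request["timestamp"].hour in rule["hours_utc"]),
    ]
    failed = [name for name, ok in checks if not ok]
    return not failed, ",".join(failed) or "ok"


# Constructed gateway log: timestamp client method path status
GATEWAY_LOG = """\
2019-08-01T14:00:01Z alice GET /v1/customers 200
2019-08-01T14:00:05Z alice GET /v1/customers 200
2019-08-01T14:00:09Z alice GET /v1/customers/42 200
2019-08-01T14:01:00Z scanner GET /v1/customers 401
2019-08-01T14:01:01Z scanner GET /v1/admin 403
2019-08-01T14:01:02Z scanner GET /v1/export 401
2019-08-01T14:01:03Z scanner DELETE /v1/customers 403
2019-08-01T14:01:04Z scanner GET /v1/customers 401
2019-08-01T14:01:05Z scanner GET /v1/users 404
"""


def parse_log(text):
    """Split each line into a record; status is kept as an int for thresholds."""
    records = []
    for line in text.splitlines():
        ts, client, method, path, status = line.split()
        records.append({"ts": ts, "client": client,
                        "endpoint": f"{method} {path}", "status": int(status)})
    return records


def flag_excessive_use(records, max_requests=5, max_error_ratio=0.5):
    """Flag clients whose call volume or error ratio exceeds the thresholds
    within the window the records cover."""
    total, errors = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        if r["status"] >= 400:
            errors[r["client"]] += 1
    flagged = {}
    for client, n in total.items():
        reasons = []
        if n > max_requests:
            reasons.append("volume")
        if errors[client] / n > max_error_ratio:
            reasons.append("error-ratio")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    print(authorize(build_request("DELETE /v1/customers", "admin", "crm-web", "US", "managed-laptop", 10)))
    print(flag_excessive_use(parse_log(GATEWAY_LOG)))
```

A high ratio of 401/403 responses from one client is the signal the paragraph's "monitor, audit, log and analyze" advice is meant to surface: it shows up in gateway logs long before any single request looks alarming on its own.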


Conclusion

APIs are crucial for many businesses to acquire new partners and clients. The use of APIs is associated with increased risks of security breaches connected with IAM. Such breaches may lead to various problems, including reputation damage, loss of trust from all the stakeholders, legal liability, and competitive disadvantage. However, despite the potentially disastrous impact on business, API threats can be mitigated. The most efficient way of addressing the issues is by adopting an adequate API management platform and carefully analyzing the API traffic.

As we increasingly store applications and data files which contain personal and confidential information in the cloud, it is important that we take all measures to secure cloud assets in order to prevent system breaches and data loss. Identity and Access Management (IAM) is considered one of the most effective ways to provide cloud security. This article will analyze why the Identity and Access Management domain is the most significant control for data security in cloud environments.


The operational areas of identity and access management include authentication management, authorization management, federated identity management and compliance management. Together, these ensure that only authorized users are admitted to cloud environments.

Authentication

Authentication is crucial for cloud security, as it verifies and proves the identity of a user. A similar process exists in the real world in the form of presenting an ID card or other identification document. IAM systems provide a high level of cloud security through a number of secure authentication mechanisms.

The common authentication mechanisms in a cloud system include “log-on credentials, multi-factor authentication, third party authentication, simple text passwords, 3D password objects, graphical passwords, biometric authentication, and digital device authentication”. To strengthen the check, some cloud service providers (CSPs) use physical security mechanisms, for instance access cards or biometrics, to deny unauthorized access at the authentication stage. In addition, identity and access management may include digital mechanisms that ensure security in cloud environments.
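Multi-factor authentication is the mechanism in this list most worth seeing in code. The following is an added example of a time-based one-time password check (the RFC 6238 TOTP algorithm over RFC 4226 HOTP), written with the Python standard library only; it is not any cloud provider's implementation. The shared secret is the RFC test secret, and the drift window, the replay guard and the per-user bookkeeping are design choices assumed here.

```python
"""Verifier for the second factor of a TOTP-based MFA login.

Added example for this page, not a cloud provider's code. Implements RFC 4226
HOTP and RFC 6238 TOTP with the standard library; the secret is the RFC test
secret and the window/replay policy is an assumption made here.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic
    truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, at_unix_time // step, digits)


def secret_from_base32(text):
    """Authenticator apps are enrolled with a base32 secret; decode it to bytes."""
    return base64.b32decode(text)


class TotpVerifier:
    """Accepts a code from the current time step or one step either side (clock
    drift) and refuses any time step already used, so a captured code cannot be
    replayed within its validity window."""

    def __init__(self, step=30, digits=6, window=1):
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = {}  # user -> highest time-step counter accepted

    def verify(self, user, secret, code, now_unix_time):
        counter = now_unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter.get(user, -1):
                continue  # this step was already consumed: treat as replay
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter[user] = candidate
                return True
        return False


# RFC 4226/6238 test secret ("12345678901234567890" as ASCII), base32 encoded.
TEST_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


if __name__ == "__main__":
    v = TotpVerifier()
    print(totp(TEST_SECRET, 59))                          # 287082
    print(v.verify("alice", TEST_SECRET, "287082", 59))   # True
    print(v.verify("alice", TEST_SECRET, "287082", 59))   # False: replayed
```

The comparison uses `hmac.compare_digest` rather than `==` so the check does not leak how many leading digits matched through timing, and the per-user `last_counter` record is what turns a "something you have" code into a one-time one.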

Authorization

The concept of authorization ensures that identified entities can perform only the tasks they are permitted to perform. Authorization verifies what access an entity is entitled to. To avoid data security compromise, cloud environments determine the levels of authorization for different entities. After successful authentication, authorization management determines whether the authenticated entity is allowed to perform a given function within an application.

Federated Identity Management

In federated identity management, cloud services authenticate users through the organization’s identity provider. Federated identity management establishes trust between a web-based application and the identity provider through public key infrastructure (PKI) and the exchange of certified public keys.

GRC and Compliance

To ensure credentials are managed securely by means of access control policies or access right delegations, cloud service providers create dedicated policies that control access and guarantee that only valid users can reach protected resources and services.

To support this, CSPs provide three essential characteristics: governance, risk management and compliance (GRC), for efficient IAM and effective reporting in organizations.

The last operational area of identity and access management is compliance management. This ensures that an organization’s resources are secure and accessed only according to the policies and regulations.


Conclusion

To sum up, IAM systems are essential to providing security in the cloud environment through elaborate mechanisms of authentication and authorization management. These mechanisms may include physical methods or digital methods such as public key infrastructure. Privacy is regarded as a vital issue in cloud environment protection and can be attained through identity and access management, which ensures the highest level of data security.

Ninety-nine percent of employees polled in Buffer’s 2019 State of Remote Work survey expressed interest in working remotely for at least a portion of their careers, citing a flexible schedule as the top benefit. However, companies offering more remote work opportunities in response to the growing demand face security challenges unique to managing a mobile workforce and must respond accordingly to prevent unauthorized network access.


Risks of Remote Work

Allowing employees to access company data from offsite locations raises concerns about data encryption, the security of wireless connections, use of removable media and potential loss or theft of devices and data. In a 2018 survey by Wi-Fi security company iPass, 57% of CIOs reported they suspect their mobile workers had been hacked or were the cause of security problems. Only 46% could be “confident” their remote employees used virtual private networks (VPNs) to increase security when connecting to company networks.

The same survey showed remote workers lack an understanding of the severity of common security risks. Sixty-two percent of security incidents related to Wi-Fi connections happen when employees use networks in cafes or coffee shops, and 27% of workers in the U.S. admit to opening emails and attachments from unfamiliar senders. Devices are often compromised as a result, putting both personal and company data at risk.

The Need for Better Remote Access Policies

Unfortunately, many business owners don’t understand the requirements for a robust remote access policy. Access needs and practices are changing among all workers, not just remote employees, and professional guidance is becoming essential to prevent serious problems like identity theft, data breaches and data loss.

IT and cybersecurity professionals can evaluate the security risks companies face and develop customized protocols to minimize these risks, but 44% of companies aren’t bringing the pros in to help. Therefore, many executives may miss key insights into potential vulnerabilities and fail to implement proper protection for remote workers.

Separating Personal and Work Data

The problem of mobile access security isn’t new. An increasing number of employers have adopted bring-your-own-device (BYOD) policies in recent years, and 69% of “IT decision-makers” think doing so is a good idea. Sixty-seven percent of employees are using personal devices at work, which means employers should already have security measures in place to deal with the potential threats of mingling personal and work data.

Issuing company devices is a straightforward way to minimize risk, as it ensures corporate data remains separate. However, the majority of young employees feel their own devices are “more effective and productive,” so employers may have to take a different approach to maintain satisfaction among remote workers. Mobile device management (MDM) apps present an alternative, allowing companies to create gated access to data and perform remote locks or wipes if devices are lost or stolen.

Establishing a Secure Environment

Seventy percent of companies consider public Wi-Fi to be a top concern for security, yet 61% know their employees still use these connections for work. To reduce the vulnerabilities associated with public Wi-Fi networks, employers can:

• Ban the use of unsecured wireless connections
• Use geolocation to restrict the places from which company networks can be accessed
• Set up and require the use of a VPN for remote work

VPNs may be the least complicated to implement and enforce, as these networks don’t have the potential to compromise employee privacy and don’t restrict where remote employees can work. Reliable VPNs offer end-to-end data encryption and shield IP addresses to increase security on all types of connections.

Committing to Ongoing Education

Users remain largely unaware of the potential security risks of their actions or how these actions could compromise their employers’ networks. A whitepaper by Cisco Systems revealed only about half of workers who use personal devices to access company data have proper security installed on their devices, and many more engage in risky behaviors, including:

• 46% download personal files onto work devices
• 29% use personal devices for work without worrying about safety
• 21% allow other people to use their work computers

Despite this, the majority of remote employees still believe they’re working securely. This signals a disconnect between understanding the importance of security and the ability to implement critical security measures. To bridge the gap, employers must establish training and education programs informing all employees of security best practices and provide the tools and support to put them into operation.


With diligence and a focus on mobile security, businesses can support a remote workforce while maintaining secure network access for all employees. Learning to recognize and respond proactively to potential threats allows companies to benefit from the 35 to 40% increase in productivity made possible by remote work and continue to provide employees with the benefit of a more favorable balance between their personal and professional lives.

Facebook’s announcement of its upcoming cryptocurrency launch is making some lawmakers and security experts uneasy. Dubbed “Libra” and slated to debut in 2020, the currency has the potential to threaten privacy on a global scale unless regulatory action is taken to minimize the risks to consumers’ data and identities.


What is Libra?

Facebook defines Libra as a “stable currency built on a secure and stable open-source blockchain, backed by a reserve of real assets.” This makes it a form of “stablecoin,” a cryptocurrency designed to remain relatively safe from wild fluctuations in value, which is achieved by backing the coins with actual currencies. Unlike bitcoin, Libra won’t start out as a decentralized currency. Rather, the currency will be available to users of Facebook products like Messenger and WhatsApp to enable low-cost domestic and international funds transfers. Each transaction will be recorded in the Libra blockchain, and the entire system is governed by the Libra Association, a not-for-profit organization of which Facebook is just one member.

Does Libra Threaten Consumer Privacy?

The impact a cryptocurrency apparently under the control of a social network already known for questionable privacy practices could have on users’ identities is causing enough concern that even the U.S. House Financial Services Committee is calling for Facebook to put off the launch until risk assessments can be performed and security concerns addressed.

As a new form of digital payment, Libra requires a platform through which users can access and transfer the stablecoins. Facebook is solving this problem by creating a subsidiary called Calibra, which will make a digital wallet available as a standalone app, as well as within Messenger and WhatsApp. In the future, this Libra wallet could allow brands to push into Facebook, selling products directly to users of the social network and collecting payment in Libra cryptocurrency. Proponents are touting this breaking down of barriers as a boon for international markets, particularly in developing areas with unstable currencies, but critics cite data mining as a serious privacy concern.

Transaction information can reveal a lot about consumers, and some say this doesn’t bode well with companies like PayPal, Visa and Mastercard on the list of founding members of the Libra Association. If Libra becomes popular enough to expand from funds transfers to a viable e-commerce currency, the metadata stored about each transaction could contribute to “super profiles,” which financial companies and retailers could potentially use to reach consumers with highly personalized marketing.

Facebook has stated it won’t use personal information from Libra transactions without consent and doesn’t plan to make user data a factor in improving targeted advertising but hasn’t provided details on how information will be secured once the Libra blockchain makes the switch from permissioned to permissionless five years after its launch. Once the blockchain becomes more accessible, there appears to be little to prevent developers and businesses from mining Libra transaction data for their own purposes. Integrating Libra payments into products may provide benefits, but each additional Libra-enabled platform would collect more data.

Of paramount concern is how Facebook plans to protect the private keys required for maintaining security in the blockchain environment. Hackers gaining access to these keys could completely take over users’ identities, which may allow them to take over numerous accounts and move from platform to platform without detection.


Is Facebook Creating a Decentralized Identity?

Reading the Libra whitepaper reveals an interesting secondary purpose for the cryptocurrency as it grows. According to Facebook, the Libra Association also seeks “to develop and promote an open identity standard.” Such a “decentralized and portable digital identity” isn’t a new concept. However, with 2 billion people around the world already using Facebook, Libra may prove to be a viable way to realize a goal many are working toward but haven’t yet achieved on a wide scale.

If Facebook were to succeed in deploying Libra in this way, users may face a host of new identity and privacy challenges. Libra’s links to Facebook and its products make it potentially vulnerable if accounts are hacked. Even if additional security measures were implemented, there’s still the question of whether or not it’s wise for users to trust Facebook with even more sensitive personal information than the social network already handles.


Because cryptocurrency is still a relatively new technology and the blockchain on which it relies is also in the early stages of development and implementation, cybersecurity professionals have a legitimate reason to be concerned about the launch of Libra. It’s unclear how hands-on Facebook intends to be once the Libra blockchain becomes permissionless and public, and without details regarding who will control users’ information or how this data will be secured, caution is required to prevent today’s uncertainties from becoming tomorrow’s identity theft crisis.

Businesses seeking to leverage the power of the blockchain without being overwhelmed by the administrative complexities of back end management can turn to providers like Amazon, Microsoft, Oracle and IBM for blockchain-as-a-service (BaaS) offerings. With BaaS, companies can “build, host and use their own blockchain apps, smart contracts and functions on the blockchain” while the provider handles the details of infrastructure and management.


Although blockchain technology is a rapidly expanding industry set to generate $10.6 billion in revenue by 2023, business owners must still be aware of the potential vulnerabilities of a system previously touted as “immutable and unhackable.”

Potential Compromise of User Keys

Access to the blockchain is regulated through the use of public and private keys. Each user possesses a unique pair of these keys, which are secure as long as neither one is compromised during creation, storage or use. However, keys must be managed with the same care as any other access information. If hackers gain access to the platform where keys are stored, the data can be used to take over a user’s blockchain identity.

Due to this vulnerability, it’s still possible for hackers to use simple means like phishing attacks to steal blockchain access information. The difficulty involved in changing information once it’s been stored in the blockchain makes compromised accounts even more of a problem, which is why businesses must have reliable protection in place for all forms of access data.

Outsourced Security Management

As with all “as-a-service” offerings, the responsibility for security in BaaS falls to the provider. A business with well-managed onsite security can fall victim to malicious attacks if vulnerabilities exist in its chosen BaaS platform. Since blockchain is still a fairly new technology, it may have weaknesses no one has yet considered or discovered and which may not be manageable using existing security measures.

Businesses considering BaaS must evaluate the known vulnerabilities of providers and how these vulnerabilities could affect onsite security. Using a permissioned blockchain model with strong identity and access management protocols minimizes the risk of insider threats, but if something goes wrong on the provider’s end, it could compromise the information stored in customers’ blockchains.

No Solid Regulations Established

Unlike traditional cybersecurity, which is becoming increasingly regulated to protect the privacy rights of users, blockchain technology by nature almost defies regulation. The original idea was to have a decentralized ledger in which information belonged to users, not companies or agencies, and although permissioned and private blockchains don’t share this characteristic, significant regulatory challenges still exist.

However, even without concrete standards, businesses taking advantage of BaaS are still responsible for compliance. This can be difficult, particularly for large companies dealing with international privacy regulations. Not having a single authority for blockchain regulation makes it difficult to learn from others’ mistakes, since protocols and processes aren’t transferable from one independent blockchain environment to another. This could delay the implementation of an across-the-board solution, leaving systems vulnerable to attack.

Mistakes in Implementation and Use

Many of the issues of blockchain security arise during setup and implementation. By nature, the blockchain should be largely secure and unchangeable, but errors in the early stages of BaaS adoption can compromise a company’s entire blockchain from the start.

If a private key isn’t random enough when it’s created, for example, a hacker has a better chance of compromising a user’s credentials and gaining access to the blockchain. Just one compromised key could cause big headaches, since it’s very difficult to modify information stored in the blockchain, including critical data related to user identities.
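The two key-handling risks raised in this section, a key taken from the platform where it is stored and a key that was never random enough to begin with, both come down to how large the space an attacker has to search really is. The following Python example is added here to illustrate the second point; it is not code from the page or from any BaaS provider. It contrasts a 256-bit key drawn from the operating system’s cryptographic generator with a key derived from a general-purpose PRNG seeded by a small integer (a constructed 16-bit seed), and shows that the weak key is fully determined by its seed, so the effective key space collapses from 2^256 to 2^16. The `identity_for` hash is a stand-in for a blockchain address (an assumption; real chains derive public keys with elliptic-curve math, which does not change the entropy argument).

```python
import hashlib
import random
import secrets
from typing import Optional

KEY_BYTES = 32  # 256-bit private keys, the size used by common blockchain signature schemes


def identity_for(private_key: bytes) -> str:
    """Stand-in (assumption) for the public identifier derived from a private key.
    Real blockchains derive a public key via elliptic-curve math; a plain hash is
    used here because the point being shown is key entropy, not the curve."""
    return hashlib.sha256(private_key).hexdigest()


def weak_private_key(seed: int) -> bytes:
    """Key derived from a general-purpose PRNG seeded with a small integer.
    Every key this produces is determined entirely by `seed`, so the
    effective key space is the seed space, not 2**256."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_private_key() -> bytes:
    """Key from the OS cryptographic RNG: the full 2**256 space."""
    return secrets.token_bytes(KEY_BYTES)


def recover_weak_key(public_id: str, seed_bits: int) -> Optional[bytes]:
    """Exhaust the seed space and return the private key whose identity matches.
    Shows how little work a small seed leaves: at most 2**seed_bits candidates."""
    for seed in range(1 << seed_bits):
        candidate = weak_private_key(seed)
        if identity_for(candidate) == public_id:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed victim key: seeded from a 16-bit value, 65,536 possibilities.
    victim = weak_private_key(0xBEEF)
    recovered = recover_weak_key(identity_for(victim), seed_bits=16)
    print("weak key recovered from its identity:", recovered == victim)

    # A properly generated key offers no such shortcut.
    strong = strong_private_key()
    print("strong key, bits of entropy:", len(strong) * 8)
    print("recovered via 8-bit seed search:", recover_weak_key(identity_for(strong), 8))
```

The practical check for a BaaS deployment is therefore not "is the key 256 bits long" but "where did those bits come from": key material should come from a cryptographic source such as `secrets` or the platform’s hardware-backed key store, never from a seeded general-purpose generator.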

Similar problems may occur if something goes wrong during the creation of internal protocols for verifying and recording blockchain transactions or when vulnerabilities exist in the code of smart contracts. This may lead to problems with access control or allow hackers to compromise the interactions between parties in a contract and use its functions for their own private purposes.

A lack of rules and standards for blockchain use and governance leaves the creation of control and security protocols largely up to BaaS providers and the businesses using their services. Without adequate control measures for access and use, it becomes difficult to maintain consistent blockchain security and ensure all information stored therein is truly private.


The allure of blockchain-as-a-service may cause business owners to overlook or minimize the severity of these potential vulnerabilities in their zeal to adopt cutting-edge solutions ahead of the competition. Reduced overhead and ease of implementation can spur companies to invest in BaaS without fully considering the challenges, which can lead to devastating security consequences. Prior planning, knowledgeable guidance and a concrete understanding of the benefits and limitations of the blockchain are required for successful execution of this powerful developing technology.

As technology continues to evolve and use cases increase in complexity, businesses and organizations need more guidance from individuals skilled in data protection and breach prevention. Cybersecurity remains a top concern for anyone handling sensitive information, but recent incidents and study results indicate an alarming lack of understanding regarding the importance of access control and unified security management.

Some organizations are taking steps to implement better protocols, but others still struggle with vulnerabilities and lack the tools or education to meet the security challenges presented by modern network configurations and diverse modes of access. The following cases highlight some of the major concerns IT and cybersecurity professionals need to address.

Department of Defense Creates New Cybersecurity Standards

In July 2019, the U.S. Department of Defense (DoD) published a draft of its new five-level cybersecurity standards system for contractors and subcontractors. Known as the Cybersecurity Maturity Model Certification (CMMC), the standard is being developed to create a unified approach to security when dealing with sensitive government data and prevent potentially catastrophic security incidents. The Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute are major players in CMMC development.

Current inconsistencies in contractor security processes cost the government billions of dollars every year, which includes the loss of intellectual property. The CMMC seeks to address and combat this loss by enforcing standards through third-party compliance audits, ongoing risk mitigation and the collection and analysis of metrics. Because DoD data is highly sensitive and a breach could present a threat to national security, rigid enforcement is required to ensure the safety and privacy of information at all times.

Full implementation and inclusion in contractor agreements is expected to begin at the start of 2020 with the goal of being able to monitor and protect the entire supply chain. 

Over 600,000 Patients Affected by Oregon DHS Breach

The effects of a breach at the Oregon Department of Human Services (DHS) in January 2019 are still being felt as notifications go out to the 645,000 people whose records were compromised. This is significantly more than the original estimate of 350,000 and is a sobering reminder of the widespread problems just a few compromised accounts can cause.

Hackers used a phishing scam to steal the credentials of nine DHS employees, which granted access to emails, messages and attachments. Although it’s unclear whether the hackers actually looked at or did anything with the data, it took 19 days for the DHS to detect the breach, perform a password reset and put an end to the unauthorized access. During this time, hackers may have had the chance to view private patient data, including health information and social security numbers. Over 2 million emails were affected by the breach.

The DHS provides training to help employees detect phishing emails and employs multi-factor authentication for login procedures, but some are still questioning the efficacy of these methods in the aftermath of such a massive event. Additional measures may be necessary to prevent similar incidents from occurring in the future and protect patients from fraud and identity theft.

Identity and Access Management Challenges

According to a study conducted at the 2019 RSA Conference by access management firm One Identity, businesses continue to struggle with identity and access management. Thirty-four percent of attendees consider privileged access management (PAM) to be one of the most “difficult operational tasks” for businesses, followed by user password management and lifecycle management. Seventy-one percent cited data loss as a top security issue, and 44 percent recognized both insider and outsider threats as significant concerns.

Despite these findings, only 14 percent of respondents felt better access control would have a positive effect on cybersecurity. This suggests businesses understand the potential threats of poor identity and access management (IAM) but fail to see why strong IAM policies are necessary to protect sensitive data.

Statistics from employee respondents shed light on the significant threats resulting from improper or inadequate IAM protocols. Among those polled:

• 70 percent would look at sensitive files if granted unlimited access
• 60 percent would take company data with them when leaving their positions if they knew they wouldn’t get caught
• 40 percent have shared passwords with someone else

Based on such responses, problems potentially resulting from insider threats alone should be enough of a concern to prompt companies to adopt stronger strategies for provisioning, deprovisioning and access management. Implementation of tougher controls under the guidance of knowledgeable cybersecurity experts can mitigate risk and reduce the likelihood of data loss or compromise. 

For IT professionals, these changes and challenges present opportunities to aid businesses and organizations with developing improved strategies for cybersecurity, breach prevention and employee access control.


Cybersecurity certification and ongoing education prepares those in the IT industry to build defenses against the latest threats and implement the best protective technologies available.

Data breaches can cost healthcare organizations $380 per affected record, but current systems are vulnerable to numerous types of attacks. Patient data is extremely valuable to hackers looking for detailed identity information, which makes securing electronic health records (EHRs) and associated personal details a top priority in the healthcare industry.

Emerging blockchain technology may offer a solution to healthcare’s biggest security challenges. Features such as decentralized storage, cryptography and smart contracts provide a framework for organizations to improve data protection while maintaining accuracy and preventing unauthorized access to or alteration of patient information.

Maintaining Consistent Permissions

A blockchain may be set up as permissionless or permissioned. Permissionless, or public, blockchains are theoretically accessible to any user, but becoming part of a permissioned blockchain requires consent from the owner. Given the highly sensitive nature of patient data, permissioned blockchains are more appropriate for healthcare settings.

This can present problems if permissions aren’t handled properly. Healthcare professionals must have easy access to patient data at a moment’s notice, especially in emergencies. Inconsistent permissions may block access at critical moments, which could put patients in life-threatening situations.

Blockchain technology employs two solutions for seamless, secure permission management:

• Smart contracts grant access using predetermined parameters agreed upon by all parties involved in the contract. This rule-based form of access control can be customized to automate a variety of workflows.
• Cryptographic keys put access control in the hands of patients. Each patient has a “master” key to “unlock” health data and can give a copy of this key to health care professionals or institutions as needed. Actions may be restricted to reading or writing information, and patients can revoke keys in the event the device on which a key is stored becomes compromised.

By allowing for the automation of processes currently requiring one or more middlemen, smart contracts and cryptographic keys minimize the risk of human error and reduce the time between the collection of health information and fulfillment of actions like insurance billing and payment. 

Protecting Patient Information and Identities

Giving patients the choice of whom they share their keys with effectively puts them in control of what can be done with their health information, including who can access it and when. Because data can’t be decrypted without a key, no one should be able to read patient information without express permission. Hackers obtaining encrypted health data would also need to steal the keys to make use of the information they obtain. Combining keys with smart contracts prevents unauthorized parties from adding information to a patient’s records, including outsiders seeking to tamper with data for malicious or self-serving purposes.

Utilizing the blockchain also creates an environment in which all participants, including patients, review information before it officially becomes part of a record. This provides the opportunity for healthcare providers and patients to evaluate information, thus preserving the accuracy of data throughout the blockchain. Since 40 percent of patient health records currently contain errors, switching to this kind of collaborative system has the potential to improve patient care and reduce the risk of life-threatening mistakes. 
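The access model described in the two sections above (rule-based grants from smart contracts, patient-held keys scoped to reading or writing and revocable at will, and records that are reviewed before they become part of the chain) can be sketched as a small permissioned ledger. The Python below is an added example, not code from MedChain, MedRec or the page; the `PatientLedger` and `Grant` names, the HMAC-signed capability tokens standing in for key copies, and the sample entries are all constructed for illustration. Real platforms would use asymmetric signatures and encrypt the record contents, which this sketch leaves out so the authorization rules stay visible.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical permissioned-ledger model (constructed for this example).
# The patient holds a master key. A "key copy" handed to a provider is a
# grant: an HMAC tag under the master key over (grantee, scopes, expiry).
# Smart-contract style rules decide each request; writes are staged as
# proposals and only appended to the hash chain once the patient approves.


@dataclass
class Grant:
    grant_id: str
    grantee: str
    scopes: frozenset        # subset of {"read", "write"}
    expires: float           # epoch seconds
    tag: str                 # HMAC-SHA256 under the patient's master key


class PatientLedger:
    def __init__(self, patient_id: str):
        self.patient_id = patient_id
        self.master_key = secrets.token_bytes(32)   # never leaves the patient
        self.revoked: Set[str] = set()
        self.chain: List[dict] = []
        self.pending: Dict[str, dict] = {}

    def _tag(self, grant_id: str, grantee: str, scopes, expires: float) -> str:
        msg = json.dumps([grant_id, grantee, sorted(scopes), expires]).encode()
        return hmac.new(self.master_key, msg, hashlib.sha256).hexdigest()

    def grant(self, grantee: str, scopes, ttl_seconds: float, now: Optional[float] = None) -> Grant:
        """Patient issues a scoped, time-limited key copy to a provider."""
        now = time.time() if now is None else now
        gid, expires = secrets.token_hex(8), now + ttl_seconds
        return Grant(gid, grantee, frozenset(scopes), expires, self._tag(gid, grantee, scopes, expires))

    def revoke(self, grant: Grant) -> None:
        """Patient withdraws a key copy, e.g. after the holder's device is compromised."""
        self.revoked.add(grant.grant_id)

    def authorize(self, grant: Grant, scope: str, now: Optional[float] = None) -> bool:
        """The contract rule: genuine tag, not revoked, not expired, scope present."""
        now = time.time() if now is None else now
        expected = self._tag(grant.grant_id, grant.grantee, grant.scopes, grant.expires)
        return (hmac.compare_digest(expected, grant.tag)
                and grant.grant_id not in self.revoked
                and now < grant.expires
                and scope in grant.scopes)

    def propose(self, grant: Grant, entry: dict, now: Optional[float] = None) -> Optional[str]:
        """A write-capable holder stages a record; nothing reaches the chain yet."""
        if not self.authorize(grant, "write", now):
            return None
        pid = secrets.token_hex(8)
        self.pending[pid] = {"author": grant.grantee, "entry": entry}
        return pid

    def approve(self, proposal_id: str) -> dict:
        """Patient review step: an approved proposal is hash-linked onto the chain."""
        item = self.pending.pop(proposal_id)
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = {"prev": prev, **item}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        block = {**body, "hash": digest}
        self.chain.append(block)
        return block

    def read(self, grant: Grant, now: Optional[float] = None) -> Optional[List[dict]]:
        return list(self.chain) if self.authorize(grant, "read", now) else None

    def verify_chain(self) -> bool:
        """Any edit to a committed record breaks its hash or the link from its successor."""
        prev = "0" * 64
        for block in self.chain:
            body = {k: v for k, v in block.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != block["hash"]:
                return False
            prev = block["hash"]
        return True


if __name__ == "__main__":
    ledger = PatientLedger("patient-001")                      # constructed sample
    clinician = ledger.grant("dr-lee", ["read", "write"], ttl_seconds=3600)
    insurer = ledger.grant("insurer", ["read"], ttl_seconds=3600)
    pid = ledger.propose(clinician, {"note": "BP 120/80"})     # staged, awaiting review
    print("on chain before approval:", len(ledger.chain))      # 0
    ledger.approve(pid)
    print("insurer can write:", ledger.propose(insurer, {"note": "x"}) is not None)  # False
    ledger.revoke(clinician)
    print("revoked clinician can read:", ledger.read(clinician) is not None)         # False
    print("chain intact:", ledger.verify_chain())
```

Two design points carry the section’s argument: every request is checked against the rule set rather than against a shared login, so a read-only billing grant can never add to a record, and the staging-then-approve path is what lets patients and providers catch errors before they become a permanent part of the chain.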

Companies like MedChain and MedRec are currently working on permissioned blockchain platforms to bring these benefits to healthcare organizations and the patients they serve. By moving patient health information to a decentralized storage solution in which records are broken into fragments and distributed across the blockchain, these companies seek to provide a better way for healthcare organizations to protect patient information.

Challenges of Blockchain Implementation

While the blockchain has many potentially beneficial applications in the healthcare industry, the technology still needs time to mature before it becomes practical to pursue widespread adoption. Adherence to HIPAA regulations is a key concern when storing private patient information in a decentralized environment, and use of blockchain technology alone isn’t enough to ensure complete privacy. Stringent security regulations, including encryption and onsite administrative protocols, would be required of each healthcare organization retrieving, storing or sharing patient data within a permissioned blockchain.

Implementing permissioned blockchain models in existing systems requires help from IT professionals who are trained and certified in the technology and familiar with the security challenges such a framework poses in a healthcare setting. An appropriate system of checks and balances must be established at the outset to prevent data errors from becoming permanent parts of the blockchain, and provision must be made for accessing records in the event of emergencies in which patients are rendered incapable of granting access using their security keys. 


Healthcare organizations looking to blockchain technology to improve patient privacy and ensure greater accuracy need to weigh the benefits against the potential pitfalls and work with qualified identity and access management professionals to deploy solutions customized to the unique security and compliance needs of the industry while focusing on access management, data protection and the prevention of identity theft.