Federated identity management brings its own challenges as businesses increasingly adopt identity federation, yet it offers particular benefits at the enterprise level. By creating one central identity to access all network applications, companies simplify workflows and remove barriers to productivity. However, a unique set of security challenges must be met when using federated identity technologies. 

Security Concerns of Identity Federation by Identity Management Institute

Why Federated Identities? 

With 83 percent of enterprise workloads expected to be handled by public, private and hybrid cloud environments by 2020, the adoption of more efficient sign-on methods is critical. The extensive number of applications, projects and use cases at the enterprise level can’t be managed adequately using a system in which employees must sign in with a different set of credentials each time they move between platforms. Doing so creates several problems: 

• Each login is a point of vulnerability 
• Repeated logins reduce productivity 
• The login process creates distractions and undermines efficiency 

A federated identity makes it possible for users to sign in to any application within the “federation” using the credentials from a single application. This centralized identity forms the basis of single sign-on and is independent of platforms and technologies. By using federation, an enterprise can integrate multiple applications into a single system without the need to create a custom authentication protocol. 
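The exchange described above, reduced to its essentials as an added example (this is illustrative code written for this page, not anything published by Identity Management Institute): an identity provider authenticates the user once and issues a short-lived assertion scoped to one application, and each service provider accepts that assertion in place of its own password. Real federations use signed SAML or OIDC assertions with the identity provider's public key; the shared HMAC key, issuer name, claim names and sample users here are constructed assumptions for the demonstration. The audience, expiry and replay checks are what keep one assertion from being reused against every application in the federation.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret between identity provider (IdP) and service
# provider (SP). Real deployments use the IdP's asymmetric signing key;
# HMAC stands in for it here to keep the example self-contained.
FEDERATION_KEY = b"constructed-demo-key-do-not-reuse"
IDP_NAME = "idp.example"  # assumed issuer identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: after the user has authenticated once, mint a short-lived
    assertion bound to a single application (the audience)."""
    claims = {
        "iss": IDP_NAME,
        "sub": user,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "jti": f"{user}-{now}-{audience}",  # unique id used for replay detection
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """SP side: accepts the federated assertion instead of a local password."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.seen_ids = set()  # assertion ids already consumed

    def verify(self, token: str, now: int) -> dict:
        body, sig = token.split(".")
        expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
        # Signature first: nothing in the body is trusted before this passes.
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["iss"] != IDP_NAME:
            raise ValueError("unknown issuer")
        # Audience check: an assertion minted for payroll must not open HR.
        if claims["aud"] != self.app_id:
            raise ValueError("assertion issued for a different application")
        if now >= claims["exp"]:
            raise ValueError("assertion expired")
        if claims["jti"] in self.seen_ids:
            raise ValueError("assertion already used")
        self.seen_ids.add(claims["jti"])
        return claims


if __name__ == "__main__":
    payroll = ServiceProvider("payroll")
    token = issue_assertion("alice", "payroll", now=1000)
    print(payroll.verify(token, now=1010)["sub"])  # alice
```

The service provider never sees a password: the only credential it handles is the assertion, which is why the article's point about a single compromised federated credential matters, and why the assertion is bound to one audience and a few minutes of validity.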

Security Concerns in Federated Identity Management Challenges

Switching to federated identities as an alternative to outdated authentication methods isn’t without its risks. Most companies adopting federation only do so for a handful of applications and find it difficult to build a network in which all programs can be accessed using a single identity. This makes some areas of the network subject to common security risks, including breaches caused by the use of weak passwords. Complicating the matter is the lack of federated identity management plans in many businesses. The rapid spread of technology has left enterprises without the capabilities to implement the level of management necessary to ensure security across the board. 

For federated identities to work, user information must be shared with the third party entrusted with authentication. The nature of this information and how it’s shared, processed, stored and protected has an impact on the safety and privacy of users. Not all providers within a federation conform to the same security standards, and the use of multiple providers creates additional points of vulnerability. Enterprises must understand the security protocols and compliance measures used by third-party providers before committing to any partnerships. 

Insider threats and identity theft, two common and troubling security concerns for modern enterprises, remain problematic even with the use of a federated system. Companies need to be completely certain of the trustworthiness of users in the network and have authentication protocols designed to ensure each user is who he or she claims to be. Employee education is necessary to minimize the risk of human error, because a single compromised set of federated credentials can grant hackers access to multiple applications and allow a breach to spread rapidly across a network. 

Improper provisioning leading to privilege creep can also leave the door open for devastating breaches. A user’s federated identity should allow only the level of access required for his or her job, and any temporary access necessary for short-term projects should be revoked as soon as it’s no longer needed. Automated solutions for granting and revoking access are becoming more common as enterprises seek to improve network security and reduce the risk of data loss or theft. 

Creating a Reliable Federation Strategy

Despite its potential drawbacks, the use of federated identities has significant advantages for enterprise-level businesses. Unifying diverse applications to eliminate bottlenecks and silos creates a smoother user experience and empowers employees to work efficiently. 

To address the security concerns of federated identity management and leverage its benefits: 

• Focus on applications designed for federation 
• Determine the standards required to maintain interoperability
• Establish strong security standards for proprietary and third-party applications 
• Seek a provider with minimal data sharing requirements 
• Ensure the provider is in compliance with relevant regulations 
• Automate user provisioning 
• Perform routine identity audits 
• Remove dead, abandoned or orphaned accounts 

Enterprises relying on applications with which federated identities can’t be used should consider if the same functionality can be achieved with newer applications or if the existing application can be updated for integration into a federated system. Critical programs lacking the functionality for federation require additional considerations to ensure security. 

As identity federation becomes more common, the resulting partnerships between providers and businesses are likely to drive the establishment of tighter security policies across the board. Recent changes in regulations governing data privacy require diligence on the part of all parties involved in the creation and management of federated identities, so businesses desiring to enjoy the benefits of this modern authentication method must understand the risks and take steps to mitigate as many as possible.

Identity and access management certifications

Privilege or access creep poses a threat to security in all networks, but it can be a particular problem in larger companies, where many employees share enterprise resources and inappropriate access levels often go unnoticed for long periods, potentially leading to devastating breaches.

Understanding Access Creep

Privilege creep occurs when employees accumulate more access rights than are required to perform the tasks associated with their positions. Also called access creep, the process occurs gradually over time and is often the result of: 

• Failure to revoke temporary access granted for special projects 
• Updated job duties or requirements 
• Promotions or changes in position within the company 

In all these cases, employees may retain access to data, applications and resources unrelated to their duties, thereby putting the system at risk in a number of ways. The most notable of these risks include: 

• Increased potential for insider threats resulting from the use of excessive access for personal gain or retaliation by disgruntled or dissatisfied employees 
• Hackers’ ability to infiltrate higher levels of the network using a single set of stolen credentials 

Accumulation of unnecessary privileges also poses a threat to compliance, especially in enterprise environments handling highly sensitive data, such as Social Security Numbers or health records. Failing to maintain compliance with privacy laws and regulations or suffering a breach in which large amounts of data are lost or compromised can have severe financial and reputational consequences.

Excessive Access in Privileged Accounts

Some users within enterprise systems, such as administrators and managers, require access to sensitive data or resources to do their jobs efficiently. Services and applications may also need a higher level of access to ensure workflows proceed without interruption and communication across the network is maintained. Alarmingly, the 2016 Verizon Data Breach Investigations Report revealed 53 percent of breaches result from the misuse of credentials associated with privileged access. It’s not uncommon to find credentials for sale on the Dark Web, and a hacker needs to purchase only one set to undermine the integrity of an entire enterprise system.

In many cases, users make it easy for hackers to obtain login information and access networks without buying credentials. About 80 percent of access breaches in enterprises result from weak or stolen privileged account credentials, and once hackers hijack these accounts, it can be difficult to determine the true extent of a breach. Privilege creep exacerbates the problem by extending hackers’ access deeper into the network. It can take IT professionals a considerable amount of time to sort through access information, pinpoint the cause of the breach and implement countermeasures to restore network security. 

Smart Strategies to Maintain Appropriate Access Levels

Proper identity and access management strategies can prevent privilege creep and reduce the risk of associated data breaches. Enterprises must focus on following best practices to establish and maintain strong identity governance policies.

Least Privilege

The principle of least privilege provides a baseline for managing all user accounts. By granting each user the lowest level of access necessary to fulfill his or her role within the company, enterprises can ensure smooth workflows while preventing unauthorized access across the network. Enterprises should also consider implementing role-based access in lieu of user-based methods to assign access levels based on the tasks a user must complete rather than associating privileged access with individual accounts.

Reduce the risk of access creep with periodic access audit and certification.

Auditing and Recertification

Routine access audits clarify access needs for enterprise users and pinpoint areas of weakness, including abandoned or orphaned accounts. Removing these accounts eliminates points of weakness hackers could otherwise exploit. Periodic recertification subjects active user accounts to scrutiny to determine if current access levels are appropriate or need to be adjusted. These processes are an essential part of access management and could benefit the 52 percent of enterprises unable to account for all privileged credentials within their networks. Clear policies for managing temporary access and processing changes in employee roles within the enterprise reduce the risk of access privileges extending beyond what’s appropriate. Identity Management Institute members include experts in access audit and certification.
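The controls described in the sections above (least privilege with role-based access, revoking temporary project access, and routine audits for orphaned, dormant and over-privileged accounts) as one worked example. This is added illustrative code, not a tool from Identity Management Institute; the roles, job titles, accounts and the audit date are constructed sample data, and the thresholds are assumptions. Permissions hang off roles rather than individual users, temporary grants carry an expiry, and the audit compares each account's standing roles against the baseline for its current job title.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed role model: permissions belong to roles, never to people.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance_analyst": {"ledger:read", "reports:read"},
    "finance_admin": {"ledger:read", "ledger:write", "reports:read", "reports:approve"},
    "dba": {"db:read", "db:admin"},
}

# Baseline: which standing roles a job title is entitled to (assumed mapping).
JOB_ROLES = {
    "Software Engineer": {"engineer"},
    "Financial Analyst": {"finance_analyst"},
    "Controller": {"finance_admin"},
}

TODAY = date(2024, 5, 6)  # constructed audit date
DORMANT_DAYS = 90         # assumed threshold for "no recent login"


@dataclass
class Grant:
    role: str
    expires: Optional[date] = None  # None = standing grant tied to the job
    reason: str = ""


@dataclass
class Account:
    user: str
    job_title: Optional[str]        # None = HR has no active record (orphaned)
    grants: List[Grant] = field(default_factory=list)
    last_login: Optional[date] = None


def effective_permissions(acct, today=TODAY):
    """Least privilege in effect: only unexpired grants contribute permissions."""
    perms = set()
    for g in acct.grants:
        if g.expires is None or g.expires >= today:
            perms |= ROLE_PERMISSIONS.get(g.role, set())
    return perms


def audit(accounts, today=TODAY, dormant_days=DORMANT_DAYS):
    """Return (user, finding, detail) tuples for the recertification review."""
    findings = []
    for a in accounts:
        if a.job_title is None:
            findings.append((a.user, "orphaned", "no active HR record; disable account"))
            continue
        if a.last_login is not None and (today - a.last_login).days > dormant_days:
            findings.append((a.user, "dormant", f"no login in {dormant_days} days"))
        baseline = JOB_ROLES.get(a.job_title, set())
        for g in a.grants:
            if g.expires is not None and g.expires < today:
                findings.append((a.user, "expired-temporary", f"{g.role} expired {g.expires}; revoke"))
            elif g.expires is None and g.role not in baseline:
                findings.append((a.user, "privilege-creep", f"{g.role} is not in the baseline for {a.job_title}"))
    return findings


def revoke_stale(accounts, today=TODAY):
    """Enforcement: drop expired temporary grants in place; return how many."""
    removed = 0
    for a in accounts:
        keep = [g for g in a.grants if g.expires is None or g.expires >= today]
        removed += len(a.grants) - len(keep)
        a.grants = keep
    return removed


# Constructed sample accounts covering each failure mode the text describes.
SAMPLE_ACCOUNTS = [
    Account("alice", "Financial Analyst",
            [Grant("finance_analyst"), Grant("finance_admin", date(2024, 3, 31), "quarter close")],
            last_login=date(2024, 5, 2)),
    Account("bob", "Software Engineer",
            [Grant("engineer"), Grant("dba", reason="kept after moving off the DBA team")],
            last_login=date(2024, 5, 5)),
    Account("carol", None, [Grant("finance_admin")], last_login=date(2024, 4, 30)),
    Account("dave", "Controller", [Grant("finance_admin")], last_login=date(2024, 1, 10)),
]

if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE_ACCOUNTS):
        print(f"{user:6} {kind:18} {detail}")
    print("revoked:", revoke_stale(SAMPLE_ACCOUNTS))
```

Run against the sample data, the audit flags alice's expired quarter-close grant, bob's leftover DBA role, carol's orphaned account and dave's dormant login; `revoke_stale` then removes the expired grant so that alice's effective permissions fall back to her baseline role.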

Modernizing Access 

Many enterprises continue to rely on passwords and other outdated authentication methods, and a surprising 54 percent use paper or Excel spreadsheets to store details about access credentials. In situations where the use of passwords remains necessary, credentials must be managed in a secure centralized location to prevent loss or compromise. Switching to multi-factor authentication relying on stronger methods, such as the use of hard tokens, one-time PINs and geofencing, makes it more difficult for hackers to penetrate deep into networks. 

Preventing privilege creep at the enterprise level starts with clarity regarding access needs throughout the company and the establishment of strategic access management strategies. With the use of intelligent identity management tools and strong authentication methods, it’s possible to manage employee access to reduce the risk of internal and external breaches resulting from the misuse or compromise of privileged credentials.



Imagine arriving at work one morning to discover all of your employees have received an important video announcement from you and are scrambling to comply with the instructions it contains. Their responsiveness would be impressive if not for one thing: You never recorded or sent the video, and now you somehow have to undo the resulting damage. 

Improvements in artificial intelligence (AI) and machine learning (ML) could soon make such flawless deceptions possible. Called “deepfakes,” these videos have the potential to undermine security at every level from small businesses to global governments. 

How Deepfake Videos Work

A deepfake is a video made by employing AI and ML to create an exact likeness of a person saying or doing things he or she never actually said or did. The deception plays on the human tendency to believe what is seen and can be very effective in making the content of a video appear genuine. 

These videos aren’t simply fakes created by hackers skilled in forgery. Deepfakes rely on a form of machine learning in which two networks are fed the same data sets and pitted against each other in a back-and-forth battle of generation and detection. Known as generative adversarial networks (GANs), these systems consist of one network creating fakes and another evaluating the fakes for flaws. The data set consists of hundreds or thousands of images and videos of the person to be imitated, and a forgery is considered good enough when the detection network no longer rejects the results. 

Hackers and Malicious AI

When deepfakes first appeared on Reddit, people mostly used the technology to goof off and create fake pornographic videos. However, the software to produce such videos is readily available to everyday users, making it simple for hackers to employ deepfake tactics and use realistic false content to manipulate their targets. 

Deepfake videos are prime candidates for viral status and can spread rapidly across social media. Because fake rumors can take as long as 14 hours to be recognized and debunked, a well-produced deepfake could become entrenched in the public mind as truth long before the deception was detected. Hackers can take advantage of the popularity of viral fakes to spread videos containing malware or record messages designed to entice users to click on links as part of a phishing attack. 

Videos may also be used to draw people to websites in which malicious code has been embedded, turning their computers into tools for mining cryptocurrency. Known as cryptojacking, this kind of attack can also be launched on mobile devices and run undetected in the background as users go about their daily tasks. 

Deepfake Deceptions and Access Control

Deepfake technology hasn’t yet progressed to the point of perfection, but rapid advances in AI and ML mean scenarios like the one described above can no longer be relegated to the realm of science fiction. Using deepfakes, hackers could trick employees into giving away a great deal of information, including access credentials, financial records, tax documents, customer profiles and proprietary company data. 

Because GANs require a significant number of images to create realistic deepfakes, this kind of attack isn’t likely to become the norm overnight. However, the internet in general and social media in particular provide a wealth of pictures and videos posted by users and could theoretically be mined for the data sets necessary to train GANs to produce convincing results. 

Employees tricked by deepfakes or those who indulge in viral videos on company time could easily open the door for hackers to access business networks and fly under the radar or launch large-scale attacks. Such a prevalent threat to access control and compliance requires an updated approach to security. 

Preparing for Deepfake Security Threats

To get your network and your employees ready to stand up against the potential risks posed by deepfake videos: 

• Develop and deploy ongoing security training 
• Monitor employee activities on company devices 
• Update your BYOD policy to prevent infected devices from spreading malware to your network 
• Invest in security software with deep learning capabilities to predictively detect malware threats 

Combining employee training with machine learning software minimizes the likelihood of human error and leverages the power of artificial neural networks to protect your company from sophisticated threats. 

The rise of deepfake videos in a world where fake news is already a concern signals a future in which it could be nearly impossible to trust anything you read, hear or see. Detecting falsehoods requires an updated approach to security, including employing the same technologies used to create deepfakes. The future of security may boil down to beating hackers at their own games, and learning to identify and outsmart threats launched using fake video content could be just the start of a new wave of necessary security upgrades.


As businesses increasingly leverage cloud storage services, identity and access management in cloud platforms has become a major challenge and risk concern for cloud users.

Identity and access management in cloud platforms

Overview of Identity and Access Management in Cloud Platforms

The rapid migration of systems and data to the cloud, with cloud storage accounting for $50 billion of the $266 billion expected to be spent on public cloud services by the end of 2020, raises unique concerns regarding data security, identity management and access control. As more businesses of all sizes opt to invest in the tools offered by popular cloud platforms, it will be increasingly necessary for executives and their IT departments to develop the appropriate identity and access management (IAM) policies designed to address the emerging concerns.

Cloud platform providers are responding to the need for stronger security with integrated IAM solutions. Knowing what offerings are available and how to leverage the tools included in each platform provides a framework for smarter, stronger IAM policies made to address the growing number of potential vulnerabilities and new types of risk associated with connected devices and remote workers in modern businesses.

Cloud computing tools are most commonly offered in two ways: software-as-a-service (SaaS) and platform-as-a-service (PaaS). In a typical SaaS model, the customer pays a monthly or yearly fee to use an application or software platform managed entirely by a third-party provider. PaaS offers more flexibility by allowing customers to control which apps are deployed on a third-party platform.

Cloud Platform Providers

Top cloud platform providers give businesses flexible, customizable cloud environments in which to build networks of integrated and complementary applications designed to support more efficient workflows, improve collaboration and increase productivity. Each provider has its own suite of available applications and range of features to address the diverse requirements of today’s connected businesses.

A white paper published by Identity Management Institute for its members offers analysis of the three major cloud platforms: Amazon, Microsoft and Google.

The Role of Middleware for Identity and Access Management in Cloud Platforms

The job of middleware is to connect client requests made via a network to the data being requested. In cloud environments, these tools may be bundled as part of a PaaS offering or obtained through another provider. The link created by middleware serves to bridge the gap between the front end of an application, which the user sees and interacts with, and the back end, consisting of computers, servers and data storage.

For the purposes of IAM, middleware can be used to simplify authentication and user access across extensive suites of cloud-based applications. Third-party authentication options like Okta, Ping Identity and Symantec VIP are known as authentication-as-a-service (AaaS) and are part of the growing number of cloud-based services being established to support the many businesses migrating to the cloud.

Conclusion

Preserving data integrity requires IAM policies designed to clearly define user roles and privileges and control access to applications within cloud computing platforms. Businesses planning to invest in cloud platforms and move more computing infrastructure to the cloud must carefully assess the security controls available and seek PaaS solutions designed to integrate with, supplement and strengthen existing security frameworks.

As businesses move into the future and embrace updated technologies, flexibility in cloud environments will become more important, and security concerns will continue to evolve. Today’s top cloud platform providers offer scalable, customizable solutions with built-in IAM tools, and it’s up to IT specialists to identify the unique concerns of the businesses for which they work and choose the best solution to address workflow needs and security requirements.

The Sarbanes-Oxley (SOX) Act of 2002 is just one of the many regulations you need to consider when addressing compliance. Also called the Corporate Responsibility Act, SOX may necessitate changes in identity and access management (IAM) policies to ensure your company is meeting the requirements related to financial records integrity and reporting.


What is Sarbanes-Oxley (SOX)?

SOX was passed in July of 2002 in response to a rash of incidents resulting from malpractice in accounting. The regulation added to existing guidelines and included “reforms to improve financial disclosures from corporations and prevent accounting fraud” with the aim of protecting investors from “fraudulent accounting activities.”

All publicly traded companies located or doing business in the U.S. are subject to SOX regulations. The act:

• Increases corporate responsibility for financial reporting
• Establishes new accounting guidelines
• Mandates protections against accounting fraud
• Imposes more serious punishments for noncompliance

Records collected and stored by companies affected by SOX are subject to a number of protocols intended to increase accuracy in reporting and discourage unlawful falsification and destruction of records. With strict rules governing financial reporting and how long records are stored, SOX changes the way many businesses approach accounting.

SOX Compliance Requirements

The first step in SOX compliance is to establish an “accounting framework” to create verifiable paper and data trails for all financial activities. Every action with the potential to affect financial reporting must be traced and documented as proof of compliance, including changes made to financial and accounting software.

In addition, companies must establish internal controls designed to prevent fraudulent activities and reporting. CEOs and CFOs are required to personally certify all records as “complete and accurate” in accordance with section 302 of SOX, affirming they’ve reviewed the controls at least once in the past 90 days.

Section 404 outlines the requirements for monitoring and maintaining controls. Using a framework like COBIT, companies must conduct an annual audit to determine how well the controls are working and report the results directly to the Securities and Exchange Commission (SEC). All audit records, whether physical or digital, must be kept on file for no less than five years.

Should a security breach compromise finances or records, SOX regulations require affected companies to report the incident as soon as possible.

Risk of Noncompliance

Failure to comply with SOX can incur serious penalties. Company executives who certify false reports can be fined up to $1 million for each instance, sentenced to up to 10 years in jail or both. Willful certification of false reports carries a fine of up to $5 million, a jail term of up to 20 years or both. The severe nature of these penalties drives home the importance of having strong security measures, especially since a single accounting error can compound and create several inaccurate reports if it isn’t caught in time.

How Does IAM Relate to SOX?

Because both physical and digital records are affected by SOX, access management is an integral part of compliance. When the act was first passed, many businesses weren’t yet dealing with the complexities of connectivity seen in modern enterprises. However, the requirement to put “adequate internal controls” in place for “financial reporting and governance” extends to IT, especially in environments where multiple device types connect to the corporate network from a variety of locations and a great deal of information is handled in the cloud.

Strategic IAM practices control several factors with the potential to affect financial reports:

• Insider threats
• Data breaches
• Human error

By automating activities such as user provisioning and deprovisioning and implementing granular conditional access controls, companies minimize the risk of unauthorized access and reduce instances of privilege creep. Assigning identities to devices makes it easier to control how and where employees access corporate networks, helping prevent some of the problems associated with establishing and enforcing BYOD policies.

Business IAM solutions also include automatic logging and reporting tools so that clear reports can be generated for every audit. Since corporations tend to have large numbers of employees with various levels of network access, automated logging and report generation are essential for SOX compliance. Without these tools, it would be nearly impossible to track the actions of every user and every device, and suspicious behavior could escape notice long enough to cause serious problems.

All digital security policies, including IAM, should be evaluated for efficacy as part of the annual SOX compliance audit.

Access Management Controls

For SOX compliance, organizations should keep the following access management areas in mind:

  • Manage access rights during on-boarding, role changes, off-boarding
  • Ensure Segregation of Duties (SoD)
  • Maintain access control matrix
  • Perform periodic access audits
  • Automate reporting
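Two of the items above, segregation of duties and the access control matrix, lend themselves to an automated check over an IAM export. The following is added illustrative code, not anything from Identity Management Institute or from a particular IAM product; the finance roles, the conflicting permission pairs and the user assignments are constructed sample data, and a real policy would use the organization's own role catalogue. The SoD rule is expressed as pairs of permissions no single person may hold, which catches conflicts that arise when roles accumulate after a promotion, and the matrix function produces the users-by-permissions CSV an auditor typically asks for.

```python
import csv
import io

# Constructed role-to-permission map for a finance application.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor:create", "invoice:enter"},
    "ap_manager": {"invoice:approve", "payment:release"},
    "gl_accountant": {"journal:post"},
    "gl_reviewer": {"journal:approve"},
    "auditor": {"ledger:read"},
}

# Permission pairs that must never sit with one person (assumed SoD policy).
SOD_CONFLICTS = [
    ("vendor:create", "payment:release"),  # could create and pay a fictitious vendor
    ("invoice:enter", "invoice:approve"),
    ("journal:post", "journal:approve"),
]

# Constructed user-to-role assignments, as exported from an IAM system.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},      # kept the clerk role after promotion
    "dave": {"gl_accountant", "gl_reviewer"},
    "erin": {"auditor"},
}


def permissions_of(user, assignments=ASSIGNMENTS, roles=ROLE_PERMISSIONS):
    """Flatten a user's roles into the set of permissions they hold."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def sod_violations(assignments=ASSIGNMENTS, roles=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Return (user, permission_a, permission_b) for every conflicting pair held."""
    found = []
    for user in sorted(assignments):
        perms = permissions_of(user, assignments, roles)
        for a, b in conflicts:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found


def access_matrix_csv(assignments=ASSIGNMENTS, roles=ROLE_PERMISSIONS):
    """Users x permissions matrix as CSV text; 'X' marks a permission held."""
    all_perms = sorted(set().union(*roles.values()))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user"] + all_perms)
    for user in sorted(assignments):
        perms = permissions_of(user, assignments, roles)
        writer.writerow([user] + ["X" if p in perms else "" for p in all_perms])
    return buf.getvalue()


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD violation: {user} holds both {a} and {b}")
    print(access_matrix_csv())
```

With the sample data the check reports carol twice (vendor creation with payment release, and invoice entry with invoice approval) and dave once (posting and approving journals); the matrix lists every user against every permission so the periodic access audit can start from evidence rather than memory.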

Staying in compliance with regulations like SOX is important for the safety of your company and the data you handle. If you haven’t yet put measures in place to ensure compliance in regards to financial records and reporting, work with your IT department to develop an IAM strategy designed to minimize errors, prevent unauthorized access and secure all records during transmission and storage.


The increasing number of connected technologies used by businesses and consumers is creating more points of data vulnerability. Each new endpoint provides a potential “in” for hackers and increases the risk of identity theft from data exposure.

Business owners must recognize the growing identity theft threat to their companies, employees and customers and take steps to mitigate the risks and ensure personal data stays out of the hands of malicious third parties.

More Technology, Greater Risk

The vision of a completely connected world, once realized only in science fiction, is quickly becoming a reality. Internet of Things (IoT) technology forms an expanding web of devices in constant communication with each other and with a variety of networks. This connectivity permeates every aspect of business and personal lives and has greatly increased the risk of identity theft.

According to a survey by The Harris Poll, almost 15 million people had their identities stolen in 2017 and experienced nearly $17 billion in total losses. The Consumer Sentinel Network lists identity theft as the second most common reason for fraud reports, surpassed only by debt collection fraud.

Why are connected technologies of particular concern when considering identity theft risk? IoT devices constantly collect and send data about users, including intimate details most consumers never realize they’re sharing. Modern hackers have access not only to identifying information but also may obtain data about individuals’ personal lives, right down to their fitness habits, the groceries they buy most often and even rough maps of their homes.

Today’s Biggest Threats to Identity

Although the Federal Trade Commission lists employment and tax fraud and credit card fraud as the two most common forms of identity theft, account takeovers are becoming more attractive to modern hackers. More connectivity means hackers can gain access to a larger database of information and launch more widespread attacks using a single set of stolen credentials.

In the 1,597 data breaches recorded by the Identity Theft Resource Center in 2017, hackers gained access to users’ names, social security numbers, birthdates and driver’s license numbers, all of which can be used to impersonate an individual or mine for more data. However, to steal an account, all a hacker needs is a user’s login information and a strategy for flying under the radar when committing fraudulent acts.

The risks associated with this type of identity theft are seen in the increasing popularity of online fraud, especially in the realm of online payments. Over 80 percent of credit card fraud is now committed in “card not present” situations, such as the use of digital payment gateways. Electronic Health Records (EHRs) are also popular targets, although hackers seem to be developing a greater interest in social security numbers when obtaining user data.

Business Identity Theft?

Individuals aren’t the only ones at risk. Businesses can also fall victim to identity theft. Both the high volume of activity and large transactions occurring at the corporate level attract hackers looking for big payouts. Unlike in data breaches, however, hackers committing business identity theft don’t infiltrate a network to steal information. Instead, they impersonate the identity of a business to commit fraud.

Businesses of all sizes are susceptible to this form of identity theft, but small businesses may be at a greater risk due to a tendency to ignore potential threats. Over half of small businesses have no concept of their level of risk from cyber attacks, and 58 percent fall victim to malware as a result. Business identity theft can affect credit score, cash flow, tax filings and brand reputation.

Strategies to Safeguard Identity

Business owners and corporate IT specialists must be aware of the risks associated with the unique nature of their onsite networks and the ways in which employees and customers connect to and interact with these networks.

Identity theft “red flag” risk assessments and routine security audits reveal points of weakness and the need for stronger safeguards and better access management policies. Using information gathered from these assessments, businesses should:

• Invest in updated security software designed to handle connected technologies
• Consider incorporating machine learning into security protocols
• Review and update access permissions
• Implement data encryption tools
• Establish protocols for user provisioning and deprovisioning
• Create policies limiting which company details can be shared publicly
• Continually educate employees on how to minimize risk

Securing internal networks with these tactics closes many common loopholes hackers use to access personal information and helps to protect businesses, employees and customers from the devastating consequences of identity theft.

Although the rapid spread of new technologies is putting personal information at greater risk for theft, business owners can take steps to increase security and protect proprietary and consumer data. Technology will continue to shift and expand, and diligent awareness of threats is essential to preserve data privacy and prevent identity theft.

Incidents of call center fraud are on the rise according to various call center fraud reports. This is partly due to the migration of scammers from online channels, where breaches are becoming more difficult to commit, to the largely unprotected and vulnerable environment of call centers.

The evolution of authentication has been somewhat slow across organizations when compared to the fast changing technology and cybersecurity threat landscape.

The increasing complexity of systems is leading to a need for more secure authentication methods. Although passwords are a ubiquitous form of verification, allowing users to access applications and perform actions within a system, there have always been problems with this method. Creating secure passwords and managing them properly is difficult when users have dozens of different accounts and log in from multiple locations throughout the day.

The evolution of authentication by Identity Management Institute

An answer to the problem may be found in password-less authentication methods. According to a survey by Wakefield Research, 69 percent of organizations are considering phasing passwords out in the next five years, opting instead to take advantage of passwordless models to increase security and make logins easier for both employees and customers.

Basics of Passwordless Authentication

The idea of a passwordless authentication model is straightforward. Instead of entering credentials consisting of a username or email address and a password, users verify their identities with an alternative method. The change is meant to address the problem of passwords standing in the way of reliable security, workflow efficiency and even customer retention.

Options for password-less authentication include:

  • Biometrics – Already in use in smartphones and other devices, biometric logins consist of a unique biological identifier, such as a fingerprint. However, until biometric technology improves, this may not be the most secure choice unless combined with other options.
  • Email – Upon entering his or her email address, an existing user is sent an email with a verification link. Clicking the link completes authentication and allows access.
  • Token or one-time code – Instead of a link, users receive a token or code they then enter into the website or application. This code is attached to every action taken during a session and decrypted as users interact in real time before being destroyed when the session is terminated.

These new authentication options eliminate the need for passwords and the potential security risks associated with poor password management.
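The email-link and one-time-code options above both rest on the same server-side mechanics: a code that is randomly generated, bound to the address it was issued for, valid only for a short window, accepted exactly once, and retired after a small number of wrong guesses. The following Python is an added illustration of those mechanics, not code from the article or from any vendor it mentions; the 6-digit format, the 5-minute lifetime, the 5-attempt budget and the in-memory store are assumptions chosen for the example.

```python
"""Passwordless one-time code issuance and verification (added illustration).

Assumptions (not from the original article): codes are 6 digits, live for
5 minutes, are single-use, and only a keyed hash is stored server-side so a
database leak does not expose usable codes.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before the code is voided


class OneTimeCodeStore:
    """In-memory store standing in for a database (constructed for the example)."""

    def __init__(self, pepper: bytes, clock=time.time):
        self._pepper = pepper      # server-side secret mixed into every stored hash
        self._clock = clock        # injectable clock so expiry can be exercised offline
        self._pending = {}         # email -> (digest, expires_at, wrong_attempts)

    def _digest(self, email: str, code: str) -> bytes:
        # Bind the code to the address it was issued for, so a code delivered to
        # one mailbox cannot be replayed against a different account.
        msg = f"{email}\x00{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, email: str) -> str:
        """Generate a fresh code for `email`; the plaintext goes out of band only."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = (self._digest(email, code), self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, email: str, submitted: str) -> bool:
        """Consume the code: True exactly once, for the right code, inside its lifetime."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(email, None)      # expired, or the guess budget is spent
            return False
        if hmac.compare_digest(digest, self._digest(email, submitted)):
            self._pending.pop(email, None)      # single use: destroyed on success
            return True
        self._pending[email] = (digest, expires_at, attempts + 1)
        return False


def demo() -> dict:
    """Exercise the store with a constructed clock; returns outcomes for checking."""
    now = [1_700_000_000.0]
    store = OneTimeCodeStore(pepper=b"example-pepper-not-a-real-secret", clock=lambda: now[0])
    code = store.issue("alice@example.com")
    wrong_guess = "000000" if code != "000000" else "000001"
    wrong_first = store.verify("alice@example.com", wrong_guess)
    other_user = store.verify("bob@example.com", code)    # bob never requested a code
    ok = store.verify("alice@example.com", code)
    replay = store.verify("alice@example.com", code)      # second use must fail
    code2 = store.issue("alice@example.com")
    now[0] += CODE_TTL_SECONDS + 1                        # let the second code expire
    expired = store.verify("alice@example.com", code2)
    code3 = store.issue("alice@example.com")
    for _ in range(MAX_ATTEMPTS):                         # burn the whole guess budget
        store.verify("alice@example.com", "xxxxxx")
    locked = store.verify("alice@example.com", code3)     # even the right code is refused
    return {"wrong_first": wrong_first, "other_user": other_user, "ok": ok,
            "replay": replay, "expired": expired, "locked": locked}
```

The two properties worth noticing are that nothing usable is stored (only a keyed digest, so a copy of the table does not let anyone log in) and that the guess budget is small relative to the code space, which is what makes a 6-digit code defensible against online guessing; the delivery channel itself (mailbox or phone) remains the part a deployment has to trust.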

Passwordless Authentication Benefits

Getting rid of a familiar form of identification to increase security may seem counterintuitive, but passwordless authentication has the potential to increase security for both your customers and the users within your organization. Making the switch addresses common problems with password security:

  • Weak passwords
  • Poor password management
  • Accidental use of default settings
  • Using the same password for multiple accounts
  • Not changing passwords regularly

Many of these issues result from “password fatigue,” which is experienced by users asked to create passwords for every website and application they use and enter these passwords numerous times throughout the day. This often leads to apathy in password creation and can threaten system security.

Passwordless authentication is also more convenient. Customers don’t like juggling logins for dozens of sites and tend to abandon those requesting the creation of yet another account. Employees required to log into multiple applications during the course of standard workflows are less efficient, and tasks slow down even more if a password is forgotten and needs to be reset. When no passwords are required, all users enjoy a more seamless experience.

Passwords Elimination in the Evolution of Authentication

Password fatigue explains the phenomenon of passwords becoming weaker as a user is asked to create more accounts. After a while, users no longer care if the password is secure and will use anything just to be able to gain access. This can create a serious security problem in your system. Weak passwords, use of default login options and stolen credentials account for 63 percent of breaches (Verizon). If even one customer’s account is hacked, all the data stored by your company is at risk. The same is true for employee accounts across critical business applications.

Customer retention rates are also affected by password fatigue. Seventy-five percent of customers stop using a service or website if they need to perform a password reset, and 30 percent abandon their shopping carts if checking out requires account creation. This is of particular concern when it comes to first-time or one-time customers. You could lose out on lucrative sales during popular shopping seasons or drive away customers who may otherwise have become loyal shoppers if you don’t have an alternative way for them to log in.

In addition to these considerations, your organization could benefit from passwordless authentication if:

  • Employee password management is poor
  • Workflows continue to hit bottlenecks due to excessive login requirements
  • Your system network is expanding to include more applications
  • A significant number of customers are abandoning carts at checkout
  • Password security problems have led to breaches in the past

There may be some situations in which it makes sense to retain the use of passwords or use a method like multi-factor authentication instead. Base your decision on your company’s needs and the unique security requirements of your network.

Passwordless Model in the Evolution of Authentication

If you decide to make passwordless authentication part of your security protocol and authentication evolution, the first step is to research the options to find a reliable provider. Request demos from vendors to see how the authentication process works, and get all the details you can about the security of the process.

Implementation details are specific to providers, but your chosen vendor should work with you to help you set up your passwordless login system. Let all users, both employees and customers, know you’ll be making the switch, and provide clear instructions for use of the new system.

Once passwordless authentication is in place, monitor performance to determine if it delivers the desired results. You should see a drop in shopping cart abandonment on the customer end and an increase in workflow efficiency for your employees.

The rise of passwordless authentication may usher in a time when no system or application requires a password for access in the evolution of authentication. Companies looking to streamline workflows, update security and offer an alternative to customers experiencing password fatigue can benefit from switching to passwordless options. Since changes in technology inevitably bring new security concerns, it’s time for organizations to start adopting alternatives to outdated authentication methods and bring identity management strategies up to date.


The identity and access management (IAM) landscape is always changing, and staying on top of the latest news can help you protect yourself and your business from vulnerabilities. From major market expansion to the latest attack on Facebook, here’s what you should know about IAM this month.

$14.82 Billion IAM Market Share Predicted

By 2021, the global market share for IAM is expected to exceed $14.5 billion in U.S. dollars, representing a compound annual growth rate of 12 percent. This significant jump reflects growing security concerns as companies adopt more cloud-based applications and continue to invest in SaaS solutions. An increasing awareness of compliance requirements is also driving the market as regulations are updated.

Facebook Breach Blamed on Access Token Error

Facebook’s latest breach affected an estimated 30 million users, but it was neither complex nor sophisticated. Personal information, including check-ins, searches, contact information and profile details, was stolen from 14 million accounts, and contact information from an additional 15 million accounts was also compromised.

Hackers gained access to data through a simple flaw involving video previews. When users chose to view a birthday video using Facebook’s “View As” option before posting it to their profiles, right-clicking to obtain the source code for the page revealed an access token for the user from whose perspective they were previewing. Hackers were able to scrape access tokens for millions of users by exploiting this vulnerability.

Facebook says the problem was fixed as of September 27, but as with any breach, users should continue to exercise caution.

Malware Remains Most Popular Attack Method

According to research by Positive Technologies, the frequency of malware attacks dropped from 63 percent to 49 percent between Q1 and Q2 this year. However, attacks involving compromised credentials increased from 7 percent to 19 percent.

Malware is still the most popular form of cyberattack and can be used to steal credentials for use in more sophisticated or extensive breaches. Targeted attacks executed for the purpose of extorting money from companies or stealing valuable data are still common, meaning you need to be diligent across departments in your company. A single phishing email, compromised file or infected employee device can provide an open door for hackers to undermine your IAM framework.

Federated Identities May Give Way to Consolidated Identities

The current trend in using federated identities may need a makeover to keep up with the complex security concerns and requirements of modern businesses. A federated identity allows a user to log into multiple services with one set of credentials, such as when you access a third-party website using your Facebook or Google account. A federated identity supplies a single key for cross-domain interactions and interactions between software platforms from different companies, allowing users to access a variety of services without the need for all providers of these services to use the same kind of authentication technology.

Consolidated identity is being proposed as the next wave of IAM within enterprises. Currently, employees using multiple tools to do their jobs likely have to log into each platform with a separate identity. Doing so creates a distraction, slows down workflows and makes it difficult to work efficiently. A consolidated identity combines access rules and authentication protocols to allow access across siloed services based on a user’s needs and security level. This aggregation of access rights can greatly improve time management and increase productivity.

Google Introduces New IAM Tools

Identity management and security are an increasing concern as the adoption of cloud platforms becomes more widespread and companies begin to rely on a greater number of cloud-based applications for daily business tasks. Google recognizes the complex issues involved in enterprise IAM and has been working on new tools to improve cloud security.

“How do we rethink identity in a cloud-based world?” was the question posed by Karthik Lakshminarayanan, Google’s director of product management. The company is answering the question with:

  • Cloud Identity for Customers and Partners (CICP), a tool to add IAM to apps for better security
  • Secure LDAP to allow seamless access to both new and legacy applications
  • Cloud Identity-Aware Proxy (IAP) for context-aware access, making it possible to control data and application access based not only on credentials but also the context of a request
  • Location restrictions for the Google Cloud Platform to prevent the unauthorized creation of resources in specific offsite locations

Some tools are still in development, and others are being finalized to help make IAM easier for businesses working with sensitive data in the cloud.

Continue to monitor the latest IAM news and read new articles to stay on top of industry changes and get alerts regarding security concerns. New product and service releases and innovations from big players in the industry can transform your approach to IAM and ensure better security for the future. And, don’t forget to get certified.

Companies failing to follow proper employee offboarding measures are at risk for data loss, cyberattacks and other malicious activities. Regardless of the reason for an employee’s exit, offboarding is an essential part of the transition process. Protect your system and all sensitive data with these six critical identity management procedures.

Collect All Company-Owned Devices

Company-issued smartphones, tablets, laptops and other devices should be turned in before an employee leaves for good. These devices not only contain sensitive information but also represent a significant monetary investment. Be sure to collect all other items used for data transfer and storage, such as memory cards and flash drives, to prevent confidential information from leaving the premises.

Retrieve keys and security cards to ensure employees can’t gain physical access to the building once their tenure is over. Being able to get in and out of the office without checking in or making an appointment literally leaves the door open for serious breaches if the conditions of departure are less than cordial.

Terminate Personal Device Access

If your business has a BYOD policy, employee-owned devices may retain information, applications and other company assets. Removing data and programs pertaining to company activities is a key part of offboarding. Even if no ill will is intended, employees can easily walk away with proprietary data on their personal smartphones, tablets, laptops and external storage devices. If passwords were stored using tools on any of these devices, hackers could gain access to your system with stolen credentials long after an employee has left the company.

Revoke Network Access

The identity and access management (IAM) solution your company uses should have tools for managing the entire employee lifecycle, including offboarding. When the time comes to remove a user from the system, take advantage of these tools to completely eliminate the employee’s unique identity. Don’t be tempted to reuse the account with different login credentials for the next person taking over the position. A new employee may not need the same level of access even if he or she performs similar duties, and rolling accounts over may cause problems with “privilege creep,” in which an employee accumulates more access rights than necessary to perform his or her job.

Access to company applications and third-party cloud-based programs used by your business for communication and collaboration must also be revoked. Change any common passwords for these applications or other system tools, and make sure related apps are wiped from personal devices. If an employee-owned device has its own identity within your system, remove this privilege when the person leaves.

IAM software makes network access management much easier by centralizing all information about each employee’s credentials, level of access and privileges so that you can be sure all points of vulnerability have been addressed and don’t have to search through every application to terminate access.

Remove Employee Data from Systems

Once access has been revoked, make sure the names of employees who no longer work for your company don’t show up on contact lists, in meeting rosters or as the primary contacts for projects. Forward all communications from terminated employee accounts to a manager or supervisor, and communicate clearly with other employees to ensure everyone is aware who has been offboarded and who is responsible for picking up their tasks until a new hire is made.

Follow a Set Procedure Every Time

Go through the same steps with each employee you offboard. Adhering to a plan ensures you don’t miss any critical actions and greatly reduces the risk of disgruntled employees wreaking havoc once they’ve left. Employees in good standing are saved the potential embarrassment of and backlash from accidental data leaks. Create a checklist of best practices, and follow it to the letter to keep your company and your employees safe.

Keep Records

Compliance is an important issue for any business handling sensitive information, interacting with clients and customers or conducting transactions. You may be subject to additional compliance rules depending on the industry in which you operate. Proper offboarding is necessary for compliance, especially in cases where the information you store could be stolen, sold or publicly distributed by employees with malicious intentions.

If your IAM solution doesn’t already keep detailed logs, enable the option or upgrade to a system with this capability. Logs can be used in the event of a compliance audit to prove you followed your offboarding procedure correctly and no loose ends were left to create vulnerabilities. Furthermore, logs are necessary for any critical investigation as a result of security policy violations and data breach cases.

Following the same offboarding procedure with every departing employee reduces the risk of accidental or deliberate data theft and eliminates as many points of vulnerability within the system as possible. Make offboarding part of the process of managing the employee lifecycle to avoid the potential for serious security problems down the road.
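The “Revoke Network Access”, “Follow a Set Procedure Every Time” and “Keep Records” sections describe one procedure: run a fixed checklist for every departure, in an order that cannot be undone by a fresh login, log each step, and finish with a check that no access remains. The Python below is an added illustration of that procedure and is not code from the article or from any IAM product; the directory, sessions, application grants, device identities and mail forwarding are in-memory stand-ins constructed for the example, where a real deployment would call its directory, SSO and SaaS provisioning APIs.

```python
"""Checklist-driven employee offboarding with an audit trail (added illustration).

Every system here is an in-memory stand-in constructed for the example.
"""
from dataclasses import dataclass, field
import time


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)      # user -> {"enabled": bool, "groups": set}
    sessions: dict = field(default_factory=dict)      # user -> set of live session/token ids
    app_grants: dict = field(default_factory=dict)    # app name -> set of users with access
    devices: dict = field(default_factory=dict)       # device id -> owning user (BYOD identities)
    mail_forward: dict = field(default_factory=dict)  # user -> recipient of forwarded mail


class Offboarder:
    """Runs the same ordered checklist for every departing user and logs each step."""

    def __init__(self, directory: Directory, clock=time.time):
        self.d = directory
        self.clock = clock
        self.audit = []   # append-only record kept for compliance review

    def _log(self, step: str, user: str, detail: str) -> None:
        self.audit.append({"ts": self.clock(), "step": step, "user": user, "detail": detail})

    def disable_account(self, user: str) -> None:
        # Disable first: once the account is off, no later step can be undone by a new login.
        acct = self.d.accounts.get(user)
        if acct is None or not acct["enabled"]:
            self._log("disable_account", user, "already disabled or absent")
            return
        acct["enabled"] = False
        self._log("disable_account", user, "disabled")

    def revoke_sessions(self, user: str) -> None:
        n = len(self.d.sessions.pop(user, set()))
        self._log("revoke_sessions", user, f"{n} session(s) revoked")

    def remove_groups(self, user: str) -> None:
        acct = self.d.accounts.get(user)
        groups = sorted(acct["groups"]) if acct else []
        if acct:
            acct["groups"].clear()
        self._log("remove_groups", user, f"removed {groups}")

    def revoke_app_grants(self, user: str) -> None:
        apps = sorted(app for app, users in self.d.app_grants.items() if user in users)
        for app in apps:
            self.d.app_grants[app].discard(user)
        self._log("revoke_app_grants", user, f"revoked {apps}")

    def remove_devices(self, user: str) -> None:
        ids = sorted(dev for dev, owner in self.d.devices.items() if owner == user)
        for dev in ids:
            del self.d.devices[dev]
        self._log("remove_devices", user, f"removed device identities {ids}")

    def forward_mail(self, user: str, manager: str) -> None:
        self.d.mail_forward[user] = manager
        self._log("forward_mail", user, f"forwarding to {manager}")

    def remaining_access(self, user: str) -> list:
        """Post-check: anything still granting access is a loose end to fix."""
        found = []
        acct = self.d.accounts.get(user)
        if acct and acct["enabled"]:
            found.append("account enabled")
        if self.d.sessions.get(user):
            found.append("live sessions")
        if acct and acct["groups"]:
            found.append("group memberships")
        found += [f"app:{a}" for a, users in self.d.app_grants.items() if user in users]
        found += [f"device:{dev}" for dev, owner in self.d.devices.items() if owner == user]
        return found

    def offboard(self, user: str, manager: str) -> list:
        """Run the full checklist in fixed order, then verify and log the outcome."""
        for step in (self.disable_account, self.revoke_sessions, self.remove_groups,
                     self.revoke_app_grants, self.remove_devices):
            step(user)
        self.forward_mail(user, manager)
        left = self.remaining_access(user)
        self._log("verify", user, "clean" if not left else f"LOOSE ENDS: {left}")
        return left


def demo() -> dict:
    """Constructed sample directory; returns outcomes for checking."""
    d = Directory(
        accounts={"alice": {"enabled": True, "groups": {"finance", "vpn-users"}},
                  "bob": {"enabled": True, "groups": {"eng"}}},
        sessions={"alice": {"s1", "s2"}, "bob": {"s3"}},
        app_grants={"crm": {"alice", "bob"}, "wiki": {"alice"}},
        devices={"phone-0451": "alice", "laptop-17": "bob"},
    )
    ob = Offboarder(d, clock=lambda: 1_700_000_000.0)
    before = ob.remaining_access("alice")
    left = ob.offboard("alice", manager="carol")
    left_again = ob.offboard("alice", manager="carol")   # a re-run must be harmless
    return {"before": before, "left": left, "left_again": left_again,
            "bob_untouched": ob.remaining_access("bob"),
            "steps": [e["step"] for e in ob.audit][:7],
            "crm_users": sorted(d.app_grants["crm"])}
```

Two design points carry the article’s advice: the checklist is a fixed sequence rather than a set of ad-hoc actions, so a re-run is safe and every departure produces the same audit entries, and the run ends with an enumeration of remaining access instead of assuming each step succeeded, which is what an auditor would want to see in the log.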