Changing IAM and Data Breach
Changing cybersecurity concerns impact every organization handling sensitive personal data. The latest trends in identity and access management (IAM) point toward a future in which most data and applications reside in the cloud and the concept of a “user” becomes more and more flexible. For IAM specialists, the challenge lies in keeping up with these changes and understanding how to adapt security protocols to meet the needs of clients across industries.
IAM Meets UEM for Stronger Device Security
Until recently, functions in IAM and unified endpoint management (UEM) overlapped, but each solution ran on a separate platform. As the number and types of devices used to access networks increase, it’s becoming necessary to bring the two together into a single system for easier management.
UEM involves “securing and controlling” all the devices on a network in a connected, cohesive manner from a single console. Devices may include:
• Desktop and laptop computers
• IoT devices
Businesses of all sizes are now dealing with situations in which employees access applications and data from multiple devices, often moving between devices during the workday. Each device needs to be not only monitored but also secured to prevent data compromise or theft.
Some IAM providers are beginning to add UEM capabilities to their offerings in response to these changes, and UEM companies are doing the same with IAM. However, for companies not using comprehensive platforms, it’s necessary for IT professionals to seek IAM and UEM solutions designed for smooth integration to ensure there are no gaps in security coverage.
Microservices Increase IAM Flexibility
Device diversity and complex workflows require flexible environments for access and security. Vendors are making this easier for developers and end users by modularizing common IAM functions into “microservices.”
In a modular system, services like token validation and authentication are provided as independent, self-contained modules, which can then be connected using integrations. Communication via APIs keeps services independent of any particular platform or operating system, so developers can also incorporate IAM modules into apps. Integrations can be challenging when grouping modules from different vendors, but these links are essential for proper communication. Information must flow uninterrupted between modules for access and authorization to remain efficient.
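The modular split described above, as an added sketch that is not part of the original article or any vendor's code: an authentication module and a token validation module that exchange only JSON-style messages and share nothing but a signing key and a token format. The module names, message fields, key, and the `svc-billing` subject are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"   # assumption: the only secret both modules hold
_SALT = b"constructed-salt"            # constructed value for the demo credential store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body: str) -> str:
    return _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())

def _kdf(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)

# --- Authentication module: owns the credential store, issues tokens -------
_USERS = {"svc-billing": _kdf("constructed-secret")}  # a "user" may be an app

def authenticate(request: dict, now=None) -> dict:
    """Contract: {'subject', 'secret'} -> {'ok', 'token' | 'error'}."""
    now = time.time() if now is None else now
    stored = _USERS.get(request.get("subject", ""))
    supplied = _kdf(request.get("secret", ""))
    if stored is None or not hmac.compare_digest(stored, supplied):
        return {"ok": False, "error": "invalid_credentials"}
    claims = {"sub": request["subject"], "exp": int(now) + 300}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return {"ok": True, "token": f"{body}.{_sign(body)}"}

# --- Token validation module: never sees the credential store --------------
def validate(request: dict, now=None) -> dict:
    """Contract: {'token'} -> {'ok', 'subject' | 'error'}."""
    now = time.time() if now is None else now
    try:
        body, sig = request["token"].split(".")
        # Verify the signature before parsing anything inside the token.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return {"ok": False, "error": "bad_signature"}
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (KeyError, ValueError, AttributeError):
        return {"ok": False, "error": "malformed_token"}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "error": "expired"}
    return {"ok": True, "subject": claims["sub"]}
```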
Cloud Migration Requires Updated Access Roles
Just as IAM structure is changing, so are definitions that were once clear. In the past, a “user” was a person and a “machine” was a single device, usually a computer or workstation. Today, a user can be an actual person, an application, a mobile device, an IoT device or anything else requiring access to or within a system. Machines may be applications, systems or devices of any type.
Cloud migration is part of what’s driving this change. By the end of 2019, half of all enterprise workloads will be in the cloud, and IAM services are also moving to cloud environments. This shifting landscape requires a new approach to access management, although not all businesses are on board. Some still handle and store identity information on premises and are either unwilling to adopt a completely cloud-based solution or not yet ready for one.
However, on-premises security measures are no longer sufficient to address the concerns presented by complex modern systems. Businesses must go beyond the basics and consider adopting a more aggressive approach, such as zero-trust security. With so many endpoints to consider, the granular control offered by zero trust is becoming an essential part of cybersecurity protocols.
Over 80 Million Households Exposed in Latest Massive Data Breach
A database recently discovered by a team of Israeli data security experts highlights the critical importance of IAM for all types of organizations. As part of their work at vpnMentor, the team was performing a sweep of unsecured cloud databases with the intent of notifying owners of the need to protect the data.
The database contained information on more than 80 million U.S. households, and all individuals in the database were over age 40. At first, no one was sure where the data had come from or who had compiled it, but later reports showed it apparently belonged to a company offering insurance, healthcare or mortgages. Only some of the data was encrypted; other information was readily accessible. Exposed information may have included names, addresses, genders, marital statuses and income levels.
Since the discovery of the database, which was hosted on a Microsoft server, Microsoft has removed the information and notified the owner. However, it’s unclear how long the database existed or whether any of the data was compromised by hackers.
Without dynamic, adaptive security systems equipped to detect subtle changes in user behavior and prevent unauthorized access, the risk of breaches in these types of situations remains high. Businesses and organizations need qualified cybersecurity specialists to develop robust protocols designed to protect systems from today’s sophisticated hackers.