The shock of one mega data breach barely has time to fade before the next one arrives. Target. Michaels. Neiman Marcus. High-profile resignations are happening, data security is making headlines in the mainstream press, and consumers are anxiously recalling credit-card purchases they made months ago. But this is only the beginning. For too long, organisations have been collecting identity information without stringent security precautions in place to protect it. The consequences are only just starting to hit home—and they’re hitting hard.
In any breach, there’s damage to the brand and loss of customer confidence, both of which are extremely hard to calculate but which can at their worst cripple future growth. And there are fines, too. Target and Neiman Marcus both disclosed their breaches promptly, but when Kaiser Foundation Health Plan lost a hard drive with information on more than 20,000 Kaiser employees and their families, it waited three months to notify affected individuals—and found itself in court. The state of California requires companies disclose breaches in a timely way, and is now suing Kaiser for $2,500 for each violation—which adds up to a fine of up to $51.3 million. Companies operating in other states could soon be subject to similar standards: the White House is proposing the creation of a consistent national standard for promptly notifying consumers in the event of a breach.
Such security issues are the logical outcome of pervasive connectivity: if everything is connected, everything is vulnerable. Still, many organisations have been caught by surprise. They’re suddenly realising they are vulnerable, and this is driving a new awareness of how critical security processes and technologies are to customer engagement, revenue, and brand equity.
Every business, nonprofit, or other organisation that holds personal data needs to reevaluate the security of its IT infrastructure and start asking itself: how can we mitigate risk? How can we make sure the right users have access to only what they need? And, most importantly, how can technology advancement help manage identities so that we can continue to benefit from wider connection and sharing of personal data, without running the risk of exposure?
Firewalls and perimeter defenses are largely irrelevant when so many systems have to be accessible to huge numbers of users from outside the organisation. Instead, many organisations are attracted to an approach that Brad Maiorino, recently hired as Target’s chief information security officer, calls “attack surface reduction.”
“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Mr. Maiorino said. “You have to simplify and consolidate those as much as possible.”
In addition to reducing the number of connection points, companies are making it more complicated to log in. Weak user-selected passwords are the Achilles heel of many systems, so more organisations are implementing multi-factor authentication to make it harder for unauthorised people to guess passwords or log in with stolen credentials.
But while tightening up access makes sense to a point, customers and business partners demand ease of access and will take their business elsewhere if they feel like access is too complicated. Instead of getting more restrictive, organisations need to add more contextual intelligence to their access processes. Today’s single sign on (SSO) must be more than a simple yes/no decision. Access systems should capture and act on context for each transaction.
Context includes multiple factors, such as, which systems does this particular user need to access in order to complete their legitimate tasks? When does this user need access? Where is this user located? With a tightly defined context of the norm for each user, security systems can accurately spot and respond to deviations from the norm. If someone logs in from a new device or a different country, for example, systems should ask for additional authentication.
Such contextual intelligence could have protected Target. Why would an HVAC vendor need access to POS systems? Why would they be logging on in the middle of the night, when they typically do their maintenance during business hours? And why were they logging in from a remote location, when usually they logged in from one of their offices or a Target location? Any one of these contextual clues could have raised a red flag and potentially prevented the breach.
The increasing size and number of breaches prove that the era of traditional Identity and Access Management (IAM) is over. IAM was internally focused and designed to support thousands of employees on their corporate laptops. It just can’t interact securely with external users, potentially in the millions, logging in from multiple mobile devices, tablets, web browsers, and the Internet of Things at any time, from anywhere. In today’s digital world, the ability to manage a multitude of external users is becoming increasingly important.
That’s why the industry as a whole has begun to shift to Identity Management, which ties users to digital identities that an organisation can identify and interact with, so that they can deploy seamless and secure services to these customers across applications, devices, and things. Identity Management can support multiple devices per user, react to context, and scale up to accommodate millions of users at a time. It links devices—laptops, phones, touchpads, and even cars—and new mobile and social apps to a single security platform that enables identity synchronisation and SSO anytime, anywhere.
Identity Management offers organisations a dynamic, proven security system that handily outclasses anything that came before it. At the same time, because it provides much greater insight into who accesses which systems from which devices and when, its benefits go far beyond security. This new data helps companies to understand their customers, not just protect them. It opens up new revenue opportunities for cross-selling, upselling, and delivering personalised services to customers. Given the potent combination of iron-clad, adaptive security and a personalised customer experience, Identity Management is a technology every organisation should be evaluating now—preferably before the next big breach hits the headlines, and certainly before the next big breach hits them.
By Neil Chapman SVP & MD EMEA / International, ForgeRock