First, What Exactly is Identity Security?
Most would define identity security as the practice of ensuring that only the right people access company resources; it also includes verifying that users are who they claim to be when they authenticate to a resource. Effective identity security usually involves having an identity and access management (IAM) solution in place that lets IT admins centrally manage user identities and their access to IT resources. With an IAM solution, IT admins can enforce password complexity requirements and MFA and securely provision and de-provision access throughout the network: components that are vital to any solid identity security strategy, whether your resources live in the cloud or on-prem.
Identity Security in the Past
Historically, identity security has sat in the background of most security strategies, while the focus has been on fortifying the network perimeter. This worked acceptably in the past because resources existed only within the corporate network, behind firewalls, on-prem. That made it possible to keep them insulated from the 'world' (read: the internet) behind a heavily fortified perimeter. To access anything, employees had to be physically inside the office on its network, or reach it over a VPN. Additionally, employees needed only a limited set of IT resources to do their jobs, so there were very few touchpoints to keep track of.
Identity security also remained a silent partner for some time because it seemed to take care of itself. This was, in large part, due to the dominance Microsoft® held over the IT landscape. From Windows® systems and Microsoft Office® to Active Directory® and Windows Server®, it was difficult to get through a workday without using a Microsoft tool. Buying into this setup did give organizations secure, centralized user and resource management: when someone on the internal network accessed an IT resource, IT relied on Active Directory to ensure only the right people obtained access to valuable company data.
This on-prem, Microsoft-centric environment led IT organizations to believe they could trust the internal network traffic in their environment, which is why they focused their efforts on protecting the network perimeter. The approach was commonly described as 'hard on the outside, soft on the inside'. Kind of like M&Ms®, but with digital assets at the center instead of chocolate.
However, the IT landscape has undergone a substantial transformation over the last two decades as technologies have 'lifted and shifted' to the cloud as subscription services. The traditional on-prem approach to identity management has shown its strain under that shift and is no longer a viable, or safe, foundation on its own.
The Impact of Modern Technology on Security
First, many IT resources have moved to the cloud, and now most environments are utilizing web-based applications, cloud servers, cloud file storage solutions, and more. Second, the number of providers and platforms that organizations depend on has increased dramatically with the shift to the cloud. In turn, this has multiplied the number of touchpoints that IT and information security teams have to keep track of.
Fortunately, security models have adapted in response to this explosion of diversity. A network security model laid out by Forrester analyst John Kindervag around 2010 [8], called Zero Trust Architecture or Zero Trust Security, has been widely adopted since and redefines the relationship between IT organizations, users, and their data, blueprinting how system resources and digital assets can be secured from the inside out. The idea is relatively simple: no network traffic and no user is trusted by default, regardless of whether a request originates inside or outside the corporate network, so every access must be authenticated and authorized. Implemented correctly, this limits how far an intrusion can spread before it is spotted and contained.
Zero Trust Security is predicated on three core concepts for redesigning security throughout a network [8]. Networks must be:
- Easily managed and segmented for security and compliance
- Effectively domain-less (the concept of a single centralized network won't exist)
- Centrally managed from a single console
The last concept, central management for all networking elements, was further described as the 'key to creating the network of the future.' [8] However, organizations have found it difficult to create a centralized management system for all of their networking elements, and in the process they have lost control over identity security as well. So, why is this a challenge?
Identity Security, Decentralized
The most ubiquitous directory service, Active Directory, was built to support on-prem, Microsoft-based IT resources, so IT admins have had to resort to a patchwork of independent vendors for the secure management of, and 'binding' to, Active Directory. These have included utilities to manage privileged user access to non-Microsoft servers, SAML and other identity federation technologies to secure web-based applications, specialized MDM solutions to control non-Windows systems, and more.
Sadly, these options have only ended up creating cumbersome workflows, introducing complex vendor relationships, and ultimately increasing costs. Given this, it's understandable why a good number of organizations have been slow to pour more resources into identity security solutions like identity and access management.
Yet remaining complacent about identity security only increases your chances of being breached, and here's why: 'The average company currently uses 1,083 cloud services in total.' If that's not alarming, consider that only 108 of these are known to IT, meaning 975 unknown services on average per company [9].
In other words:
- 10% Environment Under IT’s Control
- 90% Environment Outside IT’s Control
Further, the subscription-based, credit-card model most applications use has made it too easy for entire departments to bypass IT altogether and get the applications they want for their jobs. The result is a proliferation of shadow IT, where confidential streams of data exist outside the walls of the IT organization's governance and therefore outside of IT admins' control. In today's world, this is a nightmare for two reasons. One, company data is being accessed on upwards of 975 services that have little protection and oversight. Two, what little protection they do have is under the control of end users. What's wrong with this?
The Human Factor
Human Factor 1: The Desire for Convenience
As a reminder from the introduction, 61% of users reuse passwords despite 91% knowing the security risks [4]; the top two passwords of 2018 were 123456 and Password [5].
Why do users have such a hard time with passwords? A study from Old Dominion University discovered a couple of things that may explain why users struggle with this component of their credentials. The study found that,
"Users choose strong passwords only if they are willing to sacrifice convenience; it is not sufficient for them to simply understand it is important." [10]
The study was also able to determine that users are willing to sacrifice convenience for accounts, that if breached, would result in deep personal loss (e.g., bank accounts). For accounts like email, on the other hand, the study indicates that users have no interest in giving up convenience for security because when it comes down to it:
"Users are not concerned about security issues unless they feel they will be affected if the account is misused." [10]
Ultimately, users engage in poor password habits because they think they won't be impacted by the consequences.
Human Factor 2: The Effect of Information Cascade
Another human factor that weakens security is a psychological phenomenon known as information cascade [11]. An information cascade occurs when a person observes the decisions of others and makes the same decision, even when it conflicts with what they privately know or believe. According to a study from the University of Basel in Switzerland, people are especially prone to copying the decisions of their supervisors.
The study found that:
82% of participants agreed with the decision of their supervisor despite privately having a different opinion. [12]
This means that if a tenured employee stores their password on a sticky note attached to their monitor, other employees, especially newer ones, will notice and do the same.
Human Factor 3: The Power of Curiosity
Lastly, users are still prone to falling for phishing scams, and attackers are not going to let up on this type of attack any time soon. The 2018 Verizon Data Breach Investigations Report found that phishing was among the top three attack types that resulted in a security incident or breach [1]. One reason users continue to fall for phishing attacks despite security training is curiosity. A study conducted at Friedrich-Alexander University in Germany found the following among its participants:
- 45% fell for a phishing email, even though
- 78% reported being aware of the risks of clicking on unknown links.
When asked why they clicked on the link, the large majority of participants said it was out of curiosity [13].
Sophisticated attacks are another reason users continue to fall for phishing scams. Verizon's 2017 Data Breach Digest [14] presents an instructive example of one organization's experience with a phishing attack that ultimately led to fraudulent wire transfers:
"An accountant within the organization received an email from 'a customer claiming to have paid a late invoice. The email instructed the accountant to click a link and provide their email domain credentials to authenticate and review the payment receipt.'"
Once the attacker had these credentials, they used them to "log into [the accountant's] email account and study [the organization's] wire transfer approval process by searching through emails. The threat actor even used previously sent invoices and tax forms to create fake versions that were used to ... fabricate an approval email chain that they sent to [the] Wire Transfers Department." Sadly, in this case the attackers got what they came for, and at the time the Data Breach Digest was released, the organization was still working with law enforcement to recover the stolen funds.
So while a user's curiosity is certainly a weakness, it's important to realize that attackers also employ cunning tactics that make it increasingly difficult to tell a phishing email from a real one. Note also that in the case above the harvested password alone was enough to reach the mailbox; that is precisely the gap that MFA on email accounts is meant to close.
Even with threat actors' cleverness at play, these three factors illustrate who ends up guarding your company data when identity security isn't taken seriously: users who care more about convenience than the security of your company's data, who are too easily influenced by the behavior occurring around them, and who are up against clever attackers who exploit their curiosity. It's no wonder that users and their credentials were the largest attack vector in 2017: they are easy pickings for attackers who understand how to leverage human psychology for their own gain.
Steps for Accelerating Identity Security
Now that there is an understanding of why it's time to take identity security seriously, it's time to turn to a few steps your organization can take to accelerate its identity security strategy. Since the human element is at the center of whether identity security succeeds, the measures discussed below help counter users' curiosity and strong desire for convenience. After all, 'In the big data era, insiders are exposed to increasing amounts of sensitive data, posing huge security challenges to organizations.' [15] Hence, the focus is on steps that strengthen the weakest link, whoever that may be.
Combating Curiosity
One way IT organizations can proactively address the risk associated with user curiosity is by providing information security awareness training. When conducted in depth, security awareness training has been shown to teach users effectively how to identify phishing techniques and improve their password and browsing habits. A 2010 study found that almost all of the participants in the study's security awareness training completed it with the 'correct idea about phishing and the dangers it poses both to the individual and to an organization.' [16]
Additionally, the delivery method for security training was found to significantly affect users' understanding. A 2014 study on user preference for security training suggested that the best approach is to combine training methods to teach users about a specific cyber security topic. The study focused on teaching users how to identify phishing attacks: it used a game-based method to teach users what to look for in URLs, combined with text- and video-based methods to cement the knowledge. Users gained a more complete understanding from this multimodal approach, and almost all participants walked away with a correct idea about phishing [17]. Once users can recognize the tells of a phishing lure, much of its pull on their curiosity is gone.
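The URL tells that such training teaches (a brand name parked under an unrelated domain, credentials in front of the real host, a raw IP address, punycode or leet-speak lookalikes, lure words, suspicious TLDs) are mechanical enough to check in code. The following is an added example, not code from the original paper or from any vendor; the organization's trusted domain (example.com), the word and TLD lists, and the sample URLs are all constructed for illustration:

```python
"""Heuristic checks for the URL tells phishing training teaches users to spot.

Added example, not code from the original paper or any vendor. The trusted
domain, the word/TLD lists and the sample URLs are constructed assumptions.
"""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com"}                      # assumption: the org's real domain
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED_DOMAINS}
SUSPICIOUS_TLDS = {"zip", "mov", "top", "xyz", "ru"}   # illustrative, not a real ranking
LURE_WORDS = ("login", "verify", "account", "secure", "update", "invoice")
LEET = str.maketrans("01345", "oleas")                 # digits commonly swapped for letters


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Real code should consult a public-suffix list."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_host(host):
    """Decode punycode, strip accents and undo leet digits so that an IDN or
    'examp1e-com' lookalike can be compared against the real brand."""
    try:
        host = host.encode("ascii").decode("idna")     # xn--... labels -> Unicode
    except UnicodeError:
        pass                                           # already Unicode, or not punycode
    decomposed = unicodedata.normalize("NFKD", host)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(LEET).replace("-", "")


def analyze_url(url):
    """Return a list of reasons the URL looks like a phishing lure ([] = nothing flagged)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # http://example.com@evil.test/ shows the brand first; the real host follows '@'
        reasons.append("user@ section hides the real host")

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
        return reasons                                 # domain checks below do not apply
    except ValueError:
        pass

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return reasons                                 # genuinely on our own domain

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    folded_reg = registrable_domain(fold_host(host))
    if folded_reg in TRUSTED_DOMAINS:
        reasons.append(f"lookalike of trusted domain ({folded_reg})")
    elif any(d in host for d in TRUSTED_DOMAINS):
        reasons.append(f"trusted domain name used as a subdomain of {reg}")
    elif any(tok in folded_reg for tok in BRAND_TOKENS):
        reasons.append(f"brand name embedded in unrelated domain {reg}")
    tld = reg.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious top-level domain .{tld}")
    if any(w in host for w in LURE_WORDS):
        reasons.append("lure word in hostname")
    if host.count(".") >= 3:
        reasons.append("deeply nested subdomains")
    return reasons


# Constructed sample URLs (not taken from any real campaign).
SAMPLE_URLS = [
    "https://mail.example.com/inbox",
    "http://example.com@198.51.100.7/login",
    "https://mail.example.com.login-verify.ru/",
    "examp1e-com-secure.top/account",
    "https://" + "exámple.com".encode("idna").decode("ascii") + "/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n   -> {analyze_url(u) or 'no flags'}")
```

The legitimate first URL produces no flags; each of the others trips several rules at once, which is the point of teaching users to look at the whole hostname rather than at the brand name that happens to appear in it. The eTLD+1 helper is deliberately naive (it treats `co.uk`-style suffixes as a domain), so a production version would swap in a public-suffix list.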
In addition to making sure employees understand email security, here are a few other recommended talking points for your quarterly security training:
- IDENTITIES: Enable MFA everywhere possible, and use long, unique passwords that can't be guessed
- SYSTEMS: Don't insert flash drives of questionable origin, and lock systems when leaving them unattended
- BROWSERS: Use a reputable, up-to-date browser such as Chrome, Safari, or Firefox; only add plugins that have a true business need; use an ad blocker; and never click through invalid TLS (SSL) certificate warnings
- PHONES: Set a PIN that wipes the phone after a certain number of incorrect attempts, and enable remote wipe
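Two of the password points above, guessable passwords and the reuse quantified in the Human Factor section, can be enforced rather than merely taught. The following is an added example, not code from the original paper or from any vendor's product: it checks a proposed password for length and character-class complexity, rejects the two known-bad passwords named earlier (plus a few other constructed deny-list entries), and detects reuse and trivial rotation variants against a history of salted PBKDF2 hashes. The history format, round count, thresholds and sample passwords are assumptions.

```python
"""Password policy checks: complexity, a deny-list of known-bad passwords, and
reuse detection against a history of salted hashes.

Added example, not code from the original paper or from any vendor's product.
The deny-list entries, the history format and the sample passwords are
constructed for illustration.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12
MIN_CLASSES = 3                 # of lower, upper, digit, symbol
PBKDF2_ROUNDS = 100_000
# The two passwords named in the text plus a few perennial favourites (assumption:
# a real deployment would load a large breached-password list instead).
DENY_LIST = {"123456", "password", "qwerty", "letmein", "welcome"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def stem(password):
    """Lower-case the password and drop trailing digits/symbols, so the yearly
    'Springtime2018!' -> 'Springtime2019!' rotation collapses to one stem."""
    return re.sub(r"[\W\d_]+$", "", password.lower())


def derive(secret, salt):
    """Slow salted hash; only hashes, never plaintext, are kept in the history."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record(password, history=()):
    """Return history extended with (salt, hash(password), hash(stem)) for this password."""
    salt = os.urandom(16)
    return list(history) + [(salt, derive(password, salt), derive(stem(password), salt))]


def complexity_errors(password):
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        errors.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in DENY_LIST or stem(password) in DENY_LIST:
        errors.append("on the deny-list of known-bad passwords")
    return errors


def reuse_errors(password, history):
    """Compare against every historical entry under that entry's own salt."""
    new_stem = stem(password)
    for salt, pw_hash, stem_hash in history:
        if hmac.compare_digest(derive(password, salt), pw_hash):
            return ["identical to a previous password"]
        if new_stem and hmac.compare_digest(derive(new_stem, salt), stem_hash):
            return ["trivial variant of a previous password (same stem)"]
    return []


def check_new_password(password, history):
    """All policy violations for a proposed password; an empty list means accept."""
    return complexity_errors(password) + reuse_errors(password, history)


if __name__ == "__main__":
    history = record("Springtime2018!")            # constructed sample history
    for candidate in ("Password", "123456", "Springtime2019!", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
```

Storing a hash of the normalized stem next to the hash of the full password is what makes the "Springtime2018!" to "Springtime2019!" rotation detectable without ever keeping plaintext; because the stem is weaker than the full password, it gets the same slow, per-entry salted hash. The deny-list check runs on the stem too, so "Password1!" is caught along with "Password".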
While security training is a fantastic starting point to mitigate human curiosity, technology can be a powerful layer to add to your security strategy; one that often works well at preventing users from making choices based on convenience.
Fighting Convenience with Convenience
To combat the human factor of convenience, implementing single sign-on (SSO) technology has been recommended [10]. Giving users one credential for many resources largely removes the temptation to reuse passwords for convenience, so many poor password habits simply disappear. The trade-off a practitioner should keep in mind is that one credential now opens many doors, which is why SSO belongs alongside MFA rather than in place of it.
However, not all SSO solutions are created equal. In fact, the term 'SSO' has become synonymous with web-based authentication using AD credentials, because most SSO providers emerged as a means to connect Active Directory to the flood of web-based applications that appeared in the early 2000s. But, as mentioned a few sections ago, web-based applications were only part of the changes in the IT landscape. Modern IT environments also use cloud infrastructure hosted in AWS® or Google Cloud Platform™, wireless networks, Mac® and Linux® systems, and file storage ranging from on-prem Samba-based file servers to cloud solutions such as Box™ and Google Drive™. Active Directory still does not natively support many of these modern IT resources. Therefore, implementing only a web app SSO provider isn't enough for effective identity security, because cloud infrastructure, Mac and Linux systems, and file storage will each require additional third-party add-ons or remain outside of IT's control. In other words, your IT environment will remain largely decentralized and will rely on the 'patchwork' of vendors to ensure you're covered.
Clearly, an effective identity security strategy doesn't benefit from an approach that bolts a string of third-party solutions onto AD. Instead, it needs a new kind of directory service altogether: one that joins the move to the cloud, embraces resources of all protocols, providers, and platforms, and securely connects users to their resources regardless of location. Such a solution would make it possible to centrally manage user authentication to all IT resources, giving IT full control and broad visibility over its environment.
Fortunately, there is one solution on the market that provides a more comprehensive approach to SSO. From JumpCloud®, the concept of True Single Sign-On™ is delivered via the Directory-as-a-Service® platform. By implementing a True SSO solution for the enterprise as a whole, users no longer have to remember multiple passwords.
Securing Identities with True Single Sign-On™
Leveraging True SSO with JumpCloud enables organizations to give their end users a single set of credentials for virtually all of their IT resources, including systems, servers, applications, file storage, and networks. End users have to remember one strong password instead of hundreds, which gives them a more convenient workflow. Additionally, this comprehensive approach to SSO gives IT admins centralized control over user authentication and authorization. When used with JumpCloud's identity security features such as MFA, Password Complexity Management, and SSH Key Authentication, IT can subtly guide users into making good identity security choices. For example, IT admins can ensure users are choosing strong passwords and rotating them on a regular basis. On top of that, IT can enable MFA across Mac and Linux systems as well as the JumpCloud admin and user console, which increases security around users accessing applications, tightens administrative access control, and bolsters Mac and Linux device security. Lastly, SSH authentication no longer has to be a hassle: users can manage their public SSH keys without any intervention from IT, improving both efficiency and security.
While you can't stop attackers from using phishing techniques to obtain your users' credentials, you can start taking action now to ensure their efforts to steal digital assets are in vain. Dumping the majority of your security budget into fortifying the perimeter with anti-malware, firewalls, IDS, and 'anomaly threat' detection solutions has been shown to be a dated strategy, and attackers are well aware that the weakest link lies within. As Zohar Steinberg, CEO of the security-driven payment company Token, once said:
"Any piece of your personal information, when in malicious hands, can be considered serious. Often times, once hackers get a hold of certain pieces of personal information, they can use various techniques to get more, so even something such as an email can seem harmless, but can eventually lead to other information being stolen from that first step." [18]
Take it from the execs who have experienced a data breach and upgraded their identity security game: revamping your identity security approach is fundamental to avoiding data breaches and defending the long-term success of your enterprise.
Sources
- [1] 2018 Verizon Data Breach Investigations Report. Report. 2018. Accessed July 31, 2018.
- [2] "Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017." Gartner Inc. December 7, 2017. Accessed July 31, 2018.
- [3] Forbes Technology Council Editors. "CEO Disconnect On Cybersecurity Increases Risk Of Breaches." Forbes. March 21, 2018. Accessed July 31, 2018.
- [4] "The Password Exposé." LastPass. November 1, 2017. Accessed July 31, 2018.
- [5] "The Most Popular Passwords of 2018 Revealed: Are Yours on the List?" WeLiveSecurity. December 17, 2018. Accessed December 17, 2018.
- [6] "2018 Annual Data Breach Year-End Review." Identity Theft Resource Center (ITRC). February 2019. Accessed February 2019.
- [7] Mathews, Lee. "File With 1.4 Billion Hacked And Leaked Passwords Found On The Dark Web." Forbes. December 12, 2017. Accessed August 6, 2018.
- [8] Kindervag, John. Build Security Into Your Network's DNA: The Zero Trust Network Architecture. Forrester Research report. November 5, 2010. Accessed July 31, 2018.
- [9] "What Is Shadow IT? How Do I Control It?" Skyhigh. Accessed July 31, 2018.
- [10] Tam, L., M. Glassman, and M. Vandenwauver. "The Psychology of Password Management: A Tradeoff Between Security and Convenience." Behaviour & Information Technology 29, no. 3 (2010): 233-244. Academic Search Premier, EBSCOhost. Accessed July 31, 2018.
- [11] Alashe, Oz. "The Psychology Of Cyber Security: How Hackers Exploit Human Bias." HuffPost UK. November 27, 2017. Accessed July 31, 2018.
- [12] Schöbel, Markus, Jörg Rieskamp, and Rafael Huber. "Social Influences in Sequential Decision Making." PLoS ONE 11, no. 1 (2016): 1-23. Academic Search Premier, EBSCOhost. Accessed July 31, 2018.
- [13] "One in Two Users Click on Links from Unknown Senders." Friedrich-Alexander-Universität Erlangen-Nürnberg. August 25, 2016. Accessed July 31, 2018.
- [14] "Down to the Wire." Verizon Data Breach Digest, February 2017. Accessed August 7, 2018.
- [15] Cheng, Long, Fang Liu, and Danfeng Daphne Yao. "Enterprise Data Breach: Causes, Challenges, Prevention, and Future Directions." Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery 7, no. 5 (2017). Accessed July 31, 2018. doi:10.1002/widm.1211.
- [16] "The Positive Outcomes of Information Security Awareness Training in Companies: A Case Study." ScienceDirect. June 9, 2010. Accessed July 31, 2018.
- [17] Abawajy, Jemal. "User Preference of Cyber Security Awareness Delivery Methods." Behaviour & Information Technology 33, no. 3 (2014): 236-247. Academic Search Premier, EBSCOhost. Accessed July 31, 2018.
- [18] Paul, Kari. "Everything You Wanted to Know About Data Breaches, Privacy Violations and Hacks." Last modified April 3, 2018.