Changing Your Digital Footprint
Organisations globally are embracing digital transformation. Digital transformation is happening across the world, as businesses large and small are looking to embrace the change. While many companies shift to the Industry 4.0 mindset proactively to improve efficiency, productivity and get closer to the customers and control the supply chain, others try to keep up to remain competitive.
Digital transformation is changing the digital footprint of organizations in scales never seen before. It impacts every aspect of a business, and first of all – the existing processes and technologies. As an organization’s digital footprint increases, the cyber security risks, and attack vectors grow.
Secure communications and identities are at the heart of keeping your information secure in the age of digital transformation. Individuals are urged to constantly bring their privacy and security up to date with the modern threat landscape.
The digital transformation requires that organisations rethink and improve consumer and employee identity management, and protection of private information. Organizations need to ensure the access to such information of internal staff, and third-party contractors and business partners is restricted. The personally identifiable, private data must be controlled and protected irrespective of where it resides – in the cloud, on employees’ personal devices, or on premises.
The Current State
A recent survey the Current State of Identity and Access Management in Organizations looks at how businesses tackle digital transformation, the stemming cyber security risks, and the identity management.
The majority of organizations understand the urgency for a mature Identity and Access Management strategy. The reality is the existing strategies are far from mature both regarding managing customer and employee identity for the protection of sensitive data.
The digital transformation is changing the consumer business. On the one hand, companies need to open their infrastructures to the consumers and consumer-facing applications. On the other, the incoming EU GDPR will hold companies liable for data protection and privacy. So, a strong identity management infrastructure is a means for survival, not a luxury.
One of the effects of the digital transformation is that identities multiply exponentially, and it is time for the CISO’s and information chiefs to address that growth.
There is growing concern among Security Chiefs about the secure aspect of digital transformation. Banking, Insurance, Retail, Manufacturing, Telecoms, Public Sector and Transport services admit the digital transformation of businesses is only possible when the solutions come with security embedded in.
This view echoes a PwC report from last year – build trust into everything you do.
The CISO’s and Information Chiefs from major European industries name threat and breach mitigation as the primary goal of their digital transformation strategies. A priority that clouds the traditional goals such as improving customer experience, or efficiencies, and cutting costs.
IAM Security Challenges
- Mobile and BYOD
- The shift of corporate systems to the cloud
- Shadow IT
There are many roadblocks in setting up an IAM system. One of the main ones is gaining visibility of data and all the repositories of identities. In a typical organization, shadow IT, BYOD, cloud, consumer-facing infrastructure and SaaS are steadily joining the corporate infrastructure. The patchwork quilt of the IAM repositories is often hard to map. Yet, the visibility into these repositories is the key to securing them.
One more challenge is risk assignment to applications, systems, and users. The prioritization of users, and data, based on sensitivity and value is key to protecting the most critical assets first. Here, input from management is essential, so that the IT departments can assign multiple roles to an employee. So, the main roadblock here comes into play if the management is slow to provide that input.
46% of organizations believe the lack of training is one of the main issue facing their IAM strategies today. Meanwhile, a security firm Preempt study states that 35% of passwords in a recent LinkedIn breach were re-used multiple times for other accounts. 65% of passwords are susceptible to brute-force cracking.
In other words, tightening the grip on password management inside the organization certainly helps, but it won’t solve the complex problem of IAM in the digital era.
Security Best Practices
- As project-specific as IAM setup is, there are general guidelines that can set you on the path to a successful IAM strategy.
- Map the repositories of identities.
- Identify the top-priority data that requires protection.
- Plan for the short- and long-term goals (i.e. short-term – GDPR compliance, long-term – increase of productivity/efficiency/market share, decrease in the time and cost of breach detection/mitigation).
- List the solutions you can develop internally and the ones requiring a SaaS vendor.
Choose cloud provider with strong security (consider advantages of zero-knowledge providers).
- Deploy end-to-end (at rest and in transit), military grade encryption for all communications including chats, messages, voice and video calls and messages, emails, customer service chats.
- Implement advanced authentication (two-factor, RFID SSO, biometric) or notification of suspicious logins; integrate access control devices into the workflow (card readers, biometric scanners, RFID tags).
- Restrict user/role-based data and network access – designate user roles clearly; define each user’s/group’s access restrictions and privileges.
- Use server and client-side encryption.
- Scan, log network activity.
- Secure management of keys.
- Enforce password expiration policy, strong passwords, and easy-to-use yet secure passwords management system.
- Ensure all solutions you implement are compatible among them, and with the operating systems (corporate and BYOD) across the organization: OS – third-party and SaaS applications – web servers – IAM tools.
- Choose providers and solutions that offer the required level of customization and scalability for seamless integration into the existing ecosystem.
- Before the acquisition, assess any prospective solution from the regulatory compliance perspective (GDPR, PSD II, whichever applies to your organization).
Cybersecurity, Secure Communications, and IAM, as well as Compliance, are constantly evolving. Security goals are changing all the time. Numerous surveys prove that more than half of UK companies are not prepared for the GDPR, which means that we will hear bitter news about the first fines as soon as 2018.
Best practices naturally help you set a sound basis for your cyber security strategy however, you have to keep up-to-date with the ever-changing threat and regulatory landscape to act proactively and preemptively instead of reactionary.
The latter costs a lot more than the former.
Please also join our Telegram group and visit our Facebook page and Twitter page for more inspiration.