Guest blog by Robert Block, VP of Strategic Solutions in Identity and Access Management for Optiv
No matter where you look or what you read, the analysis on compromised credentials is alarming and overwhelming:
Sixty-three percent of companies experienced a breach due to stolen passwords.
Fifty-five percent of internally focused data breaches were a result of abuse of granted access.
Sixty percent of companies can't detect compromised credentials.
It takes an average of 98 days for a financial services company to detect an intrusion on its network.
It takes an average of 197 days for retail organizations to detect an intrusion on the network.
An average of 29 incidents or events can be investigated on a daily basis, while the average organization logs an average of 75 events per day, making it impossible to keep up.
- Source: 2016 Verizon Data Breach Report
These numbers are not surprising, as the access management industry has struggled since inception. In the industry's first evolution, a username and password were assigned to every individual for every application they used, forcing users to create and remember too many passwords, which led to a terrible user experience and significant security risk. To solve this predicament, the industry developed strategies to improve the end user experience through reduced sign-on and single sign-on (SSO), creating a single authentication event. This did improve security, but it still caused security teams to squirm because of the single "key to the kingdom."
This discomfort resulted in the next evolution, access control: two-factor authentication and its variants, step-up authentication and multi-factor authentication. We now have the same vendors that developed those technologies offering organizations SSO to enhance the end user experience and two-factor authentication to increase security. However, the current one-size-fits-all approach for every application leaves organizations to figure out when and where to implement what, and how much. This all-or-nothing approach, combined with the ever-evolving application and infrastructure landscape (on-prem, cloud, hybrid, SaaS, PaaS), is causing organizations to throw up their hands in confusion, delaying deployments and creating a perfect storm for external and internal threats and breaches.
We believe it's time for an access management revolution. It's time to understand the fundamental decision criteria in determining what to do and how to do it. Then it's time for us to have the conviction to say, we need to lean forward, shift when required and stop expecting to be a victim of our own self-inflicted IT chaos.
Here are some best practices related to access management that organizations should consider implementing to reduce the risk of a breach:
Recognize that one solution no longer fits all, and outline your business objectives (and risk tolerance) for each major user class, including internal user to business, business to business, business to external affiliate and business to consumer.
Create an approach that will span your major platform investments (mainframe, client server, on-prem, hosted, cloud-based).
Baseline behavior and understand "stable" data flows. Security at the perimeter, and even the most complex security at the front door, is not enough; detecting anomalies is key to identifying "threat" behavior.
Go beyond user identification and leverage the context of identity attributes and behavior patterns for real-time authentication decisions, such as requiring two-factor authentication or denying the transaction.
With respect to the first two best practices above, organizations need to get comfortable owning and understanding that they will likely make investments in one to three market-leading solutions to support a given user class or platform type.
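One way to make the third and fourth practices concrete, as an added example that is not from the original post or from Optiv or Ping Identity: a small Python risk engine that baselines a user's past sign-ins and, for each new transaction, returns allow, step-up to two-factor, or deny. The attribute weights, thresholds and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    device_id: str
    country: str
    hour: int          # 0-23, user's local time
    sensitive: bool    # high-value transaction (e.g. payment) vs. ordinary read

def build_baseline(history):
    """Derive the user's 'stable' pattern from past sign-ins."""
    hours = sorted(e.hour for e in history)
    return {"devices": {e.device_id for e in history},
            "countries": {e.country for e in history},
            "hours": (hours[0], hours[-1] + 1)}   # observed active window

def risk_score(baseline, ev):
    """Add weight for each attribute that deviates from the baseline (assumed weights)."""
    score = 0
    if ev.device_id not in baseline["devices"]:
        score += 2
    if ev.country not in baseline["countries"]:
        score += 3
    lo, hi = baseline["hours"]
    if not lo <= ev.hour < hi:
        score += 1
    if ev.sensitive:
        score += 1
    return score

def decide(baseline, ev):
    """Map the score to allow / step-up (2FA) / deny for this single transaction."""
    s = risk_score(baseline, ev)
    if s >= 5:
        return "DENY_TRANSACTION"
    return "STEP_UP_2FA" if s >= 2 else "ALLOW"

def evaluate(baseline, events):
    return [decide(baseline, e) for e in events]

# Constructed history: the user signs in from two laptops in the US, 09:00-18:00.
HISTORY = [SignIn("laptop-1", "US", 9, False),
           SignIn("laptop-1", "US", 13, False),
           SignIn("laptop-2", "US", 17, True)]
BASELINE = build_baseline(HISTORY)
# Constructed new events to judge against that baseline.
NEW_EVENTS = [SignIn("laptop-1", "US", 10, False),  # ALLOW
              SignIn("laptop-1", "US", 22, True),   # STEP_UP_2FA
              SignIn("phone-9", "DE", 3, True)]     # DENY_TRANSACTION
```

The same user gets three different outcomes on the same day depending on device, location, time and transaction value, which is the per-transaction decision the post argues for instead of a single policy for every application.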
With all of this, it's clear the entire cyber security framework needs to change. Organizations must evolve from their current "serving its purpose investment" to an integrated set of identity-enriched security investments. These investments will fuel a real-time transaction model whereby threats can be identified, isolated and remediated in minutes or hours, not days or weeks. Only then will we see the trend of "when will I be breached next" change.
Ping Identity and Optiv are founding members of the Identity Defined Security Alliance. For more information on the IDSA and how it can help your enterprise, please visit our IDSA page.