When I was young, I went on a trip through the Carpathian Mountains with my family. Seeing the immense tunnels, dams and other feats of infrastructure made me realize that humans are capable of building extraordinary things. I also vividly remember my aunt’s words that day: What we are able to build in days, months or years, we have the ability to destroy in seconds, minutes or hours.
That truth still applies, especially in the digital age. What your company builds (e.g., a database, digital service, product, application, etc.) over a couple of years, a hacker can bring down in minutes, leaving your business helpless. And in our “new normal,” where the global pandemic has overhauled how business is done and how security is enforced, potential vulnerabilities are being exposed as enterprises scramble to implement work from home (WFH) quickly and on a mass scale.
The traditional enterprise security model must change. Zero Trust, backed by technologies such as multi-factor authentication (MFA) and single sign-on (SSO), modernizes security by eliminating the notion of trusted networks and replacing it with confidence derived from verifying each user, device and request against its risk profile, leading to better access decisions.
The Threat: Data Breaches
Nearly every one of the biggest data breaches of the decade involved some form of stolen credentials or identity data. Poor credential security can result in a bad actor gaining access to customers’ personally identifiable information (PII), leading to compromised identities and stolen data. And it goes beyond protecting just your customers and your resources. The reputational damage is difficult to recover from, and in some cases, it can even mean closing the door on your business for good.
Ironic isn’t it? You’re the victim of a crime and you also get punished by the market. You could say you’re a “double victim.”
When trying to compromise a target, hackers often look for unguarded entry points. Anything from an open port to an unauthenticated API can provide a bad actor with an opening. Sure, defenses like network intrusion detection systems (NIDS) can help, but they are good only if configured correctly. And procuring the necessary NIDS rules from third-party cybersecurity services firms can be prohibitively expensive.
Also, today’s regulations—GDPR, CCPA and the Sarbanes-Oxley Act, to name a few—mean that there is very little room for error. Under GDPR alone, fines can reach a staggering 4% of a company’s annual global turnover!
The Traditional Model Must Change in 2020
Given today’s major shift to a work-from-home (WFH) model, the enterprise typically no longer owns the network used for work. Employees now reach the company network through their personal routers or hot spots. In some cases, their ISP might even try to sniff some packets for commercial reasons. All of these factors must be accounted for, or you risk leaving your organization exposed to attack.
Even enterprises within the traditional network model have limited effectiveness in controlling access to data. Let’s examine this with the analogy of a tunnel, where the tunnel itself consists of common security tools like VPNs, firewalls and intrusion detection systems, and users are authenticated cars passing through. The tunnel is secure in that it keeps outside, unknown elements from entering, but a bad actor can still hijack a car before it enters and sneak in posing as the original, known car. The hijacked car might display some abnormal behavior (faster driving, won’t stay in its lane, etc.), but it won’t matter, because the tunnel is not designed to detect it.
Just because the cars are inside the tunnel does not mean they should be trusted by default. It's important to add multiple levels of verification that will allow for granular access management based on identity and facts, not trust. That’s where the concept of Zero Trust emerges.
Zero Trust: No Time Better Than Now
“The safest place for a PC is 6 feet under with no connection to the outside world.”
This is a common saying in the security world, as any time you connect devices or access the internet you are introducing risk in some form or fashion. The image below showcases the traditional method for employees performing their tasks when working from home:
But there are a number of weaknesses in this model:
Home internet connections do not have the same level of security as corporate networks.
Home networks are typically shared and may get compromised by another member of the household, who may download malicious code without knowing it.
The enterprise has little control over the health and security of various hardware and software components, such as the router, operating system, device, etc., being used to access the corporate network.
In fact, bad actors increasingly target VPNs because many organizations assume (incorrectly) that once traffic is inside, it is safe. And this plays into a hacker’s hands, as the more silent an attack, the more damage it can do. It’s like a thief avoiding home alarms in their quest for the household jewels.
Coming back to my tunnel analogy, imagine Zero Trust as a gate at the tunnel that asks each driver to prove who they are and ensure they are going the right way. Zero Trust will also enable you to mount cameras inside the tunnel to alert you if a driver exhibits abnormal driving behavior. All of these mechanisms will ensure that only the correct cars get in the tunnel and arrive at the end destination. Intelligent identity, which utilizes controls such as multi-factor authentication and single sign-on, is a critical step toward Zero Trust and offers the kinds of adaptive controls that are needed in modern enterprise security.
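To make the gate-and-cameras picture concrete, here is an added example (not code from this post or from Ping Identity) of a per-request policy engine: every request is checked for a verified session and device posture (the gate), then judged against the user’s own recent history for impossible travel and resource-enumeration bursts (the cameras), and sensitive resources demand a fresh second factor (adaptive MFA). The request fields, the thresholds and the sample traffic in `run_demo()` are all constructed assumptions for illustration, not a vendor’s schema or recommended production values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One attempt by a session to reach a resource.
    Field names are assumptions for this example, not a vendor schema."""
    user: str
    resource: str
    sensitivity: str                # "low" or "high"
    session_valid: bool             # SSO session verified by the gate
    mfa_age_minutes: Optional[int]  # minutes since last MFA prompt; None = never
    device_managed: bool            # device posture signals (assumed)
    os_patched: bool
    country: str                    # geolocation of the request's source IP
    at: datetime


# Thresholds are illustrative assumptions, not recommended production values.
MFA_MAX_AGE_HIGH = 15               # minutes: high-sensitivity needs fresh MFA
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window = impossible travel
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 20                    # distinct resources per BURST_WINDOW before step-up


class ZeroTrustPolicy:
    """The gate (identity and device checks on every request) plus the cameras
    inside the tunnel (behaviour checks against the user's own history).
    Every request is evaluated; being 'inside' grants nothing by itself."""

    def __init__(self) -> None:
        self._history: Dict[str, List[AccessRequest]] = {}

    def decide(self, req: AccessRequest) -> Tuple[str, str]:
        # Gate: no verified identity, no entry, whatever network the request came from.
        if not req.session_valid:
            return "deny", "no valid session"
        prior = self._history.setdefault(req.user, [])
        decision = self._evaluate(req, prior)
        prior.append(req)  # record it so later requests are judged against it
        return decision

    def _evaluate(self, req: AccessRequest, prior: List[AccessRequest]) -> Tuple[str, str]:
        # Device posture: unmanaged or unpatched devices never reach high-sensitivity data.
        if req.sensitivity == "high" and not (req.device_managed and req.os_patched):
            return "deny", "device posture insufficient for high-sensitivity resource"

        # Camera 1: impossible travel. A hijacked session often shows up as a
        # second country far sooner than a person could physically get there.
        if prior:
            last = prior[-1]
            if last.country != req.country and req.at - last.at < TRAVEL_WINDOW:
                return "deny", f"impossible travel {last.country}->{req.country}"

        # Camera 2: a burst of distinct resources looks like enumeration, not work.
        recent = {r.resource for r in prior if req.at - r.at <= BURST_WINDOW}
        recent.add(req.resource)
        if len(recent) > BURST_LIMIT:
            return "step_up", f"{len(recent)} distinct resources within {BURST_WINDOW}"

        # Adaptive MFA: sensitive resources require a recent second factor.
        if req.sensitivity == "high" and (
            req.mfa_age_minutes is None or req.mfa_age_minutes > MFA_MAX_AGE_HIGH
        ):
            return "step_up", "MFA too old for high-sensitivity resource"

        return "allow", "identity, device and behaviour checks passed"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed sample traffic for one user; returns (decision, reason) per request."""
    t0 = datetime(2020, 6, 1, 9, 0)
    policy = ZeroTrustPolicy()
    base = dict(user="alice", session_valid=True, mfa_age_minutes=5,
                device_managed=True, os_patched=True, country="US")
    requests = [
        # Normal work from a healthy, recently MFA'd session: allow, allow.
        AccessRequest(resource="wiki", sensitivity="low", at=t0, **base),
        AccessRequest(resource="payroll", sensitivity="high", at=t0 + timedelta(minutes=1), **base),
        # Same session half an hour later with a stale second factor: step_up.
        AccessRequest(resource="payroll", sensitivity="high", at=t0 + timedelta(minutes=30),
                      **{**base, "mfa_age_minutes": 35}),
        # Unpatched device asking for sensitive data: deny.
        AccessRequest(resource="payroll", sensitivity="high", at=t0 + timedelta(minutes=40),
                      **{**base, "os_patched": False}),
        # Same user from another country five minutes later (hijacked session): deny.
        AccessRequest(resource="wiki", sensitivity="low", at=t0 + timedelta(minutes=45),
                      **{**base, "country": "RU"}),
        # No valid session at all: stopped at the gate.
        AccessRequest(resource="wiki", sensitivity="low", at=t0 + timedelta(minutes=50),
                      **{**base, "session_valid": False}),
    ]
    return [policy.decide(r) for r in requests]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(f"{decision:8s} {reason}")
```

Note that a denied request is still recorded in the user’s history, so the impossible-travel check in the demo fires against the unpatched-device attempt that preceded it; the point is that “inside the VPN” never appears as an input, only who is asking, from what device, and whether the pattern matches that person.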
Navigating the Noise in Identity Security
Exploring the identity and access management (IAM) marketplace for security tools can be overwhelming. Tools that promise the world may end up delivering little to nothing, and buzzwords and promises are easily copied from one vendor to the next. It’s important to buy what is right for your organization. It’s necessary to ask the hard questions. And remember, your criteria should cover not just your existing needs but also align with your digital transformation roadmap.
While many companies will lure you in with a free offer to help deal with the immediate impacts of COVID-19, you must find out if it is reliable, scalable and secure. Just because it’s from a popular vendor doesn’t mean that it’s a slam dunk for your enterprise. Make sure it fits your use case and not the vendor’s by asking questions like:
Does the vendor support your entire environment (factors like legacy systems, integrations, etc.)?
How is downtime handled? What are the SLAs?
What happens if during peak time your customers can’t log in anymore? Who will be blamed: you for making the decision, or the vendor for not holding their end of the agreement?
Another facet is customer service. Seek out customer references from companies of similar size and industry. Get a sense of whether the new provider can cope with a sudden influx of customers. And in the event of an outage or other issue, determine ahead of time how quickly and effectively customer service will respond.
Just because the licenses may be free or heavily discounted doesn’t mean the implementation is. Try to understand the overall TCO and if the vendor meets your criteria. With that in mind, we’ve created buyer’s guides for enterprises considering new MFA and SSO solutions.
And remember that the old adage “there is no such thing as a free lunch” continues to ring true. Even if offers may appear to be generous or “free,” most vendors will try to incentivize sales through promotions. If the product doesn’t deliver, it may end up costing you considerably more than other solutions that initially appeared to be more expensive. Having to start back at square one has both real and hidden costs.
Get 6 Months of Unlimited SSO & MFA at No Cost
Here at Ping Identity, our mission is to secure the digital world through intelligent identity. Whether it is for your customers, partners or workforce, providing seamless, secure and personalized experiences is what we do. Here are a few examples of why we are trusted by over 60% of the Fortune 100: