Problem area: credentials as a weak point


Credentials as a vulnerability: identity and access management best practices. A company's online presence offers a broad digital attack surface, and passwords are one of the points at which cyberattackers can break through in various ways.

If attackers succeed in stealing valid access data for an account, they can use the hijacked identity to steal valuable data or cause further damage in corporate environments. In a working world increasingly characterized by remote work, the security and credibility of digital identities are gaining new relevance. Like physical forms of identification, digital identities must be reliably protected against misuse, theft and fraud. The digital fingerprint and all the traces that users and organizations leave behind on the Internet, however, are highly individual and extremely diverse. This makes protecting identities and securing digital company assets against unauthorized access extremely complex.

Access data are always at risk

For companies that collect and store large amounts of customer data, data security and brand reputation are closely related. Trust is an essential part of business relationships, and in the digital context it is further reinforced by data protection regulations. The General Data Protection Regulation (GDPR) sets a narrow framework for how companies handle personal data and protects the rights of private individuals through information and notification obligations for the processing companies. Any breach of the duty of care with regard to customer data, or the loss of that data, exposes companies to fines. The hotel chain Marriott learned this the hard way: cybercriminals had compromised the accounts of two employees and were thus able to access the accounts of hotel guests. Because this security breach went undetected for years, the number of affected consumers amounts to over 300 million. The British Information Commissioner's Office (ICO) originally imposed a fine of over 110 million euros for this, which was reduced to 20 million euros in light of Marriott's extensive cooperation and other judgments taken into account.

In fact, a significant proportion of hacking incidents can be traced back to lost or stolen credentials. Unfortunately, the strategy of changing passwords at regular intervals usually has only a limited effect, because many users use the same password for several accounts. Password reuse has become a common bad habit because remembering numerous complex passwords is both difficult and inconvenient. However, it significantly increases the potential damage in the event of a compromise.

Identity and access management against password risks

Passwords always pose a risk, regardless of their length, complexity or uniqueness. Companies must take this into account in their IT security strategies. The tendency of employees to carry their private password habits over into their work environment can be counteracted with stronger authentication controls. In order to mitigate threats efficiently and comply with data protection regulations, the login process must be made more secure through identity and access management (IAM). This should include the following elements:

Activation of multi-factor authentication (MFA) and single sign-on (SSO)

These features help reduce the risk of account compromise while providing a seamless login experience for users. MFA adds a further layer of security, for example through a one-time code sent via SMS or generated by a third-party app such as Google Authenticator. Without the second factor, the user is not verified and is not given access to the account. SSO enables users to access a variety of independent cloud resources by logging into a single portal, so the convenience of having to remember only one password can be offered to users in a secure manner. That password should be replaced with a new one at regular intervals, if necessary by means of an automatic prompt to the user.

Context discovery through network activities

In order to determine whether a user really is who they claim to be online, companies should continuously monitor network activity and the behavior of their employees to detect anomalies. For example, if an employee logs in from their home IP address Monday to Friday at 9 a.m., but suddenly logs in from another location on a Saturday evening at 10 p.m., this behavior would be classified as suspicious. Context-based, granular authentication enables organizations to confirm the identity of users based on their location, device and daily activity. This also gives companies more assurance about data access, regardless of where it takes place.
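The weekday/office-hours/home-IP scenario above can be turned into a simple baseline-and-deviation check. The following is an added example, not code from the article or from Bitglass: it builds a per-user profile (known source IPs, weekdays seen, usual login hours) from a constructed login history and then scores new events against it. The sample events, user name and IP addresses are constructed for illustration; the two-hour slack around the usual login window is an assumed tuning parameter.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events: (user, ISO timestamp, source IP). Not real log data.
# The first five are the weekday 9 a.m. logins from the home address; the sixth is the
# Saturday 22:14 login from a different address described in the text.
SAMPLE_LOGINS = [
    ("alice", "2024-03-04T09:02:00", "203.0.113.10"),   # Monday
    ("alice", "2024-03-05T08:58:00", "203.0.113.10"),   # Tuesday
    ("alice", "2024-03-06T09:05:00", "203.0.113.10"),   # Wednesday
    ("alice", "2024-03-07T09:01:00", "203.0.113.10"),   # Thursday
    ("alice", "2024-03-08T09:03:00", "203.0.113.10"),   # Friday
    ("alice", "2024-03-09T22:14:00", "198.51.100.77"),  # Saturday evening, new location
    ("alice", "2024-03-11T09:00:00", "203.0.113.10"),   # next Monday, normal
]


def build_baseline(events):
    """Per-user profile: source IPs seen, weekdays seen, and the list of login hours."""
    profile = defaultdict(lambda: {"ips": set(), "weekdays": set(), "hours": []})
    for user, ts, ip in events:
        t = datetime.fromisoformat(ts)
        p = profile[user]
        p["ips"].add(ip)
        p["weekdays"].add(t.weekday())
        p["hours"].append(t.hour)
    return profile


def score_login(profile, user, ts, ip, hour_slack=2):
    """Return the list of reasons a login deviates from the user's baseline (empty = normal)."""
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    t = datetime.fromisoformat(ts)
    reasons = []
    if ip not in p["ips"]:
        reasons.append(f"unknown source ip {ip}")
    if t.weekday() not in p["weekdays"]:
        reasons.append(f"login on unusual weekday ({t.strftime('%A')})")
    lo = max(min(p["hours"]) - hour_slack, 0)
    hi = min(max(p["hours"]) + hour_slack, 23)
    if not lo <= t.hour <= hi:
        reasons.append(f"login hour {t.hour:02d} outside usual window {lo:02d}-{hi:02d}")
    return reasons


def detect_anomalies(history, new_events):
    """Build the baseline from `history` and return (user, timestamp, reasons) for each
    new event that deviates in at least one dimension."""
    profile = build_baseline(history)
    flagged = []
    for user, ts, ip in new_events:
        reasons = score_login(profile, user, ts, ip)
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    # Treat the first working week as the learning period, then score what follows.
    for user, ts, reasons in detect_anomalies(SAMPLE_LOGINS[:5], SAMPLE_LOGINS[5:]):
        print(f"{user} {ts}: " + "; ".join(reasons))
```

In a real deployment the baseline would come from weeks of authentication logs rather than five events, and the output would feed a risk score that triggers step-up authentication (for example an extra MFA prompt) rather than a hard block; the point here is that the three context dimensions named in the text (location, time of day, day of week) are each cheap to evaluate on existing log data.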

Create awareness

Even with suitable technical solutions in place, a security strategy is incomplete without education and awareness. Companies need to make their employees aware of the value that seemingly insignificant access data can have for cybercriminals, which attack tactics criminals use, and which irregularities should arouse suspicion. This makes it easier for employees to protect their access data and digital identities - and thus, in a broader sense, those of their customers as well.

In the corporate environment, careless handling of digital access data can have serious consequences. With these comparatively simple technical measures, companies can reduce the associated risks while respecting their employees' wish for practicality: it is not necessary to remember dozens of complex passwords. However, protecting sensitive data from unauthorized access remains a shared task: both companies and their workforce should be kept up to date on threats to digital identities and adapt their behavior accordingly.

More at Bitglass.com

 
