27 February 2018

Five Key Access Management Considerations for 2018

In the first half of 2017 alone, the volume of cyber-attacks doubled compared with the same period a year earlier. There is no doubt that the security threat to businesses is growing; cyber crime is rarely out of the news. With upcoming legislation such as the EU General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) coming into force, organisations will have to prove they are making every effort to protect data, providing clear audit trails of what is accessed, when and by whom. Whether you are just starting out or looking to improve your existing access management strategy, the following five considerations are key in 2018.

1. Simplify your infrastructure by consolidating access management technology


Often, organisations have multiple solutions in place to manage strong and adaptive authentication, Web Access Management, Mobile Access Management, Enterprise Single Sign-On (ESSO) and Identity Federation. Little technology is available that lets an organisation manage all of these from a single platform, so a number of disparate access management solutions end up side by side. That is problematic: each keeps its own user store, policy and log, and the result is a splintered view of who can access what.

To best ensure access is secure and properly regulated, it’s important to have a single and reliable view of all user access across all access points. Single platforms produce a clear audit trail, which is much simpler to control and manage. Employees are able to clearly see their rights, and managers are better equipped to control access and determine entitlements for employees.
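The audit-trail point above is easy to state and hard to deliver when each access product writes its own log format. The following added example (not code from the original page or from Ilex International) shows the minimum a single view requires: parsing three constructed log formats (a syslog-style web gateway line, a federation identity provider's JSON event and an ESSO agent's CSV export, all invented here for illustration) into one event schema, then answering the question "what did this user access, and when". The ESSO export is assumed to be in UTC; real products usually need per-source timezone handling.

```python
import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, List

# Constructed sample records. None of these formats belong to a real
# product; each stands in for one access management system's log.
WEB_GATEWAY_LOG = """\
2018-02-20T08:02:11Z wam[1204]: user=alice app=hr-portal result=ALLOW src=10.1.4.20
2018-02-20T08:05:47Z wam[1204]: user=bob app=finance result=DENY src=203.0.113.7
"""

FEDERATION_EVENTS = """\
{"ts": "2018-02-20T08:03:02Z", "subject": "alice", "sp": "crm-saas", "outcome": "success", "ip": "10.1.4.20"}
{"ts": "2018-02-20T08:09:30Z", "subject": "carol", "sp": "crm-saas", "outcome": "failure", "ip": "198.51.100.9"}
"""

ESSO_EXPORT = """\
timestamp,username,application,status,workstation
2018-02-20 08:04:15,alice,legacy-erp,OK,WS-0421
2018-02-20 08:11:02,bob,legacy-erp,FAILED,WS-0187
"""


@dataclass(frozen=True)
class AccessEvent:
    """One access decision, regardless of which system recorded it."""
    when: datetime
    user: str
    app: str
    granted: bool
    source: str   # client IP or workstation name, whatever the source logs
    system: str   # which product produced the record


_WAM_RE = re.compile(
    r"^(?P<ts>\S+) wam\[\d+\]: user=(?P<user>\S+) app=(?P<app>\S+) "
    r"result=(?P<result>ALLOW|DENY) src=(?P<src>\S+)$"
)


def _utc(ts: str, fmt: str) -> datetime:
    # Assumption: every source reports UTC (the ESSO export carries no zone).
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def parse_web_gateway(text: str) -> Iterator[AccessEvent]:
    for line in text.splitlines():
        m = _WAM_RE.match(line)
        if not m:
            # Fail loudly: a silently skipped line is a hole in the audit trail.
            raise ValueError(f"unrecognised gateway line: {line!r}")
        yield AccessEvent(_utc(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["app"],
                          m["result"] == "ALLOW", m["src"], "wam")


def parse_federation(text: str) -> Iterator[AccessEvent]:
    for line in text.splitlines():
        e = json.loads(line)
        yield AccessEvent(_utc(e["ts"], "%Y-%m-%dT%H:%M:%SZ"), e["subject"], e["sp"],
                          e["outcome"] == "success", e["ip"], "federation")


def parse_esso(text: str) -> Iterator[AccessEvent]:
    for row in csv.DictReader(io.StringIO(text)):
        yield AccessEvent(_utc(row["timestamp"], "%Y-%m-%d %H:%M:%S"), row["username"],
                          row["application"], row["status"] == "OK", row["workstation"], "esso")


def unified_trail() -> List[AccessEvent]:
    """Merge all sources into one chronologically ordered trail."""
    events = [*parse_web_gateway(WEB_GATEWAY_LOG),
              *parse_federation(FEDERATION_EVENTS),
              *parse_esso(ESSO_EXPORT)]
    return sorted(events, key=lambda e: e.when)


def trail_for(user: str) -> List[AccessEvent]:
    """Everything one user touched, across every access point."""
    return [e for e in unified_trail() if e.user == user]


def denied_events() -> List[AccessEvent]:
    return [e for e in unified_trail() if not e.granted]


if __name__ == "__main__":
    for e in trail_for("alice"):
        verdict = "ALLOW" if e.granted else "DENY"
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.system:<10} {e.app:<12} {verdict:<5} {e.source}")
```

The point of the common schema is that questions such as "who was denied today" or "what did alice open between 08:00 and 08:15" become one query instead of three, which is what a regulator asking for an audit trail actually wants to see.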

2. Be aware of who has access to sensitive data and applications


More employees are working remotely, yet they still demand quick and easy access to applications they would have in the office. This extension of applications outside of organisations may present problems when managing user access. A lack of control over access to sensitive applications from internal and external users can result in critical data loss, security breaches and the disclosure of confidential information.

To maintain compliance with legislation such as GDPR, organisations will need to show they hold personal data securely in terms of accessibility and encryption. This also means knowing exactly who is able to access this data.

3. Enable your workforce to work securely on any device


Bring Your Own Device (BYOD) and the use of mobile devices are fast becoming the norm. Supporting these devices can cause headaches for IT security managers, as well as for employees wishing to use them efficiently. Increasing demands from the business mean that mobile devices need to be fully supported so that employees can access the network securely. Being unable to provide the same level of security across every device used to reach sensitive information is a major security risk.

4. Keep access traceability of a constantly changing workforce


Organisations are always going through workforce changes. Managing joiners, movers and leavers, and the corresponding changes to entitlements, is a challenge that is often overlooked. Failing to make these changes quickly and effectively leaves dormant accounts open, still carrying the rights their owner accumulated and with nobody watching them. That is an easy way for cyber criminals to gain access to sensitive data without raising an alert.
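The leaver problem is concrete enough to check mechanically. The following added example (not code from the original page or from Ilex International) reconciles a constructed HR roster against a constructed directory export and flags the account states a reviewer would want to see: accounts belonging to leavers that are still enabled, enabled accounts with no owner in HR, accounts that have never logged on, and accounts unused for longer than a dormancy threshold. The field names and the 90-day threshold are assumptions for illustration; real HR feeds and directory exports have their own schemas.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data, not a real HR feed or directory export.
HR_ROSTER = [
    {"employee_id": "E100", "name": "Alice", "status": "active", "leave_date": None},
    {"employee_id": "E101", "name": "Bob",   "status": "left",   "leave_date": date(2018, 1, 12)},
    {"employee_id": "E102", "name": "Carol", "status": "active", "leave_date": None},
]

DIRECTORY_ACCOUNTS = [
    {"username": "alice",      "employee_id": "E100", "enabled": True, "last_logon": date(2018, 2, 19), "groups": ["staff"]},
    {"username": "bob",        "employee_id": "E101", "enabled": True, "last_logon": date(2018, 1, 11), "groups": ["staff", "finance-admins"]},
    {"username": "carol",      "employee_id": "E102", "enabled": True, "last_logon": date(2017, 9, 3),  "groups": ["staff"]},
    {"username": "svc-backup", "employee_id": None,   "enabled": True, "last_logon": date(2018, 2, 18), "groups": ["backup-operators"]},
    {"username": "dave",       "employee_id": "E999", "enabled": True, "last_logon": None,              "groups": ["staff"]},
]

# Date the sample review is run on (assumption, so the results are reproducible).
AS_OF = date(2018, 2, 27)
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    detail: str


def reconcile(hr_rows: List[dict], accounts: List[dict], today: date,
              dormant_after: timedelta = DORMANT_AFTER) -> List[Finding]:
    """Compare every enabled account with the workforce record and report mismatches."""
    hr_by_id: Dict[str, dict] = {r["employee_id"]: r for r in hr_rows}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is already under control
        name = acct["username"]
        emp_id: Optional[str] = acct["employee_id"]
        emp = hr_by_id.get(emp_id) if emp_id else None

        # Ownership checks: who is accountable for this account?
        if emp_id is None:
            findings.append(Finding(name, "no-owner",
                                    "enabled account is not linked to any person"))
        elif emp is None:
            findings.append(Finding(name, "orphan",
                                    f"employee_id {emp_id} not found in HR roster"))
        elif emp["status"] == "left":
            findings.append(Finding(name, "leaver-still-enabled",
                                    f"left on {emp['leave_date']}, still holds: {', '.join(acct['groups'])}"))

        # Usage checks: is anyone actually using it?
        last = acct["last_logon"]
        if last is None:
            findings.append(Finding(name, "never-used", "enabled account has never logged on"))
        elif today - last > dormant_after:
            findings.append(Finding(name, "dormant",
                                    f"last logon {last}, {(today - last).days} days ago"))
    return findings


def reconcile_sample() -> List[Finding]:
    return reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, AS_OF)


def flagged_usernames(findings: List[Finding]) -> List[str]:
    return sorted({f.username for f in findings})


if __name__ == "__main__":
    for f in reconcile_sample():
        print(f"{f.username:<12} {f.reason:<22} {f.detail}")
```

Running this against the sample flags bob (left in January, account still enabled with an admin group), carol (dormant for 177 days), svc-backup (no owner) and dave (no HR record and never used), while alice produces nothing. In practice the "leaver-still-enabled" and "orphan" lines are the ones to act on the same day; "dormant" and "no-owner" feed the next access review.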

5. Increase authentication and bring single sign-on to end-users


Access can be managed through a range of methods: passwords, identity cards and additional forms of identification are often required, and frequently a different one for each application. It is difficult for individuals to juggle a different access method per application and to remember multiple passwords. The resulting confusion leads to insecure behaviour: people choose overly simple passwords, write them down or reuse them everywhere. This increases the risk for the organisation, makes strict IT security policies impossible to enforce and adds pressure on the IT department.

Access management should be a key consideration for all organisations in 2018. The implications of not having a secure and comprehensive solution in place can have severe consequences, as we have seen time and time again in security breaches reported throughout 2017. Having a comprehensive access management system in place not only eliminates this as a concern, but means your employees can work freely and efficiently, without having to worry about a complex sign on process differing across each device.

Read the full paper, Five Key Access Management Considerations to Consider in 2018, here.

12 February 2018

How to overcome the common misconceptions around Identity and Access Management

Identity and Access Management (IAM) can no doubt bring many benefits to an organisation; increased security, greater usability and better flexibility across devices. However, IAM is not a magical solution that can solve all organisational issues. Unfortunately, before starting out on implementing an IAM solution that’s exactly how some organisations view it.

Here we take a look at the common misconceptions people have when it comes to Identity and Access Management projects and how these can be overcome to ensure a successful and effective implementation.

IAM is a ‘magic bullet’


Unfortunately, IAM is not a spell you can cast to solve blurred organisational lines, inconsistent definitions of job roles and responsibilities, or technical decay that has left applications and standards incompatible.

If this is what is being expected of IAM, prevent disappointment further down the line by:
  • Evaluating your current IAM maturity
  • Setting out a roadmap to increase that maturity
  • Specifying the requirements for each step, so that each one delivers something measurable

It’s important to be realistic and clearly communicate the scope of your project, even at initial stages, across all organisational levels. If necessary, make sure to adapt to market technologies, internal processes, budget etc.

Manage the project yourself to save time and resource


IAM is cross-functional so the implementation of this type of project will impact the entire organisation. It is essential to communicate and involve all stakeholders. Not just IT, but human resources, general management, auditors, legal and so on. To aid in smooth implementation, make allies with all of these departments. Help them to resolve concerns they may have about the project from the outset.

It’s crucial to educate the entire organisation, from board level down and overcome any misconceptions around Identity and Access Management. If everyone is not on the same page about the goals you’re aiming for with the IAM implementation, the likelihood is that problems will occur further down the line.

In our latest paper, Reasons to get started on an Identity and Access Management project, we explore the challenges that can occur during an IAM project and best practices for ensuring success. You can read the full paper here.

To find out more about Ilex International’s range of Identity and Access Management solutions, click here.

15 March 2017

Securing your data in the cloud

Organisations are continually moving business applications and services to the cloud. Alongside the growth of remote workers within an organisation, securing and controlling access to cloud-based infrastructure and services has become increasingly challenging.

Some organisations have mature Identity and Access Management (IAM) solutions protecting their internal systems, and with the rapid adoption of cloud many simply extend those existing policies to cover it. This is not the way to approach the issue. Cloud must be treated for what it is: a different environment that requires its own policies and controls.


Risks and threats


Cloud providers have their own security controls in place to protect their services, but businesses must be aware that responsibility for protecting their own data in the cloud remains with them. The controls a provider exposes to the customer are often limited and in some instances simply do not exist. Some of the most common risks to cloud-based services can be reduced by ensuring an IAM solution is in place.

The most common risks which can be reduced through an IAM solution are:
  • Poor identity and access governance and management
  • Data breaches caused by poor credentials and identity management and procedures
  • Insecure user interfaces and APIs
  • Compromised accounts
  • Insider threats

Whilst an IAM solution will provide the ability to reduce these risks and threats, unless it is combined with a mature strategy and the correct processes and procedures, the reduction of risk will be far less.

The key consideration when moving to the cloud is to evaluate and understand the gaps in existing processes, policies and procedures, and the potential need for additional security controls. Detailed planning and project governance are critical. If these actions are carried out, adoption of cloud services or infrastructure has a sound basis for success.

To read our full paper, ‘Securing the Cloud’, click here.

7 March 2017

Open Banking initiative: What does this mean for the UK banking sector?

By: Barry O’Donohoe, Co-Founder, RAiDiAM Consulting


A report from Identity and Access Management specialists Ilex International and RAiDiAM Consulting looks at the upcoming Open Banking legislation and the impact on UK banking organisations.


The Open Banking initiative has formed as a result of the UK Competition and Markets Authority's (CMA) latest effort to promote increased competition and consumer choice among banking service providers. In addition, the CMA intends to go further than the European Banking Authority's Payment Services Directive 2 (PSD2) by being more definitive in specifying the technical implementation of the standards, including a common set of APIs.


Those APIs will transform the existing relationship between banks and their customers and raise complex identity assurance and access management challenges. Providing a standard set of APIs will be challenging for many functional and technical reasons. Perhaps most challenging from a security perspective will be the replacement of bespoke application protection mechanisms, protocols and internal standards with a single modern Identity and Access Management (IAM) capability that can integrate with third parties.


Open Banking in action


Open Banking API offerings are broadly categorised into three services: public information, account information services (AIS) and payment initiation services (PIS). The CMA's high-level roadmap schedules the delivery of APIs in order of their security or risk level. APIs requiring no security to implement will be delivered first, starting with financial product descriptions and ATM/branch locations by the end of Q1 2017.


Achieving assurance in a headless world


Today, customers interact with banking services almost exclusively through first-party channels, whether mobile, telephony or face to face. Such channels require customers to perform an appropriate degree of identification and verification before services or information are provided.
With an API channel consumed by third parties, banks will instead need to address use cases where third-party providers (TPPs) perform operations on a customer's behalf while the customer may not be present during the transaction. Banks must adjust their security posture to reflect the loss of control, the loss of quality assurance and the variable degree of security in the apps customers may use to reach banking services.


Conclusion


Digital identity assurance is leading to a change in the industry. The coming swarm of digital financial asset management APIs will enable new and innovative services to be deployed at a pace previously unseen in the financial services industry. API delivered services have the potential to significantly increase the threat surface banks are exposed to and pose new challenges for identity assurance. Delivery of an API channel will require significant investment in IT Security and IAM infrastructure. It will also require the re-engineering of business processes to manage the numerous new identity classes and their authorisations.


To read the full paper, ‘Open Banking and PSD2: An Inflection Point for Digital Identity Assurance’, click here.

19 December 2016

Time to re-engineer Identity and Access Management

IAM has historically been driven by compliance and user provisioning. It has had a very limited scope of coverage in terms of applications, a low return on investment, and has provided very restricted controls over, and views of, access.

As more business applications and services move to the cloud and mobile working increases, controlling access to data and keeping it secure is challenging. Ilex International has re-engineered the approach to IAM, enabling organisations to benefit from the evolving technology landscape, whilst maintaining security in a much simpler way.


Written in conjunction with our UK consulting partner, Rivington Information Security, our latest paper, 'Time to re-engineer Identity and Access Management' explores the current challenges faced by organisations and explores a new approach to IAM covering:
  • Mobile security
  • Cloud security
  • Universal access management
  • Standardised identity management

You can download the paper here.

17 November 2016

Single Sign-On (SSO): How to differentiate the good from the bad when it comes to user experience and security



Steve Mullan
UK Operations Manager
Launching a Single Sign-On (SSO) project in an organisation is often linked to the user’s dissatisfaction with the current IT system, and the need to remember countless logins and passwords to access everyday applications.

In the absence of an application designed to remember IDs and passwords and enter them automatically for the user, many users tend to bypass security policies. They choose weak passwords (short, simple, easy to guess), write them down, or hand them to trusted colleagues while they are out of the office.

For the Chief Information Security Officer (CISO), the absence of SSO results in unacceptable weaknesses: incompatible security strategies and password policies for each application, varying levels of security, and complicated audit or traceability. Last but not least, the cost to businesses is very real. Industry analysts maintain that resetting user passwords and keeping the necessary support teams in place costs large organisations several tens of euros per user per year.
All of these issues can easily be resolved with the implementation of a SSO solution. SSO considerably improves the user experience by only having to authenticate once, via the primary authentication method defined by the company. The SSO solution then automatically authenticates the user across other applications they want to access, using their secondary credentials. There is no need to remember multiple passwords, SSO takes care of it. This provides added peace of mind for both users and the IT security team.
Once the budget for an SSO project is approved, the CISO typically manages the implementation and oversees the project. This process should always start with answering some basic questions, such as how to differentiate the good SSO solutions from the bad ones?
A bad SSO solution is limited to SSO features alone. A good SSO solution adds to the basic functions already in place with further features essential to IT security: strengthening the authentication mechanisms, enforcing access control logic that limits an authenticated user to the applications they are entitled to, and tracing access to all protected applications.
Before automatically authenticating a user on an application, a good SSO solution will strongly authenticate them and control their rights. It then improves the user experience and traces their activities including authentications, authorisations and delegations. Security is therefore maximised before (through authentication and access control) and after (through traceability) the SSO operation takes place.

What to look out for in a good SSO solution 

  • Authentication: As access to all authorised applications is automatic once the user is primarily authenticated, it is essential that the primary authentication is properly secured. Any SSO solution should offer several one-, two- or three-factor authentication methods (something they know, something they have and something they are), using means such as smartcards or USB tokens, with the method chosen according to the sensitivity of each application. Authentication must also be possible across all devices (fixed workstations, laptops, tablets and smartphones), on web portals accessed from inside or outside the organisation, and in virtualised environments.
  • Access control: Once the user is authenticated on the SSO solution, it should be possible to grant access, or not, depending on various criteria. This includes the level of primary authentication (one, two or three factor), time slots, origin IP/DNS, user profile provided by the company’s directory or the access rights management solution and type of device (PC, tablet, smartphone).
  • SSO: SSO must be accessible across all applications including web applications, client server applications, virtualised, mobile, internal or external, in the office or at the partner’s location, in SaaS or Cloud mode, controlled or not, etc. In short, it must cover Web Access Management, Enterprise SSO and Identity Federation. Organisations using only web applications or external applications are largely a thing of the past. 
  • Traceability: For all protected applications, reports, audits, authentication statistics, authorisations and delegations should be visible from a single source.
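The access-control and traceability items above describe a decision that can be written down exactly. The following added example (not code from the original page or from Ilex International's products) evaluates a session against a per-application policy on the criteria the checklist lists (primary authentication level, permitted time slot, origin network, group membership from the directory and device type) and records every decision, including the reasons for a denial, in an audit trail. Authentication strength is expressed as the number of factors presented, as in the checklist; the policies, groups, networks and sessions are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What the SSO layer knows about the user after primary authentication."""
    user: str
    groups: frozenset          # profile from the company directory
    auth_factors: int          # 1, 2 or 3 factors presented at primary authentication
    source_ip: str
    device: str                # "pc", "tablet" or "smartphone"
    started_at: datetime


@dataclass(frozen=True)
class AppPolicy:
    app: str
    min_factors: int
    allowed_groups: frozenset
    allowed_devices: frozenset
    allowed_networks: Tuple[str, ...] = ()       # CIDR blocks; empty means any origin
    hours: Optional[Tuple[time, time]] = None    # permitted daily window; None means any time


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    user: str
    app: str
    decision: str
    reasons: Tuple[str, ...]


def evaluate(session: Session, policy: AppPolicy) -> AuditRecord:
    """Apply every criterion and keep every failure, so a denial is explainable later."""
    reasons: List[str] = []
    if session.auth_factors < policy.min_factors:
        reasons.append(f"primary authentication used {session.auth_factors} factor(s), "
                       f"{policy.min_factors} required")
    if not session.groups & policy.allowed_groups:
        reasons.append(f"user holds none of {sorted(policy.allowed_groups)}")
    if session.device not in policy.allowed_devices:
        reasons.append(f"device type {session.device!r} not permitted")
    if policy.allowed_networks:
        origin = ipaddress.ip_address(session.source_ip)
        if not any(origin in ipaddress.ip_network(cidr) for cidr in policy.allowed_networks):
            reasons.append(f"origin {session.source_ip} outside permitted networks")
    if policy.hours is not None:
        start, end = policy.hours
        if not start <= session.started_at.time() <= end:
            reasons.append(f"request at {session.started_at:%H:%M} outside "
                           f"{start:%H:%M}-{end:%H:%M}")
    decision = "ALLOW" if not reasons else "DENY"
    return AuditRecord(session.started_at, session.user, policy.app, decision, tuple(reasons))


class AuditTrail:
    """Every decision is recorded before the answer is returned to the SSO layer."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def decide(self, session: Session, policy: AppPolicy) -> bool:
        record = evaluate(session, policy)
        self.records.append(record)
        return record.decision == "ALLOW"

    def for_user(self, user: str) -> List[AuditRecord]:
        return [r for r in self.records if r.user == user]


# Constructed policies: a sensitive finance application and a low-risk intranet.
POLICIES = {
    "finance": AppPolicy("finance", min_factors=2, allowed_groups=frozenset({"finance"}),
                         allowed_devices=frozenset({"pc"}), allowed_networks=("10.0.0.0/8",),
                         hours=(time(7, 0), time(19, 0))),
    "intranet": AppPolicy("intranet", min_factors=1, allowed_groups=frozenset({"staff"}),
                          allowed_devices=frozenset({"pc", "tablet", "smartphone"})),
}

# Constructed sessions: an in-office user with two factors, and the same entitlements
# used from a phone on the public internet at night with a password alone.
SESSIONS = [
    Session("alice", frozenset({"staff", "finance"}), 2, "10.1.4.20", "pc", datetime(2018, 2, 20, 9, 15)),
    Session("bob", frozenset({"staff", "finance"}), 1, "203.0.113.7", "smartphone", datetime(2018, 2, 20, 22, 40)),
]


def run_sample() -> AuditTrail:
    trail = AuditTrail()
    for session in SESSIONS:
        for app in ("finance", "intranet"):
            trail.decide(session, POLICIES[app])
    return trail


if __name__ == "__main__":
    for r in run_sample().records:
        print(f"{r.when:%H:%M} {r.user:<6} {r.app:<9} {r.decision} {'; '.join(r.reasons)}")
```

Both users hold the finance group, so a solution that checked entitlements alone would let bob in; here bob is denied the finance application on four separate grounds (one factor, smartphone, external origin, out of hours) while still reaching the intranet, and the audit record says why. Evaluating every criterion rather than stopping at the first failure costs nothing and makes the trail far more useful during an investigation.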

Good SSO serves all purposes: users enjoy quick and easy authentication to all authorised applications and the CISO can apply comprehensive security policies covering the entire IT system. SSO strengthens authentication and allows for traceability to all controlled applications. In addition, the Chief Finance Officer (CFO) can considerably reduce the cost of managing and renewing user passwords.

Why choose between user comfort and increased security when you can have both?

13 September 2016

Mega breaches: What’s behind the headlines?

Nowadays, barely a day goes by without an organisation getting hacked. In this age of ‘big data’, cyber criminals can compromise almost any type of personal information. As technology continues to evolve, so do the number of routes of entry for criminals to gain access to sensitive information. These attacks are also increasing due to more businesses using the cloud, adopting Bring-Your-Own-Device (BYOD) and other connected objects.

Why do attacks happen?

More often than not, hacks are conducted with criminal intent. Hackers are on the look-out for what will benefit them – financially or otherwise. The cyber crime landscape is always changing and organisations can find it difficult to stay ahead. There are a number of forms hacks and cyber-attacks can take, including:
  • State-sponsored attacks/cyber espionage: Considered by many to be the new form of inter-state spying. This is usually to uncover state secrets or areas of interest that may be useful to the country carrying out the attack
  • Insider threats: Insider threats are attacks carried out – both accidentally and maliciously – by those within an organisation. The risk of insider threats is on the rise, with 64 percent of security professionals saying insider threats occurred more frequently in 2015[i]
  • External attacks: On a basic level, these are attacks by anyone outside of an organisation. However, beyond that the reasons behind external attacks can differ greatly – state-sponsored attacks are an example. More usually, external hackers are simply cyber-criminals out for personal financial gain.
Our paper, ‘Mega Breaches: Behind the headlines’, examines the rise in mega breaches, why they happen, and some of the most highly publicised mega breaches of the past couple of years. The paper also explores what steps organisations can take to mitigate the risk and protect sensitive data.



[i] Insider Threat Report 2015, Computer Weekly: http://www.computerweekly.com/ehandbook/Insider-Threat-Report-2015