Does this sound familiar? Ann, sitting at her desk eating lunch, is surfing the Net. She checks her personal Yahoo email account and sees a message from a purported survey company asking her about her music preferences. She opens the email and takes the survey. Seems harmless enough, but what Ann doesn’t know is that this survey company doesn’t exist and embedded in some of the survey prompts hid an undetected botnet that downloaded onto her desktop. This nasty bugger can record her keystrokes and take screen shots as she navigates through your network. Now some unauthorized entity has her login credentials, passwords…essentially her online/employee identity and access to your enterprise’s proprietary assets and other sensitive data.
You tell them, you educate them, but sometimes it’s not enough. You need to implement another layer of security. These threats aren’t new…they simply get more insidious, more widespread and more effective.
Account takeover is one of the more prevalent forms of identity theft and one of the most damaging to businesses. In fact, according to Meridien Research, while the victim suffers an average loss of $808, businesses absorb about $18,000 (that’ more than 20x) in fraudulent charges per victim.
Problem is, every time technology finds a way to slow or prevent some type of fraud, hackers will always be one step ahead. But it’s not a hopeless consideration. Especially if you apply adaptive risk processes into your security initiatives.
Adaptive risk is the key engine in the unified Identity Management/Access Management (IAM) deployment. It provides the smarts (or the means to collect the “fingerprints”) of possible identity breaches while closely controlling who gets to access what portions of your network.
This process is designed to assess/score risk attributes during authentication so that Access Management can determine whether to require the user to complete further authentication steps. The risk threshold is the first value set in the module and various checks can be enabled, each with their own score. For example, if Ann is a Admin Assistant for marketing, her credentials are not enough to give her access to HR applications or finance data. However, even if the network weren’t partitioned as such and her credentials were stolen, it’s highly unlikely she’s trying to access social security numbers from a laptop in Belorussia at 3 in the morning. Or someone using Ann’s “identity” is trying to buy 10,000 Los Angeles Dodger jerseys from a “vendor” site in China using company funds, there are certain levels of authentication beyond password that can be applied to prevent further breach.
Taking a step back, it really starts with asserting control of the process. You must have the visibility to verify such things as a specific device or location. Then you need the parameters to recognize and affirm behavior patterns to ensure proper identity. These verifications are added to existing enterprise requirements for login/password credentials and additional knowledge-based authentication. In this way, adaptive risk policies make an endpoint an additional second factor-without requiring any behavior change.
Through IAM, there are certain aspects you need to apply to get that enhanced visibility and to exert the necessary activity control:
To those that heavily sighed because the cost of such a deployment is not just prohibitive, but resource draining, I say the enterprise power of cloud-based solutions (security-as-a-service) makes these initiatives affordable, manageable, and most importantly, strengthens the backbone of any security initiative.
Many companies (especially financial institutions) have various anti-fraud programs. For many it’s more than a compliance issue, but one of common sense protection. However, too many modest organizations like regional and community banks are hamstrung by a “decline in anti-fraud expertise.” (says Dr. Ken Baylor Research Vice President for NSS Labs, a leading information security research and advisory company) This is not to say dealing with such organizations is a risk. In fact, because many of them find additional value in cloud-based security initiatives, they are as safe as their Wall Street brethren. Security-as-a-service has been show to provide the equalization factor—the ability to apply enterprise-class power, capability and control over access to the network and the expanding perimeter of SaaS and other third party applications and solutions requiring authorization and credentialing.
And it starts with a plan, a policy and a process.
Tags: Access Management, adaptive risk, best practice, BYOD, Cloud, cloud computing, cloud security, enterprise-it, FFIEC, hacker, HIPAA, Identity Management, intrusion detection, IT security, malware, network perimeter, risk, risk assessment, risk management, Security, security-as-a-service, single sign on, SSO