4 trends in securing employee identity
Businesses are considering new approaches to protect identities
In early September, Equifax suffered a massive data breach affecting the private information of more than 140 million people.
Soon after, the company suffered a second public blow to its reputation when researchers discovered that scores of the company’s accounts were protected by the same generic username and password: admin.
The incident offered a pointed reminder of what can happen when an organization’s authentication routines fail to prevent unauthorized access to network data. This is especially important in an era of mobility and cloud computing, where data is seemingly everywhere – residing on handheld devices, tablets and laptops, or clouds.
With so many potential points of entry, all it takes is sloppy cyber-etiquette to enable malicious hackers to penetrate even the most sophisticated defenses. This is why many businesses are reevaluating their approach to securing employee identity. The fact is that user identity – not the traditional firewall – has become the front line in the cyber-struggle to defend against network intruders.
Here are a few new approaches to consider:
1. Ditch passwords altogether
When the US National Institute of Standards and Technology (NIST) issued recommendations governing identity guidelines over the summer, it argued against constantly requiring users to update their passwords. The truth is that periodic password changes don’t prove effective in preventing breaches.
So why maintain the pretense? Some would just trade manual passwords altogether for something more trustworthy and effective.
2. Adaptive authentication
The basic idea is for the system to adapt to a user’s risk profile, so that the authentication process learns their tendencies over time. Sometimes referred to as risk-based authentication, this approach builds a risk profile from a mix of variables. These might include things like the time of day or the originating IP address.
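A minimal sketch of risk-based authentication using the two variables named above, time of day and originating IP address. This is an added example, not code from the article or from any AT&T product; the login history, the /24 grouping, the 20% "common" cutoff and the allow/step-up/deny thresholds are all assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed login history for one hypothetical user: (timestamp, source IP).
HISTORY = [
    ("2017-10-02T08:55:00", "198.51.100.14"),
    ("2017-10-03T09:10:00", "198.51.100.14"),
    ("2017-10-04T09:02:00", "198.51.100.77"),
    ("2017-10-05T13:40:00", "198.51.100.20"),
    ("2017-10-06T17:25:00", "203.0.113.5"),
]

def network_of(ip):
    """Collapse an IPv4 address to its /24 so address churn is not a new location."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def build_profile(history):
    """Count how often each hour of day and each source network was seen."""
    hours, nets = Counter(), Counter()
    for ts, ip in history:
        hours[datetime.fromisoformat(ts).hour] += 1
        nets[network_of(ip)] += 1
    return {"hours": hours, "nets": nets, "total": len(history)}

def rarity(seen, total, common=0.2):
    """0.0 when a value appears in at least `common` of logins, 1.0 when never seen."""
    share = seen / total
    return 0.0 if share >= common else 1.0 - share / common

def risk_score(profile, ts, ip):
    """Score 0..100: time of day and source network each add up to 50 points."""
    total = profile["total"]
    if total == 0:
        return 50  # no baseline yet: neither trusted nor hostile
    hour = datetime.fromisoformat(ts).hour
    # Hours within one hour of a past login count as familiar (wraps at midnight).
    near = sum(profile["hours"][(hour + d) % 24] for d in (-1, 0, 1))
    return round(50 * (rarity(near, total) + rarity(profile["nets"][network_of(ip)], total)))

def decide(profile, ts, ip, step_up_at=30, deny_at=70):
    """Map the score to an action; thresholds are assumed, tune per deployment."""
    score = risk_score(profile, ts, ip)
    if score >= deny_at:
        return "deny"
    return "step_up" if score >= step_up_at else "allow"
```

A login at a familiar hour from a familiar network passes silently, one unusual signal triggers a second factor, and two unusual signals together are refused; a user with no history is always sent to step-up.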
3. Identity-centric security
Many companies are also embracing Identity-as-a-Service (IDaaS), using third parties for identity authentication and governance, along with single sign-on for the cloud. Identity-centric security uses context, behavioral analytics and predictive security approaches to see to it that the people trying to log in are indeed legitimate and authorized to access the network.
4. Device attribution
As identity flows outside of organizations thanks to the proliferation of mobility and remote access, one popular idea is to embrace device attribution as a verification method. To be sure, there’s also been debate over how secure a proposition this is. After all, smartphones do occasionally get lost or stolen.
One way to sidestep that concern, however, is through the deployment of two-step verification to reduce the risk of compromising a trusted device for authentication. The general approach involves treating devices in the same way the company might treat individuals – complete with their own identity in order to build a security system around those devices.
Whatever architecture enterprises settle on, one thing is clear: Organizations will need to make a choice. No longer can they depend solely on a traditional security model built on the notion that a firewall will protect their most important data. But leaders can rest assured that new ID authentication methods will keep pace with both developments in technology and the evolving threat landscape.