How Will Identity And Privacy Drive Digital Transformation?

Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?). So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents?

According to a story from Reuters, Snowden did it in the easiest way possible. He asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find.

Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time.

The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently. Here are some things you can do:

1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security.

2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials.

3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager.

4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged.

5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed.

6. Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used under extraordinary situations, but are not always appropriate.

It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so. Here's one way such a procedure might work:

One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system where it can be verified by a manager or security staffer.

Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices in place to enforce password discipline.

Daniel Raskin, VP of strategy at ForgeRock, thinks companies must change their approach to customer identity and privacy to achieve true digital transformation

We all have an identity – it’s what establishes who we are. In today’s connected world, the ability for businesses to understand the power of user and customer identity is pivotal to effective digital transformation. Those that can harness this power are able to deliver highly targeted services customers want, when they want them, through the medium most suitable to them. Those that cannot are destined for the business scrap heap.

Yet if identity management is so fundamentally important to future business success, why do so many businesses struggle with it? The main reason is their inability to fundamentally change the way they approach it. Traditional identity management solutions have long focused on internal security and employee-centric activity.

A new way of thinking

They were designed to manage the identities of a fixed number of users doing a rigid number of tasks. However, the type of strategy required for effective digital transformation turns this conventional thinking on its head, putting customer identity at the centre of the business model for the first time. For many businesses, this is uncharted territory. What’s more, there’s no way their existing legacy identity management systems can cope with this new approach, or the millions of external identities required for an effective customer-centric solution.

However, technology is evolving rapidly. Now there are user-centric identity platforms that provide businesses with the tools to build comprehensive customer profiles across multiple channels and touch points. In doing so, they can develop a digital picture of each customer and their habits, helping to guide the development of new, more meaningful products and services. As a result, customers get instantaneous, relevant delivery of digital and physical services. Importantly, they also benefit from intelligent security, based on dynamic characteristics such as location, device, time of day and familiarity.

However, the elephant in the room here is privacy. Businesses can’t offer more identity-driven services without also implementing better privacy controls. Regardless of how good any new service is, adoption will suffer if customers feel that by using it, their privacy is being compromised. Furthermore, the impending arrival of the new EU Data Protection Regulation is likely to further intensify any issues caused by perceived disparity between identity and privacy when it comes into force (likely in 2017).

For a while now, the identity industry has been working to develop universal standards that give more effective privacy controls to users, delivering the peace of mind required to spur adoption of identity-driven services.

The prevailing identity and privacy-related standard used today is known as OAuth. You may not know it by name, but you’ve almost certainly come across OAuth in action online. It’s most commonly used as a way for a user to allow two sites or applications to exchange personal data on their behalf – for example, granting a specialized third-party Twitter mobile app access to your Twitter account to see and post tweets, or letting a news website access your email address and contact information through Facebook.

OAuth enables users to consent to sharing this data, creating easy mashups of information that make the online experience more convenient. It also lets users revoke access to their data should they change their mind at a later date. However, OAuth has some limitations. For example, while it enables data sharing between applications, it doesn’t allow data sharing with other people – sometimes called delegation. And because the apps’ business models rely on asking the user to join the sharing connection only at the last possible moment, users find that their privacy controls are far less granular than they want and expect.

User-Managed Access (UMA) is a next-generation privacy standard that builds on OAuth by putting the emphasis squarely on the user. UMA extends OAuth’s capabilities to authorise the sharing of a user’s data not only from app to app, but from person to person as well. UMA also provides users with a much greater level of control around how their data is shared. Similar to the Share feature on Google Apps, it lets users choose “scopes” of sharing based on specific rules (such as read and edit) that are specific to each app. And just like the Share feature, UMA allows users to “push” sharing to other people whenever they choose, as opposed to when an app requests access. All of these features add up to a greater level of flexibility that gives online users the chance to tailor what information they are sharing about themselves, with whom, and for how long.
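To make the difference between the two sharing models concrete, here is a small, added model of the UMA pattern described above (it is illustrative code, not a real UMA or ForgeRock implementation): a resource owner registers a resource with named scopes, pushes sharing to another person rather than waiting for an app to ask, limits it in time, and can revoke it; an authorization server then decides each access attempt. Class, method and sample names are assumptions for this example.

```python
from datetime import datetime


class AuthorizationServer:
    """Simplified UMA-style authorization server (assumed names, illustrative only)."""

    def __init__(self):
        self.resources = {}  # resource_id -> (owner, scopes the resource offers)
        self.policies = {}   # (resource_id, party) -> (granted scopes, expiry or None)

    def register_resource(self, owner, resource_id, scopes):
        """Owner registers a resource and the scopes it supports (e.g. read, edit)."""
        self.resources[resource_id] = (owner, frozenset(scopes))

    def _check_owner(self, owner, resource_id):
        # Only the resource owner, never the requesting app or party, sets policy.
        if resource_id not in self.resources or self.resources[resource_id][0] != owner:
            raise PermissionError("only the resource owner may change sharing policy")

    def share(self, owner, resource_id, party, scopes, until=None):
        """Owner pushes sharing to another person; `until` is an ISO date string or None."""
        self._check_owner(owner, resource_id)
        unknown = set(scopes) - self.resources[resource_id][1]
        if unknown:
            raise ValueError(f"resource does not offer scopes: {sorted(unknown)}")
        expiry = datetime.fromisoformat(until) if until else None
        self.policies[(resource_id, party)] = (frozenset(scopes), expiry)

    def revoke(self, owner, resource_id, party):
        """Owner withdraws everything previously granted to that person."""
        self._check_owner(owner, resource_id)
        self.policies.pop((resource_id, party), None)

    def permitted_scopes(self, resource_id, party, now):
        """Scopes the party holds on the resource at time `now` (ISO string)."""
        scopes, expiry = self.policies.get((resource_id, party), (frozenset(), None))
        if expiry is not None and datetime.fromisoformat(now) > expiry:
            return frozenset()  # the time-limited grant has lapsed
        return scopes

    def authorize(self, resource_id, party, scope, now):
        """Decision for one access attempt: True only if that scope is currently granted."""
        return scope in self.permitted_scopes(resource_id, party, now)


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_resource("alice", "calendar", ["read", "edit"])
    srv.share("alice", "calendar", "bob", ["read"], until="2024-06-01")
    print(srv.authorize("calendar", "bob", "read", now="2024-05-01"))   # granted
    print(srv.authorize("calendar", "bob", "edit", now="2024-05-01"))   # scope not shared
```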

Uptake of both standards will be critical to enabling better privacy controls for customers in the Internet of Things (IoT), making them more comfortable using new digital services and platforms. OAuth is a great place for any business to start; but increasingly consumers will expect the flexibility and customisation that the more advanced User-Managed Access standard permits.

Crucially, the concept of identity and privacy together creates the new “killer app” for businesses. As more and more devices and objects join the IoT, businesses must successfully balance services with effective privacy controls. You simply can’t undergo effective digital transformation without it. Ultimately, customers want to use new technology, but they also need assurance that their identity is being protected and shared in a responsible manner. Many businesses are embracing digital transformation, but only those who offer efficient identity management and effective privacy controls will reap the full rewards that it has to offer.

