IDAM – New Security Controls
from Cyber Security 2022
by 3S Media
A DIGITAL WORLD REQUIRES DIGITAL ACCESS MANAGEMENT SOLUTIONS
In the identity and access management (IDAM) space, new security solutions – such as two-factor authentication (2FA), biometrics and zero trust security – are among the ways of improving your security posture. Ulwembu’s Glenn Noome, director: Smart Integration, and Sabelo Xaba, enterprise solutions manager: Infrastructure, answer our questions on this topic.
Why do you feel IDAM is vital in today’s digitally transforming world?
In today’s world, there is one thing that is for certain: all aspects of life are going digital. We have critical information at work, as well as personal information for everything – from health to banking – and it is all becoming digital.
The currency and value of data are increasing at a rapid rate. Every part of the working environment is generating data, which has become invaluable and, to that end, needs to be protected and accessed strictly by those who have the authorisation to do so.
IDAM refers to identity and access management, meaning the correct person (identity) is given access (access management) to the permitted data. Access management, as it states, is more than just viewing data, but also covers the user’s permissions to change or delete that data.
It is my belief that eventually every person will have a digital signature. A simple example of this is your smartphone verifying your identity through facial recognition, and allowing you to pay a bill at a retail store via your device, which is linked to your bank account. Eventually, all services – like banking, health, driving licences and so on – will be linked to a person’s digital ID, which will include both business and personal information. This is of particular importance, as we’ve seen a greater intertwining of personal and work life than ever before, since the advent of Covid-19 and the attendant increase in remote working.
With threats constantly evolving, what are the challenges that current IDAM solutions face, and why are such solutions now inadequate in the face of the increasing evolution of cyberattacks?
As we know when it comes to digital information, there are more ways than ever of duplicating data, as well as data being more accessible in the cloud. This means that anyone could gain access to data if security is lacking.
We are now seeing devices like smartphones upping the ante on the requirements around the identification of the correct user and the provision of access to certain data. Previously, this type of device was less secure, as all that was required was a digital password. Today, we’re seeing additional measures – like dual authentication, where it verifies you through a password, and biometrics, through a fingerprint scanner or facial recognition.
What would you say is the answer to these challenges? How can we improve IDAM in order to get ahead of the bad guys?
Multiple levels of authentication are a must – including the use of passwords, authenticator applications, location-based access and, most importantly, verifying the person themselves.
What are the benefits of, and the challenges to, implementing the following types of IDAM solutions?
Multifactor authentication (MFA): This is one of the best ways to verify that the correct access is granted, as it adds a layer of protection to the sign-in process. MFA does take longer and may require multiple apps, fingerprint scanning, or entering a code or PIN received, but is one of the most secure authentication methods.
Biometrics: The challenges of this type of technology have been reduced, due to the fact that devices like your laptops and smartphones now have in-built biometric or facial recognition. This in turn confirms you are the correct person who is connecting to the information or services. In these times, where touching things is frowned on due to Covid, facial recognition is the better way to go.
Behavioural biometrics: Behavioural biometrics analyse a user’s digital, physical and cognitive behaviour and are most commonly used today to prevent fraud. This type of technology is able to distinguish between authorised users and cybercriminals – it monitors their actual behaviour online as opposed to static data, which can be duplicated. As a fairly new technology, behavioural biometrics are being used predominantly within the banking industry, but are seeing some uptake in other verticals.
Zero trust: Also known as ‘never trust, always verify’, zero trust is an architecture designed to consider every request on the network to be a threat and therefore requires the user to continually verify that they are who they say they are.
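To make the MFA and zero trust answers above concrete, here is an added example (written for this page, not code from Ulwembu or the magazine). It implements the time-based one-time codes that authenticator apps produce (HOTP per RFC 4226, TOTP per RFC 6238) and a server-side verifier that tolerates small clock skew, compares codes in constant time and refuses to accept the same time step twice. On top of that it evaluates every request against a zero trust policy: location, device posture and freshness of the last MFA are checked on each request, and a sensitive resource triggers a step-up challenge answered with a TOTP code. The secret, user, policy values and country allow-list are constructed for illustration; the RFC test vector secret is used so the code values can be checked against the standard.

```python
"""Added example: TOTP as the MFA factor inside a per-request zero trust check.

All secrets, users and policy values are constructed for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                used_counters: Optional[Set[int]] = None) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side (clock skew between
    phone and server), compares each candidate in constant time, and, when a
    `used_counters` set is supplied, rejects a time step that already succeeded,
    so a code observed in transit cannot be replayed within its validity window.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            if used_counters is not None:
                if counter in used_counters:
                    return False  # replay of an already-consumed step
                used_counters.add(counter)
            return True
    return False


# --- zero trust: every request is evaluated on its own, nothing is carried over ---

STEP_UP_AFTER_S = 15 * 60   # assumed policy: sensitive data needs MFA completed in the last 15 minutes
ALLOWED_COUNTRIES = {"ZA"}  # constructed location-based access rule


@dataclass
class Request:
    user: str
    unix_time: int
    country: str
    device_managed: bool        # device enrolled and reporting a healthy posture
    resource: str
    sensitive: bool
    totp_code: Optional[str] = None   # present only when answering a step-up challenge


@dataclass
class UserState:
    secret: bytes               # the user's enrolled authenticator secret
    last_mfa_time: int          # unix time of the last successful MFA
    used_counters: Set[int]     # TOTP steps already consumed (replay protection)


def evaluate(req: Request, state: UserState) -> str:
    """Return 'allow', 'step_up' or 'deny'. The same checks run for every request,
    so an earlier 'allow' never grants trust to a later request."""
    if req.country not in ALLOWED_COUNTRIES:
        return "deny"
    if not req.device_managed:
        return "deny"
    if req.sensitive and req.unix_time - state.last_mfa_time > STEP_UP_AFTER_S:
        if req.totp_code is None:
            return "step_up"   # challenge the client for a fresh authenticator code
        if not verify_totp(state.secret, req.totp_code, req.unix_time,
                           used_counters=state.used_counters):
            return "deny"
        state.last_mfa_time = req.unix_time
    return "allow"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test vector secret, constructed demo only
    state = UserState(secret=secret, last_mfa_time=0, used_counters=set())
    first = Request("alice", 3600, "ZA", True, "payroll", True)
    print(evaluate(first, state))                                   # step_up
    first.totp_code = totp(secret, 3600)                            # what the authenticator app would show
    print(evaluate(first, state))                                   # allow
```

The step-up path is where the two answers meet: the request is allowed only because the identity was just re-verified, and the consumed time step is recorded so the same code cannot be presented again.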
Are there any other current security options for an organisation to consider? If so, what are they and how do they work?
Staff awareness is a huge consideration. Two of the biggest threats organisations face are phishing and ransomware – both of which exploit human error. If employees receive phishing emails and are unable to spot that they are scams, the whole organisation is at risk. Similarly, internal error, privilege misuse and data loss are all the result of employees not understanding their information security obligations. These are issues that you can’t fix with technological solutions alone. Organisations must instead support their IT department by conducting regular staff awareness training.
The current security mantra seems to be ‘defend in depth’. How would you recommend implementing such a defence, and how important is it to involve all aspects of the ‘people, processes and technology’ trinity?
Defend in depth is a concept used in IT security where multiple layers of security controls are put in place throughout an IT system. The digital world – especially now in the new normal – has changed how we live, work and play.
The digital world is constantly open to attack and, because there are so many potential attackers, we need to ensure we have the right security in place to prevent systems and networks being compromised. Unfortunately, there is no single method that can successfully protect against every single type of attack.
This is where a defence in depth architecture comes into play. A layered security approach is key – organisations can never be fully protected by a single layer of security. Where one door may be closed, others will be left wide open, and hackers will find these vulnerabilities very quickly.
Considerations should include applying proper security protocols at the network access level, including software such as proper anti-virus, data protection and integrity. A good firewall can assist with the above.
What final words of advice relating to the topic would you give to those organisations where IT might be necessary to ensure operations, but is not related to their core business?
Organisations need assistance in identifying where their IT security risks are and how they can be mitigated. Because cyberattacks can be so detrimental to a business, if their primary business is not IT, the outsourcing of IT security to an expert in this area might be the best answer.