2018 Annual Digest of Identity and Access Management


Identity and Access Management continues to be a key component in building an enterprise’s cyber security strategy. Today we are presenting our observations of Identity and Access Management in 2018. What happened this year? What can enterprises learn from events in the media in terms of Cyber Security in general, and Identity and Access Management specifically?

Here is a brief timeline of significant regulations, data breaches and world events that were marked by the media, including Gemalto sources and these events signified in the Identity and Access Management arena:

Q1

February 1
PCI DSS 3.2 takes effect

What happened
This payment card regulation affects individuals who access systems which hold credit card data. From February 1, 2018, they are required to authenticate themselves with multi-factor authentication. The Payment Card Industry Data Security Standard was developed to encourage and enhance cardholder data security and facilitate broad adoption of consistent data security measures globally. The ultimate aim is to reduce credit card fraud.

Lessons learned
Companies should already be far along the road to PCI DSS 3.2 compliance by now. They should be prioritizing compliance by working with partners on encryption, key management and authentication.

Q2

May 19
The Royal Wedding

What happened
When Prince Harry married Meghan Markle, thousands of reporters were present, and yet the details of Meghan’s dress, its manufacturer and its designer remained a secret. While the inner workings of the dress designer, Givenchy and the Royal Family network will remain privileged, it seems that part of the reason the secret held was that the work was confined to physically secured locations.

Lessons learned

Physical seclusion is not always possible for fashion houses and other global enterprises today. They often collaborate on Computer Aided Design (CAD) software alongside cloud-based applications, and some require reports that provide visibility into login attempts across their ecosystem. Identity and access management delivered as a service (IDaaS) can help fashion enterprises or governmental institutions ensure that only the right person receives the right information at the right time, without endangering the enterprise or its end customers.

May 25
General Data Protection Regulation (GDPR) begins

What happened

The General Data Protection Regulation (GDPR) requires companies to be more accountable to their EU-based users for how their data is controlled and used. It also requires companies to notify their local data protection authority of suspected data breaches.

Lessons learned

Although GDPR allows organizations to be fined for data breaches, these fines may be reduced if the organization can prove that it had deployed security controls to minimize the damage. To help your organization handle GDPR, identity and access management provides a first line of defense for the sensitive user data held in your company’s cloud and web apps. With scenario-based policies and convenient access management, you can help your enterprise avoid costly GDPR fines or sanctions.

Q3

August 1
Reddit’s Company Cloud Attacked

What happened
Reddit, the social media platform, considered to be the 5th most popular website in the U.S., disclosed that a few of its employees’ administrative accounts had been hacked. After compromising those accounts, an attacker gained access to data held in Reddit’s company cloud.

Lessons learned
While they did in fact have their sensitive resources protected with two-factor authentication (2FA), Reddit encouraged users to move to token-based 2FA. For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection.

September 25
Facebook Mega Breach

What happened

The September 2018 Facebook breach was not only a ‘mega’ breach in terms of the 50 million compromised users affected, but also a severe breach due to the popularity of the social media giant. Cyber criminals got hold of users’ Facebook login credentials. The breach was compounded by the fact that many users use their Facebook credentials to log into other social media sites, which means that the hackers were able to access not only a user’s Facebook account but also every other account that relies on Facebook login credentials.

Lessons learned
The risks that consumers were exposed to as a result of buffet-style sign-on in the Facebook case also apply to the enterprise. Fortunately, there is a solution: to maintain the convenience of single sign-on without compromising on security, enterprises can use Smart Single Sign-On.

Q4

November 30
Quora and Marriott Hotels announce massive breaches of user data

What happened
The Quora Q&A site suffered a massive breach of user data, including the compromise of 100 million users’ credentials. On the same day, the Marriott International hotel chain disclosed a serious breach, allegedly undetected for 4 years!

Lessons learned
In the Quora case, as with Facebook, accounts are linked to other social media sites such as games and quizzes, so access to one account opens the door to related data. The Marriott incident shows that it’s not enough to protect your data; it also highlights the access issues that come with mergers and acquisitions – in this case merging the Starwood reservation system with Marriott’s. You need to see who is accessing your networks and whether there is any unusual activity, right from the start. Monitoring and reporting capabilities in an access management solution can help organizations gain insight into unauthorized access attempts.

Identity and Access Management as a Strategy, 2019-style:
In 2019, it is inevitable that there will be more cyber security violations, including corporate identity theft. And it’s likely that more regulations will be put in place to force enterprises to be proactive, not just reactive.

The question is what organizations will do to brace for these breaches. For more information on how your enterprise can prevent breaches, enable the continuous business transformation of its resources securely and simplify compliance, learn more about Gemalto’s SafeNet Identity and Access Management, request a 30 minute demo of SafeNet Trusted Access or watch our video, “How Access Management Enables Cloud Compliance.”

*** This is a Security Bloggers Network syndicated blog from Enterprise Security – Gemalto blog authored by Ronni Kives. Read the original post at: https://blog.gemalto.com/security/2018/12/19/2018-annual-digest-of-identity-and-access-management/