July 6, 2016 By Patricia Diaz 2 min read

In the early 1900s, Henry Ford discovered and addressed the weakest link in auto manufacturing: the production process. By creating the assembly line, Ford not only made the Model T widely available and affordable, but he also precipitated a global revolution in manufacturing, reshaped commerce and mobilized the world.

If you think of the world’s greatest inventions, such as Ford’s assembly line, you will find they all successfully address the weakest link in their respective fields. But when it comes to avoiding a data breach and improving security, what is our weakest link? Unfortunately, the answer is people.

Our heavily reused “123456” passwords or our susceptibility to clicking on phishing emails is not the biggest problem. One of the most significant hurdles is our lag in adopting technologies that truly target identity and access management (IAM) threats.

The Proof Is in the Pudding

The Verizon “2016 Data Breach Investigations Report” found that 63 percent of confirmed data breaches involved leveraging weak, default or stolen passwords. You can interpret this finding in one of two ways: The first and most obvious way is that 63 percent of data breaches are due to careless users. In fact, the report stated that the common threats associated with attacks involving legitimate credentials were, among others, stolen credentials and social phishing.

Now, the other way to interpret the statistic is to consider that if something as simple as stealing a user’s credentials is enough to expose sensitive information, organizations are not sufficiently utilizing intelligent access management practices.

I agree with the latter reasoning. Henry Ford did not lay blame on his plant workers for being the weakest link in his manufacturing process. Instead, he developed the technology that enabled his employees to work eight times faster — and therefore cheaper — than they could before.

Similarly, we should not blame end users for being the weakest link in security. Instead, we should acknowledge that users are the victims of sophisticated, continuously evolving malware and tricky phishing scams. We should enforce appropriate policies that can control access beyond easily stolen usernames and passwords.

Authenticating Beyond the Username and Password to Prevent a Data Breach

Back in 2004, Bill Gates predicted the death of the password. But now, 12 years later, it seems like we are clicking on “forgot password” more than ever. Given the rise in major data breach reports in recent years — and the role that stolen credentials play in those incidents — it is clear that many current access technologies might have been appropriate 12 years ago, but not today.

It is more important than ever to authenticate beyond username and password. Enforcing risk-based access policies can dynamically step up authentication in high-risk situations.

Risk-based access operates under a set of policy rules that determine, based on a calculated risk score, whether an access request should be permitted, denied or challenged. Attributes that feed the risk score of a specific request can include IP reputation, the user’s behavioral patterns, device characteristics and more. For instance, a banking application could weigh both the amount of funds a user is trying to transfer and the user’s physical location to decide whether stronger authentication is needed or whether the user should be denied authorization to perform the requested transaction altogether.

Risk-based access allows organizations to create policies that control access dynamically, adapting to the ever-changing ways users access and consume information. There are enterprise-grade IAM solutions that secure access points and corporate networks through risk-based access capabilities.
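As an added illustration of the policy logic described above (example code, not from the article or any IBM product; the attribute names, weights and thresholds are assumptions chosen for illustration), here is a small risk-based access evaluator that scores a request from its attributes and maps the score to permit, challenge or deny:

```python
# Added example, not code from the article: a minimal risk-based access policy
# engine. Weights and thresholds are assumptions; real IAM products tune them.
from dataclasses import dataclass, field

PERMIT, CHALLENGE, DENY = "permit", "challenge", "deny"


@dataclass
class AccessRequest:
    user: str
    ip_reputation: str               # "good", "unknown" or "malicious"
    known_device: bool               # device previously enrolled by this user
    country: str                     # geolocated country of the request
    usual_countries: set = field(default_factory=set)  # where the user normally logs in
    transfer_amount: float = 0.0     # 0 for actions that move no money


def risk_score(req: AccessRequest) -> int:
    """Add up the weighted risk contribution of each attribute."""
    score = {"good": 0, "unknown": 15, "malicious": 60}[req.ip_reputation]
    if not req.known_device:
        score += 20
    if req.usual_countries and req.country not in req.usual_countries:
        score += 25                  # login from an unusual location
    if req.transfer_amount > 10_000:
        score += 30                  # high-value transfer
    elif req.transfer_amount > 1_000:
        score += 10
    return score


def decide(req: AccessRequest, challenge_at: int = 30, deny_at: int = 70) -> str:
    """Map the score onto the three policy outcomes: permit, challenge, deny."""
    score = risk_score(req)
    if score >= deny_at:
        return DENY                  # too risky even with step-up authentication
    if score >= challenge_at:
        return CHALLENGE             # step up: one-time code, push approval, etc.
    return PERMIT


# Constructed sample requests for the banking scenario in the article.
SAMPLES = {
    "routine":      AccessRequest("alice", "good", True, "US", {"US"}, 200),
    "big_abroad":   AccessRequest("alice", "good", True, "BR", {"US"}, 15_000),
    "stolen_creds": AccessRequest("alice", "malicious", False, "BR", {"US"}, 15_000),
    "new_device":   AccessRequest("alice", "unknown", False, "US", {"US"}, 0),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:>12}: score={risk_score(req):3d} -> {decide(req)}")
```

Lowering `deny_at` tightens the policy without touching the scoring, which is how the same engine can be made stricter for a high-value application than for a low-risk one.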
