January 3, 2019 By Jimmy Tsang 4 min read

A company hires a contract web developer to help with updates to the website. The contractor isn’t given their own credentials to the back end of the site, instead one of the other developers shares their user ID and password. Once that contract employee finishes their project, they’re let go… but they may still have access to the site.

As a security leader, you see users come up with risky workarounds all the time, from sharing passwords for cloud services to recycling credentials for both personal and work accounts — despite repeated attempts to educate them about the security implications. Compromised passwords in the workforce carry significant implications; regulations such as the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) impose serious fines for shared credentials and lost data.

While you might be tempted to lock down data access altogether, you know that oversecuring your infrastructure is a recipe for shadow IT, user frustration and decreased productivity. How can you give employees the streamlined access they need to perform their jobs efficiently without exposing your critical data to insider threats? That’s where silent security comes in.

The User Account Privilege Conundrum

Enterprises usually adopt one of two diverging strategies for identity and access management: They either take a loose approach to employee access or a restrictive no-privilege paradigm, and each strategy has its own drawbacks. Employee access to networks, apps and data can aggregate over time based on seniority, project, team or reporting structure. In many cases, this access should be significantly pared back, but isn’t due to a lack of standardized processes for granting access. When credentials are compromised in an overprivileged network, the risks of data loss can be much higher.

In contrast, no-privilege access is a paradigm inspired by an absence of trust for insiders. While it can seem like a way to simplify complex access management, the practice can inspire frustration. Users are often required to repeatedly verify identity and authenticate. Fifty-one percent of workers are likely to develop workarounds in the face of a frustrating user experience, according to a Forrester report. No-privilege access can create a false sense of security as employees lean on shadow IT. Last year, inadvertent insider error resulted in 20 percent of compromised data records.

Today, 60 percent of knowledge workers want productivity gains with better data access, according to The Wall Street Journal. As user expectations rise, security leaders face a tangle of competing risks: Strategies for identity and access management must scale across an increasing number of mobile devices and workplace apps. Simultaneously, the GDPR, HIPAA, Revised Payment Services Directive (PSD2), Financial Industry Regulatory Authority (FINRA), and other regulatory mandates and authorities have heightened requirements for secure IAM practices and audit pressures.

How Can Companies Balance Security, Productivity and Compliance?

The answer is silent security, which is defined by invisible safeguards that only intervene when necessary. Trusted users shouldn’t ever have a reason to detect silent security. This approach can protect your networks and data using multifactor authentication when necessary, instead of as a rule. IT teams can choose between automated frameworks for authentication to streamline the complex process of governing users and identities.

Behavioral analytics are at the core of silent security frameworks. By creating user profiles, machine learning algorithms can track data access and actions over time to identify potentially risky users based on real-time updates to risk scores. The system can continually enforce least privilege and granular access control, and audit and manage accounts based on user needs for data access.
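The risk-scored, step-up decision described above, as an added example that is not from the original article or any IBM product: a constructed baseline profile, a score built from deviations (new device, new country, off-hours, dormant account), and a decision that stays silent for trusted users, asks for MFA at a middle score, and blocks at a high one. Weights, thresholds and the sample profile are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Weights and thresholds are assumptions for this example, not any product's defaults.
WEIGHTS = {"new_device": 30, "new_country": 40, "off_hours": 15, "dormant": 25}
MFA_THRESHOLD = 30   # at or above: step up to MFA
DENY_THRESHOLD = 70  # at or above: block the login and raise an alert
DORMANT_AFTER = timedelta(days=30)

@dataclass
class Profile:
    """Behavioral baseline learned from a user's past successful logins."""
    known_devices: set
    known_countries: set
    active_hours: set        # hours of day this user normally works
    last_seen: datetime

@dataclass
class Attempt:
    device_id: str
    country: str
    when: datetime

def risk_factors(profile, attempt):
    """Name every way this attempt deviates from the user's baseline."""
    factors = []
    if attempt.device_id not in profile.known_devices:
        factors.append("new_device")
    if attempt.country not in profile.known_countries:
        factors.append("new_country")
    if attempt.when.hour not in profile.active_hours:
        factors.append("off_hours")
    if attempt.when - profile.last_seen > DORMANT_AFTER:
        factors.append("dormant")
    return factors

def decide(profile, attempt):
    """Return (score, action): silent for trusted users, MFA only when risk warrants it."""
    score = sum(WEIGHTS[f] for f in risk_factors(profile, attempt))
    if score >= DENY_THRESHOLD:
        return score, "deny"
    return score, ("mfa" if score >= MFA_THRESHOLD else "allow")

def record_success(profile, attempt):
    """After a login that passed any required MFA, widen the baseline and reset dormancy."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.last_seen = attempt.when

# Constructed baseline for a regular employee (sample data, not real telemetry).
ALICE = Profile({"laptop-a1"}, {"US"}, set(range(7, 20)), datetime(2019, 1, 2, 15))
```

The last case mirrors the shared contractor account from the opening scenario: a login from an unknown device and country, at night, on an account nobody has used for weeks scores far past the deny threshold, while Alice's routine logins never see a prompt.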

Silent security is more effective than no-privilege approaches to security because it gives the IT team a streamlined, frictionless framework for identity and access management. This approach ensures that employees have access to the right data at the right time and helps security professionals prevent superfluous access. A defined framework for frictionless security allows the enterprise to simplify compliance and pursue digital transformation.

Transform Access Control

The average American adult has 130 unique password-protected accounts, according to a report from Dashlane. This drives enterprise users to cope with password fatigue by recycling credentials or employing risky workarounds. Single sign-on (SSO) capabilities relieve users of the mental load of remembering many different passwords with a unified authentication pathway into all workplace applications.

Business managers can group employee access to lower-risk apps and grant permissions based on business activity and need. The result is more flexible, user-friendly authentication that can bridge the gaps in access control as organizations pursue digital transformation.

Stay Ahead of Compliance

The average cost of regulatory noncompliance has increased 45 percent since 2011 to $14.8 million in 2017, according to Ponemon Institute and Globalscape. Silent security can help IT and risk professionals stay ahead of changing regulatory requirements with access audits and tools to prove compliance. Leaders can quickly gain visibility into policies and access and streamline communications between business and IT around access decisions. Organizations can continuously customize the ideal governance strategy for easier audit cycles by tracking compliance in real time.

Streamline the Future

“Identity is its own solar system. Its own galaxy,” said Robert Herjavec, CEO of global IT security firm Herjavec Group, as quoted by Dark Reading. “The problem with users is that they’re interactive.”

Enterprises need solutions to handle the growing complexity of governing users and identities. Both overprivileged frameworks and no-privilege solutions can present productivity and security risks in a complex network of mobile workers, smart devices and workplace apps. Identity is the new enterprise perimeter, and smarter access management requires silent solutions to balance security, productivity and compliance.
