A company hires a contract web developer to help with updates to the website. The contractor isn’t given their own credentials to the back end of the site, instead one of the other developers shares their user ID and password. Once that contract employee finishes their project, they’re let go… but they may still have access to the site.
As a security leader, you see users come up with risky workarounds all the time, from sharing passwords for cloud services to recycling credentials for both personal and work accounts — despite repeated attempts to educate them of the security implications. Compromised passwords in the workforce carry significant implications; regulations such as the General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA) impose serious fines for shared credentials and lost data.
While you might be tempted to lock down data access altogether, you know that oversecuring your infrastructure is a recipe for shadow IT, user frustration and decreased productivity. How can you give employees the streamlined access they need to perform their jobs efficiently without exposing your critical data to insider threats? That’s where silent security comes in.
Learn to govern users and identities with silent security
The User Account Privilege Conundrum
Enterprises usually adopt one of two diverging strategies for identity and access management: They either take a loose approach to employee access or a restrictive no-privilege paradigm, and each strategy has its own drawbacks. Employee access to networks, apps and data can aggregate over time based on seniority, project, team or reporting structure. In many cases, this access should be significantly pared back, but isn’t due to a lack of standardized processes for granting access. When credentials are compromised in an overprivileged network, the risks of data loss can be much higher.
In contrast, no-privileged access is a paradigm inspired by an absence of trust for insiders. While it can seem like a way to simplify complex access management, the practice can inspire frustration. Users are often required to repeatedly verify identity and authenticate. Fifty-one percent of workers are likely to develop workarounds in the face of a frustrating user experience, according to a Forrester report. No-privileged access can create a false sense of security as employees lean on shadow IT. Last year, inadvertent insider error resulted in 20 percent of compromised data records.
Today, 60 percent of knowledge workers want productivity gains with better data access, according to The Wall Street Journal. As user expectations rise, security leaders face a tangle of competing risks: Strategies for identity and access management must scale across an increasing number of mobile devices and workplace apps. Simultaneously, the GDPR, HIPAA, Revised Payment Service Directive (PSD2), Financial Industry Regulatory Authority (FINRA), and other regulatory mandates and authorities have heightened requirements for secure IAM practices and audit pressures.
How Can Companies Balance Security, Productivity and Compliance?
The answer is silent security, which is defined by invisible safeguards that only intervene when necessary. Trusted users shouldn’t ever have a reason to detect silent security. This approach can protect your networks and data using multifactor authentication when necessary, instead of as a rule. IT teams can choose between automated frameworks for authentication to streamline the complex process of governing users and identities.
Behavioral analytics are at the core of silent security frameworks. By creating user profiles, machine learning algorithms can track data access and actions over time to identify potentially risky users based on real-time updates to risk scores. The system can continually enforce least privilege and granular access control, and audit and manage accounts based on user needs for data access.
Silent security is more effective than no-privilege approaches to security because it gives the IT team a streamlined, frictionless framework for identity and access management. This approach ensures that employees have access to the right data at the right time and helps security professionals prevent superfluous access. A defined framework for frictionless security allows the enterprise to simplify compliance and pursue digital transformation.
Transform Access Control
The average American adult has 130 unique password-protected accounts, according to a report from Dashlane. This drives enterprise users to cope with password fatigue by recycling credentials or employing risky workarounds. Single sign-on (SSO) capabilities relieve users of the mental load of remembering many different passwords with a unified authentication pathway into all workplace applications.
Business managers can group employee access to lower-risk apps and grant permissions based on business activity and need. The result is more flexible, user-friendly authentication that can bridge the gaps in access control as organizations pursue digital transformation.
Stay Ahead of Compliance
The average cost of regulatory noncompliance has increased 45 percent since 2011 to $14.8 million in 2017, according to Ponemon Institute and Globalscape. Silent security can help IT and risk professionals stay ahead of changing regulatory requirements with access audits and tools to prove compliance. Leaders can quickly gain visibility into policies and access and streamline communications between business and IT around access decisions. Organizations can continuously customize the ideal governance strategy for easier audit cycles by tracking compliance in real-time.
Streamline the Future
“Identity is its own solar system. Its own galaxy,” said Robert Herjavec, CEO of global IT security firm Herjavec Group, as quoted by Dark Reading. “The problem with users is that they’re interactive.”
Enterprises need solutions to handle the growing complexity of governing users and identities. Both overprivileged frameworks and no-privilege solutions can present productivity and security risks in a complex network of mobile workers, smart devices and workplace apps. Identity is the new enterprise perimeter, and smarter access management requires silent solutions to balance security, productivity and compliance.
Read the e-book: Govern users and identities
Product Marketing for IBM Security Solutions
Jimmy believes in a client-centric approach to product marketing. He is leading the development of IBM Security’s strategy and go-to-market to evolve how w...