A company hires a contract web developer to help with updates to the website. The contractor isn’t given their own credentials to the back end of the site; instead, one of the other developers shares their user ID and password. Once that contract employee finishes their project, they’re let go… but they may still have access to the site.

As a security leader, you see users come up with risky workarounds all the time, from sharing passwords for cloud services to recycling credentials for both personal and work accounts — despite repeated attempts to educate them about the security implications. Compromised passwords in the workforce carry significant implications; regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) impose serious fines for shared credentials and lost data.

While you might be tempted to lock down data access altogether, you know that oversecuring your infrastructure is a recipe for shadow IT, user frustration and decreased productivity. How can you give employees the streamlined access they need to perform their jobs efficiently without exposing your critical data to insider threats? That’s where silent security comes in.

The User Account Privilege Conundrum

Enterprises usually adopt one of two diverging strategies for identity and access management: They either take a loose approach to employee access or a restrictive no-privilege paradigm, and each strategy has its own drawbacks. Employee access to networks, apps and data can aggregate over time based on seniority, project, team or reporting structure. In many cases, this access should be significantly pared back, but isn’t due to a lack of standardized processes for granting access. When credentials are compromised in an overprivileged network, the risks of data loss can be much higher.

In contrast, no-privilege access is a paradigm inspired by an absence of trust for insiders. While it can seem like a way to simplify complex access management, the practice can inspire frustration. Users are often required to repeatedly verify their identity and authenticate. Fifty-one percent of workers are likely to develop workarounds in the face of a frustrating user experience, according to a Forrester report. No-privilege access can create a false sense of security as employees lean on shadow IT. Last year, inadvertent insider error resulted in 20 percent of compromised data records.

Today, 60 percent of knowledge workers want productivity gains with better data access, according to The Wall Street Journal. As user expectations rise, security leaders face a tangle of competing risks: Strategies for identity and access management must scale across an increasing number of mobile devices and workplace apps. Simultaneously, the GDPR, HIPAA, Revised Payment Service Directive (PSD2), Financial Industry Regulatory Authority (FINRA), and other regulatory mandates and authorities have heightened requirements for secure IAM practices and audit pressures.

How Can Companies Balance Security, Productivity and Compliance?

The answer is silent security, which is defined by invisible safeguards that only intervene when necessary. Trusted users shouldn’t ever have a reason to detect silent security. This approach can protect your networks and data using multifactor authentication when necessary, instead of as a rule. IT teams can choose between automated frameworks for authentication to streamline the complex process of governing users and identities.

Behavioral analytics are at the core of silent security frameworks. By creating user profiles, machine learning algorithms can track data access and actions over time to identify potentially risky users based on real-time updates to risk scores. The system can continually enforce least privilege and granular access control, and audit and manage accounts based on user needs for data access.

Silent security is more effective than no-privilege approaches to security because it gives the IT team a streamlined, frictionless framework for identity and access management. This approach ensures that employees have access to the right data at the right time and helps security professionals prevent superfluous access. A defined framework for frictionless security allows the enterprise to simplify compliance and pursue digital transformation.
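The following is an added illustration, not code from the article or from any product it mentions, of the risk-based policy the two preceding sections describe: a login that matches the user's behavioral baseline passes silently, an unfamiliar device or location triggers step-up MFA, and a live session for the same account from another country (the shared-credential pattern from the opening contractor scenario) pushes the decision toward denial. The signal weights, thresholds and login records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Behavioral baseline built from a user's past successful logins."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)

# Constructed login history and currently active sessions (not real data).
HISTORY = [
    {"user": "alice", "device": "laptop-a1", "country": "US", "hour": 9},
    {"user": "alice", "device": "laptop-a1", "country": "US", "hour": 10},
    {"user": "alice", "device": "phone-a2", "country": "US", "hour": 14},
    {"user": "webdev", "device": "desk-w1", "country": "US", "hour": 11},
]
ACTIVE_SESSIONS = {"webdev": [{"device": "desk-w1", "country": "US"}]}

def build_profiles(history):
    """Aggregate known devices, countries and login hours per user."""
    profiles = defaultdict(Profile)
    for ev in history:
        p = profiles[ev["user"]]
        p.devices.add(ev["device"])
        p.countries.add(ev["country"])
        p.hours.add(ev["hour"])
    return profiles

def risk_score(ev, profile, active_sessions):
    """Add assumed weights for each signal that departs from the baseline."""
    score = 0
    if ev["device"] not in profile.devices:
        score += 40   # unfamiliar device
    if ev["country"] not in profile.countries:
        score += 30   # unfamiliar location
    if ev["hour"] not in profile.hours:
        score += 15   # outside usual working hours
    # Another live session for the same account from a different country
    # is the classic sign of a shared or leaked credential.
    if any(s["country"] != ev["country"] for s in active_sessions.get(ev["user"], [])):
        score += 30
    return score

def decide(score):
    """Silent allow below 30, step-up MFA below 70, otherwise deny (assumed thresholds)."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up-mfa"
    return "deny"

def evaluate(ev, profiles=None, active_sessions=ACTIVE_SESSIONS):
    """Return (score, decision) for one login attempt."""
    profiles = profiles if profiles is not None else build_profiles(HISTORY)
    score = risk_score(ev, profiles[ev["user"]], active_sessions)
    return score, decide(score)
```

Only the second and third cases below are ever visible to the user; the first passes with no prompt at all, which is the point of the approach.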

Transform Access Control

The average American adult has 130 unique password-protected accounts, according to a report from Dashlane. This drives enterprise users to cope with password fatigue by recycling credentials or employing risky workarounds. Single sign-on (SSO) capabilities relieve users of the mental load of remembering many different passwords with a unified authentication pathway into all workplace applications.

Business managers can group employee access to lower-risk apps and grant permissions based on business activity and need. The result is more flexible, user-friendly authentication that can bridge the gaps in access control as organizations pursue digital transformation.

Stay Ahead of Compliance

The average cost of regulatory noncompliance has increased 45 percent since 2011 to $14.8 million in 2017, according to Ponemon Institute and Globalscape. Silent security can help IT and risk professionals stay ahead of changing regulatory requirements with access audits and tools to prove compliance. Leaders can quickly gain visibility into policies and access and streamline communications between business and IT around access decisions. By tracking compliance in real time, organizations can continuously tune their governance strategy for easier audit cycles.

Streamline the Future

“Identity is its own solar system. Its own galaxy,” said Robert Herjavec, CEO of global IT security firm Herjavec Group, as quoted by Dark Reading. “The problem with users is that they’re interactive.”

Enterprises need solutions to handle the growing complexity of governing users and identities. Both overprivileged frameworks and no-privilege solutions can present productivity and security risks in a complex network of mobile workers, smart devices and workplace apps. Identity is the new enterprise perimeter, and smarter access management requires silent solutions to balance security, productivity and compliance.
