To scale more efficiently and serve customers better, companies are moving more workloads and services to the cloud. According to IDG, 37 percent of companies are increasing their digital business, and 45 percent are in the process of becoming digital-first businesses. In fact, almost half of executives believe the digital sphere will help drive bottom-line revenue growth.
But digital transformation also brings a new set of worries about security. Managing access to company information no longer means simply checking security badges at the front entrance. IT departments now have to deal with a multitude of remote users, including employees, partners, and customers.
Getting identity access management right is critical in the age of the cloud. Forecasts from Gartner predict worldwide spending on information security to hit $124 billion as a result of the increase in cybersecurity threats and the impact to organizations. Attacks are growing more sophisticated as hackers realize the money to be made from selling corporate data. Cybercrime is now more profitable than the global trade of all major illegal drugs combined.
Managing digital access requires you to create a new set of rules to monitor who does what, so that a bad actor is less likely to slip in. Here’s a basic outline of what you need to do:
1. Prioritize your risks
Do a thorough review of your existing cloud-based apps and determine which ones have the highest risk. If you collect personally identifiable information from customers, it should be at the top of your list.
That may sound like a no-brainer, but sometimes organizations are so focused on growth and the bottom line that they neglect security basics. Government hearings recently revealed that Equifax, whose massive breach affected more than 147 million people, failed to encrypt its customer data.
Don’t let your company become the next embarrassing headline. First, make sure your customer information is secure, then examine the rest of your apps, noting which would cause you the most damage if hacked. Fix any vulnerabilities you find as you move down the chain.
2. Write more secure apps
As the march to the cloud continues, you’re bound to develop new apps or revamp old ones. When you do so, be sure to secure them against the latest known threats. Micro Focus has a tool to simplify the process.
Use smart authentication
Some situations require more vigilance than others. Smart authentication systems use machine learning techniques to determine when additional access measures are called for.
For example, if your employee, Sarah, logs onto an enterprise app every day from her New York office, a simple username and password may suffice (depending, of course on her access privileges — but that’s another story. If Sarah tries to log on from a coffee shop in Jakarta, your authentication system should call for additional controls, such as a code delivered by text message or a fingerprint or voice scan.
As the authentication system gets to know where users tend to be and which apps they normally use, it makes smart decisions about providing access. If Sarah repeatedly tries to get into the corporate financial database, which she doesn’t normally use and where she does not have access privileges, the system should cut off her access to all company apps and notify the security team. Her account may have been hacked, and the hacker could be testing the waters to see which corporate databases he can get into. Someone on the team needs to call Sarah and ask what’s going on, denying access until the incident is resolved.
Your authentication system should also make sure that former employees, partners, and contractors no longer have access to company files. Many companies forget this important step. In addition to being a security threat, providing app access when it’s not needed costs you money, since you pay according to the number of users.
4. Keep on top of updates and patches
Beyond doing an initial security assessment, you don’t have much control over the third-party apps and software your company uses. Nevertheless, you should make sure updates are implemented as quickly as possible throughout the organization. Though the providers don’t say so, many updates don’t just add new features — they patch newly-discovered security holes.
The Equifax breach resulted from failure to patch a two-month-old bug in the Apache Struts web application framework (though if the company had encrypted its data, the breach would have provided the hackers only a meaningless string of numbers, letters, and symbols.)
Equifax isn’t alone here. Just about 60 percent of businesses that incurred a breach in the last two years note that it happened as a result of failing to patch vulnerabilities. If your IT department can’t keep up with patches, think about hiring outside help. It’ll cost you a lot less than a breach.
It’s no surprise that companies are moving more apps and services to the cloud. Digital transformation can jumpstart products, accelerate growth, and improve customer relations. But if you don’t control access properly, it can also create a security nightmare. Before you leap to the cloud, you need to make sure you have a secure identity access management system in place.
Culled from Infosec News Ireland