Unsurprisingly, Verizon’s 2019 Data Breach Investigations Report doesn’t make for comfortable reading.

In 2018:

• 43% of security breaches involved small businesses
• 52% involved hacking (69% of the attacks proved to be the work of outsiders)
• 33% were through social media
• 28% involved malware.

(Verizon, 2019)

What’s also important to note is that C-level executives were 12 times more likely to be the target of a social engineering incident and nine times more likely to be the target in a breach caused by social engineering. Given this much higher target rate, it’s clear that modern cybercrime organizations are deducing that there’s higher value in a more targeted, high level attack (Barth, 2019).

Unfortunately, for many businesses, and despite the increased risks and chances of hacking, they are still using outdated methods and approaches. What’s worse is that some are even following the same approach to cyber security today as they were a decade or so ago.

As we mention in our Anatomy of a Cyber Attack white paper, that’s simply not going to work in today’s business theater. So much so that

Businesses Should Assume They Have Already Been Hacked and Are Currently Under-Siege

Seriously, that is the best, easiest, and most practical way to look at your security efforts to date.

Suffice it to say that, if information security is something you’ve been lackadaisical with up to now, today’s the day… [you need to change that]. You need to get wise to what’s happening. Before it’s too late.

Yes, there is a lot of information out there (much of it false), and though not having enough information can be fatal, the opposite is also true.  Either one can lead to 3 critical issues:

• ineffective planning
• insufficient mitigation of risks
• inability to recover quickly following a breach.

With that last point, above, you don’t need us to tell you how important your customers are to your business.

In terms of numbers, Bryan Littlefield, CISO of Aviva, said that following a customer data breach, research suggests that of those customers who are thinking of cancelling their account with you, 50% of them actually will (Out-law News, 2015).

That long-standing relationship you’ve been building… destroyed.

That trust level you hold so dear to your heart and have painstakingly nurtured… gone, In an instant.

Cyber Security is Not Something That Only Others Do

Moreover, the days where security was considered to be extraneous or a separate arm of the business are long gone. Indeed, security must work as a  “…flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.” (Sartin as quoted in Guta, 2019)

We do have more information on cyber-attacks (and you can download our paper at the bottom of this page), but for now we advise you to take this approach:

1. Assume you’re already under-siege. You need to fight back.
2. Work inside out. Adopt a defensive posture, start from the core, and ‘clear and secure your lines’, all the way to the external perimeter of your organization.
3. All the while, rethinking your security approach and how you’re going to make it as hard as possible for the hacker/attacker in the future.

That’s what you need to do.

Naturally, you’re here on our webpage, on our site, so we’re going to offer advice on what works for us (‘us’ being our clients, customers, and partners) and what we ourselves recommend.

Identity Access Management and Zero Trust

We recommend Identity Access Management. In particular, what we call Zero Trust.

Zero Trust follows the 3 fundamental principles of never trust, always verify, and always enforce least privilege. (We have a white paper called Identity is the New Perimeter: Zero Trust is its Firewall where we talk more about that.)

In its simplest form, Zero Trust involves an identity verification and authentication portion. If these are incorrect then the rest fails.

With that in mind, let’s take a closer look at the anatomy of a cyber-attack (if you want to jump straight to the white paper, click here).

Caveat: before we go any further, we’re not for 1 second suggesting that you haven’t been taking security seriously. It’s just that as someone for whom this is our ‘meat and potatoes’ (or bread-and-butter, if you’re British), we know full well how overwhelming security can be.

Not least because of the rate with which the tech is changing, but also because of the myriad of terms and definitions, and all the rest of it.

That’s one of the main reasons we created this white paper. Others include helping you to cut through all that noise, to eliminate that chaff, so you get an easy to read, understand and digest picture off what’s going on.

The Anatomy of a Cyber Attack

The Anatomy of a Cyber Attack white paper covers the following:

• An overview of cyberattacks and how the landscape is changing. One of the problems of today is that “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed” (Sartin, 2019).
• The architecture of the modern attack, including phishing and social Engineering
• The danger of local admin privileges and cached passwords
• Attacks to Kerberos and Active Directory
• The consumerization of hacking
• Can we keep the hackers out?
• Assume breach – now what?
• Other tips to discourage hackers. These include preventing users from being local admins, avoid group nesting, and use dedicated secure admin workstations for admin tasks, etc.

Understanding what constitutes a cyber-attack is just 1 weapon that you will need in your arsenal: it’s only one of the steps you must take. I hope you’re like me and, when you see people reminiscing on or about the good old days, you smile. I’m happy for them–seriously happy. From my own perspective, life outside of cyber security must seem a trifle mundane. Admittedly, I don’t dwell long, because what we’re seeing and experiencing in cyber security now is unprecedented. Sure, today might be a great day, but let’s use that time wisely and prepare for tomorrow, too.

Click on the link below to download the white paper:

Download the White Paper\

 

“They came on in the same old way – and we defeated them in the same old way.”

Though it could easily be used today, that quote does have rather more deep-rooted origins. The speaker was Arthur Wellesley (though you may know him by his more common titles of The Duke of Wellington and, later, Prime Minister of Great Britain). He spoke those words after his and Field Marshall Blucher’s combined Allied forces had just defeated Napoleon at the Battle of Waterloo.

Without going into the details of the battle itself, the outcome was quite significant in several ways:

• Napoleon’s tactics at Waterloo were both out of date and inflexible
• His battle plan lacked finesse, consisting only of repeated ‘in your face’ brute force attacks
• The outcome of this helped shape the future of Europe for almost 100-years
• Given ‘The Battle of Waterloo’ was in 1815, it does, in fact, predate the on-going debate about RBAC v ABAC which still persists today.

Okay, that last point is stretching a little white lie (a hint of a joke, as it were). But If you’ll permit me, I’ll tell you 2 specific reasons why it does fall flat on its face:

• The RBAC v ABAC debate is now in its 22nd year (yes, it began in 1997)
• Like Napoleon at Waterloo, if you honestly expect to win today’s battle with yesterday’s tactics then you’re going to lose.

Unfortunately, and we know this firsthand, some companies still are using old systems, old methods, and old tactics.

(Please tell us this isn’t you, though?)

Your Attacker is Getting Cleverer

One glance at the news tells you that your attacker is getting cleverer. (It might also be a concern to know that there are a lot more attackers out there since hacker tools became more commercialized. If you want to learn more, then click here to get our The Anatomy of a Cyber Attack white paper.

Make no bones about it, your attacker is getting cleverer, more devious, and increasingly skillful–they’re evolving. And though steam rolling in with brute force methods might be just one part of their plan, unlike Napoleon on that fateful day, we both know they’ll adapt and move on to other means as soon as necessary.

This isn’t hyperbole, either.

You’ve likely seen or heard all of the scare tactics, the dire threats, the ‘end of the earth as we know it’ (if you haven’t, let us know and we’re more than happy to fire some your way).

But here at EmpowerID, where cybersecurity, RBAC and ABAC, and your security is concerned, we prefer to stay a little more grounded. A little more pragmatic.

The Cyber Threats Are Real

But make no mistake…

Don’t think for a minute that the threats aren’t real–because they are.

You and I both know, full well, that your attackers’ plans are evolving continuously.

Unfortunately, the very nature of cybersecurity is that they’re likely to be evolving far faster than you or any of us can ever react.

However, it isn’t all 1-way and isn’t all doom and gloom. There are steps we can take to mitigate this. To limit the chances of them being successful.

We can’t stop them from selecting us as their target, but our goal here, of course, is to make it so difficult that they move onto easier pickings. They turn their attentions and efforts elsewhere.

Let’s not get ahead of ourselves just yet, though…

What Is Your Battle Plan?

A question for you:

When the attackers’ beady little eyes do eventually turn to and focus on you, what exactly is your battle plan?

At Waterloo, Wellington had surveyed that ground years 2 or 3 years before.

We both know we’ll never ever have that luxury.

Then what?

“But we’ll be okay,” said every single security consultant or manager in the world ever. (All the while secretly praying that they’re okay.)

And then they weren’t, of course (okay, that is).

Reading this, you, may very well think that we’re wrong.

If that’s the case, then tune into the media and watch or listen. Turn on your TV or radio, or tune in via your PC, whatever it is you use.

Because if the next security breach is not all over the news today, then it’ll be tomorrow or next week.

It’s only a matter of time.

As realists, we both know it’s coming.

We sincerely hope they’re not talking about you.

White Paper: Identity is the New Perimeter: Zero Trust is its Firewall

To learn more about constructing your organization’s defenses and laying out your battle plans, we have a white paper called ‘’Identity is the New Perimeter: Zero Trust is its Firewall.

In it, we talk about how identity and Zero Trust are where the 21^st century battle will occur. Zero Trust is founded on 3 fundamental principles:

• never trust
• always verify
• always enforce least privilege.

Quite simply, when a user attempts to access to your system, they have to verify and authenticate themselves. If they fail either, then they’re denied access.

Click here to download the Identity is the New Perimeter: Zero Trust is its Firewall white paper

 

Citizens of Turkey woke up Monday with the knowledge that a Citizenship Database has been publicly dumped for anyone in the world to download and view.

The dumped database included:

• National Identifier (TC Kimlik No)
• First Name
• Last Name
• Mother's First Name
• Father's First Name
• Gender
• City of Birth
• Date of Birth
• ID Registration City and District
• Full Address

 

 

This database leak underlines why it is important to encrypt data at rest.  Most IAM projects implement 443 for access to the product, secure DMZ firewalls and Role Based Access Controls but neglect to implement encryption for the identity warehouse.  EmpowerID fully supports encryption of information in our identity warehouse and has been able to validate our latest release 2016 using these same encryption methods.

EmpowerID utilizes transparent data encryption (TDE) which provides full database-level encryption. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards. TDE works at the file level, which is similar to two Windows® features: the Encrypting File System (EFS) and BitLocker™ Drive Encryption, the new volume-level encryption introduced in Windows Vista®, both of which also encrypt data on the hard drive.  This means that the identity and attribute information stored within EmpowerID will stay secure even if someone gets access to a backup of the database or gets access to the flat files from a server.

To learn more about how EmpowerID can utilize a fully encrypted database just click below.

 

Internal employees continue to pose biggest risk in security breaches.

Latest Experian security forecast - Cost of breaches in the healthcare industry could reach $5.6 billion annually.

How will the next identity spill happen?  The latest Experian data breach industry forecast points to your employees being the biggest threat.  Stronger external authentication and tighter protocols continue to miss the mark.  Employee negligence will continue to be the leading cause of security incidents in 2015.

Experian goes on to state that Healthcare breaches will continue to grow this year.  With the huge challenge of securing such a significant amount of data, the problem becomes even more serious when organizations are faced with a shortage of internal expertise.  With the majority of breaches originating from inside company walls, the report clearly indicates business leaders need to fight the root cause of data breaches rather than buy the latest security widgets.

What are some steps that you can take in your organization to prevent the next identity spill?

• Perform regular certification or attestation of application or role access.
• Implement automated provisioning and deprovisioning of identities
• Implement Role Based Access Control and Attribute Based Access Control
• Control  access to applications via a central identity provider
• Provide Self-Service password reset
• Implement strong authentication, regardless of the application

Preforming regular certification/attestation of access – At any time you need to be able to snapshot the access granted to a resource by roles, locations and person accounts.  Security assignments should be automated, but access should be certified and routed to an appropriate authorized person for review.  This review should verify the access and certify if it is valid or not.  A tool like EmpowerID makes certifications easy for the organization with scheduled certification and attestation policies that can be run and audited.

Implement automated provisioning/deprovisioning – Role based or attribute based access needs to be automatically and immediately provisioned or deprovisioned.  When an employee’s role changes, the resultant set of access needs to be calculated instantly.  Some application and resource access will be taken away and some will be granted.  Absence of role based deprovisioning is a root cause of an employee having too much access.  EmpowerID takes provisioning to the next level by allowing you to provision and deprovision based upon roles in the organization.

Implement RBAC & ABAC controls - You need an RBAC/ABAC engine to continuously evaluate how much access someone should or shouldn't have.  EmpowerID uses a hybrid approach with RBAC and ABAC adding in rules and even Separation of Duties enforcement.

Control access to applications via a central identity provider - Having users log into apps with a separate username and password is a recipe for disaster.  An IdP allows you to centrally validate someone’s identity and then assert that identity into applications wherever they are.  The EmpowerID IdP allows employees to search for applications that are granted for their role, removes ones that are not granted and provides the SSO into the application.

Provide Self-Service password reset - Let's face it, this not only tightens up security, but saves a lot of money.  EmpowerID provides full detailed audit trails of anything account related such as who changed the password, who approved it and more.

Implement strong authentication, regardless of the application - There are a lot of ways to get into your network.  The VPN, the email server and SaaS applications are all exposed entries into the protected network.  Do they all have the same authentication capabilities?  You need an authentication service that supports all the protocols, not just those most used.  EmpowerID can step up authentication at any level for any service.  The VPN, the routers, the SaaS apps, SharePoint, it doesn't matter.

The bottom line is this, an ounce of prevention is better than a pound of cure.  According to Experian the average cost per lost record is just under $200 dollars, with average total impact cost to your organization just under $4 million.  Click through below and let us show you how easy it is to automate access and control privilege in your environment.

“Organizations need to have the tools to manage these new access silos,” he told the opening session of the 2015 European Identity & Cloud (EIC) conference taking place in Munich.

During his Keynote discussion on day 1 Patrick identified the many limitations when managing new access silos in AWS and Azure.  

During day 2 Patrick discussed the role of IAM in hack prevention highlighting the recent Sony Pictures hack.

If you're around on the 7th you can catch his IAM best practices discussion from 12:00-13:00 PM or stop by for a discussion or deep dive demo to see what makes empowerID the best IAM Suite in the market today.  For those unable to attend in person empowerID will be sharing the presentations in the near future.

 

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.

• What methods does the authentication support?
• Can I migrate users by groups in the back end rather than cut everyone over at the same time?
• What kind of logging and reporting is available?
• How scalable is the solution?
• How are the configurations stored?

So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

1. Multiple users go to login to the NetScaler
2. The NetScaler takes in a username and password
3. This information is passed to empowerID's Radius endpoint
4. empowerID looks at the group membership of the user
5. One user will go through 2-factor authentication
6. One user will go through Single Factor authentication
7. Both users will be presented with the same information after authentication

This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:

1. What methods does the authentication support?

• empowerID supports Radius, LDAP, SAML, WS-Federation, WS-Trust, OAuth and more

Can I migrate users by groups in the back end rather than cut everyone over at the same time?

• Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.

What kind of logging and reporting is available?

• empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.

How scalable is the solution?

• 3-tier architecture model means you can easily scale to millions of users.

How are the configurations stored?

• empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

Ready to learn more?

 

EmpowerID has been recognized as a three time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) Product Suites.

The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

KuppingerCole, a respected global analyst focused on Information Security, examined Identity and Access Management / Governance Suites for this report. They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products. Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

To request an unabridged copy of the the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

 

Security for identities.  Managing user access to applications.  Auditing user access.

“Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to mantain.

After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  Built on a single codebase with a workflow core and shipping with hundreds of ready to deploy workflows, the CSO was impressed with EmpowerID's broad functionality and its ability to easily design and to automate complex IAM processes with its visual Workflow Designer. 

The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, is also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM.