Exclusive: Ping Identity on security risk mitigation

19 Feb 2019

Organisations of different sizes and functions face different risks and, as such, need different security measures in place to mitigate them.

Businesses need to make sure they are shoring up their cyber-defences in the current data breach climate, especially as more critical data gets stored in the cloud.

Techday spoke to Ping Identity chief customer information officer Richard Bird about the most reliable authentication methods available and how organisations should be utilising them.

What defines effective security controls for organisations of different sizes?

Effective security controls are measured and defined by the direct mitigation of inherent and residual risk. The value of aligning controls to risk reduction is that the size of an organisation isn't a determining factor for which controls and solutions to invoke.

A small law firm that specialises in international high net worth clients might have huge risks to manage with advanced security controls, while a massive call centre-oriented company might have significantly less risk by comparison.

Effective security controls, then, are the ones that directly address the risks faced by each, whether that be a loss of client wealth data or a denial of service attack on an IP phone network.

What are the strengths and weaknesses of the most popular methods of authentication at the moment?

Two-factor authentication and multi-factor authentication are the two primary methods used today.

When two-factor authentication first arrived on the scene it was based on something you have (a token, for instance) and something you know (mother's maiden name).

The weaknesses quickly became evident when both social engineering and massive social media breaches made the "what you know" portion either easily knowable or easily guessable by someone other than you.

Multi-factor authentication seeks to replace the question component of two-factor authentication with device-based authentication confirmations like SMS texts, biometric recognition on your mobile or some other form of continuously changing data.

MFA has proven to be a much stronger authentication approach, but its weakness is adoption, as many companies see it as onerous or burdensome for their users or customers.

How can organisations use this information to their advantage?

It comes back to risk.

If an organisation has what it perceives to be varying risks that their employees or customers may represent to the data or operations of the company, then applying stronger authentication or authentication measures that mitigate risk is a strategy to both improve security and user experience.

Adaptive authentication seeks to mitigate the friction faced by a user by applying the right authentication factors to a user based on their relative risk to the company.

The most important takeaway for an organisation is that acceptance by the user and an application of the right amount of control will yield a much better result in mitigating risk for a company than a blanket "one-size-fits-all" approach to the problem.

How does this affect companies hosting data in multicloud infrastructures?

The inescapable reality for cloud-hosted infrastructure or applications that companies have to come to terms with is that the primary security control will become authentication.

Whether it be a multi-cloud infrastructure or a single tenant cloud, if a company cannot answer a simple question with 100% certainty, then their cloud deployments will be at even higher risk than their on-premises infrastructure and applications.

And that question is: are you who you say you are? And why is a failure to answer that question successfully a higher risk in a multi-cloud infrastructure?

Because companies that are hosting in the cloud are no longer directly monitoring or managing their infrastructures, and cloud-hosting providers don't have the business background or context to adequately determine if someone's credentials have been usurped by a hacker or bad actor.
