Story image

Exclusive: Ping Identity on security risk mitigation

19 Feb 2019

Organisations of different sizes and functions face different risks and as such, need to have different security measures in place to mitigate them.  

Businesses need to make sure they are shoring up their cyber-defences in the current data breach climate, especially as more critical data gets stored in the cloud.

Techday spoke to Ping Identity chief customer information officer Richard Bird about the most reliable  authentication methods available and how organisations should be utilising them. 

What defines effective security controls for organisations of different sizes?

Effective security controls are measured and defined by the direct mitigation of inherent and residual risk. The value of aligning controls to risk reduction is that the size of an organisation isn't a determining factor for which controls and solutions to invoke.

A small law firm that specialises international high net worth clients might have huge risks to manage with advanced security controls while a massive call centre oriented company might have significantly less risk by comparison.

Effective security controls then are the ones that directly address those risks faced by each; whether that be a loss of client wealth data or a denial of service attack on an IP phone network.

What are the strengths and weaknesses of the most popular methods of authentication at the moment?

Two-factor authentication and multi-factor authentication are the two primary methods used today.

When two-factor authentication first arrived on the scene it was based on something you have (a token, for instance) and something you know (mother's maiden name).

The weaknesses quickly became evident when both social engineering and massive social media breaches made the "what you know" portion either easily knowable or easily guessable by someone other than you.

Multi-factor authentication seeks to replace the question component of two-factor authentication with device-based authentication confirmations like SMS texts, biometric recognition on your mobile or some other form of continuously changing data.

MFA has proven to be a much stronger authentication approach but its weakness is adoption, as many companies see it is onerous or burdensome for its users or customers.

How can organisations use this information to their advantage?

It comes back to risk.

If an organisation has what it perceives to be varying risks that their employees or customers may represent to the data or operations of the company, then applying stronger authentication or authentication measures that mitigate risk is a strategy to both improve security and user experience.

Adaptive authentication seeks to mitigate the friction faced by a user by applying the right authentication factors to a user based on their relative risk to the company.

The most important takeaway for an organisation is that acceptance by the user and an application of the right amount of control will yield a much better result in mitigating risk for a company than a blanket "one-size-fits-all" approach to the problem. 

How does this affect companies hosting data in multicloud infrastructures?

The inescapable reality for cloud-hosted infrastructure or applications that companies have to come to terms with is that the primary security control will become authentication.

Whether it be a multi-cloud infrastructure or a single tenant cloud, if a company cannot answer a simple question with 100% certainty, then their cloud deployments will be at even higher risk than their on-premises infrastructure and applications.

And that question is: are you who you say you are? And why is a failure to answer that question successfully a higher risk in a multi-cloud infrastructure?

Because companies that are hosting in the cloud are no longer directly monitoring or managing their infrastructures and cloud-hosting providers don't have the business background or context to adequately determine if a someone's credentials have been usurped by a hacker or bad actor.

Five things MSPs need to keep in mind in 2019
A Datto APAC channel exec outlines the most important factors for MSP to being paying attention to in the coming year.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Nozomi and RIoT to deliver advanced ICS security solutions to Australia
''As a specialised integrator of robust and resilient ICT and IoT solutions within Australia, we are delighted to be partnering with Nozomi Networks."
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.