Identity & Access

KuppingerCole Report: Leadership Compass of Access Management and Federation

Part of fixing any IT issue is finding the right solution for the problem and ensuring the issue will not happen again. One of the major struggles for the IT industry is finding the right vendors to enlist as protectors.

KuppingerCole’s Leadership Compass report on access management and federation aims to close the gap between the right solution and the right vendor.

Emerging business requirements, such as onboarding business partners, giving customers access to services and adopting new cloud services, require IT to respond with solutions for these new communication and collaboration needs. Access management and federation vendors are moving to address these needs and enable business agility.

With many vendors in this market segment, the KuppingerCole Leadership Compass provides an overview and analysis of the leading vendors and their strengths and weaknesses. The report serves as a guide for buyers to compare product features against their own requirements.

Read the KuppingerCole Leadership Compass report

Breaking Down the Leadership Ratings

When evaluating the different vendors and products, KuppingerCole looked into the aspects of overall functionality, size of the company, number of customers, number of developers, partner ecosystems, licensing models and platform support. Specific features, such as federation inbound, federation outbound, backend integration, adaptive authentication, registration, user stories, security models, deployment models, customization and multitenancy, were considered as well.

KuppingerCole produces several leadership ratings, including Product Leadership, Innovation Leadership and Market Leadership, which combine into an Overall Leadership rating. With this view, KuppingerCole gives an overall impression of each vendor’s offering in the particular market segment.

Product Leadership is based on analysis of product and services features and capabilities. This view focuses on the functional strength and completeness of each product.

Innovation Leadership focuses on a customer-oriented approach that ensures the product or service has compatibility with earlier versions, as well as supports new features that deliver emerging customer requirements.

Market Leadership is based on market criteria, such as number of customers, the partner ecosystem, the global reach and the nature of responses to factors affecting the market outlook. This view focuses on global reach, sales and service support, and successful execution of marketing strategy.


How IBM Ranks

IBM Security Access Manager (ISAM) is ranked as a leader in the Product, Market and Innovation Leadership categories. This rating reflects ISAM’s customer base, one of the largest of any vendor in the segment, a strong partner ecosystem, mature access management and strong adaptive authentication. ISAM is among the leading products in the access management and federation market and meets organizations’ growing lists of IT security requirements with broad feature support.

Read the Full Report

Check out the complete report to discover:

  • An overview of the access management and federation market;
  • The right vendor and right solution for your business; and
  • Why IBM ISAM is a leader in the Product, Market and Innovation Leadership ratings.


The post KuppingerCole Report: Leadership Compass of Access Management and Federation appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Kelly Lappin


Dark Web TLS/SSL Certificates Highlight Need for Shift to Zero Trust Security

More and more, organizations and end users are embracing encryption to protect their data and traffic. By far the most visible part of this adoption is the use of Hypertext Transfer Protocol Secure (HTTPS) for accessing websites. Unlike plain HTTP, which sends everything in clear text, HTTPS runs HTTP over Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). The TLS/SSL certificate identifies the server; the traffic itself is encrypted with session keys that client and server negotiate during the TLS handshake.

Does this mean that once you’ve implemented TLS/SSL certificates you should no longer worry? Not exactly. There are many cyberthreats that make it necessary to stay vigilant by following a zero trust security model.

Some of the latest threats originate from thriving dark web marketplaces for these certificates, which often come packaged with other cybercrime services. But before we get to that, a little more on HTTPS and TLS/SSL.

A Very Brief Introduction to HTTPS and TLS/SSL

HTTPS is HTTP with an extra layer on top, the TLS/SSL encryption layer. This layer ensures that both the client and the server can continue to speak HTTP with each other, but over a secure connection. Under normal circumstances, this serves three main purposes:

  1. Confidentiality — preventing others from reading your communications.
  2. Integrity — making sure the web content isn’t altered in transit.
  3. Authentication — ensuring that the client (your web browser, for example) is talking to the intended web server. Note that ordinary HTTPS authenticates only the server; the client is not authenticated unless client certificates are used.

Setting up a security layer on your web infrastructure and adding TLS/SSL certificates to your websites undoubtedly increases security and is in the interest of your customers and users. If there’s one key task you should tackle immediately it’s migrating all your existing HTTP-only sites to HTTPS versions. Although setting up HTTPS has now become a fairly easy process with the help of tutorials such as HTTPS Is Easy! and tooling such as Certbot, there are several key elements that you should be aware of.

When the secure layer is bootstrapped, a handshake takes place between the server and the client in which, among other things, the server proves its identity with its TLS/SSL certificate. The identity is a property of the certificate (the Subject Alternative Name entries) and states which domain names the certificate is valid for. During the handshake, the client checks that the certificate chains up to a certificate authority (CA) it trusts, that it matches the hostname being requested, that it is within its validity period and, depending on the client, that it has not been revoked. A certificate that fails any of these checks is not trusted, no matter how strong the encryption.

Proving Your Ownership of a Domain

To prevent people from acquiring a certificate for domains they do not own, a number of verification steps must be completed. These steps allow you to prove that you’re the rightful domain holder.

Depending on your certificate provider, you will need to prove that you control the DNS settings of the domain (by adding a TXT record, for example), have access to a specific email account belonging to that domain or are able to publish a text file on the public website of the domain. Automated issuers that speak the ACME protocol used by Certbot run the DNS and HTTP variants as challenges: the CA hands the client a random token, and the client publishes a value derived from that token and its own account key where the CA can fetch it.
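Here is how that challenge value is built, as an added example (not code from the original post, nor Certbot’s own code): a Python sketch of the ACME HTTP-01 and DNS-01 challenge responses. The account key, token and domain are constructed sample values; the thumbprint and hashing rules follow RFC 7638 and RFC 8555.

```python
"""ACME domain-validation challenge responses (RFC 8555), standard library only.

Added example: the CA supplies a random token; the client answers with a
value that also depends on its own account key, so the answer is tied to the
account that requested the certificate. Key material and token below are
constructed sample values, not real ones.
"""
import base64
import hashlib
import json
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of a public JWK: SHA-256 over the required members
    only, keys in lexicographic order, no whitespace. Optional members such as
    "kid" or "alg" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token.thumbprint: a value copied from someone else's challenge proves
    nothing for a different account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """HTTP-01: the CA fetches this path over plain HTTP on port 80 and expects
    the key authorization as the response body."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_txt_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """DNS-01: publish base64url(SHA-256(key authorization)) as a TXT record."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample account key (public part only; "n" is a dummy, not a real
# modulus) and a constructed token in the base64url form ACME servers hand out.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-dummy-modulus-bytes"),
              "kid": "https://acme.example/acct/1"}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"HTTP-01: GET http://example.com{path} must return {body}")
    name, value = dns01_txt_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'DNS-01:  {name} IN TXT "{value}"')
```

Running it prints the path and body an HTTP-01 responder must serve and the TXT record a DNS-01 responder must publish. The thing to notice is that the challenge format itself is sound; the weak spot is a CA that can be tricked into fetching the token from the wrong network, which is the BGP hijacking risk discussed later in this post.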

The next level of identity checks on the domain holder comes with Extended Validation (EV) certificates. Browsers used to display EV certificates differently, with a green bar, but after recent browser changes these visual differences are no longer immediately noticeable to users. Since most users can no longer visually tell EV and non-EV certificates apart, and since EV certificates are not cryptographically stronger or otherwise more secure on the wire, there is little extra value in paying for them.

HTTPS Doesn’t Mean Safe

A common misconception is that HTTPS automatically means safe. It doesn’t. The S stands for secure: the channel to the website is protected, but the website you reach over that channel can still harm you or your organization. Netcraft’s statistics on the number of phishing websites that use valid certificates demonstrate this well.

But this isn’t the only threat you should be aware of when it comes to website security.

An Emerging Black Market for TLS/SSL Certificates

Research from Georgia State University and the University of Surrey, sponsored by Venafi, described the appearance of thriving marketplaces for TLS/SSL certificates on the dark web. This type of marketplace might sound strange at first. After all, you can get certificates for free, so why would you want to pay extra for obtaining TLS/SSL certificates, let alone do it on the dark web?

However, if you take a closer look at what exactly is for sale, it becomes clear that these sales do not only include a certificate, but a larger package deal.

According to the researchers, these packages include cybercrime services such as malicious websites and ransomware, but also aged domains, website design services and payment services. Some packages even offer deals that help the buyer set up a company, together with all the necessary company documents and a Data Universal Numbering System (DUNS) number. The deal is then complemented with an EV-SSL certificate from a known certificate vendor.

What Risks Are Associated With This Market?

The threats associated with these dark web offerings are not immediately linked to weaknesses in the certificates themselves, but rather to the services that are provided via the secure website that’s part of the offering.

Phishing

Phishing websites that resemble legitimate websites remain a threat. But whether a phishing site was acquired via the dark web or not does not by itself increase the threat. Cybercriminals can already register new domains that resemble existing ones and obtain a valid certificate from a legitimate certificate provider outside the black market. The added advantage of these marketplaces, from an attacker’s point of view, is the inclusion of web design services and support.

Financial Loss

Another potential consequence of black market TLS/SSL certificates is financial loss due to fraud. Website visitors who assume they are dealing with a legitimate e-commerce site might be inclined to buy goods and pay for them with their credit card or other payment information.

Illicit websites often present themselves as a real online store that is protected with a proper certificate and accepts money via a trusted payment system. Even trained security professionals sometimes have a hard time differentiating between a legitimate business site and a malicious one.

Credentials Theft

Although we warn our users not to reuse passwords and ask them to create unique, strong passwords, we know that in practice this is not always the case. This leads to another risk: users signing up and creating detailed accounts on legitimate-looking business websites. The threat actors behind these fake sites not only capture any passwords entered, but also gain access to every other piece of personal information provided when setting up the profile.

From an attacker’s point of view, this becomes increasingly interesting when a victim signs up with his or her business email account or other credentials used to access corporate networks or resources. This kind of threat is typically deployed on fake online dating or job listing websites.

Man-in-the-Middle Attacks

Another risk that comes to mind with black market TLS/SSL certificates is attackers spying on encrypted traffic or conducting man-in-the-middle (MITM) attacks. A certificate for a domain the attacker registered does not, by itself, allow interception of traffic to someone else’s site: for that the attacker needs a certificate, and the matching private key, that the victim’s browser will accept for the target name. Interception has happened in the past through weaknesses in cryptographic libraries or in the protocol itself, the most prominent examples being Heartbleed (an OpenSSL implementation bug that could leak server memory, including private keys), BEAST (a weakness in TLS 1.0’s CBC mode) and Logjam (a downgrade to weak export-grade Diffie-Hellman parameters).

Besides abusing such vulnerabilities, skilled attackers can also attempt to steal the private key that belongs to a certificate. That almost always involves a breach of the company’s infrastructure by an attacker with advanced capabilities, which is why private keys belong in a hardware security module or, at minimum, on the server that uses them and nowhere else.

BGP Hijacking

Yet another important threat you should be aware of is Border Gateway Protocol (BGP) hijacking to obtain valid certificates — valid in the sense that the certificates have not been stolen from their rightful owner and that, according to the CA, the verification process succeeded. One method involves an attacker performing a local hijack to make the CA believe they own the targeted domain. The hijack redirects the network path, in particular the one the CA uses for validation, to a network under the attacker’s control. Although this only works well if the attacker is close enough, networkwise, to the CA and the victim is relatively far away, your incident response plan should take this risk into account. Two controls reduce the exposure: a CAA record (RFC 8659) in your DNS limits which CAs may issue for your domain, and some CAs now validate from several network vantage points so that a hijack near one of them is not enough. Monitoring Certificate Transparency logs for unexpected issuance for your own domains is how you detect a successful hijack after the fact.

How Do You Defend Against These Threats?

There is no single solution that you can apply as a defensive measure against these attacks. Instead, these are threats you can only combat with zero trust security, a layered defense model and security best practices. Get started by checking off some of these quick wins:

  • Don’t rely on certificate pinning in browsers: HTTP Public Key Pinning (HPKP) has been deprecated and removed from the major browsers. Use Certificate Transparency (CT), the open framework for logging and auditing issued certificates, to monitor what has been issued for your domains instead. Pinning still has a place in mobile apps and other clients you control.
  • Monitor CT logs for issued certificates whose names closely resemble your organization or products. This can alert you when attackers start targeting your brand, sometimes before a campaign has even started.
  • Monitor and possibly block domains that receive a high deceptive (lookalike) domain score from your DNS or threat intelligence provider.
  • Subscribe to the feeds provided by initiatives such as PhishTank or OpenPhish to proactively block access, and review the proxy logs for access attempts.
  • Filter access to newly observed domains (NODs). Be aware that some offerings in the marketplace provide packages of “aged” domains, bypassing this protection measure.
  • Subscribe to a threat feed or collaborate closely with an information sharing and analysis center (ISAC) or computer security incident response team (CSIRT) to get timely updates about new malicious sites.
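The second and third items above, monitoring for lookalike names and scoring deceptive domains, can be implemented in a few dozen lines once you have a feed of issued certificates. The following is an added example, not code from the original post: the brand names, weights, confusable characters and Certificate Transparency entries are all constructed, and a production tool would use the full Unicode confusables table and the Public Suffix List rather than the shortcuts noted in the comments.

```python
"""Lookalike-domain scoring for certificate transparency (CT) log entries.

Added example: a small offline detector that flags certificates issued for
names resembling your brand. Brand names, weights, lure words and the sample
CT entries are assumed/constructed.
"""
import unicodedata
from typing import Dict, List, Tuple

OWNED_DOMAINS = {"examplebank.com", "examplebank.net"}   # assumed: what you own
BRAND_LABELS = {"examplebank"}                             # assumed: what gets imitated
LURE_WORDS = {"login", "secure", "verify", "account", "update", "support"}
# A few Cyrillic letters that render like Latin ones; a real tool would load
# the full Unicode confusables table.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
                             "\u0458": "j"})
FLAG_THRESHOLD = 50


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label: str) -> str:
    """Lowercase, decode punycode, fold confusables and strip diacritics."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable punycode: score the raw label instead
    label = unicodedata.normalize("NFKD", label).translate(CONFUSABLES)
    return "".join(c for c in label if not unicodedata.combining(c))


def score_name(name: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one DNS name found in a certificate."""
    raw_labels = [l for l in name.lower().split(".") if l and l != "*"]
    if len(raw_labels) < 2:
        return 0, []
    # Simplification: the last two labels are the registrable domain. Use the
    # Public Suffix List in production or "examplebank.co.uk" is mis-split.
    if ".".join(raw_labels[-2:]) in OWNED_DOMAINS:
        return 0, ["owned domain"]
    score, reasons = 0, []
    if any(l.startswith("xn--") for l in raw_labels):
        score += 20
        reasons.append("punycode label")
    for label in map(normalize_label, raw_labels):
        for brand in BRAND_LABELS:
            if brand in label:
                score += 60
                reasons.append(f"brand {brand!r} inside {label!r}")
            elif levenshtein(label, brand) <= 2:
                score += 50
                reasons.append(f"{label!r} within 2 edits of {brand!r}")
        if any(w in label for w in LURE_WORDS):
            score += 10
            reasons.append(f"lure word in {label!r}")
    return score, reasons


def scan_ct_entries(entries: List[Dict]) -> List[Dict]:
    """Score every name in a batch of CT-style entries; return those worth an alert."""
    alerts = []
    for entry in entries:
        names = {entry.get("subject_cn", "")} | set(entry.get("san", []))
        for name in sorted(n for n in names if n):
            score, reasons = score_name(name)
            if score >= FLAG_THRESHOLD:
                alerts.append({"name": name, "issuer": entry.get("issuer"),
                               "score": score, "reasons": reasons})
    return alerts


# Constructed sample: a Cyrillic "a" in place of the Latin one, as it would
# appear in a certificate (punycode).
CYRILLIC_LOOKALIKE = "ex\u0430mplebank.com".encode("idna").decode("ascii")

SAMPLE_CT_ENTRIES = [  # constructed, not real log data
    {"subject_cn": "www.examplebank.com", "san": ["examplebank.com"], "issuer": "Trusted CA"},
    {"subject_cn": "examplebank-login.com", "san": [], "issuer": "Free CA"},
    {"subject_cn": "exampIebank.com", "san": ["www.exampIebank.com"], "issuer": "Free CA"},
    {"subject_cn": CYRILLIC_LOOKALIKE, "san": [], "issuer": "Free CA"},
    {"subject_cn": "secure-login.example.org", "san": [], "issuer": "Free CA"},
    {"subject_cn": "examplebank.com.evil.net", "san": [], "issuer": "Free CA"},
]

if __name__ == "__main__":
    for alert in scan_ct_entries(SAMPLE_CT_ENTRIES):
        print(alert["score"], alert["name"], "<-", "; ".join(alert["reasons"]))
```

The owned-domain check deliberately runs on the raw labels before confusable folding; otherwise the Cyrillic lookalike would fold to your own domain and be whitelisted, which is exactly the trick it relies on.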

Further enhance your defenses with the following best practices for zero trust security:

  • Encrypt your internal traffic, especially in environments that utilize single sign-on (SSO). It’s important that every resource that requires authentication supports an encrypted communication channel.
  • Implement role-based access and make sure that users are only put in groups that are strictly necessary to do their job. Avoid having too many users with escalated privileges.
  • Lock down the environment in which users work, possibly giving them thin clients or systems that are restored to a known good image overnight.
  • Monitor your entire IT environment, including endpoints, servers and internal network traffic, and consider applying advanced technologies such as artificial intelligence to help.


This post appeared first on Security Intelligence
Author: Koen Van Impe


Reap the Promise of One and Done Authentication With SSO

Every day, the average business employee inputs credentials to authenticate identity and access apps and sites several times — using one of the 8–12 passwords the average person has, according to the “IBM Future of Identity Report.” If you get your password wrong too many times, you’re locked out and you call the IT help center to reset it, again. Which leads you, the help center and the system administrator all to think there must be a better way. Fortunately, there is single sign-on (SSO).

What is SSO? It’s a user authentication technology that requires only one set of credentials to provide access to everything you need. Once you’re authenticated on a centralized platform in an enterprise, for example, you can use a range of applications — from on-premises programs to cloud resources to software-as-a-service (SaaS) apps such as Salesforce and Office 365 — without logging in and out again.

Eliminate the Problems With Passwords

A typical employee may start with only a few credentials, but after a few weeks or months, that number will quickly increase. Furthermore, according to the “Future of Identity Report,” only 42 percent of millennials use complex passwords (versus 49 percent of people over the age of 55) and 41 percent reuse the same password multiple times (versus 31 percent). Administrators may be sympathetic to password fatigue and interrupted user experiences, but security is an even greater concern. Verizon’s “2018 Data Breach Investigations Report” listed stolen credentials as one of the leading causes of data breaches.

What users are accessing with those passwords is also critical; another key factor behind many breaches is the abuse of access privileges. Many enterprises fail to implement access management solutions that ensure employees have only the privileges they need to do their jobs. This puts the organization at greater risk given that insider threats are at the root of 60 percent of cyberattacks.

If you’re an administrator, you oversee databases that hold passwords, permissions for access to applications and resources, help center troubleshooting and support to change credentials, and training to keep users from falling for phishing scams or other hacks that could result in a breach. That can be a lot, especially for larger companies with hundreds or thousands of employees.

The solution is to take part of the security burden off users by eliminating the need for multiple passwords.

Implement SSO for Seamless User Experiences

Single sign-on changes how authentication and identity and access management work. Without it, when you sign up for an application, the server first checks whether you already have an account. If not, it stores your email address and a salted hash of your password (never the password itself) in its database. When you log in, the server creates a session and hands your browser a session token, which the browser stores in a cookie and presents on each request to show you are logged in. The next time you log in, the server hashes the password you type and compares the result with the stored hash, and you are either in or out.

With federated SSO, however, you get another option. You have probably been asked whether you want to sign up for an app or site using Facebook or Google, for example. A few standards make this possible: Security Assertion Markup Language (SAML), the older XML-based standard used mostly for enterprise federation; OAuth 2.0, a framework for delegated authorization that lets a third-party app obtain limited access to your data at the provider; and OpenID Connect (OIDC), an identity layer on top of OAuth 2.0 that tells the app who you are. Consumer “Sign in with …” buttons are built on OIDC.

You choose your provider — say, Google — and the third-party site redirects you there. If you are not already logged in to Google, you log in, and then you choose what information you are willing to share with the third party. Google authenticates you against its own credential store and sends the site back a signed ID token (plus an access token for any data you agreed to share). The site must validate that token before trusting it: check the signature against Google’s published keys, the issuer, that the audience is the site’s own client ID, the expiry and the nonce tied to the login request. Once validated, the site can associate you with the data you agreed to share, such as preferences or previous purchases, and you can move between applications you have access to without logging in each time.
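The token validation step is where many SSO integrations go wrong, so here is an added example, not code from the original post, of what a relying party has to check on an OpenID Connect ID token. It uses the HS256 (client secret) signing option that OpenID Connect Core permits so it runs with only Python’s standard library; real providers such as Google issue RS256 tokens that you verify against their published JWKS with a JOSE library, but the claim checks are identical. The issuer, client ID, secret and claims are constructed.

```python
"""Validating an OpenID Connect ID token on the relying-party side.

Added example: the checks a site must do on the token it receives after
"Sign in with <provider>". HS256 keeps it standard-library only; the claim
checks are the same for RS256. Issuer, client ID, secret and claims are
constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """What the identity provider produces (used here only to build inputs)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, *, issuer: str, client_id: str, secret: bytes,
                    nonce: str, now: Optional[int] = None, leeway: int = 60) -> dict:
    """Return the claims if every check passes; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"malformed token: {exc}") from exc
    # 1. Algorithm allowlist: never trust the token's own "alg" (blocks alg=none
    #    and key-confusion downgrades).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Signature, compared in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    # 3. Issuer must be the provider you configured.
    if claims.get("iss") != issuer:
        raise TokenError(f"wrong issuer {claims.get('iss')!r}")
    # 4. Audience must include this client; a token minted for another app
    #    must not log anyone in here.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise TokenError("token not intended for this client")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise TokenError("multiple audiences without matching azp")
    # 5. Freshness.
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise TokenError("token issued in the future")
    # 6. Nonce binds the token to the login request that started this flow (anti-replay).
    if claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def verdict(token: str, **kw) -> str:
    """'ok' or the reason the token was rejected; handy for logging."""
    try:
        verify_id_token(token, **kw)
        return "ok"
    except TokenError as exc:
        return str(exc)


# Constructed sample values (not a real provider, client or secret).
ISSUER = "https://idp.example.com"
CLIENT_ID = "hr-portal"
SECRET = b"constructed-client-secret-do-not-reuse"
NOW = 1_700_000_000
NONCE = "n-0S6_WzA2Mj"
GOOD_CLAIMS = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": NOW - 5,
               "exp": NOW + 300, "nonce": NONCE, "email": "alice@example.com"}

if __name__ == "__main__":
    tok = mint_id_token(GOOD_CLAIMS, SECRET)
    print(verdict(tok, issuer=ISSUER, client_id=CLIENT_ID, secret=SECRET, nonce=NONCE, now=NOW))
    print(verdict(mint_id_token({**GOOD_CLAIMS, "aud": "other-app"}, SECRET),
                  issuer=ISSUER, client_id=CLIENT_ID, secret=SECRET, nonce=NONCE, now=NOW))
```

The audience check is the one to get right in an enterprise with many SSO-enabled apps: every app shares the same identity provider, so a token issued for the cafeteria app must not open the HR portal.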

A Win-Win for Users and Administrators

It’s easy to see why users would love SSO, whether they’re at home or at work. In the enterprise, they can use one set of credentials to access all their apps instead of remembering, looking up and frequently resetting multiple passwords. New users can sign up for accounts easily and securely, using a provider they already trust.

Administrators, on the other hand, can securely provide access to resources and applications, whether they’re on premises, in the cloud or in a hybrid cloud. But to reduce risk, it’s critical to focus on security as well as convenience.

Ensure the Upside Isn’t a Downside

Forrester emphasizes that authentication is mission-critical infrastructure in “Now Tech: Authentication Management Solutions, Q3 2018.” If an SSO provider experiences a security breach or an authenticator goes down, users can’t get online. And if only one set of credentials is needed to access a multitude of apps and resources, the security around those credentials must be ironclad. After single sign-on implementation, compromised credentials give a threat actor entry not just to one resource, but all of them.

More secure authentication should include access without passwords, such as scanning a code with a user’s phone; frictionless biometrics, such as fingerprint, voice or face recognition; and geolocation. For example, IBM Cloud Identity provides seamless and secure authentication for native, web, mobile or cloud applications via biometrics, FIDO2, Universal Second Factor (U2F), Face ID, Touch ID, email/SMS one-time passwords or soft tokens. The solution can also reduce reliance on passwords by providing multifactor authentication (MFA) to any target system, including virtual private networks (VPNs), mainframes, Linux or desktop. Of these options, SMS one-time passwords are the weakest, since they can be intercepted or redirected through SIM swapping; prefer FIDO2/U2F authenticators wherever the application supports them.

An ideal solution will also incorporate risk-based authentication. For example, an employee logging in from her desktop at 2 p.m. on a workday may gain access with just a single password, but a user across the globe logging in on a new device at midnight may require MFA.
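As an added illustration of that policy, not code from the original post, the following risk engine scores a login from device, time-of-day and travel signals and returns the assurance level to demand. The weights, thresholds and the sample user history are constructed; in practice the signals come from device fingerprinting, IP geolocation and the identity provider itself.

```python
"""Risk-based step-up: decide how much assurance a login must reach.

Added example: a rule-based risk engine of the kind the text describes.
Signals, weights, thresholds and the sample login history are constructed.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Login:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: int           # epoch seconds
    local_hour: int   # 0-23, in the user's home time zone


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[Login] = None
    work_hours: range = range(7, 20)   # assumed usual working window


def km_between(a: Login, b: Login) -> float:
    """Great-circle distance in km (haversine, Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def assess(login: Login, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Return (required assurance, risk score, reasons). Assurance is
    'password' (single factor is enough), 'mfa' (step up) or 'deny' (block and alert)."""
    score, reasons = 0, []
    if login.device_id not in profile.known_devices:
        score += 40
        reasons.append("new device")
    if login.local_hour not in profile.work_hours:
        score += 20
        reasons.append("outside usual hours")
    last = profile.last_login
    if last is not None and login.ts > last.ts:
        km = km_between(last, login)
        hours = (login.ts - last.ts) / 3600
        if km / hours > 900:     # faster than an airliner: cannot be the same person
            score += 50
            reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")
        elif km > 500:
            score += 15
            reasons.append(f"far from last login ({km:.0f} km)")
    level = "password" if score < 30 else "mfa" if score < 90 else "deny"
    return level, score, reasons


def record_success(login: Login, profile: UserProfile) -> None:
    """After a successful login, remember the device and position for next time."""
    profile.known_devices.add(login.device_id)
    profile.last_login = login


# Constructed sample history: Alice last logged in from her laptop in New York.
T0 = 1_700_000_000
NYC = (40.7128, -74.0060)
SYDNEY = (-33.8688, 151.2093)
ALICE = UserProfile(known_devices={"laptop-1"},
                    last_login=Login("alice", "laptop-1", *NYC, ts=T0, local_hour=9))

SCENARIOS = {  # constructed logins for the same user
    "same desk, 2 p.m.": Login("alice", "laptop-1", *NYC, ts=T0 + 5 * 3600, local_hour=14),
    "new phone, Sydney, midnight, two days later": Login("alice", "phone-9", *SYDNEY, ts=T0 + 48 * 3600, local_hour=0),
    "known laptop, Sydney, one hour later": Login("alice", "laptop-1", *SYDNEY, ts=T0 + 3600, local_hour=14),
    "new device, Sydney, one hour later": Login("alice", "phone-9", *SYDNEY, ts=T0 + 3600, local_hour=14),
}

if __name__ == "__main__":
    for name, login in SCENARIOS.items():
        level, score, reasons = assess(login, ALICE)
        print(f"{name:45} -> {level:8} ({score}) {', '.join(reasons)}")
```

The two Sydney cases show why geography alone is not the signal: a known laptop turning up on the other side of the planet an hour after New York is an impossible-travel event worth a step-up and an alert, while the same trip on a new device two days later is plausible and simply requires MFA.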

Evolving With Your Ecosystem

Perhaps the best feature of SSO is its scalability; you can future-proof access management, as this case study on POST Luxembourg showed. As your enterprise changes and grows, you can continue to provide a convenient sign-on experience to users, customers and partners and a centralized solution that gives them secure and integrated access to resources via almost any device, anytime and anywhere.

IT administrators, line-of-business managers and employees all benefit from an identity and access management solution like single sign-on. It allows registered users to access applications with one set of credentials, provides a centralized place for admins to manage all protected applications and configure access policy settings, and, best of all, the cloud has made single sign-on implementation more affordable and less time-intensive than ever.

Learn how an IAM solution can benefit you


This post appeared first on Security Intelligence
Author: Diana Kightlinger


How to Accelerate Your Cloud IAM Adoption

Cloud identity and access management (IAM) is quickly becoming a cost-effective and flexible model for modern IAM programs. According to the “2018 Gartner Magic Quadrant for Access Management,” by 2022, identity-as-a-service (IDaaS), also known as cloud IAM, will be the chosen delivery model for more than 80 percent of new access management purchases globally, up from 50 percent today.

Reducing the complexity and cost of managing and operating legacy, on-premises IAM programs often drives the move to a modern, cloud-based IAM architecture. Many organizations carry a good deal of technical debt: their investment in IAM infrastructure is too low to keep their solutions up to date over time, and the cost of upgrading these on-premises deployments becomes prohibitive. As a result, cloud-delivered functionality becomes an attractive way to complement, augment and even replace legacy IAM functionality weighed down by this debt, and it brings its own benefits, including cost-efficiency, flexibility, faster deployments and simplified operations.

However, there are significant challenges associated with moving to a cloud IAM solution, especially for larger organizations with complex operations, IT landscapes or organizational structures. A platform with less room for customization forces trade-offs to make it the right solution for your organization, and your IAM team has to work differently from what it is used to.

Your organization will need to plan, design, deploy and operate a cloud-based solution, often alongside existing architecture in a hybrid arrangement, so IAM processes and security policies will change substantially. The specific challenges depend on the requirements of your core IAM team, stakeholders and end users.

With all that in mind, let’s explore some steps you can take to make your transition to cloud IAM easier.

Find the Right Cloud IAM Strategy

To identify the right cloud IAM strategy for your organization, you will need to balance the requirements of many different stakeholders. First, many security and IT executives across industries are defining cloud initiatives for their organizations — these are the directives that govern how IT should navigate the evolution of its ecosystem, and they can look different for every organization. These initiatives are often shaped by compliance requirements, the privacy requests of strategic partners and other third parties, and the organization’s overall business strategy.

Next, understand the needs and expectations of your various user populations. Any major technology change in your organization will likely impact the way your end users access their resources, how IAM administrators perform identity management workflows and how auditors receive reports, just to name a few. That’s why you need to make sure any solution you design addresses these users’ most important requirements if you want to see successful adoption. This focus on user outcomes and how they relate to business goals is what drives Enterprise Design Thinking.

Lastly, these requirements must be balanced against the realities of your current business processes and IT architecture. Many organizations have requirements for IAM workflows, including approval, provisioning and onboarding, that drive heavy customization of the legacy on-premises architecture. Often, these customizations are no longer available in cloud-delivered services and teams must decide whether to keep these capabilities on-premises or adapt their business processes to the realities of the cloud-delivered tools. Many cloud-delivered solutions also have limited support for custom legacy deployments, which may make it difficult to integrate things like on-premises custom apps. In these situations, it’s important to assess the current IT landscape and build a technical solution to meet requirements.


After you know the answers to these questions, you can identify which IAM capabilities will stay on-premises and what will be delivered in the cloud and create a future-state, programwide architecture. For example, access management functions such as federated single sign-on (SSO) and multifactor authentication (MFA) may be delivered from the cloud, and functions like role management and provisioning might remain on-premises. It all depends on the requirements and feasibility of what can be migrated to the cloud.

Design and Deploy a New Cloud IAM Solution

There may be pressure from business leaders to migrate to the cloud as soon as possible to lower infrastructure costs and overall technical debt. But to do so without disrupting business operations and risking the success of the project requires a thoughtful approach to designing and deploying the right cloud IAM infrastructure.

First, stay closely aligned with users to make sure their requirements are captured at each phase of the project to help the technical teams design a phased project approach that is minimally disruptive to these users. Like in the previous step, Enterprise Design Thinking can help uncover these user needs and ensure they stay top of mind.

Second, leverage prebuilt use cases following industry best practices to help speed up deployment efforts and deliver a secure and usable solution. Combined with an agile approach, this can speed up the delivery of functionality.

Lastly, prioritize a rollout schedule to deliver success early. A good practice is to start with the easy integrations, such as SSO for Security Assertion Markup Language (SAML)-enabled software-as-a-service (SaaS) apps, to build trust in the project and keep stakeholders engaged and invested in its success.

Continuously Improve and Optimize Your Cloud IAM Solution

A successful transition to cloud IAM requires ongoing, day-to-day management of your new solution. These efforts should focus on driving continuous improvement in the new environment. An organization cannot simply adopt a set-it-and-forget-it mindset. As it expands its footprint, the IAM team should focus on prioritizing integrations and onboarding new assets in the new cloud-based IAM environment.

It’s important to consider how the organization will retrain and redeploy its IAM talent. Resources with traditional on-premises experience will need training and development on new cloud-based IAM architecture and processes. Especially during periods of dramatic technology transition, there is always a risk that employees will leave.

Therefore, it’s important to set up clear roles and responsibilities tailored to the skill sets of your current IAM talent. In doing so, you may help mitigate the loss of these important and limited resources for your organization.

Services such as IBM Cloud Identity and Access Management Services can facilitate a smooth IAM program transformation by helping security teams find, deploy and operate the right cloud IAM strategy and tools regardless of their deployment model. This insight enables IAM and security managers to focus on user outcomes, accelerate cloud IAM deployments and their integration with existing IAM processes, and optimize and continuously improve overall IAM operations.

Learn how cloud IAM can be the key to your digital transformation


This post appeared first on Security Intelligence
Author: Marc von Mandel


Blockchain: Making the Reward Much Greater Than the Risk

What is the first thought that comes to mind when someone mentions blockchain? Many of you may say bitcoin, which is to be expected, since bitcoin was the first major cryptocurrency and the one that made blockchain a household name. However, bitcoin is only one of a large variety of cryptocurrencies, and while it was the first large-scale implementation of blockchain technology, it is merely one of many ways blockchain can serve society and commerce.

Blockchain technology provides a means to store data in a distributed ledger. Data is stored within a block, where it is digitally recorded and linked to the previous block by including that block’s cryptographic hash, forming a chain. The chain provides the entire history of all recorded data. Data is committed to the chain in the form of transactions, which are only added after they have been validated by the blockchain network’s consensus protocol, so that there is only one version of the truth. Data stored on the blockchain is described as “immutable”: because each block’s hash depends on its content and on the hash of the block before it, altering a committed block invalidates every block after it, and an attacker would have to redo all of that work and still win consensus. Also, all network participants hold a copy of the data, so everything is transparent and everyone sees the same version of the truth.
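To make the linking and the cost of alteration concrete, here is an added example, not code from the original post: a minimal hash-linked ledger with a toy proof of work. It models only the data structure; there is no network and no consensus protocol, and the difficulty and the transactions are constructed.

```python
"""A minimal hash-linked ledger showing why committed data is hard to alter.

Added example: each block carries the hash of its predecessor, so changing
any earlier block breaks every later link. Difficulty and transactions are
constructed and deliberately tiny.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

DIFFICULTY = 3           # leading hex zeros a block hash must have; toy value
GENESIS_PREV = "0" * 64  # the first block has nothing to point at


@dataclass
class Block:
    index: int
    prev_hash: str           # hash of the previous block: this is the "link"
    transactions: List[dict]
    nonce: int = 0

    def hash(self) -> str:
        """Hash of the block's full content, including the link and the nonce."""
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine(block: Block) -> Block:
    """Toy proof of work: bump the nonce until the hash has DIFFICULTY leading zeros."""
    while not block.hash().startswith("0" * DIFFICULTY):
        block.nonce += 1
    return block


def append_block(chain: List[Block], transactions: List[dict]) -> Block:
    prev = chain[-1].hash() if chain else GENESIS_PREV
    block = mine(Block(len(chain), prev, [dict(t) for t in transactions]))
    chain.append(block)
    return block


def validate(chain: List[Block]) -> Tuple[bool, str]:
    """Every node re-checks the links and the work before accepting a chain."""
    for i, block in enumerate(chain):
        if block.index != i:
            return False, f"block {i}: index mismatch"
        expected_prev = chain[i - 1].hash() if i else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return False, f"block {i}: previous-hash link broken"
        if not block.hash().startswith("0" * DIFFICULTY):
            return False, f"block {i}: proof of work invalid"
    return True, "chain intact"


def build_sample_chain() -> List[Block]:
    chain: List[Block] = []   # constructed sample payments
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}])
    append_block(chain, [{"from": "carol", "to": "alice", "amount": 1}])
    return chain


def tamper_and_remine(chain: List[Block]) -> Tuple[bool, str]:
    """Attacker rewrites a committed payment and even redoes that block's work.
    The next block still points at the old hash, so validation fails there."""
    chain[1].transactions[0]["amount"] = 200
    mine(chain[1])
    return validate(chain)


if __name__ == "__main__":
    ledger = build_sample_chain()
    print(validate(ledger))
    print(tamper_and_remine(ledger))
```

Re-mining the altered block is not enough: every later block would have to be re-mined too, and on a real network the honest participants would keep extending the original chain in the meantime. That race, not the hash alone, is what “immutable” rests on.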

The first major implementation of blockchain technology was introduced in 2008 with the release of bitcoin, but it’s only during the past few years that enterprises have come to grasp the technology’s potential. This is happening because the past decade has seen a tremendous reduction in the costs of secure storage, computation power and communications. As a result, more innovation reaches mainstream markets and average consumers.

The same applies to the business realm. Nowadays, we are starting to see more blockchain adoption across many industries, including financial, food services, healthcare, aviation, automotive and logistics. In 2017, the blockchain market was valued at $708 million. Two separate reports have estimated that by 2024–2025, the market could be valued between $20 billion and $60 billion. This significant growth represents up to an 8,300 percent increase in the span of less than 10 years.

We are still in the early stages of exploring this technology, and it will take time to fully realize its applications and potential. For example, it took almost 10 years for computers to reach an adoption rate of 80 percent. For enterprises, blockchain technology at scale has only been around since late 2015. So what does this mean, exactly? As we watch a new technology emerge and steadily grow, people who love to be on the cutting edge of technology are excited about the endless possibilities blockchain affords. That said, with new technology also comes new challenges, especially regarding security.

Big Implementations, Limited Experts

The people who deeply understand blockchain infrastructure are typically blockchain developers and architects, whose numbers are increasing, but are still few and far between. If you layer on blockchain security expertise, you will find that number to be even smaller. Hardly any published information or guidance exists about blockchain security.

So what are the implications of developing these full-fledged solutions with little knowledge about the potential attack vectors and risks that could bring the entire system crashing down? Inherently, the decentralized nature of blockchain, coupled with consensus protocols, helps to address some security needs, but the consequences can be dire if security isn’t fully explored.

Blockchain Is Code, and Code Can Be Flawed

As previously mentioned, at its core, the blockchain concept is simple: It is a distributed, immutable, cryptographically assured ledger that can have applications, often called “smart contracts,” interface with it.

A smart contract is made up of numerous lines of code, which are stored within the blockchain. These contracts automatically execute when predetermined terms and conditions are met. They are small programs that replicate processes or business logic and can be used to enforce an agreement between multiple parties in such a way that they can be certain of the outcome without any need for an intermediary.

For example, smart contracts may be used in the healthcare industry. Users’ data, such as blood pressure and other metrics, could be published to a chain, and once a metric rises above a specified threshold, the smart contract could execute actions such as notifying the user and/or processes such as further consultations with specialists to resolve their health problems. A flaw capable of compromising smart contracts could allow an attacker to modify critical details in the code. In the above example, what happens if an attacker is able to affect the business logic or introduce additional code to perform unintended actions?

But as with many powerful technologies, blockchain is straightforward in concept, yet if it is improperly implemented, flaws and vulnerabilities can result in real risk and security consequences. Think about what would happen if one could change the smart contract’s data before it is stored on the chain. Data on the chain is supposed to be trusted, right? What about a smart contract flaw that results in business logic not behaving as expected?

In the past few years, X-Force Red has seen a plethora of risks introduced into blockchain ecosystems where it was possible to abuse access controls at the user and administrative levels. For example, some vulnerabilities may enable attackers to inject malicious code into the network, effectively compromising all nodes.

Putting the technology aside, your standard everyday applications (i.e., web/mobile applications) still need to interface with the chain on some level. It has been possible for our penetration testers to compromise these components and pivot to backend systems where there is little to no security, giving an attacker the ability to insert data on the chain or execute any function that is exposed. Functions may include higher-privileged administrative access or accessing data that a user should not have access to. If that happens, how does an environment protect itself against malicious actions?

Raising the Bar on Blockchain Security

Security is about raising the bar high enough that attackers would be extremely hard-pressed to exploit any vulnerability. If they were to attack, they would make enough noise on the network to be detected and incident response procedures would hopefully slam the door shut. So, monitoring from both an application and network level is key to protecting blockchain implementations. Should an internal host be scanning your internal network? I think not!

Another precaution is to take a page out of the renowned television show, “The X-Files,” and trust no one:

  • Build a layered defense where each layer of the solution provides some level of distrust of all the layers above it.
  • Enforce strict access controls both at the application and blockchain layers to prevent overly permissive access and abuse.
  • Ensure there are strong governance controls and processes around the handling of all sensitive information, including key material. Should your certificate authority be disclosed to an unauthorized third party, then it’s game over; they would have full control of your blockchain environment.
  • Implement strong change control and a secure code review process to ensure all configuration settings and source code (i.e., smart contracts) are as secure as possible and do not contain any weaknesses that can be abused.

These are only a handful of basic actions that you can take to help protect the integrity, availability and confidentiality of your blockchain-enabled environment.

At X-Force Red, we have many experienced hackers with blockchain-specific skill sets to perform security assessments and penetration tests on anything within the blockchain technology and connected infrastructure.

IBM is an industry leader in blockchain technology and, as such, our X-Force Red hackers are exposed to numerous areas of the technology while working with leading experts in the field.

This all culminates into possessing a deep technical understanding and the ability to assess any blockchain-enabled solution from an end-to-end perspective. X-Force Red can review the environment from a design/architectural perspective and manually review smart contracts, access controls, configuration of critical components and more. We can also test all applications and technologies that interface with the blockchain, work with key stakeholders and developers to fully realize the potential risks they may face, and assist in reducing the risk of a compromise.

Learn more about X-Force Red’s blockchain testing services

The post Blockchain: Making the Reward Much Greater Than the Risk appeared first on Security Intelligence.

Author: Christopher Thomas

Access Governance, Access Management, Authentication, Authentication Systems, Data Protection, Fraud Protection, Identity & Access, Identity and Access Management (IAM), Identity Governance, Identity Management, Multifactor Authentication (MFA), Password, Password Management, Password Protection, password reuse, verification systems,

Are Passwords Killing Your Customer Experience? Try Passwordless Authentication

Creating a seamless, secure experience for your legitimate users is a challenge. Most users are good and deserve a frictionless experience, but the less than 0.1 percent of users that are suspected to be rogue actors, according to IBM Trusteer research, spoil the party for everyone. These are the users who commit online fraud, steal data, bypass formal application programming interfaces (APIs) and skew site analytics. The rest of us can thank them for the frustration associated with tedious login rituals.

We’re drowning customers in a sea of passwords and expecting them to stay afloat. Passwords are not only a pain, but incredibly easy to hack. So how is the industry combating these issues related to passwords and the pains of usability? Shockingly, many organizations are still relying only on passwords as a form of authentication, and we know they’re failing. According to a Javelin Strategy & Research survey, 1 in 5 customers fails to authenticate. This could be due to multiple factors, one of which is forgetting their own password.

How Can Companies Go Passwordless?

Let’s take a step back and think about it: As a consumer yourself, how many online accounts do you have, and how many different passwords do you need to create to outsmart fraudsters? All these credentials are nearly impossible to manage.

If we know a large percentage of our users are legitimate, then let’s deliver the seamless but secure experience they expect and, in the end, help drive digital sales. So what does going passwordless really mean, and how is it possible?

The passwordless experience is based on identifying unauthorized access to web and mobile applications and sensitive operations. Organizations can identify these issues by using risk-based authentication and continuous trust validation technologies, which provide services such as behavioral analysis, device identification and authenticity, phone number and email intelligence, identity linkages, and session and network attributes to build this trust. These signals are what make passwordless authentication possible because they identify legitimate users and challenge the high-risk ones.

Examples of a Passwordless Customer Experience

How does this work in practice? Below are some examples of how passwordless authentication can transform and improve your customer experience.

  • A new customer registers on a site or application by confirming his or her email or phone. For subsequent logins, the customer is auto-enrolled as a trusted user.
  • A registered user accesses a site seamlessly after the system detects no threats or compromises on the trusted device.
  • A user accesses a service from a new device by confirming the email or phone number associated with the account and entering his or her credentials. After the device is labeled as trusted, it is auto-enrolled for seamless entry.
  • A user accesses a service seamlessly and browses with continuous authentication in the background until he or she reaches sensitive information. At this point, the user is prompted to enter his or her two-factor authentication (2FA) information before accessing this data.
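The four scenarios above, played out by a small risk-based authentication policy as an added example (not code from the original post or from IBM Trusteer): signal names, the device trust store and the sample sessions are constructed for illustration, and the “confirm email or phone and enter credentials” step is collapsed into a single `contact_verified` flag.

```python
"""Added example (not from the Security Intelligence post): a risk-based policy that
decides between seamless access, contact verification, 2FA step-up and denial
based on device trust, threat signals and resource sensitivity. All names are
constructed; a real deployment would feed the signals from device-fingerprinting,
behavioural-analysis and threat-detection services.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Decision(Enum):
    ALLOW = "allow"                    # trusted device, no threats: seamless access
    VERIFY_CONTACT = "verify_contact"  # confirm email/phone (new user or new device)
    STEP_UP_2FA = "step_up_2fa"        # sensitive resource reached: prompt for 2FA
    DENY = "deny"                      # threat signals observed on the session


@dataclass
class Session:
    user: str
    device_id: str
    resource_sensitive: bool = False
    threat_signals: Set[str] = field(default_factory=set)  # e.g. {"malware"}
    contact_verified: bool = False  # user completed email/phone confirmation this session


@dataclass
class TrustStore:
    """Which devices each user has enrolled as trusted (constructed stand-in)."""
    trusted: Dict[str, Set[str]] = field(default_factory=dict)

    def is_trusted(self, user: str, device_id: str) -> bool:
        return device_id in self.trusted.get(user, set())

    def enroll(self, user: str, device_id: str) -> None:
        self.trusted.setdefault(user, set()).add(device_id)


def decide(store: TrustStore, s: Session) -> Decision:
    """Apply the policy; auto-enroll the device once the user proves ownership."""
    if s.threat_signals:
        # Continuous trust validation found a compromise: no seamless path.
        return Decision.DENY
    if not store.is_trusted(s.user, s.device_id):
        if not s.contact_verified:
            return Decision.VERIFY_CONTACT
        store.enroll(s.user, s.device_id)  # subsequent logins are seamless
    if s.resource_sensitive:
        return Decision.STEP_UP_2FA
    return Decision.ALLOW


def walk_through() -> List[str]:
    """Run the post's scenarios in order against one user's trust store."""
    store = TrustStore()
    steps = [
        Session("ann", "laptop-1"),                               # new user, first visit
        Session("ann", "laptop-1", contact_verified=True),        # confirms email -> enrolled
        Session("ann", "laptop-1"),                               # returning, trusted, clean
        Session("ann", "phone-9"),                                # same user, new device
        Session("ann", "laptop-1", resource_sensitive=True),      # sensitive data -> 2FA
        Session("ann", "laptop-1", threat_signals={"malware"}),   # compromised trusted device
    ]
    return [decide(store, s).value for s in steps]


if __name__ == "__main__":
    for outcome in walk_through():
        print(outcome)
```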

If you go passwordless, you’re guaranteed to improve your customer experience. A system free of clunky passwords helps streamline customers’ buying journeys and distinguish between legitimate users and fraudsters. Most importantly, it enables your users to enjoy a seamless experience on any digital platform. So what are you waiting for? Now is the time to give your customers the experience they deserve and the security they demand with passwordless authentication.

Register for the Feb. 27 webinar to learn more

The post Are Passwords Killing Your Customer Experience? Try Passwordless Authentication appeared first on Security Intelligence.

Author: Kelly Lappin

Access Governance, Access Management, CISO, Identity, Identity & Access, Identity and Access Governance (IAG), Identity and Access Management (IAM), Identity Governance, Identity Governance and Administration (IGA), Identity Management, Security Leaders, Security Leadership, Security Professionals, Shadow IT, User Education,

Design Your IAM Program With Your Users in Mind

Identity and access management (IAM) should be a seamless part of employees’ day-to-day activities and your organization’s overall security posture. An IAM program controls and administers the access users have to an array of critical systems and data. If your users have difficulty accessing systems and applications with an IAM solution in place, your security posture can suffer. For example, employees may go around established security policies and leverage shadow IT applications to get their jobs done faster.

Many identity programs struggle to gain user acceptance because IAM is a particularly challenging field within security. If you don’t start by following IAM best practices and understanding the business’ goals and users’ needs and requirements, you may find it difficult to gain the levels of user adoption necessary to make an IAM program successful in the long term.

Infuse Empathy Into Your IAM Program Using the Enterprise Design Thinking Framework

Kevin Pratt, senior managing consultant in identity and access management at IBM, has heard countless stories from clients who tried to deploy an IAM tool without first considering users’ needs and their related pain points. I found his advice to be particularly insightful, so I asked him to sit down for an interview to talk about some critical considerations for designing a world-class IAM program.

Question: How would you explain Enterprise Design Thinking to a first-time client?

Pratt: Enterprise Design Thinking is an approach that helps us align IAM projects to the business by focusing on user outcomes. This approach helps us achieve better user experiences, delivers programs at scale and does this in a faster time frame.

With Enterprise Design Thinking for IAM, we first seek to understand what problem we are solving, the different stakeholders that are interacting with and impacted by IAM programs, then identify user needs, pain points and wants. These insights help us to work collaboratively with our clients to identify the right problem to solve, and secondly, correctly design and align user needs to the business. Understanding this convergence of needs across all three dimensions is key to designing a successful IAM program.

Give an example of a time a client used Enterprise Design Thinking to understand what users really want. What was the result, and how did it compare to clients that didn’t focus on IAM best practices?

IAM projects usually fail due to lack of user acceptance. IAM user acceptance can be especially challenging when balancing project and security requirements with the user experience.

So, if you take time, in the beginning, to align IAM work with the needs of your users and the business, you give your users a sense of ownership of the IAM work and build a foundation for a true partnership between the users, the business and IAM practices. As mentioned, these are key to building and executing a successful IAM program.

One client example that comes to mind is a health care organization that was adopting single sign-on (SSO) and wanted to leverage biometrics by using fingerprints. However, many users, like doctors and nurses, have to wear gloves at all times when working with patients and can’t always authenticate their identity with fingerprints.

We quickly identified in a design thinking session that these users needed a different way to authenticate, like a face or iris scan. Rather than deliver an authentication solution that met security requirements but did not meet critical end user requirements, we immediately identified that the end users’ needs did not align. These insights were leveraged to build a set of requirements which would result in seamless user adoption.

Tell me about a time when an organization didn’t obtain stakeholder buy-in.

We hear these stories over and over …

One example in particular comes to mind: A client was building an IAM product that would onboard and offboard users — essentially a robust identity governance and administration solution. A month before the go-live date, a human resources executive went to the C-suite and said that the IAM group forgot to include them at the right level in the conversations around the project requirements. In this situation, HR was particularly concerned about employee transfers, leaves of absence and other temporary leaves because of the access retained by the employees, which puts the business at unacceptable risk. These user requirements weren’t incorporated at the level that HR wanted.

As a result, the project was stopped by the business right before the go-live date, and the project hasn’t moved forward a year later.

Many times, IAM projects do not correctly involve the right stakeholders at the right level. Therefore, it becomes imperative that the right stakeholders are included from the beginning. As an IAM practitioner, it’s your responsibility to walk through the user life cycle process with line-of-business (LOB) executives and other key stakeholders.

All too often, IAM specialists are laser-focused on security requirements and user onboarding. Of course, IAM needs that particular information. However, where you encounter trouble is when IAM experts are not paying attention to what the lines of business are doing with the data.

If you’re only concerned with security, you’re missing an essential component. An Enterprise Design Thinking for IAM session takes you out of the security silo and immerses you, your IAM stakeholders and collaboration teams into the lives and personas of the users that will interact with the new IAM technology. Too many times it is missed during a deployment.

What’s one of your favorite Enterprise Design Thinking exercises? Discuss the approach and why it’s helpful for clients.

One of the most helpful exercises I’ve seen is the empathy map. It enables you and your business to gain a better understanding of the user and their specific needs. It starts with identifying the user that will interact with systems and asks a series of questions.

Ideally, impacted users, or what are referred to as “sponsor users,” are invited to the design thinking sessions, interviewed in advance or the design thinking work is “played back” to them on a regular basis. This results in the user’s voice being present throughout the collaboration process, and the insights which surface as a result of their involvement are continually infused into planning in an iterative manner.

These questions are not just about IAM. The questions get into the user’s life. Sample questions might be:

  • Do employees work remotely?
  • Do employees spend time traveling?
  • Do employees spend time at the office?
  • What is the office environment like?
  • What is your sponsor user thinking, feeling, saying and doing in the context of the problem you’re solving for?

The goal is to develop a robust frame of reference which accurately represents the user.

Then, you put your answers into a grid and identify what your users say, think, feel and do. In the middle of this, we have a picture of this person or user (see image below). The goal is to immerse ourselves into the lives of users.

Empathy Map showcasing what a user thinks, says, does, and feels

Design an IAM program optimized for your business

More often, it’s fairly easy to fill in the “says” section because we know what they said. But we have to take it further and understand what the users are thinking. This requires getting into the mind of the users and including them as a part of the exercise so that the entire team can understand and verbalize what the users are thinking.

Then you move into how they feel. Users often feel frustrated about security solutions, but nobody on the security side usually explores those frustrations. Lastly, what does the user do? If this solution causes a problem, what will the user actually do? This often includes users finding creative ways to bypass our security controls. You need to understand what the negative consequences are for an IAM program failure. You may be able to identify those risks and stop them before they happen.

Once we have these identified, we then start to cluster, remix and group the needs and pains on the empathy map. By grouping like needs and pain points for numerous personas representing users, you begin to see common issues across different users by what they’re saying, thinking, feeling and doing. This exercise allows you to first identify themes in common, then prioritize the problems and determine which ones to solve first. It helps you answer the question that most often comes up: “How do we best address this?”

In summary, an empathy map is a fantastic way to get a deeper understanding of these users that will interact with your IAM processes and technologies.

After you’ve completed this exercise, one thing that can happen is you can have information overload. There may be so many needs and pains that an organization doesn’t know where to start. That’s where the prioritization grid can come into play.

Essentially, you take all the information gathered from the empathy map and put it into a grid that measures the impact on the user. You want to understand the feasibility of each issue. Only having the information from the empathy map isn’t enough — it is only one piece to ensuring user understanding. You need to be able to prioritize the needs and pains, identify what are the real impacts and what the feasibility is for fixing these.

It is important to note that prioritization grids are not limited to use after an empathy map exercise. They can be leveraged as a next step in many other stages of Design Thinking iteration, such as for prioritizing ideas, identifying and managing risk, and developing initial road maps and action plans.

These two exercises are very effective as part of a wider Enterprise Design Thinking approach that drives the engagements from beginning to end. It’s important to realize that Design Thinking isn’t just a workshop and an exercise or two; rather, it’s a completely different way of working with clients.

Why do you think Enterprise Design Thinking helps to build a more successful IAM program?

Enterprise Design Thinking focuses on user outcomes instead of just security outcomes. IAM tools do not exist in a userless vacuum. So, it’s vital for IAM practitioners to include users in their IAM discussions and programs. There’s not a good track record of this happening to date — we can do better for our clients by leveraging the Design Thinking framework and beginning to practice first with our own teams. Try an empathy map in practice to get a start.

At the 2018 Gartner IAM Summit in Las Vegas, we had a workshop where attendees chose a user (CISO, IAM admin, incident response analyst or customer) framed by a design prompt or common problem experienced by those stakeholders to focus on while putting together an empathy map. We had mostly security practitioners in the room.

Unsurprisingly, the user that was chosen by the least number of attendees was the customer. It can be difficult for IAM practitioners to relate to our customers and users. This we are hoping to change by virtue of exposing our IAM practitioners to the framework and how best to leverage it.

With Enterprise Design Thinking, we don’t have to guess what each user wants. We take the time to get to know the users, and this allows us to identify the right problem to solve, correctly align with the users and business, and identify a solution that meets the security requirements, addresses user needs and the needs of the business.


The post Design Your IAM Program With Your Users in Mind appeared first on Security Intelligence.

Author: Marc von Mandel

Identity & Access, Identity and Access Management (IAM), Identity Governance and Administration (IGA), Identity Management, Identity Services, Security Leadership, Voices of Security,

How ‘Mini CEO’ Laurene Hummer Engineers Better Identity and Access Management

There’s a common expectation that the higher you go in any business, the less you see of your customers. But Laurene Hummer, senior offering manager for identity and access management (IAM) services at IBM Security, makes a point of taking every opportunity offered to speak with end users.

Laurene works by a motto she learned during a course called Pragmatic Marketing: The answers to your questions are not in the building.

“Any time a seller pulls me in or a consultant invites me to a call, any opportunity to have a direct conversation with the customer, I take it,” she said. “And if you’re talking to only existing customers, you’re missing the input from all of the people who aren’t your customers yet, but could be — so it’s also important to talk to users outside of your current base to understand why they’re not your customers yet.”

Setting the Direction

Describing herself as the “mini CEO” for her specific line of business, Laurene said her day-to-day involves looking at the governance and performance of the IAM services business, evaluating the value provided to customers, understanding the market and closely examining how competitors go to market. Then, she develops new offerings to address client pain points and guides their go-to-market and delivery execution. She must consider how to enable all the various IBM functions to effectively deliver those services to clients and help them address their challenges. That’s quite a responsibility.

It’s all about setting the direction for the IBM Security IAM services business as a whole.

“Being an offering manager is making an impact through influence,” said Laurene. “We need to be able to articulate the mission and get people to agree to work together towards a common goal. It’s a lot of relationship building.”

Being at the helm of even a small part of IBM Security might mean lots of meetings, and lots of meetings also mean lots of internal conversations — and you can easily get lost talking to internal stakeholders and making sure you’re aligned, said Laurene.

“The most important thing, our North Star, really is the customer and what the market needs,” she said. “We need to let that guide us and be the reason why we’re having all these internal conversations, and not the other way around. You must keep in mind the true reason you’re doing it, which is solving customer problems.”

Answering the Big Questions

But Laurene is not only part business leader, part politician and part diplomat. She’s also part chemical engineer: After earning a Bachelor of Science in Chemical Engineering, Laurene spent time working in the oil and gas industry, and later in alternative energy, which is all quite far removed from cybersecurity at first glance.

The thing about physical engineering is that everything is quite straightforward — you apply well-established laws of physics and are constrained by them. Laurene looked at the business world and decided that was where she could find more freedom to be creative.

“Of course engineering can be very complex,” she said, “but the cool thing about business is there is more uncertainty, there’s really no right answer to things. I thought it was just a different way to have an impact.”

A guest speaker in one of her business classes introduced her to the world of cybersecurity, and Laurene was sold; it sounded like “a very pressing, important problem” for society.

“I started in energy, and energy is the foundation of our society, so that was a really big, important problem to work on, and I saw cybersecurity as something very similar,” she said. “As our digital lives are growing in importance and interfacing more closely with our physical lives, cybersecurity is starting to become integral to the fabric of society.”

IBMer Laurene Hummer

The Consumerization of IT

So, having made the transition from physical engineering, Laurene now leads the strategy and offering development for identity and access management (IAM) services, the part of IBM that helps organizations tackle their toughest IAM challenges. Most people’s experience with IAM is the interaction with the login screens they see when accessing, say, their work email or apps. But it also encompasses everything behind that login screen that allows each individual to have access to the right resources at the right time. The IBM services organization helps companies deal with consumers’ increasing expectation for things to be easily accessible from anywhere.

Laurene calls it the “consumerization of IT” — those changing expectations that how we log in to our work applications should mirror our personal applications — and businesses can struggle to deal with the change.

“A lot of the time, identity and access management can get in the way of employee productivity,” she said. “A lot of organizations’ security teams will say, ‘No, you can’t access this application from your mobile phone,’ or, ‘You can’t access it when you’re on the road or from your personal device because it’s not secure.’

“Having the right identity and access management policies in place can allow an organization to let their employees have much more flexible access to their assets in order to improve their productivity and make it a better experience. And that’s becoming more and more important as consumers have their own personal experiences with IT.”

Resilience and Strength From Two Cultures

Perhaps Laurene’s drive to answer society’s big questions and to make lives easier comes from her adolescence, when she was uprooted from her native France and brought to the U.S. at the age of 13. She believes her two worlds have helped her to be open to other cultures and to understand things are done differently all over the world — but it’s also made her very resilient, she said.

“When I was in France, I was a pretty bright kid and things came easily, so I didn’t have to work too hard, and I could goof around,” she admitted. “Then I moved to the States and I didn’t speak the language, so I had to work three times as hard to achieve the same outcome.

“That was a really hard adjustment. I had to show I may not speak the language, but I was very capable. That gave me the motivation to work hard, and I think that’s really carried through even today.”

Laurene ensures she speaks French at home to her two boys, aged four and two, to instill some of that multicultural open-mindedness. She then logs in to her work laptop using the very systems she helps clients implement at IBM Security, and goes to work making our digital lives a bit easier and more seamless.

Meet Machine learning researcher Irina Nicolae

The post How ‘Mini CEO’ Laurene Hummer Engineers Better Identity and Access Management appeared first on Security Intelligence.

Author: Security Intelligence Staff

Compliance, Governance, Identity & Access, Identity and Access Governance (IAG), Identity and Access Management (IAM), Identity Governance, Identity Management, Privileged Access, regulatory compliance, User Education,

Intelligent Access Certification Improves Decision-Making Around Compliance, Identity Governance and More

Co-authored by Fabrizio Petriconi.

In the ever-expanding digital ecosystem, having secure and efficient access to resources is critical to both using and delivering services. But if you’re a gatekeeper managing a large number of identities and resources, your primary concern is who has access and how that access is being used.

Identity governance is the intelligent management of user identities to support enterprise IT and regulatory compliance. By collecting and analyzing identity data, you can improve visibility into access, prioritize compliance actions with insights based on risks and make better decisions with clear, actionable intelligence.

Certify Access to Reduce Risk

If you use a business-activity-based approach to risk modeling, you’ll make life a bit easier for your auditors, risk compliance managers and, ultimately, yourself. The core aspects of identity management include automatic and manual provisioning, tracking user roles and life cycles, and understanding business workflow.

Most importantly, establishing accurate access certification at the start — and then continuously reviewing it — can help with your risk modeling efforts. You’ll want to prevent users from accumulating unnecessary privileges, so even if you have had an identity management solution in place for years, it’s a good idea to use certification campaigns as a cleaning tool to ensure everyone is only accessing what they need to do their jobs.

How to Avoid Common Access Certification Issues

It takes a certain amount of diligence for access certification to be useful. Approvers are often overwhelmed by too many certification requests, or those certifications are complex and difficult to parse out. It’s easy to see why an approver might simply “select all,” click “approve,” and conclude his or her activity.

Obviously, this approach should be avoided, and in some countries, it is not compliant with regulations. Let’s look at some recommendations for both static, or predefined, cadences and dynamic events, which occur in response to specific activities such as hiring, job shifts and similar user changes.

Recommendations for Static Events

  • Once a year, conduct a complete certification in which each manager certifies all the rights of the members of their team.

  • Group or divide access for certain applications or business areas to simplify and focus the reviewer’s attention.

  • Do not ask reviewers to validate access that was assigned by automatic and/or default policies.

  • Delegate campaigns with a very technical and complicated access to skilled reviewers with subject-matter expertise.

  • Activate specific campaigns that cover only a distinct subset of users rather than the whole population (for example, users grouped by the same duties or departmental membership).

Recommendations for Dynamic Events

  • On a quarterly basis, run delta certifications in which managers certify only the authorization changes made since the previous quarter.

  • Activate continuous campaigns that are triggered by specific events, such as moving a user from one department to another or changing business functions.
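As an added example (not code from the article or from any IBM product), the following Python sketch shows how the annual full campaign and the quarterly delta campaign from the two lists above could be generated from entitlement snapshots: one work list per manager, grouped by application, with policy-assigned access left out of manual review. The snapshot data, the manager mapping and the "source" field are constructed assumptions.

```python
from collections import defaultdict

# Constructed entitlement snapshots: (user, application, entitlement, source).
# source is "policy" for access granted by an automatic/default policy and
# "request" for access granted on request; only the latter needs a reviewer.
PREVIOUS_QUARTER = {
    ("alice", "ERP", "po_approver", "request"),
    ("alice", "VPN", "remote_access", "policy"),
    ("bob", "ERP", "po_creator", "request"),
    ("bob", "HR", "payroll_view", "request"),
}
CURRENT_QUARTER = {
    ("alice", "ERP", "po_approver", "request"),
    ("alice", "ERP", "po_creator", "request"),   # newly added: needs review
    ("alice", "VPN", "remote_access", "policy"),
    ("bob", "ERP", "po_creator", "request"),
    ("bob", "ERP", "vendor_admin", "request"),   # newly added: needs review
    ("bob", "VPN", "remote_access", "policy"),   # policy-assigned: skipped
    ("carol", "HR", "payroll_view", "request"),  # new hire: needs review
}
MANAGER_OF = {"alice": "dana", "bob": "dana", "carol": "erin"}  # constructed


def build_campaign(current, manager_of, previous=None):
    """Return {manager: {application: [(change, user, entitlement), ...]}}.

    Without a previous snapshot this is the annual full campaign (every
    current right is listed for review); with one it is the quarterly delta
    campaign (only rights added or removed since that snapshot).  Access
    assigned by automatic/default policies is excluded in both cases."""
    if previous is None:
        entries = [("review", e) for e in current]
    else:
        entries = [("added", e) for e in current - previous]
        entries += [("removed", e) for e in previous - current]
    campaign = defaultdict(lambda: defaultdict(list))
    for change, (user, app, entitlement, source) in sorted(entries):
        if source == "policy":
            continue  # controlled by the policy itself, not by a reviewer
        manager = manager_of.get(user, "unassigned")
        campaign[manager][app].append((change, user, entitlement))
    return {manager: dict(apps) for manager, apps in campaign.items()}


def items_per_reviewer(campaign):
    """Number of decisions each reviewer faces; a quick check for overload."""
    return {m: sum(len(v) for v in apps.values()) for m, apps in campaign.items()}
```

Comparing `items_per_reviewer` for the full and delta campaigns shows how much reviewer workload the quarterly delta approach removes.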

Improve the Content of Your Access Certification Campaigns

As noted above, when a certification tool does not offer plain-language descriptions that clearly explain the business relevance of the roles, users, access permissions and resources involved, approvers may not know what they are certifying.

To create quality descriptions, you should:

  • Rely on system owners, since they are the ones who have a thorough understanding of their resources.

  • Define roles with explicit names. For example, if a role is assigned to a manager of engineering, name it “manager_of_engineering” rather than simply “mgr” or “L3mgr.” This can be done manually or with role-mining techniques, in which the tool itself proposes a name based on the attributes of the identity, department, location or similar information.

  • Highlight the business activities to which users are contributing.

Get It Right

In any case, even after taking all the necessary precautions, access certification can be complex and time-consuming. It’s probably clear by now that to run certification campaigns effectively, you need not only to activate the technical solution but also to establish a compliance-oriented culture. Educating approvers on the importance of access certification is also critical to maintaining regulatory compliance.

When you consider the commitment of stakeholders and adopt and enforce industry best practices, intelligent identity governance enables you to streamline full provisioning and self-service requests, eliminate manual audits, quickly identify compliance violations and risky behavior, and automate the myriad labor-intensive processes associated with managing user identities. With the digital ecosystem expanding every day, business and security leaders need this level of visibility and control to make better decisions about who can access what data and systems on enterprise networks.


The post Intelligent Access Certification Improves Decision-Making Around Compliance, Identity Governance and More appeared first on Security Intelligence.

Author: Domenico Raguseo


How Former Bomb Disposal Expert and Lighting Designer Shaked Vax Pivoted Toward a Cybersecurity Career

There’s no doubt that a cybersecurity breach can blow up a business, but it’s still surprising to hear Shaked Vax, worldwide technical sales leader at IBM Security, compare some aspects of his cybersecurity career to his time with the Israeli Army’s bomb disposal unit.

“One of the key things you are taught when approaching an improvised explosive device (IED) to dismantle it is to avoid coming from the obvious direction — the direction the attacker assumed you will come from,” Shaked explained. “Come from the back, from the side, from the top — however you can approach that is unpredictable.”

The same advice applies to cybersecurity, especially when it comes to the ways in which attackers target the users in their sights. The best way to identify them or launch a counterattack is by using the most innovative tools and approaching from the most unpredictable angle. According to Shaked, that’s how we can use attackers’ own methodologies against them.

Walking on Wires — and Cutting Them

Another link between Shaked’s two lives is caution. He believes, and has learned from experience, that being afraid actually helps to protect you because it makes you more alert. When you are bold and overconfident, that’s when mistakes may happen — whether that means using the wrong approach to dismantle a bomb, or being complacent with your company’s cybersecurity protocols.

“Newsflash: Stuff can hurt you, and you should be super alert when handling it,” the former bomb disposal expert advised. “Being cautious, on your toes and thinking of it as a rivalry allows you to be more in tune, and that’s something I took forward into my role in cybersecurity. It’s how I operate and think now. It becomes ingrained in your veins and it really gets to be part of you.”

Shining a Light on Cybersecurity

Despite these strong threads between his past and present lives, a career in cybersecurity was not always in Shaked’s vision. He studied theater design at university and later went on to design lighting for rock concerts, operas, theater productions and TV studios.

While studying for his master’s degree, Shaked was offered a job working in an Israeli technology company that created lighting control boards — similar to the soundboards you see at concerts, but used to control the light show.

It was a great springboard for the budding lighting designer because he was hands-on in quality assurance and involved in new features and designs. A chance promotion saw him move into product and marketing management at the company, where he got even more engaged and started leading new offerings and feature designs.

“It was exciting because going to visit a customer meant I was going to meet lighting designers and lighting operators in a rock concert or an opera house or a disco club, which was awesome,” he recalled. “It was a great way to do market research.”

This area of theater design is “very, very technological,” Shaked explained. “You can imagine how much computing power is required to manage hundreds of lights that move and morph in real time, and how many innovative UI concepts need to go into a system to allow the operator to really interact with the show.”

So while he was working with his first love, he was developing another — technology — and becoming fascinated with how it interacts with our world. The dot-com bubble and the rise of the Israeli startup scene in the 2000s excited Shaked, and he wanted to push his technology career further, outside of lighting design. Colleagues recommended him for a role at cybersecurity firm Check Point, and thus his passion for lighting became just a passion again; his career was now cybersecurity.

Shaked moved up the ladder again at Check Point, where he worked in research and development and helped to innovate new security information and event management (SIEM) and Secure Sockets Layer virtual private network (SSL VPN) products, and later jumped around the tech scene as a product manager. He arrived at Trusteer just a few months before it was acquired by IBM Security in 2013.

“Trusteer got acquired by IBM, which gave me a great career path,” he said. “I got to expand in offering management, learning a lot about how a big business manages products and portfolios, and many more business perspectives.”

Shaked Vax approached his cybersecurity career from an unexpected angle

A Positive Spin on Fraud Prevention

As a product manager, Shaked had always been focused on the technology, the customers and the sellers. At IBM, he got to learn the business perspective of what he was doing.

He moved from Israel to Boston with his family three years ago to take on a strategic role, looking to expand the Trusteer business to new markets and solve new problems with the advanced fraud prevention technology. Although it was traditionally focused on banking and financial fraud, Trusteer’s technology is branching out.

“We call it trusted digital identity instead of fraud prevention,” said Shaked. “We’re looking more positively at how we enable businesses to do digital transformation and engage better with their customers over digital channels.”

Shifting focus from the negative implications of fraud and into more positive trust-based messaging is a market evolution, Shaked explained. Many technologies previously used for fraud detection are becoming increasingly intertwined with identity and access management (IAM) tools because identity fraud prevention centers on transparently ensuring that users are who they say they are.

Taking Identity Trust to New Places

“At the end of the day, authentication solutions were designed to correlate and prove digital identities,” said Shaked. “However, what was initially created as fraud solutions does that transparently. It does this without asking you anything, which is where everyone wants to be — passwordless, frictionless.”

Shaked now leads Trusteer’s technical sellers across the world as part of his mission to take the identity fraud prevention technology to new places. Although it’s a relatively new role, he is building the team and driving improvements in how it operates, ensuring that sellers have the tools and knowledge they need across the entire portfolio.

And if you’re wondering, yes, Shaked still occasionally has his hands in lighting design. The bomb disposal work, though, has stayed firmly in the past. These days, he just works hard to stop businesses from blowing up.

The post How Former Bomb Disposal Expert and Lighting Designer Shaked Vax Pivoted Toward a Cybersecurity Career appeared first on Security Intelligence.

Author: Security Intelligence Staff