MANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security

Transcription

1 MANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security

2 You re more connected, but more at risk too Enterprises are increasingly engaging with partners, contractors and customers, giving them access to information systems. The aim is to generate more business. But more data sharing can also mean more risk. Your employees, customers and partners are demanding more access to your systems from both computers and smart devices. But if their digital identities fall into the wrong hands, your systems are more prone to compromise and customers to becoming the victims of fraud. Organizations are becoming more dependent on connected systems to drive business growth and improve the customer experience they offer. To meet growing customer expectations, they re offering new ways to interact online, from websites to apps, sales to aftercare. And to increase productivity they re providing employees with new tools to access corporate systems, often from employees own mobile devices. These are great developments, but they come with risks. The explosion in the number and diversity of systems makes securing data increasingly difficult. And that challenge is made harder by the need to keep the experience as frictionless as possible for the user. An increasing number of individuals and organizations are falling foul of identity fraud. And much of that involves misuse of stolen credentials to access customer or corporate information. Over 80% of all identity fraud in the UK in the first quarter of 2015 was attempted or perpetrated online, according to UK fraud prevention service Cifas 1. And according to our latest Data Breach Investigations Report (DBIR), over the past four years credentials have been used more often than any other technique to compromise data or systems 2. $ COST Fraudsters stole $16 billion from 12.7 million US consumers in NO OF RECORDS According to our 2015 DBIR, a breach involving the loss of 1,000 records could cost as much as $1.4 million. If you lose 1 million records, you could be facing direct costs of $27.5 million 2. The costs to organizations of stolen digital identities can be massive. If this leads to a breach, you could lose priceless intellectual property, be faced with a public relations nightmare as you have to explain the loss of customer information, damage important business relationships having facilitated the compromise of partners systems, and suffer severe disruption to business availability. Organizations could also find themselves in breach of industry or government regulation. Even if the loss of identities doesn t result in a breach, companies helpdesks may be faced with the huge task of resetting passwords and productivity can be affected company wide, probably for days. Overall, the potential for damage to your business is significant if you fail to properly manage digital identities and authentication it s an issue that you can t afford to ignore. And with identity fraud a growing threat, it s clear that many of the approaches organizations are currently taking to protect their data aren t working. New analysis from our 2015 DBIR shows that in 75% of cases, the motive for stealing credentials was financial 2. 2 VERIZON ENTERPRISE SOLUTIONS

3 Managing access risks Your customers and employees want fast and easy access to your systems and information. But faced with the threat of identity theft, users also need confidence that those systems are protected. You need to balance cost, risk, and convenience when you re making decisions about how to protect your systems and data. Security teams are now faced with authenticating access into a growing number of critical business systems, by employees, partners and customers. It might come as a shock then that many organizations don t have a robust identity and access management (IAM) program in place. While authentication solutions have been available for some time, adoption of more advanced, more secure solutions has been relatively slow either due to cost or inconvenience to consumers. But the maturing trends of mobile and cloud have facilitated the development of cost-effective, secure, user-friendly solutions. And that s making it easier for organizations to manage the risk posed by digital identities. Nearly two-thirds of organizations do not have a well-defined and automated identity and access management (IAM) program 4. Quick view: Securing digital identities * The traditional username and password model is open to abuse. ** *** **** ***** ****** ******* Multi-factor authentication is a must to protect sensitive customer information, intellectual property and critical systems. The features and capabilities of smartphones are enabling the rollout of sophisticated and cost-effective multi-factor approaches. Federated identities enable consistency in your approach to risk and compliance. Adaptive authentication solutions are enabling organizations to match the level of security to the sensitivity of the systems and data being accessed. Cloud solutions and ID-as-a-service (IDaaS) have reduced the cost of implementing a robust IAM program. It s not enough to focus on authentication you need preventive measures and fraud detection techniques in place as well. MANAGING RISK: SECURING DIGITAL IDENTITIES 3

4 Passwords alone aren t enough???????? 69% of people in the US said that authentication failed one or more times over the past two years because they forgot a toolong or complex password 6. The majority of websites continue to rely on a username and password for authentication of users. But if criminals guess or steal these credentials, they could gain direct access to your systems and customer information. Passwords are often too easy to crack Despite increased understanding of the importance of security, is still the most common password today 5. Naturally, people select passwords that are easy to remember. But that means they re easy for opportunistic criminals to guess too. Many companies now require customers and employees to choose complex passwords that include letters, numbers and special characters. But users then find them hard to remember and record them somewhere often on a piece of paper left on their desk or on an unsecure digital device, thwarting the intent. Over time, people have developed coping mechanisms for creating stronger passwords like using common words with digits replacing letters, 4 in place of A etc. But just as we all know these techniques, so do the criminals. Powerful cracking tools are widely available as a quick internet search will show making it easy for anybody to become a hacker. 47 % of consumers are using a password that hasn t been changed in five or more years, and 77% have kept the same password for a year or more 7. 91% of attacks on credentials in 2014 involved hacking 2. People use the same password for everything How many passwords do you have to remember to access all the consumer sites you use? And how many do you have to enter each day just to do your job? Many people use the same passwords or variations of them for all their online services. Consumers have an average of 24 online accounts, but only about six unique passwords 7. If criminals steal credentials for one site or system you use, they potentially have access to more of them. Passwords aren t changed frequently enough Changing passwords frequently can help protect systems and data from compromise if credentials fall into the hands of criminals, they may be out of date before they can be used to compromise your data. But left to our own devices, how many of us would ever reset our passwords? When you want to access a system quickly to get some work done, the last thing you want is a prompt telling you to reset your password. Especially if that involves several attempts to find one that matches all the criteria. Many companies require their employees to change their passwords regularly, typically every three months, but even then employees naturally try to reduce the burden for example, changing just one character from their original password. And few consumer sites ever require an update, wanting to keep the user experience as frictionless as possible. 50% of users open s and click on phishing links within the first hour. And, on average, it s just 82 seconds before a phishing campaign gets its first click 2. People still fall for phishing Our 2015 DBIR found that social engineering is still a successful approach for stealing credentials. 19% of attacks targeting user credentials involved social engineering, with the majority of these using phishing campaigns 2. In 2014, we saw a shift from a reliance on default credentials to the capture and use of stolen credentials to compromise point-of-sale (POS) applications. And these weren t opportunistic attacks. Many incidents involved direct social engineering of store employees (often via a simple phone call) to trick them into providing the password needed to access the POS system. 4 VERIZON ENTERPRISE SOLUTIONS

5 Multi-factor reduces the risk You can defend your systems against the use of stolen credentials by asking users to provide something they have and something they know (and now, something they are) when they log in. Multi-factor authentication isn t new, but new options are making it more attractive. Questions and answers Personally identifiable information (PII) for example, your mother s maiden name or the name of your first manager can be used to strengthen the login process. Employees and customers are often asked for this type of information when they ve forgotten their passwords. 77 % of the hacking actions we ve analyzed involved the use of stolen credentials 2. Multi-factor authentication could have significantly reduced the risks. But for users this means having to remember yet more information on top of a complex password that s easy enough when it s your mother s maiden name, but what was your favorite band three years ago when you created that account? Often, users don t provide the real answers to the questions asked and then forget the false responses they gave. As with their complex passwords, many users keep a record of their answers somewhere. That s not very secure or a good user experience particularly when you have to answer a whole series of questions to register with a site. It also means you re holding more PII. One-time passwords One-time passwords provide an additional layer of security on top of a username and password. As they re generated for each login and delivered to users out-of-band (over a different medium for example, SMS), they make hacking much more difficult. Hackers would have to intercept or crack the password and use it in the short window that it s valid. Hardware tokens While this is a highly secure option and a favored enterprise solution over the last two decades it s costly. Hardware tokens need to be purchased, distributed and replaced. And they re not particularly user-friendly. If users lose their tokens, they go through the wash or the batteries die, users will have to wait for a replacement before they can access services. And having to carry around yet another device and find it whenever you need to log in creates a disjointed user experience. Software tokens Software tokens are more cost-effective. Instead of relying on a new dedicated piece of hardware, this typically uses the smartphone that most people carry around. A small app installed on the device generates the token. This reduces the inconvenience of carrying around a separate device, and you can install the same application on multiple devices, simplifying the user experience. SMS Another technique used by many ecommerce companies is sending a one-time password to the user s mobile phone by SMS. Many users find this simpler, and it s effective in places without widespread mobile data connectivity or where feature phones are more common. 67 % 67% of US consumers strongly agree or agree that they prefer authentication that doesn t require personal information 6. ALMOST 60 % of organizations have implemented or are planning to implement strong authentication based on a one-time password generated by a mobile device application, according to Forrester Research 8. MANAGING RISK: SECURING DIGITAL IDENTITIES 5

6 Security and convenience If your login process is too complex, people will stop using your services. But they ll also desert you if their privacy is breached. Users could soon be accessing systems simply by scanning their eye with their mobile phone. Mobile is enabling simplicity Smart devices have opened the door to more user-friendly and secure login experiences. Some smartphone-enabled authentication solutions allow users to log in without having to type in any information for example, by scanning a QR code on the login page with a device that s been registered with the service. Mobile is also at the heart of new solutions based on biometrics. High-end smart devices can recognize voices, faces, fingerprints, ears, or retinas. Even your heartbeat, which is as unique as a fingerprint, can be used to identify that it s really you. Most activity in biometrics has been from the major banks, with bespoke solutions. But given the adoption rates of smartphones in most major markets, mobile looks set to revolutionize both the cost-viability and usability of biometrics, in the near future. Providing consumers with authentication tools on their own devices lowers costs and encourages take up. As well as introducing systems that adapt based on security needs, you should also consider providing users with choice about how they can authenticate and from what devices. 50% By year-end 2017, about 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations up from about 20% today 9. Federated identities reduce risk The best user experience is provided by facilitating single sign-on to your services. Federation of identities takes this further and enables users to sign in to the services of a number of organizations with a single set of credentials. Many national governments are rolling out federated identity services so that citizens can access services with a single digital identity improving the experience and taking out cost, while decreasing risk. Federated identities provide a consistent approach to authentication across different applications and lines of business, making compliance easier to achieve. That helps organizations meet the security challenges of an increasingly connected environment. And standardizing administration and authorization makes it simpler to monitor use. Adaptive security If users are simply accessing a magazine subscription, they want easy and quick access. If they re accessing personal information or carrying out a financial transaction, they accept that a further stage of verification is needed. And, in fact, the feeling of additional safety can add to your brand perception. Adaptive authentication processes match the complexity of the access controls to the sensitivity of the data being accessed. Here, again, mobile is proving the answer to improved user experience. For example, it s possible to track the location of someone s mobile phone when they re making a payment. If their phone is somewhere other than where the payment is being made, the transaction can be escalated for additional verification. Cloud-based solutions Rolling out and managing a secure, multi-factor authentication process, which is both adaptive and offers choice, can be a major and costly undertaking. That s a big issue for security teams that often have a flat or decreasing budget. But protecting your, and your customers, data from the threat of credential misuse is critical. For this reason, a growing number of organizations are turning to cloud-based ID-as-a-service (IDaaS). IDaaS is available as a co-managed or fully-outsourced solution, removing the burden of verifying new users identities and managing authentication. It enables users to access your systems securely from computers, smartphones and tablets. IDaaS can also improve oversight by offering a real-time view of authentications. And organizations don t have to invest in maintenance and equipment. 6 VERIZON ENTERPRISE SOLUTIONS

7 More than just authentication A comprehensive strategy to deal with identity access management needs to go beyond authentication. Organizations need to understand the threats and put in place techniques for fraud detection. Multi-factor authentication can safeguard your services and data in many instances. Simply having stronger security in place will deter many opportunistic criminals who ll look for easier targets elsewhere. But no authentication solution is 100% effective. And that means you also need to look at measures to prevent criminals from stealing digital identities and to detect any signs of fraudulent activity. Focus on people People are often at the heart of security incidents be it falling for a phishing campaign or failing to dispose of sensitive material correctly. You can have a big impact on data security simply by training staff about the importance of maintaining strong passwords and never sharing them, and on how to spot social engineering. Authorization procedures Of course, training staff will only go so far in reducing the risks you face from people using credentials to access your systems for malicious purposes. There are many instances where disgruntled employees use their privileges to access data for personal financial gain. 1 in 10 data breaches in 2014 involved insider and privilege misuse 2. Making sure you have authorization processes in place so that, following login, employees can only view sensitive data if it s needed for their jobs can prove key. You also need a quick way of removing access rights when employees roles change or they leave. Ensuring you have strong network segmentation can limit the impact if a criminal does gain access to your systems using stolen credentials. 98% of the companies we looked at when compiling our 2015 PCI Compliance Report, used firewalls, or a combination of firewalls and routers, to segment data 10. But this is specifically required under compliance requirements, so are they applying the same approach for all the sensitive data they hold? Monitoring activity It s critical that organizations monitor their systems to look for any suspicious activity, which might indicate that their systems have been breached. Setting up controls to watch for data transfers out of the organization has, in our experience, caught many incidents of insider data theft that would otherwise have been missed. And these controls should help identify any breaches by criminals using stolen credentials. Even if you don t detect an incident until data has been stolen, the information that you collect can help you improve your defenses. Putting in place this type of fraud detection procedure and analyzing the intelligence you collect is likely to require the help of third-party security experts. They can also set up sophisticated detection techniques such as honeypots, whereby fake user credentials are made available. This enables them to trace the IP of any system that uses these credentials and block it. DBIR The Missing Section: Stolen Creds sheds light on how credentials are compromised and used in breaches. MANAGING RISK: SECURING DIGITAL IDENTITIES 7

8 Verizon Enterprise Solutions Our business relies on understanding and managing risk. As the first identity provider to earn Level 3 Identity Credential and Access Management (ICAM) certification, we re well equipped to address your most pressing identity management requirements. Our Universal Identity Service (UIS) meets the requirements for National Institute of Standards and Technology (NIST) Level 3 credentialing and authentication. We re also a founding and Executive Member of Open Identity Exchange. We have nine security operation centers on four continents and manage security devices in over 45 countries. And our security team has delivered over 5,000 security consulting engagements in the past three years. Find out more about managing risk: Read the other titles in our Managing Risk Series See how Verizon can help you: Managing Risk: Securing Digital Identities Verizon Solutions References 1. ID fraud first quarter (27 May), Cifas, May Data Breach Investigations Report, Verizon, May Identity Fraud: Protecting Vulnerable Populations, Javelin Strategy & Research, March Get ahead of cybercrime, EY s Global Information Security Survey 2014, EY, October Maintains the Top Spot on SplashData s Annual Worst Passwords List, SplashData, January Moving Beyond Passwords: Consumer Attitudes on Online Authentication, Ponemon Institute, sponsored by Nok Nok Labs, April Consumer Account Security Report, TeleSign, June Forrester Research, Market Overview: Employee And Customer Authentication Solutions in 2013, Part 1 of 2, December Magic Quadrant for User Authentication, Gartner, December PCI Compliance Report, Verizon, February 2015 verizonenterprise.com 2015 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. WP /15