Daily Archives: January 2, 2020

Three Big Takeaways from the Gartner IAM Summit You Need to Know


They say what happens in Vegas stays there, right? Well, that may not always be the case. Especially when it comes to the Gartner Identity & Access Management Summit last December. In fact, we are pretty sure the more than 2,200 attendees will take back with them new identity and access management insights, strategies, and intelligence to address their biggest challenges in their own organizations.

Core Security was a featured exhibitor at the Gartner IAM Summit, and our Director of IGA Product Management, Bill Glynn, presented innovative thoughts to a packed session—‘Finally! An Intelligent Approach to Access Governance, Role Management, and Access Reviews.’ This session examined how an intelligence-enabled, visual approach to the creation and management of roles and access reviews simplifies otherwise complex processes and helps enhance security.

So what were the top takeaways from the summit? We’ve identified three of the biggest items you should know in relation to your own business:
 

1) The IAM Struggle Is Still Real 

During the event, we heard story after story of companies disappointed that their existing IAM solution had not solved all of their identity and access management challenges. Many attendees expressed their ongoing struggle with manual and error-prone approaches to role design, role governance, and role classifications.

Regardless of the solution they used for provisioning, including access requests and approvals, and access reviews, many organizations at the Gartner IAM Summit were still struggling to build roles in a manner that truly captured the roles needed by the business. Several attendees we spoke to are still relying on traditional role mining techniques, including spreadsheets or their web-based counterparts—basically just automated lists of who has access to what, providing little context or intelligence about what the access really should be.

For many attendees, role-based access seems too far out of reach and is instead targeted as a last-stage deployment objective. This limits the value an organization can realize from their IAM vendor solution and overlooks an important side benefit of proper contextual role development. However, during the conference, Gartner emphasized that the likelihood of IAM program success can be improved through analytics and data cleanup.

The ongoing frustrations from organizations attending the Gartner conference underscored the importance of a visual-first approach that creates the most intelligent and efficient path to a successful IAM program. It also emphasizes the importance of mitigating identity risk by leveraging tools like the identity governance solutions offered by Core Security.
 

2) Intelligence and Identity Governance Go Hand-in-Hand

Another theme that emerged during the Gartner IAM Summit was the importance of intelligence and analytics in driving and informing the entire identity governance and access management process. In other words, intelligence should be the cornerstone for your identity and access management strategy. Numerous speakers and even keynotes during the conference highlighted the need for organizations to turn toward intelligent governance-led IAM programs to manage identities and uncover potential hidden access risks in the business.

So how does this work exactly? One way is by leveraging intelligence-enabled context to simplify identity governance through an intuitive, visual-first role-designing tool, with a key feature being a graphical matrix display that groups like-access privileges together. This enables users to easily understand the access and context that individuals have in common and identify what outliers might be present. Another way is by incorporating intelligence to enhance access certification accuracy by providing context and guidance so that users can better understand what they are reviewing. When users are confident in the intelligence of the access review process, they make smarter, better decisions, making it easier to avoid rubber-stamping access as a default action. 
 

3) IAM Is a Journey, Not a Destination

Organizations more mature in their approach to identity governance and access management view IAM as an ongoing initiative, with focused, achievable goals along the way. At the Gartner IAM Summit, the companies showcasing the greatest advances in improving security and boosting efficiency through IAM had strategically identified, prioritized, and addressed their biggest pain points. Most importantly, they do not rely on a prescribed approach to IAM.

These companies also recognize that partnering with leading-edge providers that are flexible at any phase of the identity governance journey, and can tailor their solutions, is an essential element for success. This enables them to do more with less, enhance organizational security, and prepare for growth and change—no matter what form it takes.


So Where Do You Go From Here?

These three big takeaways from the Gartner Identity & Access Management Summit have exciting applications for your organization in building a more intelligent, efficient, and impactful IAM strategy. But they can also seem overwhelming at first. We would love to show you how the right solutions can solve your most pressing challenges, fuel intelligence-driven identity governance, and support your identity and access management journey. Because our solutions are based on your needs and priorities—not the other way around.

 


What’s In Your Business Plan? California’s Privacy Law Goes Into Effect

California’s groundbreaking privacy law went into effect January 1, 2020.

The California Consumer Privacy Act (CCPA) requires businesses to inform state residents if their data is being monetized as well as to provide them with a clearly stated means of opting out from the collection of their data and/or having it deleted. Businesses not in compliance with CCPA regulations may be fined by the state of California and sued by its residents.

The CCPA requirements only kick in for companies that have collected the personal data of more than 50,000 California residents and/or show more than $25 million in annual revenue. The primary exception to the CCPA is companies subject to California’s Insurance Information and Privacy Protection Act (IIPPA).

Under the CCPA, companies are allowed to sell “anonymized” user data. This exemption has drawn heavy criticism from privacy advocates due to several studies showing that anonymized data can be re-identified with personally identifiable information relatively easily.

While the protections of the law apply only to California residents, businesses such as Microsoft have implemented its provisions for all customers.

Much like the European Union’s General Data Protection Regulation, many of the details of the implementation of the CCPA have yet to be determined and will most likely require further clarification in court cases. 

“If you thought the GDPR was bumpy, the CCPA is going to be a real roller coaster,” said privacy and cybersecurity legal expert Reece Hirsh in an interview with The Verge.

The post What’s In Your Business Plan? California’s Privacy Law Goes Into Effect appeared first on Adam Levin.

Landry’s Restaurant Chain Suffers Payment Card Theft Via PoS Malware

Landry's, a popular restaurant chain in the United States, has announced a malware attack on its point of sale (POS) systems that allowed cybercriminals to steal customers' payment card information. Landry's owns and operates more than 600 bars, restaurants, hotels, casinos, food and beverage outlets with over 60 different brands such as Landry's Seafood, Chart House, Saltgrass Steak House,

Cyber Security Roundup for January 2020

A roundup of UK focused cyber and information security news stories, blog posts, reports and threat intelligence from the previous calendar month, December 2019.

Happy New Year!  The final month of the decade was a pretty quiet one as major security news and data breaches go, given that cyber attacks have become the norm over the past decade. The biggest UK media security story was saved for the very end of 2019, with the freshly elected UK government apologising after it had accidentally published online the addresses of the 1,097 New Year Honours recipients.  Among the addresses posted were those of Sir Elton John, cricketer and BBC 'Sports Personality of the Year' Ben Stokes, former Conservative Party leader Iain Duncan Smith, 'Great British Bake Off' winner Nadiya Hussain, and former Ofcom boss Sharon White. The Cabinet Office said it was "looking into how this happened", which will probably come down to 'user error' in my view.

An investigation by The Times found Hedge funds had been eavesdropping on the Bank of England’s press conferences before their official broadcast after its internal systems were compromised. Hedge funds were said to have gained a significant advantage over rivals by purchasing access to an audio feed of Bank of England news conferences. The Bank said it was "wholly unacceptable" and it was investigating further. The Times claimed those paying for the audio feed, via the third party, would receive details of the Bank's news conferences up to eight seconds before those using the television feed - potentially making them money. It is alleged the supplier charged each client a subscription fee and up to £5,000 per use. The system, which had been misused by the supplier since earlier this year, was installed in case the Bloomberg-managed television feed failed.

A video showing a hacker talking to a young girl in her bedroom via her family's Ring camera was shared on social media. The hacker tells the young girl: "It's Santa. It's your best friend." The Motherboard website reported hackers were offering software making it easier to break into such devices. Ring owner Amazon said the incident was not related to a security breach, but that the compromise was due to credential stuffing, stating "Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services."


Ransomware continued to plague multiple industries throughout 2019, and even security companies aren't immune: Spanish security company Prosegur was reported to have been taken down by the Ryuk ransomware.

Finally, a Microsoft Security Intelligence Report concluded what all security professionals know well: implementing Multi-Factor Authentication (MFA) would have thwarted the vast majority of identity attacks. The Microsoft study found that reusing passwords across multiple account-based services is still common; in a sample of nearly 30 million users and their passwords, password reuse or modification was found for 52% of users. The same study also found that 30% of the modified passwords and all of the reused passwords can be cracked within just 10 guesses. This behaviour puts users at risk of being victims of a breach replay attack. Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack, in which the actor tries the same credentials against different services' accounts to see if there is a match.


The Paper Password Manager

Michael Allen // Every year around the holidays I end up having a conversation with at least one friend or family member about the importance of choosing unique passwords for each web site or service they use. Usually, it’s after they’ve received a phone or a camera or some other “smart” device for Christmas and […]

The post The Paper Password Manager appeared first on Black Hills Information Security.