Diluting the threat of identity pollution

Opinion by Luke Forsyth

Identity pollution has created a breeding ground for fraudulent activity.

Identity pollution has created a breeding ground for fraudulent activity.

That is, the number of online identities we must now maintain to ensure access to each area of our virtual existence is growing at a phenomenal rate. So too is the incentive for criminal behaviour.

Identity at it simplest level usually means a user identity and a credential; most frequently a password but sometimes a smart card or other device. Smart cards and other authentication devices are expensive and unpopular, because they are yet another thing to carry and often difficult to use.

Additionally each new identity can require an additional device, for example a friend of mine has three different authentication devices for just one bank. As a consequence we find ourselves drawn back to the first obvious answer - passwords. Deloitte recently claimed that over 90 per cent of user generated passwords will be vulnerable to hacking this year, including even those deemed ‘strong' by IT departments.

There are three key problems with passwords:

  • How do we make them sufficiently complex and difficult to guess or force using hacking techniques?
  • How do we make them sufficiently memorable or can we develop mechanisms to make them accessible if they need to be complex? 
  • How do we prevent identity recycling as most people commonly use the same email address as a user identity on every portal with the same password? 

If one portal of communication is compromised, every aspect of that person's virtual existence is now vulnerable with manifold impact on their daily life. Both the incentive and the opportunity for online criminals have never been greater, but the competition among businesses to provide a high level of service is fierce.

In the recent economic turmoil, the carnage amongst retailers and service providers whose online strategies failed has been profound. In particular, we are currently seeing mobile application strategies as not only a tool of convenience or marketing hype, but a genuinely business changing and potentially failing strategy.

The ease of use of online and mobile tools is as critical a consideration as the security of the transactions. The introduction of federation, including the use of social network identities, for logging into other accounts or applications is controversial, but the reality is that it provides a potential solution to some of the challenges of identity pollution and more importantly a segue to more effective solutions, in particular risk-based authentication.

From a security point of view, having fewer logins means credentials are shared less online, minimising routes for hackers to monitor. More importantly from a human point of view, there is a need for smooth movement between portals with fewer delays and inconvenient requests to log in.

Equally, the continued growth in multiple device usage in the workplace to enable remote working calls for greater restrictions on how, where and by whom sensitive business information can be accessed.

Human error, negligence and temptation play a significant role in security violations. While having the right technologies in place is imperative, businesses also need to ensure employees are educated to understand the risks – and implications – associated with handling sensitive data.

More so, with the implementation of identity and access management tools, businesses can control exactly which data employees can access depending on their role and business requirements – allowing all employees to access all information will inevitably open the door to security glitches.

An automated identity-related control across physical, virtual and cloud environments is fundamental to improving business efficiency, security and compliance. As employees connect to networks through different devices – searching for documents and information – automated systems act quickly to understand the trustworthiness of the device, enforcing the necessary security measures.

Implementation of an automated identity management system helps make IT more flexible; being quick and adaptive in response to change is a must in today's innovative, fast paced world.

Where we are increasingly seeing successful criminal activity is exploiting the gaps between environments and devices. Each device and environment may of themselves be secure, but if the security strategy is siloed, the criminals exploit this vulnerability.

Viewing these points as silos in which information exists is where many organisations fall foul of achieving control and security. The fluidity of today's economy, driven by the sharing of information means it's never dormant or in one fixed position.

Taking a comprehensive approach to data protection and data loss prevention significantly reduces the risks associated with a lack of enterprise security. One of the interesting aspects of a holistic risk-based authentication strategy is that the heuristics of the multiple devices and locations can actually be used to start to improve both the security and user experience.

Establishing and governing identities so that appropriate access rights are granted for different job functions is the first step to improving the overall security of information within a business.

The next is to ensure that identity management is automated to improve employee efficiency and productivity of the entire organisation. Not only will this reduce risks, but it will ultimately simplify the processes behind information access.

Throughout these processes, it is critical to continue to consider the humans who will be using the technologies and how they will consider this experience. Bad experiences actually lead to security compromises as well as the inevitable loss of both staff and customers.

Luke Forsyth is vice president of security services EMEA at CA Technologies


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events