Exclusive: Ping Identity on security risk mitigation

19 Feb 2019

Organisations of different sizes and functions face different risks and, as such, need to have different security measures in place to mitigate them.

Businesses need to make sure they are shoring up their cyber-defences in the current data breach climate, especially as more critical data gets stored in the cloud.

Techday spoke to Ping Identity chief customer information officer Richard Bird about the most reliable authentication methods available and how organisations should be utilising them.

What defines effective security controls for organisations of different sizes?

Effective security controls are measured and defined by the direct mitigation of inherent and residual risk. The value of aligning controls to risk reduction is that the size of an organisation isn't a determining factor for which controls and solutions to invoke.

A small law firm that specialises in international high net worth clients might have huge risks to manage with advanced security controls, while a massive call centre oriented company might have significantly less risk by comparison.

Effective security controls then are the ones that directly address those risks faced by each; whether that be a loss of client wealth data or a denial of service attack on an IP phone network.

What are the strengths and weaknesses of the most popular methods of authentication at the moment?

Two-factor authentication and multi-factor authentication are the two primary methods used today.

When two-factor authentication first arrived on the scene it was based on something you have (a token, for instance) and something you know (mother's maiden name).

The weaknesses quickly became evident when both social engineering and massive social media breaches made the "what you know" portion either easily knowable or easily guessable by someone other than you.

Multi-factor authentication seeks to replace the question component of two-factor authentication with device-based authentication confirmations like SMS texts, biometric recognition on your mobile or some other form of continuously changing data.

MFA has proven to be a much stronger authentication approach but its weakness is adoption, as many companies see it as onerous or burdensome for its users or customers.

How can organisations use this information to their advantage?

It comes back to risk.

If an organisation has what it perceives to be varying risks that their employees or customers may represent to the data or operations of the company, then applying stronger authentication or authentication measures that mitigate risk is a strategy to both improve security and user experience.

Adaptive authentication seeks to mitigate the friction faced by a user by applying the right authentication factors to a user based on their relative risk to the company.

The most important takeaway for an organisation is that acceptance by the user and an application of the right amount of control will yield a much better result in mitigating risk for a company than a blanket "one-size-fits-all" approach to the problem. 

How does this affect companies hosting data in multicloud infrastructures?

The inescapable reality for cloud-hosted infrastructure or applications that companies have to come to terms with is that the primary security control will become authentication.

Whether it be a multi-cloud infrastructure or a single tenant cloud, if a company cannot answer a simple question with 100% certainty, then their cloud deployments will be at even higher risk than their on-premises infrastructure and applications.

And that question is: are you who you say you are? And why is a failure to answer that question successfully a higher risk in a multi-cloud infrastructure?

Because companies that are hosting in the cloud are no longer directly monitoring or managing their infrastructures, and cloud-hosting providers don't have the business background or context to adequately determine if someone's credentials have been usurped by a hacker or bad actor.
