Story image

Exclusive: Ping Identity on security risk mitigation

19 Feb 2019

Organisations of different sizes and functions face different risks and as such, need to have different security measures in place to mitigate them.  

Businesses need to make sure they are shoring up their cyber-defences in the current data breach climate, especially as more critical data gets stored in the cloud.

Techday spoke to Ping Identity chief customer information officer Richard Bird about the most reliable  authentication methods available and how organisations should be utilising them. 

What defines effective security controls for organisations of different sizes?

Effective security controls are measured and defined by the direct mitigation of inherent and residual risk. The value of aligning controls to risk reduction is that the size of an organisation isn't a determining factor for which controls and solutions to invoke.

A small law firm that specialises international high net worth clients might have huge risks to manage with advanced security controls while a massive call centre oriented company might have significantly less risk by comparison.

Effective security controls then are the ones that directly address those risks faced by each; whether that be a loss of client wealth data or a denial of service attack on an IP phone network.

What are the strengths and weaknesses of the most popular methods of authentication at the moment?

Two-factor authentication and multi-factor authentication are the two primary methods used today.

When two-factor authentication first arrived on the scene it was based on something you have (a token, for instance) and something you know (mother's maiden name).

The weaknesses quickly became evident when both social engineering and massive social media breaches made the "what you know" portion either easily knowable or easily guessable by someone other than you.

Multi-factor authentication seeks to replace the question component of two-factor authentication with device-based authentication confirmations like SMS texts, biometric recognition on your mobile or some other form of continuously changing data.

MFA has proven to be a much stronger authentication approach but its weakness is adoption, as many companies see it is onerous or burdensome for its users or customers.

How can organisations use this information to their advantage?

It comes back to risk.

If an organisation has what it perceives to be varying risks that their employees or customers may represent to the data or operations of the company, then applying stronger authentication or authentication measures that mitigate risk is a strategy to both improve security and user experience.

Adaptive authentication seeks to mitigate the friction faced by a user by applying the right authentication factors to a user based on their relative risk to the company.

The most important takeaway for an organisation is that acceptance by the user and an application of the right amount of control will yield a much better result in mitigating risk for a company than a blanket "one-size-fits-all" approach to the problem. 

How does this affect companies hosting data in multicloud infrastructures?

The inescapable reality for cloud-hosted infrastructure or applications that companies have to come to terms with is that the primary security control will become authentication.

Whether it be a multi-cloud infrastructure or a single tenant cloud, if a company cannot answer a simple question with 100% certainty, then their cloud deployments will be at even higher risk than their on-premises infrastructure and applications.

And that question is: are you who you say you are? And why is a failure to answer that question successfully a higher risk in a multi-cloud infrastructure?

Because companies that are hosting in the cloud are no longer directly monitoring or managing their infrastructures and cloud-hosting providers don't have the business background or context to adequately determine if a someone's credentials have been usurped by a hacker or bad actor.

Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
SAS partners with NVIDIA on deep learning and computer vision
“By partnering with NVIDIA, we combine our strengths to augment human intelligence and realise the true potential of AI.” 
Why businesses must embrace automation to ensure success
“For many younger workers, the traditional view of a steady job at one company, perhaps for life, simply doesn’t reflect reality."
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
Microsoft appoints new commercial and partner business director
Bowden already has almost a decade of Microsoft relationship management experience under her belt, having joined the business in 2010.
How Cognata and NVIDIA enable autonomous vehicle simulation
“Cognata and NVIDIA are creating a robust solution that will efficiently and safely accelerate autonomous vehicles’ market entry."
Kinetica launches a new active analytics platform
"With the platform now powered by NVIDIA DGX-2, customers can build smart analytical applications that combine historical data analytics and ML-powered analytics."