
Exclusive: Ping Identity on security risk mitigation

19 Feb 2019

Organisations of different sizes and functions face different risks and, as such, need different security measures in place to mitigate them.

Businesses need to make sure they are shoring up their cyber-defences in the current data breach climate, especially as more critical data gets stored in the cloud.

Techday spoke to Ping Identity chief customer information officer Richard Bird about the most reliable authentication methods available and how organisations should be utilising them.

What defines effective security controls for organisations of different sizes?

Effective security controls are measured and defined by the direct mitigation of inherent and residual risk. The value of aligning controls to risk reduction is that the size of an organisation isn't a determining factor for which controls and solutions to invoke.

A small law firm that specialises in international high net worth clients might have huge risks to manage with advanced security controls, while a massive call-centre-oriented company might have significantly less risk by comparison.

Effective security controls, then, are the ones that directly address those risks faced by each, whether that be a loss of client wealth data or a denial of service attack on an IP phone network.

What are the strengths and weaknesses of the most popular methods of authentication at the moment?

Two-factor authentication and multi-factor authentication are the two primary methods used today.

When two-factor authentication first arrived on the scene it was based on something you have (a token, for instance) and something you know (mother's maiden name).

The weaknesses quickly became evident when both social engineering and massive social media breaches made the "what you know" portion either easily knowable or easily guessable by someone other than you.

Multi-factor authentication seeks to replace the question component of two-factor authentication with device-based authentication confirmations like SMS texts, biometric recognition on your mobile or some other form of continuously changing data.

MFA has proven to be a much stronger authentication approach, but its weakness is adoption, as many companies see it as onerous or burdensome for their users or customers.

How can organisations use this information to their advantage?

It comes back to risk.

If an organisation has what it perceives to be varying risks that their employees or customers may represent to the data or operations of the company, then applying stronger authentication or authentication measures that mitigate risk is a strategy to both improve security and user experience.

Adaptive authentication seeks to mitigate the friction faced by a user by applying the right authentication factors to a user based on their relative risk to the company.

The most important takeaway for an organisation is that acceptance by the user and an application of the right amount of control will yield a much better result in mitigating risk for a company than a blanket "one-size-fits-all" approach to the problem.
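Adaptive authentication, as described in the answer above, matches the factors demanded of a user to that user's relative risk rather than applying one blanket rule. The block below is an added illustration of that idea, not code from the article or from Ping Identity; the signal names, weights, thresholds and factor tiers are all assumptions chosen for the example.

```python
"""Added example (not from the article or Ping Identity): a minimal
adaptive-authentication policy that derives a risk score from sign-in
context and maps it to the factors a user must complete."""
from dataclasses import dataclass
from typing import List

# Constructed risk weights: each signal present adds to the request's score.
RISK_WEIGHTS = {
    "new_device": 30,         # device fingerprint never seen for this user
    "new_country": 25,        # sign-in from a country absent from user history
    "impossible_travel": 40,  # too far from the last sign-in for elapsed time
    "tor_or_proxy": 20,       # source address is an anonymising exit or proxy
}
FAILED_ATTEMPT_WEIGHT = 5     # per recent failed attempt ...
FAILED_ATTEMPT_CAP = 25       # ... capped so it cannot dominate alone

# Resource sensitivity sets a floor before any contextual signal is counted.
RESOURCE_BASE = {"low": 0, "medium": 15, "high": 35}


@dataclass
class SignInContext:
    resource_sensitivity: str = "low"
    new_device: bool = False
    new_country: bool = False
    impossible_travel: bool = False
    tor_or_proxy: bool = False
    failed_attempts: int = 0


def risk_score(ctx: SignInContext) -> int:
    """Sum the resource floor, every present boolean signal, and a capped
    contribution from recent failed attempts."""
    score = RESOURCE_BASE[ctx.resource_sensitivity]
    score += sum(w for name, w in RISK_WEIGHTS.items() if getattr(ctx, name))
    score += min(ctx.failed_attempts * FAILED_ATTEMPT_WEIGHT, FAILED_ATTEMPT_CAP)
    return score


def required_factors(ctx: SignInContext) -> List[str]:
    """Low risk keeps friction minimal (password only); medium adds a
    possession factor; high requires a phishing-resistant factor; and a
    score beyond the top threshold is denied rather than challenged."""
    score = risk_score(ctx)
    if score < 20:
        return ["password"]
    if score < 50:
        return ["password", "push_notification"]
    if score < 80:
        return ["password", "fido2_security_key"]
    return ["deny"]
```

A real deployment would feed the same decision with the organisation's own signals and thresholds, which is exactly where the "right amount of control" from the answer above is tuned.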

How does this affect companies hosting data in multicloud infrastructures?

The inescapable reality for cloud-hosted infrastructure or applications that companies have to come to terms with is that the primary security control will become authentication.

Whether it be a multi-cloud infrastructure or a single tenant cloud, if a company cannot answer a simple question with 100% certainty, then their cloud deployments will be at even higher risk than their on-premises infrastructure and applications.

And that question is: are you who you say you are? And why is a failure to answer that question successfully a higher risk in a multi-cloud infrastructure?

Because companies that are hosting in the cloud are no longer directly monitoring or managing their infrastructures, and cloud-hosting providers don't have the business background or context to adequately determine if someone's credentials have been usurped by a hacker or bad actor.
