For IT professionals trying to lock down information and keep the bad guys out – hackers, cybercriminals, ‘rogue’ governments, competitors, or disgruntled current and former employees –security is a losing game. It’s not if you will be victimized, but when, and how quickly you can recognize and resolve the problem. Yet organizations – at least at the senior management level – still don’t give cybersecurity the respect (and resources) it really merits.
“The bad guys are already in your network,” said Richard Clarke, former special advisor to the president for cyber-space and national coordinator for security and counter-terrorism, in a recent interview [http://www.eweek.com/security/former-cyber-security-czar-says-network-perimeter-defenses-dont-work.html]. He is not an alarmist trying to drum up speaking engagements: my inbox was flooded with doom-and-gloom cybersecurity studies [http://wp.me/p2FWwi-1le] for the just completed annual RSA 2015 security conference, with findings like the following:
- 54% of breaches remain undiscovered for months;
- 60% of data is stolen in hours;
- 100% of companies connect to domains that host malicious files or services; and,
- The cost of data breaches will increase almost 400% from 2015 to 2019, to $2.1 trillion [http://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion].
These numbers only represent the tip of the iceberg threat environment. At its recent enterprise conference, HP reported that the average breach is undetected for at least 200 days, with most of these breaches from governments stealing intellectual property. HP told me that thefts involving identities or fraud tend to be caught much sooner, but still, those numbers should be alarming.
While tightening access security, including passwords and the increasingly popular single-sign on, won’t solve today’s security woes, it is a good start, according to a new report from Forrester Research (Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen) [https://www.forrester.com/WakeUp+Call+Poorly+Managed+Access+Rights+Are+A+Breach+Waiting+To+Happen/fulltext/-/E-res122204]. “At the core of any agile business are highly productive and efficient employees who possess the necessary access to key applications and data to do their jobs. However, in their quest to maximize employee productivity, firms are exposing themselves to unnecessary risks and increasing their chances of a data breach by using outdated approaches to verify employee access.”
People still tend to be the weakest link in cybersecurity, both in causing the breaches or in having to dig through mountains of data to recognize that breaches have occurred. Organizations are starting to catch on to the critical nature of secure access. Earlier this year, it was reported that the Identity and Access Management (IAM) market will almost double during 2014-2019 from $9.16 billion to $18.30 billion [http://www.marketsandmarkets.com/Market-Reports/identity-access-management-iam-market-1168.html].
The need to connect and manage continually increasing number of distributed digital identities across organizations has always been a key challenge. IAM benefits can include: assured and secured access to real time sensitive data; protecting organizations from internal and external threats; and ensuring visibility over the data at rest and in motion and data loss prevention.
If IAM security has been a challenge up to now, the accelerated growth in cloud, mobility, and the Internet of Things (IoT) is just adding injury to insult. Total cloud IT infrastructure spending will grow 21% year over year to $32 billion in 2015, accounting for approximately 33% of all IT infrastructure spending [http://www.idc.com/getdoc.jsp?containerId=prUS25576415]. A total of 336.5 million smartphones shipped worldwide in the first quarter of 2015 (1Q15), up 16.7% from 1Q14 [http://www.idc.com/getdoc.jsp?containerId=prUS25589215].
IoT looms even larger for IAM. Gartner predicted 4.9 billion devices would be Internet-connected in 2015, posing a challenge when it comes to the subject of authentication because existing solutions cannot meet the scale or complexity that IoT demands [http://www.securityweek.com/iot-requires-changes-identity-and-access-management-space-gartner].
With the number of things to be connected to the Internet expected to skyrocket to (at least) 30-50 billion things by 2020, managing identities will become even more complex. “IAM leaders must reconsider how traditional approaches to cybersecurity and IAM work in a world where devices and services are so abundant, in so many different forms and positioned at so many different points within the IT ecosystem,” said Earl Perkins, research vice president at Gartner, in a statement. “Existing identity data and policy planning give IAM leaders and technology service providers (TSPs) a narrow view of entities leading to a static approach that does not consider the dynamic relationships between them.”
Gartner suggests that the Identity of Things (IdoT), a new extension to identity management meant to encompass all identities, regardless of whether it is a person or device, can be used to define relationships among the entities — between a device and a human; a device and another device; a device and an application or service; or a human and an application or service. All we do know for now is that identity and access management as we know it needs to change radically.
The cybersecurity environment has been worsening over the last decade and the ‘bad guys’ seem to show no signs of slowing down. They’re more professional, have more to gain, and are willing to devote huge resources to steal your information. If the public and private sectors don’t devote more resources to protecting the information that constitutes their crown jewels, then the situation will only deteriorate.
Steve Wexler, Wordslingers Ink (firstname.lastname@example.org) and IT Trends & Analysis (www.it-tna.com), has been writing about business technology since IT was called DP/MIS, and telecommunications was handled by the office manager (AKA the Big Iron Age). He has written for all the major IT publishers and vendors, and for all the IT audiences – builders, sellers, and buyers.