Monthly Archives

May 2018

Another day, another data breach…are you kidding?!

By | IAM

Insider breaches…outsider breaches…breaches are breaches. Both can be serious, and both can be prevented. However, one of them falls back on a company’s leadership and management as a serious breach of trust.

The insider breach is almost more serious in its threat because employees may feel betrayed by their own organization for not being vigilant and taking steps to ensure that former employees are locked out of any system they had access to. And of course, companies prefer to keep the unsettling news quiet because of how unsettled insiders in the organization and outsiders could become. (When Target was breached a few years ago, even though I did not have a Target card that could have been breached, it took me years as an outsider to go back to shopping at Target.)

So, this week we hear that Coca-Cola had a data breach by a former employee. And we hear that SunTrust Bank had a data breach by a former employee, and these are only the ones we hear about. How many more are being kept under wraps for obvious PR reasons?

The ability to expose any information about a company comes from access. To be secure, and to know that access is appropriate, a company must know who has access to what and check that access periodically, using a secure way of checking.

  • How much information does an employee need to do the job they are assigned to?
  • How many accesses does an employee retain when reassigned…what has been kept that is not needed in the new role?
  • How efficiently does the system shut down those accesses when an employee leaves?

At ILANTUS Technologies, we hear many stories about companies who understand the seriousness of access but may not take access review seriously enough. Accesses are assigned but then reviewed manually. And here comes the problem with manual review…unintentional mistakes which lead to audit failures.
Risks are inherent in user access simply because people, as access holders or as access reviewers, can be vindictive or can make mistakes. The access reviewers have to have a process that is risk-free and efficient, to ensure each employee has the proper freedom of access to the company and that the company is not at risk because of those accesses.
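The three questions above (need-to-know per role, access retained after reassignment, and access left behind when an employee leaves) can be checked mechanically by reconciling HR records against what the IAM system has actually granted. The following is an added example, not ILANTUS code; the employees, entitlements and the role baseline are constructed sample data.

```python
"""Automated access review: reconcile HR status/role against granted entitlements.

Added example (not ILANTUS code). ROLE_BASELINE is an assumed role-to-entitlement
map; the employee and entitlement records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed least-privilege baseline: what each job role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts_payable": {"erp_ap_read", "erp_ap_post"},
    "marketing": {"cms_edit", "crm_read"},
    "dba": {"db_admin", "erp_ap_read"},
}

@dataclass
class Employee:
    user_id: str
    role: str       # current role from HR (source of truth)
    status: str     # "active" or "terminated"

@dataclass
class Finding:
    user_id: str
    kind: str       # "orphaned_account" | "excess_entitlement"
    entitlement: Optional[str] = None

def review_access(employees: List[Employee], entitlements: Dict[str, Set[str]]) -> List[Finding]:
    """Return one finding per account or entitlement that fails the review."""
    findings: List[Finding] = []
    by_id = {e.user_id: e for e in employees}
    for uid, granted in entitlements.items():
        emp = by_id.get(uid)
        # Provisioned in IAM but unknown to HR or terminated: a former employee's account.
        if emp is None or emp.status == "terminated":
            findings.append(Finding(uid, "orphaned_account"))
            continue
        # Anything beyond the current role's baseline is excess, typically retained
        # from a previous role after reassignment.
        for ent in sorted(granted - ROLE_BASELINE.get(emp.role, set())):
            findings.append(Finding(uid, "excess_entitlement", ent))
    return findings

# Constructed sample data: alice moved from accounts payable to marketing,
# carol has left, and dave has no HR record at all.
EMPLOYEES = [
    Employee("alice", "marketing", "active"),
    Employee("bob", "dba", "active"),
    Employee("carol", "accounts_payable", "terminated"),
]
ENTITLEMENTS = {
    "alice": {"cms_edit", "crm_read", "erp_ap_post"},  # erp_ap_post kept from old role
    "bob": {"db_admin", "erp_ap_read"},
    "carol": {"erp_ap_read", "erp_ap_post"},           # still provisioned after leaving
    "dave": {"cms_edit"},
}

if __name__ == "__main__":
    for finding in review_access(EMPLOYEES, ENTITLEMENTS):
        print(finding)
```

Run on a schedule and diffed against the previous run, the findings list is the audit trail a manual spreadsheet review cannot reliably produce.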

Many companies look at the automated process as expensive. Expensive compared to what? Expensive as compared to the salary of the manual reviewers. We meet with people who tell us that they don’t want to pay any more than what they currently pay. But how much do those manual reviewers cost the company when mistakes are made, be they unintentional or intentional?

According to Bill Gates:
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”

Automation does incur cost. However, the ROI is accuracy, efficiency and security. It also requires a mindset shift. How much more of a mindset shift do you need to prevent your company from hitting the front page in the “Today’s Data Breach Report” section?

There is no doubt that user access reviews can protect a company’s greatest asset…its information. Is that worth the risk a manual process can pose, or is it worth the determination to find an automated security system that keeps the data doors locked tight because the proper accesses are keyed into the security system?

At ILANTUS, we know companies need to engage in secure access management. We’ve been in the Identity and Access Management domain since its inception and have never branched away from this core. We take this seriously. Let us show you how that translates into a system that will work for your company.


Capital One: “What’s in your wallet?”

By | IAM

We often hear that small businesses are more of a target for cyber-attacks because they don’t have the resources to combat it. There will always be thieves targeting data.

How do you choose to protect your data?

One of the most obvious ways is with an Enterprise Password Management solution with multi-factor authentication. However, it’s the strong password that you create that is vital no matter what solution you are using. But what constitutes a strong password?

You see suggestions like this:
“Create strong passwords. Don’t use the four-letter, easy-to-remember passwords. Make them strong and long: not a word; random with symbols, numbers, capitalization.”
In 2003, that was the suggestion.

National Institute of Standards and Technology published a document with password guidelines. It was an eight-page password document titled “NIST Special Publication 800-63. Appendix A.” It advised people to use irregular capitalization, special characters, and at least one numeral. We are all familiar with that pattern because we can’t change a password until we satisfy those parameters. But what kind of passwords do we actually create?

The author of this publication has revealed that he actually ended up directing computer users towards lazy mistakes and easy-to-predict practices. And with the suggestion to change passwords at least every 90 days, a parameter adopted by organizations, users ended up creating easy-to-crack passwords. Take a look at your own passwords…that list of how many applications…and how many passwords to remember…and how you chose what is the easiest password for you to remember. Even when changing your password, don’t you try to stick to something familiar, similar to what you have used before and easy to remember?

The author of the 2003 guide is now saying that it was a misguided guideline because it trained us to use passwords that are hard for humans to remember, but easy for computers to guess.

In 2013, a new guideline was published by NIST which did away with those 2003 parameters (although it seems many sites have not caught on yet). New concept: create a password that a computer cannot guess, and a human can remember. Create a phrase. It is longer and more random than a single password. It is a phrase that you are familiar with…a phrase that means something to you which makes it a phrase that is easy to remember…a passphrase that may be crack-proof!
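The contrast the post draws (composition rules that trained people into predictable shapes and trivial rotations, versus a long phrase that is memorable and not on any common-password list) can be expressed as two password checks side by side. This is an added example, not ILANTUS code: the legacy rule set mirrors the 2003 pattern described above, the passphrase-oriented check reflects the newer guidance the post summarises, and COMMON_PASSWORDS is a constructed stand-in for a breached-password list.

```python
"""Legacy composition rules versus a passphrase-oriented policy (added example, not ILANTUS code)."""
import re
import string
from typing import Optional

# Constructed stand-in for a breached/common password list, stored lower-cased.
COMMON_PASSWORDS = {"p@ssw0rd1!", "password", "qwerty123", "welcome1!"}

# The predictable shape the old rules trained people into: capitalised word,
# a few digits, optional trailing symbol (e.g. "Summer2018!").
LAZY_SHAPE = re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[!@#$%^&*.]?$")

def legacy_policy_ok(pw: str) -> bool:
    """2003-style rules: 8+ characters with upper, lower, digit and special character."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def _base(pw: str) -> str:
    """Strip trailing digits/symbols and lower-case, so 'Summer2018!' and 'Summer2019!' compare equal."""
    return re.sub(r"[\d" + re.escape(string.punctuation) + r"]+$", "", pw).lower()

def is_trivial_variant(old: str, new: str) -> bool:
    """True when a 90-day rotation only bumped the number or symbol on the same base word."""
    return _base(old) == _base(new)

def passphrase_policy_ok(pw: str, previous: Optional[str] = None, min_len: int = 15) -> bool:
    """Passphrase-oriented check: length over composition, no known-common passwords,
    no lazy shape, and no trivial variant of the previous password. Spaces and plain
    words are allowed, so "what's in your wallet" passes where "Summer2018!" fails."""
    if len(pw) < min_len or pw.lower() in COMMON_PASSWORDS:
        return False
    if LAZY_SHAPE.match(pw):
        return False
    if previous is not None and is_trivial_variant(previous, pw):
        return False
    return True

if __name__ == "__main__":
    for candidate in ("Summer2018!", "what's in your wallet", "Correcthorsebattery1!"):
        print(f"{candidate!r}: legacy={legacy_policy_ok(candidate)} "
              f"passphrase={passphrase_policy_ok(candidate)}")
```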

In the United States, we associate the Capital One credit card with marketing the phrase “What’s in your wallet.” It’s easy to remember and we connect it with Capital One credit cards (which of course was the whole point).

ILANTUS has a Password Management solution with user verification, but the user needs to start creating stronger passwords with phrases…easy for a human to remember, and a stronger line of defense against cyberattacks. Strong passwords are the key to keeping your data doors locked.

Fish, phish, spear phishing…not catch and release!

By | IAM

According to research, 91% of cyberattacks and the resulting data breaches begin with “spear phishing.” And who do you think has been identified as the weak link in IT security that enabled those breaches? Research pinpoints you…one of the company’s end users.

Spear phishing is a targeted attack (against specific groups such as the employees of a company) that attempts to undermine that company by convincing employees to do something that gives the attacker access to proprietary data or company systems. Usually the message appears to come from a recognizable authority within the company, who may ask for information such as IDs and passwords.

Spear phishing success means that your brand and trust in your brand can be destroyed if news of the data breach reaches the public. And when that happens, according to research, 60% of your customers will think about moving their business and 30% will actually do so.

A few years back, The Wall Street Journal carried a story about a former New York State CIO’s use of fake phishing emails to test the awareness of some 10,000 New York state employees. What he found was that even after training, about 15% of the phished recipients accessed the fake URL and tried to enter their passwords…yes…even after training. You may say to yourself…it is so obvious that no one should provide that kind of information. And yet, the evidence of firms losing money points to the fact that phishing methods work. Put simply, there are people who inevitably click on links in phishing emails.

So, what do you do when you’ve been hooked by a spear phisher?
As a general rule of thumb, the affected users’ passwords need to be changed…whether or not there’s evidence of a serious breach, because you’ll never be 100% sure that the victims were not completely compromised. An attacker who now has the keys to open the data doors can open them at any time…and probably not when you expect them to be opened.

So how do you keep your business safe?
For most emergencies, there are protocols. What is the protocol in this emergency? The protocol is a proactive one. Invest in a password management system. Make sure you have a password solution with multifactor authentication. It is the most basic way to prevent hackers from breaking into your accounts with a stolen password. And for those inevitable “clickers,” with a true enterprise system in place, if there is a suspicion of an attack, the company can quickly notify end users, especially end users who may be unaware that they compromised the company or shy about reporting such a misstep.

ILANTUS has a multi-factor authentication password management tool that admins can use to immediately send a message to the entire AD base with a URL for each user to change their password right away. The beauty of this product is that it is self-service: all users can change their passwords in a small amount of time, unlike when users are forced to go through a Service Desk. Recently, we heard about a company breach that sent 1,000 users to their Service Desk. Those password changes took time, backed up the service desk, held up the end users’ ability to continue to work and ended up costing the company a lot of money per service ticket.

If you think your organization is safe from a phishing attack because you haven’t yet been targeted, think again. Think about protecting the company with a true enterprise password management solution.

WORLD PASSWORD DAY – It’s time to #LayerUp

By | IAM

Passwords are critical gatekeepers to our digital identities affecting both our personal and professional lives. The Registrar of National Day Calendar has designated the first Thursday of May of each year as “World Password Day” to promote better password habits.

However, it is a well-known fact that people are notoriously bad at setting passwords, leaving their data exposed to vulnerability and threats from third parties. Layering up passwords with tools like “multi-factor authentication” (also known as two-factor authentication) provides an additional layer of protection beyond your password. This additional layer provides a much better and more secure way of authenticating a user to any application. This extra step in your login process gives powerful protection against cybercrimes like identity theft and social media account hijacking.

IAM solutions like Password Management and Single Sign-On provide multi-factor authentication features like SMS OTP, email OTP, soft token, fingerprint ID, etc. Such solutions enable users to have a seamless single sign-on experience with more powerful password management benefits.

Think about it…and then ask yourself…why aren’t we doing this?

Why Multi-Tenancy Application Architecture Matters in 2018

By | IAM


The global public cloud market will reach $146 billion in 2018, a $59 billion increase over 2016. A big chunk of this market is enterprises with a core product built on top of Multi-Tenant Application Architecture. Yet, despite the clear indications multi-tenancy has been a game changer in the tech industry, many are uncertain of exactly what makes an application “Multi-Tenant” or why it matters.

Multi-Tenancy Defined

“Multi-tenancy is an architecture in which a single instance of a software application serves multiple customers.” The core of multi-tenancy is the idea of resource maximization. It’s a rather common objective of most business endeavors to maximize available resources. So what makes multi-tenancy special?

The Problems Multi-Tenant Application Architectures Solve

Colocation data centers, virtualization, and middleware sharing are some examples of resource sharing with similar ambitions of reducing cost while maximizing efficiency. What differentiates multi-tenant application architecture is its effectiveness in achieving the same goal in a scalable and sustainable fashion.

Multi-Tenant Application Architecture helps optimize the use of hardware and software. As an alternative to a multi-tenant application, many technology vendors are tempted to enter the market with a solution that simply creates a virtual appliance from existing code, sells a software license, rinses and repeats. There are lower entry costs this way, and it seems like a reasonable option for organizations looking to create a cloud offering of software that already exists. But each upgrade of the application will require each customer to upgrade, and the ability to implement tenant management tools and tenant-specific customizations is significantly limited. With multi-tenant architecture, centralized updates and maintenance are possible, and the level of granularity possible using tenant management tools is significantly higher.

Multi-Tenant vs. Multi-Instance

Making a choice between multi-tenant and multi-instance application architectures will depend almost entirely on your position and the business problems you are trying to solve. As a user, it’s probably best to focus on the end product, meaning evaluating SLAs, functionality, and meeting any relevant requirements for data integrity, security, and uptime as opposed to basing a decision on the underlying architecture.

As a solution provider, your focus should be on which architecture allows your product to add the most value to the marketplace. Will there be more benefit in your team being able to leverage the extensibility of multi-tenancy or the portability of multi-instance? Taking a step back, why not both? A fairly popular approach is to implement groups of tenants across a number of instances. The focus should always be on delivery of the best product possible.

In conclusion, Multi-Tenant Application Architecture is an architecture that allows resources to be centralized and leads to benefits in the form of various technological economies of scale. Multi-tenancy has contributed to a disruptive change in the market over the last 10 years and continues to be at the core of many applications today. While there are alternatives and, in practice, applications may be a bit of a hybrid between multiple architectures, multi-tenancy is a core concept of cloud computing and seems likely to be so for the foreseeable future.


Raghavendra Subbanna

Director-Infrastructure & Managed Services