Meeting the Digital Identity Challenge
Security Panel: Improving Authentication, Access, Governance
Security leaders across enterprises observe that the digitization of the customer experience has taken the market by storm, and it is imperative for CISOs to adapt to these changes immediately.
Indian enterprises have started uncovering their digital strategies and are finding new ways of creating positive customer experiences with personalized service and efficiency.
The digital shift, instigated by a nexus of technologies -- cloud, mobile, social media and IoT -- threatens existing businesses. Improving corporate governance through a strong information security framework is critical to protecting digital identities.
This challenge was discussed in a recent live event, "Business Transformation Through Trusted Identities and Secure Transactions," hosted by ISMG. Experts debated security challenges around securing digital identities with identity and access management becoming an evolving threat. Participating in the panel were Rajendran N, CTO, National Payments Corporation of India; Ravikiran Mankikar, CGM, Shamrao Vithal Co-op Bank; Arun Gupta, former CIO, Cipla; Devendra Parulekar, practice leader-India, cyber security, Ernst & Young; and Chris Taylor, senior product manager, Entrust Datacard.
Chris Taylor, senior product manager, Entrust Datacard, sponsor of the ISMG event, says a paradigm shift has occurred because of advances in security technology. "It's no secret that digital identities are evolving," Taylor says. "From how they're used, managed and deployed, digital identities are one of today's most critical and sensitive assets."
Security leaders agree that business stakeholders apply increasing pressure on security teams to allow greater access to services, systems and information.
Observing an increase in the number of people accessing email on their mobile phones and tablets, Dr. Rajendran, chief technology officer at National Payments Corporation of India, says a huge task for CISOs is to protect user identity.
As banks undergo major transformations, Ravi Mankikar, CGM-IT of Shamrao Vithal Co-operative Bank, argues that prevalent methods of authentication are unsafe, only requiring a username and password. "While there is no one complete solution available to protect the identity, the only way CISOs can handle is to be conscious about managing security effectively, given that the people are the weakest link in the organization, as the system does not establish that the person who is given access is the genuine user of the application," Mankikar says.
According to Arun Gupta, former CIO of Cipla Ltd, providing access and identity to users on multiple devices within organizations is a major challenge. "Conventionally-adopted protection technology solutions have been compromised; new vulnerabilities are being discovered every day," Gupta says. "Patching remains the solace of the susceptible which lags the threats and their discovery."
However, he also feels that evolving defense strategies offer new ways to safeguard data. But implementation may be hard for enterprises with limited budgets.
Devendra Parulekar, Practice Leader-India, Cyber Security at Ernst & Young, mentions three critical aspects to securing identities: identity, authentication and authorization. "While much hype is built around identity and authentication, the security leaders forget the fact that hackers are after the authorization part, which gets compromised."
"Once the hacker enters the network as a genuine user, he taps the weaknesses of the applications which are huge in number across every enterprise," says Parulekar. The entry could be through mobile devices, cloud or using IaaS.
Experts agree that opening access to information and services enables business stakeholders to improve performance. However, securing digital identities and information through messaging, data and identity management used across the extended enterprise is required.
They recommend that practitioners develop the ability to audit the use and enforcement of policies, governing the actions of the enterprise and its stakeholders.
Taylor considers identity to be the core of digital business, enabling secure access to digital and physical resources.
Establishing user authentication is key to fueling digital business, says Taylor, as native features can enhance security. User authentication can be established with device and location attributes, application sandbox, crypto, an out-of-band channel and biometrics.
Parulekar recommends use of industry standards for login and passwords during transaction processes.
Securing Digital Identities
According to Dr. Onkarnath, security consultant for banks, it is important to have a governance structure in place to secure digital identities.
Rajendran says that while there are good regulatory frameworks available, the challenge is around compliance. Rajendran sees biometrics becoming a standard on smartphones, enabling customers to initiate a transaction using their fingerprints, which will be cross-checked with the biometric database.
Mankikar agrees that audit and compliance go hand in hand and recommends CISOs establish strong corporate practices via an information security governance framework in digital work, maintaining centralized control and auditing the enforcement of corporate policy.
Gupta strongly believes that, as a first step, security leaders should think beyond their roles and establish whether the customer feels safe and secure in transacting with their organization. "Once the CISO knows where the security lapses are, they can build a strategy around that, protecting users' digital identities and convey it to the board and the necessary requirement," says Gupta.
Some of the best practices that can help in securing digital identities, as Taylor recommends, are forcing PIN/biometric access, using find-my-phone apps, blocking jailbroken phones, mobile device authentication, MDM for control over mobile devices and the use of secure work partitions.
Experts say that use of digital identities and security technologies should ensure security services such as:
- Authentication to determine whether users accessing applications and information are valid;
- Authorization so that information is only accessible to those who have a right to see it;
- Digital signature to generate information that can be used to improve accountability;
- Encryption to protect information so it remains private and confidential while traveling across the network and wherever it is stored.
Parulekar advises, "If you have limited budget, focus on protecting the digital identities of users and the data and which is consistent and auditable."