

Peter Hunter, territory manager for South Africa and Africa at SailPoint Technologies, discusses information security and the upcoming ITWeb Security Summit.
Provide a brief on your company and discuss your involvement in the Security Summit.
SailPoint is the market-leading provider of on-premises and SaaS-based identity management solutions, which help the world's largest organisations mitigate risk, reduce IT costs and ensure compliance. The company's innovative solutions - IdentityIQ and AccessIQ - provide superior visibility into and control over user access to sensitive applications and data, regardless of where they reside.
SailPoint's product suite provides customers a unified solution for risk-aware compliance management, closed-loop user life cycle management, flexible provisioning, cloud access management and identity intelligence - all based on an integrated governance model. Founded in 2005, the company is headquartered in Austin, Texas, and has offices in Germany, Great Britain, India, Israel, the Netherlands, Singapore and SA.
SailPoint is proud to be an exhibitor and participant in the 8th annual ITWeb Security Summit. The company will share best practices and provide product demos with information security professionals and practitioners from around the globe.
What do you see as the single biggest information security risk this year?
Cloud adoption is accelerating faster than anyone imagined. More and more enterprises are aggressively adopting cloud and mobile solutions for mission-critical applications, but often without involving IT. In fact, through a recent Market Pulse survey conducted by SailPoint, the company found the selection and deployment of cloud applications is increasingly becoming a business-led process. By not involving IT in the cloud adoption process, the enterprise is failing to control access to sensitive applications and data that can leave an organisation at risk for fraud, misuse of data and privacy breaches, not to mention negative audit findings.
What is the one key risk mitigation step enterprises need to take this year?
Specifically within their identity and access management (IAM) strategies, it's wise for organisations to compile inventories and classify cloud applications by risk, rather than taking a one-size-fits-all approach to policy and control. Based on the potential risk or criticality a particular cloud application represents, different levels of management and control are required. For mission-critical cloud applications such as financial services and customer relationship management applications, an organisation needs complete visibility and oversight as to "who has access to what."
Therefore, for this class of cloud applications, it's important to implement preventive and detective controls over the processes that grant, change and remove access to cloud applications to ensure that compliance and security guidelines are being followed.
What, in your view, was the biggest security breach of the past year?
Today's organisations are seeing a blurring of the lines between personal and professional applications, and it's becoming increasingly common for workers to use the same passwords to access their personal accounts and their business accounts.
Case in point: the LinkedIn security breach last June, in which hackers stole 6.5 million customer passwords (that had only been lightly encrypted) and posted them to a Russian hacker forum. As a result, every company with employees using their LinkedIn passwords for other corporate applications became at risk. This is a common example of how a password breach in one application can easily cascade to myriad other applications, if passwords are reused.
This breach demonstrates the exposure end-users are causing by using their personal passwords for professional applications. Hackers know full well that people tend to use the same password across multiple sites and will test those passwords on Web mail, bank, corporate or brokerage firm accounts, where precious personal and financial data is free for the taking. Fortunately, implementing the right access management solutions can help organisations provide secure log-ins and minimise sharing of passwords in a simple, convenient manner.
What is the biggest information security weak spot in the enterprise?
The adoption of cloud and mobile computing is big - and getting bigger due to the demand for quick and easy access to applications. However, the benefits of the cloud, from cost savings, to speed, to flexibility, can be negated if they leave a business exposed to security breaches and compliance issues.
While IT is convinced that the cloud is too risky for core business applications, business units within the same company are already procuring cloud applications without IT's involvement - even for critical and sensitive applications. This is leaving a big gap in IT's ability to have a centralised view into users and their access privileges and to answer the critical questions of "who should have access to what", "who does have access to what", and "how did they get it?"
Successfully managing the adoption of cloud applications now requires a shift in IT's role from that of a "gatekeeper" to becoming a security service provider. At the end of the day, IT needs to manage and govern who has access to these mission-critical applications - proprietary or private data, no matter where it resides - or they are exposed to a wide variety of security risks, from insider threats, to unauthorised access, to sensitive data.
In a nutshell, how has cyber crime changed in the past year?
As recent high-profile security breaches at major companies like LinkedIn and Dropbox have made clear, security is a very real and growing concern for everyone as hackers, even including some inside employees, are continuously looking for new ways to steal passwords and gain access to proprietary information. This is especially a concern because companies are still struggling to get their identity house in order to manage "who has access to what", regardless of whether that access to key applications is on-premises or in the cloud. Failing to control access to sensitive applications and data can leave an organisation at risk for data loss, theft, misuse, or for a security breach or abuse of corporate resources.
SailPoint's Market Pulse survey found that, although approximately 60% of IT leaders realise that IAM plays a significant role in the prevention of security breaches, almost two thirds of IT leaders say they are not very confident in their companies' ability to prove the effectiveness of internal controls over access privileges in an IT audit. For the prevention of these security breaches and protection of data, organisations need an IAM strategy that governs access across the entire IT environment while allowing both IT and business to collaborate over security, user life cycle management and compliance.
What are cyber criminals targeting now, and what will they target in the future?
Cyber crime continues to show no signs of slowing down. In fact, 2012 marked a year of new advanced threats and an increased level of sophistication in the attacks witnessed around the globe. Nowadays, cyber crime is diverging down a different path due to the proliferation of cloud applications and mobile devices such as smartphones, tablet PCs and e-readers, which business users have adopted to transact their day-to-day work activities. As business users continue to demand fast, easy access to new technologies and applications, IT departments are constantly battling to stay ahead of the game to ensure they are supporting business users while at the same time mitigating the risks associated with these evolving technologies.
In fact, SailPoint's Market Pulse survey found that less than a third of companies are fully locked down when it comes to personal application usage at work. The majority of businesses now allow workers the freedom to access personal cloud applications or Web sites while at work. Yet, in order to make this more open environment secure, IT must have visibility and control over those applications that are considered to be mission-critical or high-risk. Having an IAM solution that allows IT and business to once again collaborate and regain control of the myriad new technologies means an organisation has the safeguards in place to combat these new security threats.
SailPoint will be participating at this year's ITWeb Security Summit, taking place from 7 to 9 May 2013 at the Sandton Convention Centre.