It feels like identity management, whether we are talking about employee or customer identities, is no longer just about managing user names and passwords. Of course, this has been the case for several years. But those of us in the industry are realizing there is a new paradigm in which suspicion is the new normal, and everyone involved needs to find new ways to manage and operate in this model.
The recent Scattered Spider and related attacks are hitting us where we are most vulnerable, at the intersection of customers and support, using social engineering to get organizations to reset passwords, alongside standbys such as adversary-in-the-middle tactics.[i] Microsoft has also done a great job of describing the group’s tactics and overall strategy. As a result, the Scattered Spider campaigns have made anyone involved in IT support and security very concerned, and have left their customers overwhelmed with doubt and insecurity. “Is this user who they say they are?” is a bigger concern than ever before.
There is one thing that has become abundantly clear for both organizations and customers: suspicion must be the new normal. It’s a sad but true reflection on the state of things right now. For customers, it means manual verification of information requests: do not submit or provide data over the phone without independently verifying that you are communicating with the right people. Of course, this means separate phone calls or other interactions, which in complicated scam scenarios may still not be enough, and it slows everything down. It’s really nothing less than a new form of digital terrorism.
For large organizations, it means that ensuring both employee and customer security is more critical than ever. Ensuring that employee and customer data is properly segmented and that proper entitlement governance policies are in place is essential. Additionally, new patterns should be considered for verifying incoming user requests. The most promising method is using stronger identity verification mechanisms, such as liveness checks and, when the strongest measures are called for, submission of government documents such as ID cards, driver’s licenses, and passports. This, of course, can unfortunately increase authentication and authorization friction in areas where there had been motivation to reduce or eliminate it.
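One way to turn that tiered pattern into a concrete support-desk rule, as an added example that is not from the original post: a small policy function that maps the context of a reset request (channel, action, account privilege, pressure cues, recent contact changes) to the independent verification steps an agent must complete before acting. The step names and risk weights are assumptions chosen for illustration.

```python
"""Step-up verification policy for support-desk reset requests.
Added example; step names and risk weights are assumed values."""
from dataclasses import dataclass
from typing import List


@dataclass
class ResetRequest:
    channel: str                 # "phone", "chat" or "in_person"
    action: str                  # "password_reset", "mfa_reset", "email_change"
    privileged: bool             # admin, finance or support-role account
    caller_claims_urgency: bool  # "I'm locked out, my boss needs this now"
    recent_contact_change: bool  # phone/email on file changed recently


# Actions that hand over the account outright if granted to the wrong caller.
HIGH_IMPACT = {"mfa_reset", "email_change"}


def risk_score(req: ResetRequest) -> int:
    """Sum assumed risk weights for the request context."""
    score = 0
    if req.channel != "in_person":
        score += 2  # remote channel, caller identity not yet established
    if req.action in HIGH_IMPACT:
        score += 2
    if req.privileged:
        score += 3
    if req.caller_claims_urgency:
        score += 1  # pressure is a classic social-engineering cue
    if req.recent_contact_change:
        score += 2  # the callback target may already be attacker-controlled
    return score


def required_verification(req: ResetRequest) -> List[str]:
    """Return the independent checks an agent must complete, in order."""
    score = risk_score(req)
    steps = ["callback_to_number_on_file"]
    if req.recent_contact_change:
        # Contact data on file is untrustworthy; verify through another path.
        steps = ["manager_or_known_contact_confirmation"]
    if score >= 4:
        steps.append("liveness_check")
    if score >= 7:
        steps.append("government_id_document")
    if req.privileged and req.action in HIGH_IMPACT:
        steps.append("ticket_hold_24h_with_second_agent_review")
    return steps
```

The friction the post mentions is visible in the output: the same request type gets one callback for an in-person, low-privilege user but four separate checks for a remote MFA reset on a privileged account.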
There is hope that concepts from self-sovereign identity will make this verification easier by encapsulating identity-related data in an identity wallet secured by technologies such as blockchain. However, this is still an evolving, niche technology.
While we wait for this technology to mature, it is crucial for organizations, and for the individuals who interact with them digitally, to exercise caution and remember that when it comes to protecting one’s digital identity, “Paranoid people live longer.”[ii]