Blog by Bjarke Alling, Group Director of Liga and member of the National Danish Cybersecurity Council.
This article was first published at the Open Horizon Magazin – https://ohmag.net/a-new-foundation-for-it-security/
It is becoming increasingly demanding for companies and public authorities to handle IT security as more and more tasks are digitised. There is therefore a need for a whole new approach to the way we think about IT security, and for secure digital identity to replace unreliable analogue identity checks.
Combining effective user management and cyber security can eliminate many of the security vulnerabilities that are causing havoc for companies and public organisations. The combination gives users a secure digital identity that, among other things, can make passwords redundant for day-to-day login. As a result, many IT security threats become irrelevant or are reduced to a minimum. This applies to:
Ransomware
Ransomware can incur high restoration costs and downtime losses. With a secure digital identity, this risk can be reduced by:
- Minimising rights to machines, IT systems and data, for example read-only rather than full access (least privilege)
- Disabling accounts during leave, maternity, holiday, etc.
Fraud
Fraud with cash payments, extortion and espionage can be significantly reduced with secure digital identity because:
- User rights are tightly scoped via roles
- The digital credential, a private key held on a smart card, cannot be copied by a colleague or others the way a password can
Loss of data
The risk of loss of citizen data due to hacking and accidental data loss due to human error is minimised with secure digital identity through:
- Robust control of both physical and digital access
- Using encryption
- Use of a credential that cannot be guessed or phished, and that is useless to a thief without its PIN
Common to all three is the continuous loss of citizens’ confidence in public authorities.
The traditional approach to IT security, which is prevalent in most organisations today, cannot deal with the above problems. Therefore, there is a need for a shift to a new security basis that includes user management.
There are two primary reasons why we now need secure digital identity rather than traditional password-based protection and access systems:
1. The threat has become too great
Internationally, the cyber threat is rated as one of the top five global threats. In the ‘Global Risks Report 2019 14th Edition’, the World Economic Forum placed data fraud and theft and cyber attacks on the top 5 list of global threats, and this is just one of many high-credibility assessments describing the cyber threat as current and extremely serious.
2. The EU requires two-factor authentication
Legislation and international standards are driving the change: password-only access to electronic information increasingly falls short of what is expected under international standards and European legislation in the field, including the ISO/IEC standard “Information Security Management – (ISO/IEC 27001)”, the EU’s “General Data Protection Regulation (GDPR), Articles 25 and 32”, which require technical measures appropriate to the risk, and the “electronic IDentification, Authentication and trust Services (eIDAS)” regulation, whose assurance levels ‘substantial’ and ‘high’ require more than one authentication factor.
Therefore, a new approach to IT security must be based on a new approach to the fundamental issues.
Today, digital identity is based on analogue identification points. In practice, this means that we take a physical identification and convert it into a digital one. It can be fingerprints, facial recognition, iris identification, voice recognition or the even more widespread – and insecure – password.
Analogue to digital = fail!
Common to these identification models is that the starting point is an analogue input that is converted to a digital key. This process has one crucial weakness: You cannot be 100% sure the input comes from the right person. With the right ingenuity, all these methods can be hacked or bypassed.
International reports estimate that 81% of all hacking-related data breaches involve stolen and/or weak passwords. Today, passwords are no longer a security measure but a symptom of a larger, complex problem that can only be tackled by reorganising the way we verify ourselves digitally. Where the password once solved the single task of giving an individual access to one service, today a new employee in a company must have access to a selection of hundreds of IT systems.
The problem lies in the conversion from analogue to digital. The vast majority of our IT security problems are based on the fact that we cannot fully trust the digital identity of individuals and companies.
The solution is right in front of us. We must change the way we digitally identify ourselves from having an analogue starting point to having a digital starting point. Fortunately, there are many solutions in the market that can do just that.
Identification is at the heart of IT security
Secure digital identity starts from a fully digital identification that is bound to the person. To achieve both regulatory compliance and effective security procedures, larger companies and organisations should look at the entire user management process as a whole. This means introducing a simple, circular process consisting of four steps: Create, Issue, Use and Review.
Create
Each time an organisation takes on new employees, temporary workers or consultants, it traditionally needs to spend time giving the new faces access to a variety of systems. In many places, the IT department will give each employee a login first to Windows and Active Directory, and then individually to many other internal and external systems. This is not just a time-consuming procedure for the IT department. It can also delay the point at which an employee is fully able to take on their new duties, and it causes mistakes that, in rare cases, can have serious or even fatal consequences.
If, on the other hand, an organisation chooses to use a centralised user management solution (Identity Management, IDM), new users are automatically created in the connected IT systems, and users who leave are automatically deactivated or deleted. One of the benefits of automatically managing user access is that the IT department saves a lot of resources it would otherwise spend creating and deleting employees manually. With an effective automatic creation process, each user is granted access to systems and information based on their role in the organisation.
The advantage here is not only that the user has just the right access. It also eliminates a significant risk of employees being wrongfully granted rights that they should not have had in the first place.
To comply with current legislation, a user management system will also ensure that the creation of the user is documented against the requirements for in-person appearance and presentation of identity documents.
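The create step above is easiest to reason about as a reconciliation: the roles in the HR record define the rights a person should have, and the identity management system grants or revokes whatever differs, including revoking everything while someone is on leave. The following is an added example written for this page, not code from the article or from Liga; the role names, systems and rights are a made-up policy used only for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Status is the HR state that drives access. Anyone not Active keeps no
// rights: OnLeave keeps the account but revokes access, Left removes it.
type Status int

const (
	Active Status = iota
	OnLeave
	Left
)

type Employee struct {
	ID     string
	Roles  []string
	Status Status
}

// Entitlement is one right on one system, e.g. {"patient-records", "read"}.
type Entitlement struct {
	System string
	Right  string
}

func (e Entitlement) String() string { return e.System + ":" + e.Right }

// rolePolicy is a hypothetical role model: read-only by default, write or
// approve rights only where the role genuinely needs them.
var rolePolicy = map[string][]Entitlement{
	"nurse":   {{"patient-records", "read"}, {"rostering", "read"}},
	"doctor":  {{"patient-records", "read"}, {"patient-records", "write"}, {"rostering", "read"}},
	"hr":      {{"hr-files", "read"}, {"hr-files", "write"}},
	"finance": {{"ledger", "read"}, {"payments", "approve"}},
}

// Desired computes the rights an employee should hold right now, collapsing
// duplicates when several roles grant the same right.
func Desired(emp Employee) []Entitlement {
	if emp.Status != Active {
		return nil
	}
	seen := map[Entitlement]bool{}
	var out []Entitlement
	for _, r := range emp.Roles {
		for _, e := range rolePolicy[r] {
			if !seen[e] {
				seen[e] = true
				out = append(out, e)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out
}

// Change is the set of grants and revocations that moves an account from the
// rights it actually has to the rights its roles justify.
type Change struct {
	Grant, Revoke []Entitlement
}

// Reconcile returns the changes needed. Revoking anything not covered by a
// role is what removes rights an employee was wrongly given at some point.
func Reconcile(actual, desired []Entitlement) Change {
	want := map[Entitlement]bool{}
	for _, e := range desired {
		want[e] = true
	}
	have := map[Entitlement]bool{}
	for _, e := range actual {
		have[e] = true
	}
	var c Change
	for _, e := range desired {
		if !have[e] {
			c.Grant = append(c.Grant, e)
		}
	}
	for _, e := range actual {
		if !want[e] {
			c.Revoke = append(c.Revoke, e)
		}
	}
	return c
}

func main() {
	// Constructed sample: a nurse who at some point was given write access and
	// an HR right that no role justifies.
	nurse := Employee{ID: "e1001", Roles: []string{"nurse"}, Status: Active}
	actual := []Entitlement{{"patient-records", "read"}, {"patient-records", "write"}, {"hr-files", "read"}}
	ch := Reconcile(actual, Desired(nurse))
	fmt.Println("grant:", ch.Grant)   // [rostering:read]
	fmt.Println("revoke:", ch.Revoke) // [patient-records:write hr-files:read]

	// The same nurse goes on maternity leave: every right is revoked, the account is kept.
	nurse.Status = OnLeave
	fmt.Println("on leave, revoke:", Reconcile(actual, Desired(nurse)).Revoke)
}
```

Running the reconciliation on every HR change, rather than only at onboarding, is what turns "disable accounts during leave" from a manual task into a property of the system.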
Issue
Issuance is a short-lived but crucial act in ensuring that the natural person also becomes the corresponding digital person. For this to work well, the step must be carried out by the users themselves. The user must:
- confirm their identity themselves
- set their own password and smart-card PIN
- authorise their employee photo themselves
- generate their digital key themselves
Only in this way can the organisation and the outside world have strong assurance that the person holding the credential is the person who was identified.
Forming and issuing the digital identity is done through a self-service process in which each employee provides their employee photo and issues, and possibly also prints, their own access card with photo, name, title and the like, together with their own digital access.
The process is easy for the individual user, it frees up resources in the IT department and ensures that the organisation complies with applicable legislation and internal procedures.
With a good self-service process, a company or organisation such as a hospital, bank or municipality can ensure that the employee has correct, secure digital IT access.
Use
All large organisations work in many different systems, and it is inconvenient and time-consuming for employees to handle individual logins for each system.
Security procedures become more agile and efficient with automated, integrated access control based on secure digital identity using smart cards. At the same time, these procedures are no longer perceived as an inconvenient, delaying element by employees.
Once the first two steps, create and issue, are in place, the third step is to have employees use two-factor login every time they log in to their PC. With smart-card based two-factor login, the private key never leaves the card, so a password that is accidentally shared or phished no longer grants access on its own, and a card plus PIN is far harder to share or copy than a password.
Two-factor login also supports rule compliance when HR staff must have access to sensitive personal material, and when employees must work with or share documents that contain sensitive information. Overall, the risk of internal computer systems being compromised is reduced when access to them requires two-factor login.
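Why a smart card login cannot be phished or copied the way a password can is easiest to see in the exchange itself: the PC sends a fresh random challenge, the card signs it with a key that was generated on the card and never leaves it, and the PC checks the signature against the public key enrolled at issuance. The following is an added example written for this page, not code from the article or from any card vendor; it models the card in software, uses ECDSA on P-256 as an assumed algorithm, and keeps the usual three-attempt PIN lock.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card models the part of a smart card that matters here: the private key is
// generated on the card and is only ever used through Sign; there is no way
// to read it out. A PIN must be presented first (the second factor) and the
// card locks after three wrong attempts.
type Card struct {
	priv      *ecdsa.PrivateKey
	pinHash   [32]byte
	unlocked  bool
	triesLeft int
	locked    bool
}

// Issue is the issuance step: the user chooses the PIN, the key pair is
// generated on the card, and only the public key leaves it to be certified.
func Issue(pin string) (*Card, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	c := &Card{priv: priv, pinHash: sha256.Sum256([]byte(pin)), triesLeft: 3}
	return c, &priv.PublicKey, nil
}

// VerifyPIN unlocks the card for signing; wrong PINs count down to a lock.
func (c *Card) VerifyPIN(pin string) error {
	if c.locked {
		return errors.New("card locked")
	}
	if sha256.Sum256([]byte(pin)) != c.pinHash {
		c.triesLeft--
		if c.triesLeft == 0 {
			c.locked = true
		}
		return errors.New("wrong PIN")
	}
	c.unlocked = true
	c.triesLeft = 3
	return nil
}

// Sign signs the hash of a challenge, but only after the PIN was presented.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("PIN required")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Verifier is the relying party (the PC or domain). It issues a fresh random
// challenge per login and only accepts a response to a challenge it issued
// and has not yet consumed, so a captured (challenge, signature) pair cannot
// be replayed and a copied public key or certificate is useless on its own.
type Verifier struct {
	pub     *ecdsa.PublicKey
	pending map[[32]byte]bool
}

func NewVerifier(pub *ecdsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, pending: map[[32]byte]bool{}}
}

// Challenge returns a fresh 32-byte nonce and remembers it as outstanding.
func (v *Verifier) Challenge() ([]byte, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	v.pending[sha256.Sum256(b)] = true
	return b, nil
}

// Check consumes the challenge and verifies the signature against the enrolled key.
func (v *Verifier) Check(challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	if !v.pending[h] {
		return false // unknown or already used challenge: replay or forgery
	}
	delete(v.pending, h)
	return ecdsa.VerifyASN1(v.pub, h[:], sig)
}

// Login runs one complete exchange: PIN to card, challenge from verifier,
// signature from card, verification by verifier.
func Login(v *Verifier, c *Card, pin string) bool {
	if err := c.VerifyPIN(pin); err != nil {
		return false
	}
	ch, err := v.Challenge()
	if err != nil {
		return false
	}
	sig, err := c.Sign(ch)
	if err != nil {
		return false
	}
	return v.Check(ch, sig)
}

func main() {
	card, pub, err := Issue("1234")
	if err != nil {
		panic(err)
	}
	v := NewVerifier(pub)
	fmt.Println("card + correct PIN:", Login(v, card, "1234"))
	fmt.Println("card + wrong PIN:  ", Login(v, card, "0000"))
}
```

Note what the verifier never sees: the PIN stays between the user and the card, and nothing the PC receives is reusable, which is why a phishing page that captures the whole exchange still cannot log in later.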
Review
The final step of the process assesses whether the previous three steps comply with national and international laws and standards, as well as the organisation’s own internal policies. The area is very broad, but in general, digital management tools are needed both to keep an overview and to carry out the necessary controls.
Compliance management is a process that ensures that the right people have the right rights and follow the right rules. The key is that the organisation regularly reviews, and in some cases continuously evaluates, whether rules and rights are being respected. The process must ensure that rights owners systematically authorise or re-authorise the users who have been granted access to the IT system(s) for which they are responsible. This is also where you look at log files, failed logins and other anomalies.
The process point provides an excellent basis for the organisation to routinely evaluate whether:
- rules and rights must be adjusted
- users must be deactivated or deleted
- applicable rules and laws are being complied with
- current processes and hence technical setup for a secure digital identity have the desired robustness and necessary capacity to withstand current and future cyber threats
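The review step combines two kinds of check: a register of who re-authorised whose access and when, from which stale attestations fall out, and the login logs, from which failed-login bursts and logins by accounts that should already be deactivated fall out. The following is an added example written for this page, not code from the article or from Liga; the attestation records, the "timestamp user result" log format and the log lines themselves are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Attestation records the rights owner's last re-authorisation of one
// user's access to one system.
type Attestation struct {
	User, System string
	ReAuthorised time.Time
	Owner        string
}

// Finding is one item the review puts in front of the rights owner.
type Finding struct {
	Kind, User, Detail string
}

// ExpiredAttestations lists grants whose last re-authorisation is older than
// maxAge, i.e. rights that must be re-approved or removed.
func ExpiredAttestations(reg []Attestation, now time.Time, maxAge time.Duration) []Finding {
	var out []Finding
	for _, a := range reg {
		if now.Sub(a.ReAuthorised) > maxAge {
			out = append(out, Finding{"stale-attestation", a.User,
				fmt.Sprintf("%s last re-authorised by %s on %s", a.System, a.Owner, a.ReAuthorised.Format("2006-01-02"))})
		}
	}
	return out
}

// LoginEvent is one parsed line of the constructed log.
type LoginEvent struct {
	At     time.Time
	User   string
	Result string // "ok" or "fail"
}

// ParseLog parses lines like "2024-03-04T08:15:02Z e1001 fail" (a made-up
// format). Malformed lines are skipped so one bad line cannot abort a review.
func ParseLog(raw string) []LoginEvent {
	var out []LoginEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, LoginEvent{ts, f[1], f[2]})
	}
	return out
}

// ReviewLogins flags (a) any successful login by a deactivated account, which
// means deprovisioning did not reach that system, and (b) users with at least
// threshold failures inside window, the usual sign of password guessing.
// Events are assumed to be in time order, as a log normally is.
func ReviewLogins(events []LoginEvent, deactivated map[string]bool, window time.Duration, threshold int) []Finding {
	var out []Finding
	fails := map[string][]time.Time{}
	for _, e := range events {
		if e.Result == "ok" && deactivated[e.User] {
			out = append(out, Finding{"deactivated-login", e.User,
				"successful login by deactivated account at " + e.At.Format(time.RFC3339)})
		}
		if e.Result == "fail" {
			fails[e.User] = append(fails[e.User], e.At)
		}
	}
	for user, ts := range fails {
		for i := 0; i+threshold-1 < len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				out = append(out, Finding{"failed-login-burst", user, fmt.Sprintf("%d failures within %s", threshold, window)})
				break
			}
		}
	}
	return out
}

// SampleLog is constructed: e2002 is being guessed at, e3003 was deactivated
// but still logs in, e1001 has two unrelated failures, one line is garbage.
const SampleLog = `
2024-03-04T08:15:02Z e1001 ok
2024-03-04T08:15:40Z e2002 fail
2024-03-04T08:15:44Z e2002 fail
2024-03-04T08:15:49Z e2002 fail
2024-03-04T08:15:53Z e2002 fail
2024-03-04T08:16:01Z e2002 fail
2024-03-04T09:02:11Z e3003 ok
2024-03-04T10:00:00Z e1001 fail
2024-03-04T14:00:00Z e1001 fail
this line is broken
`

func main() {
	now := time.Date(2024, 3, 4, 12, 0, 0, 0, time.UTC)
	reg := []Attestation{
		{"e1001", "patient-records", time.Date(2023, 1, 10, 0, 0, 0, 0, time.UTC), "ward-manager"},
		{"e2002", "ledger", time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC), "cfo"},
	}
	for _, f := range ExpiredAttestations(reg, now, 365*24*time.Hour) {
		fmt.Println(f.Kind, f.User, f.Detail)
	}
	for _, f := range ReviewLogins(ParseLog(SampleLog), map[string]bool{"e3003": true}, 2*time.Minute, 5) {
		fmt.Println(f.Kind, f.User, f.Detail)
	}
}
```

The deactivated-login finding is the one that feeds back into the first step of the cycle: it shows a system the identity management solution is not actually connected to, which is exactly the gap the review exists to catch.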
How to get started with secure digital identity
We recommend doing this in small steps. Step one is to get two-factor authentication working within the boundaries of the network, step two is to set up a more comprehensive Identity Management system, step three is to set up single sign-on, and so on. This step-by-step approach helps the organisation absorb the changes needed to complete each process step successfully.
The conclusion is that with the use of secure digital identity and smart cards, you get a very high degree of IT security. The organisation also gets a much simpler and smoother operation because the hassle of passwords, rights and manual handling is removed. So the “application” element in the four-phase cycle, Create, Issue, Use and Review, becomes an asset for ensuring compliance and a high level of security.
This is a crucial step in ensuring that new, secure methods that are easy to use and that comply with European data security laws are implemented and applied.
CEO, Liga Software