Yin and Yang: Two Views on IAM - Global Risk Standards or States & Nations Policies

Jun 27, 2017 | by Chris Williams

By Steve Mowll and Chris Williams

POINT:

Chris Williams - Advisory Architect, RSA Identity

In our last blog, I gave the two reasons we most commonly engage in security practices:

  1. We embrace identity projects because we need to satisfy compulsory mandates.
  2. We need to provide competitive protective services in order to deliver against customer or industry expectations.

However, if you really want to boil it down, it simply comes down to the fact that digital theft and malfeasance have become an incredibly profitable and political industry, operated by independent criminals and criminal organizations, digital terrorists, and destructive nation-states. As an example, there is a current investigation underway in which U.S. Federal prosecutors are looking at North Korea, which may have played a role in last year's $81 million theft from a bank in Bangladesh and its accounts at the Federal Reserve Bank of New York.

We can speculate about a few different scenarios, which may have included faulty IT standards, the possibility that strong and effective standards were not enforced or executed well, or that the practices in place may have been antiquated and eventually overcome (antiquated in this age could simply be a matter of weeks or months). The latter may be all too true in many instances, since we know the cyber-criminal population is constantly increasing its capabilities.

How much so, you may ask? Last year over 164.4 million access identities were attacked and compromised. The attacks varied from highly prized corporate identities to personal mom-and-pop bank accounts. And much of this occurred because of a lack of consistent, prescribed standards.

We can postulate that localized standards with limited control coverage provide exploitable chinks in our IT armor. We might also speculate that the large body of standards, frameworks, regulations, mandates, and other prescribed control processes creates even more variances in coverage and protection. This leads one to believe that we, as a whole, need to mount a more unified international effort against cyber crime at the individual, local, and national level.

Recently, the European Union reexamined the EU Directives on privacy, bringing in the General Data Protection Regulation (GDPR), a step in which a larger set of standards is being supported by, and for, a larger populace. The idea here is that this collective should be able to create a larger set of more effective safeguards. But is this enough?

If we really wish to have a demonstrable impact in the data war, then there needs to be a new approach to evaluating the global threat level, a new consortium that leverages the most recent and cutting-edge technologies and processes (regardless of the country of origin), and the willingness of international leadership to support and enforce an expanding set of mandates (regardless of borders and jurisdiction), whose singular goal is to jointly protect the digital citizens of the world. Consider a global "IT" version of NATO.

Yes, this is a tall order given the fact that we usually can't agree (internationally) on how to eliminate other global concerns, such as famine or pestilence or other more visceral forms of terrorism. But since it addresses the borderless and cultureless world of IT, it may be one that is more achievable and more sustainable.

COUNTERPOINT:

Stephen Mowll - RSA Identity Architect

Who are we and what are we doing here? That is what so many people working with IT systems are thinking every time they log in. They are concerned about their job, their home, making money, feeding their children, but the things they are almost certainly not concerned about include information security, complying with standards and safeguarding data privacy. This is highlighted in the SANS 2017 Security Awareness Survey, which shows organizations are spending large sums of money, but communication and engagement are still the biggest problem. Another survey, from MediaPro, found that 88% of respondents lacked the necessary awareness to stop a preventable security incident.

Every year a survey comes out saying 1 in 7 employees would sell their passwords, while the other 6 just write them on the front of their laptops and give them away for free. In the 2017 RSA Consumer Cybersecurity Confidence Index, 40% of people admitted to writing down their passwords on paper.

If we think about data privacy, the EU GDPR is concerned that we must have consent for every way personal data is used. Ironically, those people whose data is to be protected by these requirements are posting it on Facebook, on random websites to win competitions, or clicking on links in unsolicited emails and providing it to anybody who would have it.

I believe we are in a state of human evolution where a large part of the global population does not understand all of the consequences of the use and misuse of digital information - especially their personal data. In this, standards and regulations do NOTHING to help.

Furthermore, if we look at the existing standards that are out there, companies are generally compliant with them anyway. A standard may say that consent is needed, and a company will say, "Okay, we will write a 50-page consent form that nobody will read, asking for anything we want, and people will just agree."

When there are gaps in these regulations, it may take years to update them, leaving them ineffective. So will more regulation really make any difference to the security and privacy of our data? I think not; in fact, I know it won't!

The way to solve this problem is education in schools, companies and governments. Educate people as to why it is important to manage digital information in a secure and protected way, what the consequences could be, and what the benefits are. They will come to the right decisions.

In the UK and other countries, this is already happening and I see a future where the digital community is more aware and secure, but it will take time.

As we move towards that future, we need to provide users with a frictionless experience, one where they can easily access the things they need while we provide the level of security required to stop breaches and assure access. Check out RSA's secure authentication and identity assurance solutions to see how RSA is leading the way in the next generation of modern identity and access management technology.

Author: Chris Williams

Category: RSA Point of View

Keywords: Counterpoint, HR, Identity & Access Management, Identity Access, Point, RSA Identity Governance and Lifecycle, Yin Yang