Reasserting control


Sue Tabbit

February 22, 2016

The only way to keep malicious users from someone else’s data is by being absolutely sure who is doing what, how, where and when


As vigilant as businesses are about digital security, if someone really wants to access data they will. This situation will only be made worse once quantum computing becomes a reality – as the power and speed of processing squares up to the most sophisticated of encryption codes.

But if control is an illusion, where does this leave digital technology users who are increasingly being encouraged to share more about themselves in return for a better, more targeted service and faster access to what they need?

Research by New York’s Columbia Business School concludes that high volumes of users (consumers, employees, etc.) are sharing data with abandon, despite not being entirely comfortable about it. The perception is that if they do not share data they will miss out or receive a poorer service.

Trust plays a significant role here, so when breaches occur it is a major blow to digital consumers. Stricter regulations are helping, by forcing organizations to be more vigilant, but in a dynamic market where new threats emerge daily, it’s far from easy to maintain the level of control needed – especially without detracting from the user experience.

Context is key

Analyst firm Gartner predicts that 2016 will see organizations move towards an ‘adaptive security architecture’, because of what it calls the growing ‘threat surface’. “Relying on perimeter defense and rule-based security is inadequate – especially as organizations exploit more cloud-based services, and open APIs for customers and partners to integrate with their systems,” it notes.

The upshot is that businesses need a more rounded and agile response to security – one that combines traditional detection and response measures with advanced user and entity behavior analytics, for example.

“ID has become the last remaining security control,” says Andrew Critchley of Capgemini’s cybersecurity unit. “But it needs to be sophisticated, which means next-generation identity and access management. It’s about having more context- and risk-based technology in place.” But this mustn’t result in long and costly security projects, because these just aren’t sufficiently responsive, he warns.

Monitoring human behavior

Biometrics is playing an increasingly important role as part of next-generation ID controls. IDC predicts that by 2020, at least 50% of mobile devices will be accessed by biometric means. And that doesn’t have to mean fingerprints or retinal scans.

Swedish security specialist Behaviosec has developed biometric technology that tracks a user’s subliminal hand motion each time they engage with a digital service. For example, if they are using a bank’s mobile app, the software seamlessly monitors their touch pressure and rhythm/speed – both while entering their PIN and throughout their time interacting with the online service. If the software detects atypical touch or typing patterns for an individual, it triggers an alert – leading to further action, depending on the organization’s rules and processes for ID management and access.

Behaviosec’s technology is proving popular with banks, offering their customers an additional layer of ID and access protection without any detriment to their service experience. “The only difference is a change to the bank’s terms and conditions, to get permission to monitor users’ behavior,” explains Olov Renberg, Behaviosec’s co-founder. “Once the software has built up a strong enough pattern for an individual, the bank can start monitoring their account for fraud.”

It’s this kind of innovation that will help organizations future-proof their security, Behaviosec believes. “It’s about bringing users themselves into the mix; putting the human at the center of security – if you do that, it’s much harder for someone else to pretend to be you,” Renberg says.

Acting swiftly

But avoiding breaches demands hyper-vigilance at multiple levels. Increasingly, organizations are realizing that this is more than they can achieve internally – not if they are to simultaneously meet the brief of the business to facilitate greater agility and accelerated innovation, for example by leveraging cloud-based applications.

“If your aim is to be digitally disruptive, you can’t afford to wait for a long, drawn-out security implementation,” warns Capgemini’s Critchley. “You need to be able to move and scale quickly. This is only really possible through a federated, integrated approach to ID management – one that spans internal enterprise systems, cloud solutions and all types of use scenario.”
