

Protecting Employee Data is an Organization’s Legal Obligation or Is It?

In today’s world, countless organizations fall victim to data breaches that involve employee data. In 2014, I was engaged to lead the remediation of a data breach for a Pennsylvania-based client. Hackers gained access to the company’s employee payroll information, containing salaries, social security numbers and other Personally Identifiable Information (PII), through an insecure email system. It was crucial to develop and execute a corporate security strategy alongside the tactical tasks of remediating the breach.

During 2013 and 2014, infamous cyberattacks resulting in significant data breaches hit notable companies such as Target Corporation, Home Depot and JP Morgan Chase, along with many others.

The legal repercussions from those events set off an avalanche of employee and customer lawsuits. Many banks subsequently filed suits against the afflicted organizations, citing negligence and other allegations. Organizations did not view protecting employee data was…

Identity Access Management Visionary Trends

When I look at the information security landscape of the state-of-the-art infrastructures in place at many organizations, what is evident is a tectonic shift toward consumerization. With the advent and explosive use of the cloud and BYOD (Bring Your Own Device), organizations are going full bore with mobile and remote telecommuting. Employees of every organization now work both inside and outside the traditional firewall. From an architectural security point of view, why do we need a perimeter network when, for all practical purposes, the perimeter has virtually disappeared? Clearly, security matters more than ever, and the challenge is to innovate and adapt to the trends of protecting the consumerized paradigm we are now experiencing.

Indeed, if it is difficult to capture and control a fast-moving object that is physically and logically detached from its mother ship, the challenge of securing mobile devices circulating around the world is greater still. When data leaves an organization’s control and resides on a device, be it a laptop, tablet or smartphone, taken outside the protective confines of the network perimeter, what assurance do we have that the data is secure? We have no means of surveillance there, and the elevated risk is that data is compromised by breaches our SIEM (Security Information and Event Management) system never sees. To the layman, the SIEM is the current monitoring and response integration system, the command and control, for all security infrastructure operating within an organization.

My primary focus is to look at IAM from a visionary perspective and ask where this consumerization is taking it. The topics I will cover are:
  1. Challenge of Remote Workforce Access
  2. Context-Based Authentication and Federated Trust
  3. Adaptive Access Control (Identity, Risk, and Context)

Challenge of Remote Workforce Access

Remote workforce logins are open to the same types of misuse and abuse as consumer-facing applications, with potentially far greater business risk, and that is a significant challenge. A cyber-criminal logging into an employee’s account with stolen credentials can do far more damage to a company than a customer using a stolen credit card. When I look at a mobile device, endpoint trustworthiness is the crux of any bring-your-own-device (BYOD) scenario. Under pressure from workforce demand, organizations often opt not to deploy mobile device management (MDM) software to help secure workforce mobile devices. As a result, employee phones and tablets look very much like consumer devices, and the uneasy decision becomes how much to trust the user, the credentials and the contextual information they are transacting with. I feel for the security professional who must walk a fine line when it comes to securing workforce access to applications. It is one of the common friction points I have experienced in my career.

On the one hand, mitigating the risk of data breaches is a top priority, and no company wants to end up on the front page of The Wall Street Journal as a high-profile data breach. On the other hand, security must strike a balance with the user experience. Time-consuming authentication techniques erode overall productivity. Worse, the more onerous the security measures, the more motivated the workforce will be to find ways around them; like electricity, people follow the path of least resistance. Traditionally, companies lock down remote logins by deploying VPNs, requiring employees and business partners to use corporate-issued equipment, or issuing hardware tokens or one-time passwords (OTP) for authentication. These methods are becoming impracticable in today’s consumerized IT environment.


Having laid out the issues facing remote workforce access, the question is what a visionary perspective on the challenge looks like. One answer is biometrics, currently an expensive proposition for the bulk of the global industry, with the added difficulty of federating it, which only a few think tanks are presently working on. It does two things well: it makes the password obsolete and it supplies an inherent second factor, strongly binding a session to an individual. The caveat is that a biometric is not a secret and cannot be reissued if the stored template leaks, so templates must be protected as carefully as the data they guard. Another concept is context-based authentication and federated trust, discussed in the next section.

Context-Based Authentication and Federated Trust

Context-based authentication addresses two converging trends: the escalating need to establish trust on the Internet, coupled with concerns about privacy in an age of massive data collection. It relies on real-time technologies that analyze online personas, employee devices, transactional or application context and employee behavior. It is best described as passive and network-based, delivered from the cloud, and capable of recognizing all BYOD devices whether or not they have authenticated before. In essence, it is a global policy engine that all industries can tap into. Behavioral characteristics, a form of biometric, are already used as a signal in application firewall technology today.

Just imagine a shared trust intelligence network that protects us from global cyber-criminal rings and military adversaries. The concept is at an early stage, and the information so vital to its success depends on sharing among industries and coordination with multinational government law enforcement, including allied militaries. The concept itself is not unique: the FBI’s InfraGard program, expanded nationally after 9/11, exists for the fundamental purpose of sharing information to combat threats to physical and information infrastructure in the United States. It is a loose confederation of willing participants with chapters in major metropolitan areas. After the recent high-profile breaches at major retailers and banks such as Target, Neiman Marcus, Home Depot and JP Morgan, the need is obvious. Forward-thinking organizations are beginning to employ strategic individuals able to obtain federal top-secret clearance in order to share this information. A big headache is who would control an engine of this magnitude and which organizations are willing to share their knowledge. Best equipped to build and maintain such a federated trust database are the federal government and the other governments around the world that are compelled to protect their infrastructure in a collective endeavor.

Adaptive Access Control (Identity, Risk, and Context)

Let’s put access control, risk and context under one roof with the concept of dynamic, risk-based authentication and authorization decisions. The financial industry has been driving this for quite some time, and these techniques are beginning to expand to organizations supporting mobile devices, where broader sources of user context affect both security and user experience. Each component is used in practice across industries, but not as one cohesive access control. In a nutshell, adaptive access control turns these components into a single end-to-end trust decision.

Business risk and fraud have created new trends that include the following business processes:

  1. Migration to external platforms, including cloud and SaaS, with the risks that come with it
  2. Increased external collaboration: partners, consultants, foreign employees and customers
  3. Support for consumer-owned devices (BYOD)
  4. The identity of users, methods, and services
  5. Conditions of trust, health, and verification of the devices, network transmission paths and policy requirements (e.g., privacy, confidentiality, data integrity, data storage)
  6. Actions (type, nature, and impact of the transaction)
The economic benefits of these trends come from business process flexibility, infrastructure cost externalization, improved availability and an improved user experience. Overwhelming is the sheer demand to support mobile devices and the ability to work inside and outside the organization.
Adaptive Access Control (AAC) is a process that evaluates electronic business access requests based on a range of attributes related to the request. Those attributes are generally classified into four categories: Subject (requestor), Context, Resource and Action. In contrast to systems that rely solely on identity, adaptive access increases end-to-end trust by including multiple factors to spread the decision risk. Consider current IAM as a static method in the traditional sense: user ID, password and a two-factor token. Add a biometric credential establishing who I am, and the remaining problem is provisioning and federation. The intelligence factor, based on identity, risk and context, formulates the decision whether an authenticated individual can be trusted and authorized to access a resource, and what they may do with it, without human intervention.
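The following is an added illustration, not code from this article, of what a decision over the four categories above (Subject, Context, Resource, Action) looks like in practice, and of the context-based recognition of a BYOD device that has or has not authenticated before, described in the previous section. It scores contextual signals, refuses a request the subject's role is not eligible for regardless of context, steps a password-only session up to a second factor when the score crosses a threshold, and refuses outright when too many red flags stack up, the stolen-credential pattern described under remote workforce access. The weights, thresholds, corporate address ranges, home country and the sample requests are all constructed assumptions; a real deployment would tune them from its own fraud data.

```python
"""Adaptive access control: one risk-scored decision over Subject, Context,
Resource and Action. Added example; every weight, threshold and network
below is an assumption made for illustration."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # authenticated, but a second factor is required first
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset      # e.g. {"finance"}
    factors: frozenset    # factors already presented: "password", "otp", "biometric"


@dataclass(frozen=True)
class Context:
    device_managed: bool        # enrolled in MDM or corporate-issued
    device_seen_before: bool    # this device has authenticated this user before
    source_ip: str
    country: str                # geolocation of source_ip, ISO code
    hour_utc: int
    failed_logins_last_hour: int


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int            # 1 (public) .. 3 (PII such as payroll)
    allowed_roles: frozenset


# Assumed corporate address space and home country (constructed for the example).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
HOME_COUNTRIES = {"US"}
STEP_UP_AT = 3   # score at which a password-only session must add a second factor
DENY_AT = 8      # score at which the request is refused even with a second factor


def risk_score(ctx: Context, resource: Resource, action: str) -> int:
    """Sum weighted context signals; higher means less trust. Weights are illustrative."""
    score = 0
    ip = ipaddress.ip_address(ctx.source_ip)
    if not ctx.device_managed:
        score += 2
    if not ctx.device_seen_before:
        score += 2          # unknown BYOD device: recognized as new, not rejected
    if not any(ip in net for net in CORP_NETS):
        score += 1          # outside the (remaining) perimeter
    if ctx.country not in HOME_COUNTRIES:
        score += 2
    if ctx.hour_utc < 6 or ctx.hour_utc > 22:
        score += 1
    if ctx.failed_logins_last_hour >= 3:
        score += 2          # credential-stuffing or guessing pattern
    if action in ("write", "export"):
        score += 1          # impact of the transaction
    score += resource.sensitivity - 1
    return score


def decide(subject: Subject, ctx: Context, resource: Resource, action: str) -> Decision:
    """Static authorization first, then the dynamic risk-based decision."""
    if not subject.roles & resource.allowed_roles:
        return Decision.DENY             # identity alone is not eligible
    score = risk_score(ctx, resource, action)
    if score >= DENY_AT:
        return Decision.DENY
    second_factor = bool(subject.factors & {"otp", "biometric", "hardware_token"})
    if score >= STEP_UP_AT and not second_factor:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample requests against a payroll resource holding PII.
PAYROLL = Resource("payroll", 3, frozenset({"finance", "hr"}))
ALICE_PW = Subject("alice", frozenset({"finance"}), frozenset({"password"}))
ALICE_OTP = Subject("alice", frozenset({"finance"}), frozenset({"password", "otp"}))
OFFICE = Context(True, True, "10.1.2.3", "US", 14, 0)
HOME_TABLET = Context(False, False, "203.0.113.7", "US", 14, 0)   # new BYOD device
SUSPECT = Context(False, False, "198.51.100.9", "RU", 3, 4)        # stolen-credential pattern


def demo() -> dict:
    return {
        "office": decide(ALICE_PW, OFFICE, PAYROLL, "read"),
        "byod_password": decide(ALICE_PW, HOME_TABLET, PAYROLL, "read"),
        "byod_otp": decide(ALICE_OTP, HOME_TABLET, PAYROLL, "read"),
        "suspect": decide(ALICE_OTP, SUSPECT, PAYROLL, "export"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} -> {outcome.value}")
```

The same user with the same password reaches three different outcomes depending only on context: allowed from a known managed device on the corporate network, stepped up to a second factor from a never-seen tablet at home, and refused outright when the request arrives from abroad at 3 a.m. after repeated failed logins, even though a second factor is present. That last branch is the design choice worth noting: a valid OTP should not override a context that looks like an account takeover in progress.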

Identity access management is evolving from a static method to an intelligent and dynamic system. Current technologies rely for the most part on specific static credentials such as a user ID, password and two-factor token, or on the more advanced biometrics that eliminate passwords and two-factor token authentication.

In this article, we described how the mobile device trend forces innovative methods of intelligent security for IAM, and today’s workforce demands, such as the ability to work inside and outside the organization at any time. The heart of it is user context-based action that enables an intelligent IAM system, along with federation establishing a trusted environment within the organization and with parties outside it, in a federated or trusted organization.