Why dynamic authorisation is the key to unlocking true zero trust security
Source: Finance Derivative
by Gal Helemski, co-founder and CTO, PlainID
In little more than a decade, ‘zero trust’ has gone from an industry buzzword to the cornerstone of every cybersecurity programme worth its salt. The concept is a simple but effective one – trust makes you vulnerable, so nobody/nothing should be automatically trusted – and in today’s fast-paced, highly data-driven business world, it makes a lot of sense. But like so many things in life, the true effectiveness of zero trust lies in its implementation, and it is here where there remains room for improvement.
Trust must be earned, not given
Security programmes based on zero trust are designed to remove some of the key assumptions that make alternative approaches weak by comparison. Perhaps the best and most common example of such an assumption is that if someone logs into a network with certified user credentials, they are indeed who they claim to be (and will therefore operate responsibly at all times). As many organisations find out to their detriment, user credentials are all too easy to steal and/or lose, meaning the longer a set is used unchallenged, the higher the chance that they may become compromised by someone with malicious intent.
Security should match the way we work today
With the rise of remote working over the last few years making modern workplaces more fragmented than ever before, zero trust has become increasingly important. This is because the ‘walled garden’ approach that traditional perimeter security programmes rely on is no longer applicable to most organisations, particularly those with large, highly dispersed workforces.
Instead, zero trust architecture focuses around one key decision – whether to grant, deny or revoke access to a resource, each and every time a user requests it. While there are a variety of ways to implement this, the U.S. National Institute of Standards and Technology (NIST) has set out a useful framework that emphasises zero trust should never be an exclusive agent of the network alone. Instead, for zero trust to be fully implemented, it must apply three levels of access control:
- Access to the network
- Access to applications
- Access to intra-application assets.
Without this kind of approach, true zero trust protection simply can’t be achieved. Why? Because of the dynamic nature of risk. Today’s digital enterprises are driven by intricate environments containing hundreds of applications, numerous different systems, hybrid legacy and “cloudified,” microservices-driven infrastructures. Such environments support hundreds — or even thousands — of continually evolving roles, which require the constant creation of new access scenarios.
Zero trust technology is still maturing
The good news for security professionals is that there’s an ever-growing range of powerful technologies now available that address some of the basic tenets of zero trust, particularly around advanced authentication and network access control.
However, these technologies still do not address each of the three critical levels of zero trust access control. In fact, the current focus of available zero trust offerings is primarily on the network and does not include adequate reference to, nor support for, zero trust at the application level, or within applications themselves.
For instance, the solutions that are most heavily touted as supporting zero trust include gateway integration and segregation, secure access service edge (SASE), and secure SD-WAN. The problem is, these are all focused on network-centric zero trust when what’s really needed is a solution that addresses each of the three access control levels in turn.
Dynamic authorisation holds the key
For many, the solution is dynamic authorisation – an advanced approach that grants fine-grained access to resources, including data assets, application resources, and any other asset based on the specific context of that session, in real-time.
Dynamic authorisation completes zero trust by powering two of the main processes that are vital to its full and complete realisation: runtime authorisation enforcement and high levels of granularity. When a user attempts to access a network, application or assets within an application, this initiates the evaluation and approval process that focuses on a range of key attributes, including:
- User level attributes – such as current certification level, role and responsibilities, and whether they can access confidential and personally identifiable information (PII)
- Asset attributes – such as data classification, location assignments and any relevant metadata
- The location that a user is authenticating from – including whether from an internal or an external system
- The number of authentication factors being used – i.e. with single, two factor or multifactor authentication
- Additional external attributes – such as the risk level of the system and more
The policy engine evaluates each of these and all other relevant attributes, before making a real-time decision on whether to grant access. Furthermore, each time access is attempted, a new decision is made. This process is designed to be extremely granular, evaluating all the attributes that are updated to that specific point in time, as well as the real-time context and environment, rather than attributes that were already predefined by the application.
The business landscape is rapidly evolving, which means cybersecurity must as well. Many organisations have already recognised the importance of a zero trust approach for keeping sensitive data safe in increasingly fragmented working environments. However, the way it is implemented is critical to overall effectiveness. By using dynamic authorisation to address each of the three levels of zero trust access control (access to the network, applications and intra-application assets) business leaders can be confident that users accessing sensitive data are not only who they claim to be, but that they also have the right to do so.
How to identify the signs that your IT department need restructuring
Source: Finance Derivative
Eric Lefebvre, Chief Technology Officer at Sovos
For firms to execute transformations and meet their overall vision, it is crucial that their CIOs are able to recognise the signs that their department is in need of some internal change. In the current economic climate, CIOs working to fulfil their organisation’s priorities and meet business goals might hesitate to acknowledge that their IT department needs restructuring, never mind be able to identify the signs.
However, these problems rarely fix themselves and organisational restructuring requires conviction and determination from leadership for it to occur successfully. So, what are some of the key signs that CIOs should look out for?
Struggling to keep up with industry demands
CIOs unsurprisingly are working in an extremely demanding environment at the moment. Meeting these evolving demands is crucial for companies. When demands are not met and not handled properly, this can have a lasting impact on organisational goals and objectives, and even impact the way in which transformations are put into effect.
Depending on the organisation’s structure, the way in which being unable to keep up with demands manifests itself can differ. Despite double digit reductions across the industry, the search for talent across the tech world continues, project costs continue to rise as the cost of labour has increased and schedules have been disrupted by significant attrition. Many companies will also find business costs, such as that of third-party software, are higher than planned and technology debt continues to pile up faster than it can be sunset.
Whilst leadership teams might dedicate their department’s attention on the factors discussed above, they may find that their team will fall short when it comes to timely deliverables and helping maintain your organisation’s tech stack and guide its business transformations. Looking beyond the immediate problems of high costs and considering an internal reshuffle may be the solution for many IT departments.
Internal conflict within the team
Organisational designs with underlying issues can cause constant friction, especially when they go unacknowledged. An IT department that lives in conflict will certainly be reflected in results and less than successful tech transformations. CIOs will find that by adopting an organisational design which works through staffing issues, will better innovate, especially if they can all work together.
Department leads should have a strong understanding of their team’s work environment and guide them through any long-term or potential problems. When an individual is working in a demanding or complex industry, working well with your team shouldn’t be the main impediment to innovation. By acting quickly to eliminate internal conflict, CIOs can better lead and ensure their team’s focus is entirely on producing more optimal outcomes.
Delays are commonplace
When a large amount of your team’s time is spent setting objectives, budgets and timelines for the projects they are working on, it is vital that they are met. When delays are coming from the IT department, they will inevitably hinder the development of any business transformation, especially if it prompts teams to spend excessive amounts of time rearranging budgets and timelines and therefore hindering innovation.
IT departments are a crucial aspect in many different parts of a company’s transformations, so remaining on track when it comes to timelines and innovation is critical to operational plans. If delays have become commonplace in an IT team, and external factors are impacting projects, CIOs should look at restructuring an IT department to solve these issues.
The strongest team relationships do not happen by accident and are the result of good planning, strong leadership and a motivated team. CIOs can ensure this by providing vision and long-term strategy with clear goals and objectives to produce high levels of quality output.
When internal issues are noticed in an IT department, and are noticeably impacting team morale or productivity, this should indicate the need for departmental restructuring. Be that due to an inability to meet market demands, issues with productivity and meeting deadlines or internal conflict, these issues all risk a department’s functionality and an organisation’s ability to achieve its goals. In short, don’t overlook the warning signs!
Why the future is phygital
Source: Finance Derivative
By Eric Megret-Dorne, Head of Card Issuance Services and Service Operations at Giesecke + Devrient
Digital banking has become increasingly ingrained in people’s everyday lives. Today, 73% of people globally use online banking at least once a month. Traditional bricks-and-mortar banks, which have long relied on the in-person experience with customers, are now having to step up their offering. With new ways of working blurring the work-home boundary, banks must ensure a fast, seamless connection between face-to-face processes and virtual customer experiences.
However, this does not mean that physical and digital banking are in competition with each other. In fact, many continue to use physical bank cards, with 1.12 billion in circulation in 2021, which provides the basis for digital payments and offerings. As a result, the benefits of digitalisation should converge with the comfort of physical touchpoints to create a holistic, “phygital” experience.
The path to phygital
Banks are accelerating their digital transformation strategies to keep up with the fast pace of fintech innovations. To meet the changing needs and preferences of customers, the payment world is leveraging new technologies to create personalised experiences through a range of different channels.
While the digitalisation of banking has been underway for quite some time – particularly for younger generations – events such as the Covid-19 crisis forced banks and customers of all ages to use digital tools and processes to compensate for branch, office, and call centre closures. With branches worldwide typically operating at reduced capacity due to social distancing requirements, consumers embraced online banking to avoid both the virus and potentially long queues.
However, some consumers still enjoy physical touchpoints, meaning a digital-only approach won’t suit everyone.
Striking a balance
It’s all about options – consumers now want to freely switch between traditional and digital channels without being forced into one. But how can banks achieve this phygital balance? One way is to equip physical channels with digital capabilities, so that online tools can augment the physical experience. For example, personalised bank cards with a bespoke design can be activated digitally, offering customers an extra layer of convenience. Having to wait for a new PIN to arrive in the mail is a common bugbear for consumers, so bringing card activation processes into the digital ecosystem will ensure a more seamless experience.
Greater automation in the card issuance and activation process enables the benefits of digital to be integrated into the physical banking experience without being intrusive. For instance, self-service kiosks empower customers to print their own cards, reducing the time between acquisition and card issuance, while still allowing for in-branch expertise if needed.
The personal touch
Phygital strategies also give banks a range of valuable data insights that can help them better serve their customers. This includes data on purchasing behaviours and habits, which can then be utilised to improve banks’ offerings and unify the physical and digital brand experience. Using omnichannel data helps to build a hyperpersonalisation strategy to provide real-time services.
In this way, digital solutions help banks maximise their user experience. Whenever a consumer interact with a bank, it creates data and behaviours. With fragmented databases, legacy systems and real-time data created by interactions with third-party partners through Application Programming Interfaces (APIs), it is not always easy for banks to streamline this data from different sources. By understanding patterns in that data and behaviours, banks can tailor and personalise unique experiences for each and every user.
Where security meets innovation
With big data opportunities abound, banks should be mindful of their consumers’ security concerns. Customers are now demanding much more transparency when it comes to how information is stored and collected. At the same time, they still desire greater personalisation via digital methods. Therefore, any successful phygital strategy requires a robust digital security to ensure customers have the same peace of mind as when they complete physical transactions.
To close the gap between innovation and security, banks should utilise tokenised infrastructure, which ensures the safe provision of payment credentials and securing of customer payments across all touchpoints. This is particularly important as regulations such as PSD2 and SCA demand strong authentication requirements.
The use of a token greatly enhances the consumer experience. For example, it allows for card details to be automatically updated for subscription services upon the expiry of an existing one, avoiding any service disruption. Multi-factor authentication can also ensure an additional layer of security, as it combines a password with verifiable human biometrics such as fingerprints or facial recognition.
Best of both worlds
Every consumer has unique preferences when it comes to banking. Therefore, banks must evolve by bringing both physical and virtual touchpoints into a ‘phygital’ world. Only a phygital approach can meet the needs of all end users – whether they favour an in-person experience, an online one, or a blend of the two. The holistic data insights, personalisation opportunities, and optimised security ensured at every touchpoint are also critical in building future-ready banks.
51% of Apprenticeships Axed: Alternative Ways To Secure The Future of SMEs
More than half of UK-based SMEs expect to increase their workforce numbers by the conclusion of 2023. However, many industries are experiencing a skills shortage problem, instigated by Brexit and a rise in economic inactivity.
One of the solutions has traditionally been the hiring of appearances. Unfortunately, due to the cost of living crisis, SME apprenticeships are under threat. Financial difficulties led to 51% of apprenticeships being axed in 2022, hindering both the job market and smaller businesses that rely on their talent.
Apprentices are valuable to SMEs for several reasons, addressing skills shortages, and allowing businesses to mould the ideal candidate whilst securing government funding.
Luckily, there are several other ways SMEs can dominate their market, with SME-focused digital marketing agency Add People providing their top tips:
7 Practices All SMEs Should Implement To Succeed:
- Invest In Employees
“Employees are obviously one of the most important elements of a successful business.
By investing in your staff, such as rewarding them for hard work, offering incentives and cultivating a space for them to flourish, you can help your SME succeed. From increased productivity and morale to a more positive workplace that attracts top talent, success often begins here.”
- Create A Strong Digital Presence
“The internet should not be underestimated as a tool for generating business. From allowing individuals to find out information, contact you and even purchase products and services, establishing an online presence is essential. Consumers are also more likely to trust and purchase from a business with a visible, credible online presence, so creating a user-friendly website is more essential than ever.”
- Diversify Revenue Streams
“If the last few years of instability have proven anything, it is that diversifying revenue streams is paramount to mitigating risks. Whether the blockage of the Suez Canal or the mass shipping delays caused by the Covid-19 pandemic, too much reliance on a single product can threaten your business.
Expanding into new products and services means SMEs are resultantly capable of reaching new audiences and new sources of revenue.”
- Collaborate & Form Partnerships
“Small-to-medium-sized enterprises can strongly benefit from collaborating with one another, especially across market sectors. These partnerships can provide your business with access to new resources, to enter new markets and improve your brand image within multiple markets.
Similarly, sharing your knowledge with another market can lead to increased innovation, allowing you to develop and improve both existing products and conceptualise new ones.”
- Use AI & Other Technologies
“AI is one of the most exciting developments of the 21st century and is set to revolutionise all industries. SMEs should be taking advantage of implementing AI into their offering, allowing them to stand out in their relevant markets and retain their competitiveness.
AI can also help to improve the decision-making made by a business due to analytics and insights. These can be particularly useful for any markets that are data-driven, but will ultimately help any business with regard to scalability.”
- Adapt To Industry Trends
“ World markets are continually changing, meaning industries are constantly having to evolve. By keeping on top of these changes, you allow your business to remain competitive and attract new customers.
This flexibility is one of the key tools to secure long-term success for any SME, and will allow you to capitalise on new opportunities for years to come.”
- Seek Feedback
“No business will get it right the first time, and the new and unpredictable changes to the market complicate this. Luckily, by always asking your customers and clientele for ways you can improve your business, you gain valuable insights into your consumer demographic and their needs. Learning from this information will allow you to become one of the most valuable and trusted providers within your industry.”
Peter Marshall, Chief Marketing Officer at Add People, a digital marketing agency specialising in small-to-medium-sized enterprises, had the following to say:
“While apprenticeships are a key feature of many SMEs, they are not vital for their success. One of the main reasons that apprenticeships are so popular is the funding that small employers can gain through their recruitment, allowing these smaller businesses to train staff that work to their standards and ethos. This means they are fully trained for a job role when the apprenticeship concludes.
Instead, businesses should focus on long-term solutions at the heart of operations. Making these changes will ensure a healthy future in any market, protecting both the business and the future workforce – including any apprentices!”
Simon Bell, Founder and Director at Careermap, the UK’s leading Early Career website also had the following to add about apprenticeships:
“’Apprenticeships are a win-win situation. Not only for the apprentice but for businesses alike. Training your workforce of the future is vital to keep businesses growing, helping to bridge the skills gap and offering unique perspectives. Reverse mentoring is a hot topic; apprentices can help your organisation do just that by re-energising current employees, encouraging creativity, open-mindedness and innovation.’