Identity holds a special place in cybersecurity for defenders and attackers alike. It serves as a prevailing mechanism to protect and streamline access to enterprise tools and data, and yet it also remains a top attack vector.
Last week's seizure of Genesis Market by the FBI and international law enforcement partners exemplifies the risk that digital identities pose: the marketplace sold stolen credentials, cookies and browser fingerprints that let threat actors impersonate legitimate users and walk through authentication as if they were those users.
Designing an identity and access management system that provides a good user experience while preventing unauthorized access is a critical responsibility for cybersecurity professionals, and balancing those two requirements is notoriously difficult.
Target and other organizations addressed the importance of IAM to mark the third annual Identity Management Day, which was created to boost awareness among business leaders, IT professionals and individuals.
“We believe that considering security versus convenience doesn’t have to be a trade-off for our teams as we are developing solutions,” Tom Sheffield, senior director of cyber solutions at Target, said in a blog post published Monday.
The use of biometrics, which Target uses in its single sign-on program, can achieve security and simplicity together instead of competing with one another, Sheffield said.
“It’s not a trade-off,” Sheffield said. “It’s magnifying both the security and the user experience simultaneously to increase the value delivered instead of needing to promote one over the other.”
Adoption is the most important measure of success, and to hit that goal it’s important to consider the user’s perspective as much as the cybersecurity benefits that will be gained, according to Sheffield.
“When we deploy a new tool or process, we are asking them to change their behavior or do something differently. It must be enticing to them in order to convince them to take that next step to act,” Sheffield said.
Target also adheres to FIDO standards for authentication, which Sheffield describes as “phishing resistant, cryptographically backed and significantly stronger than a password.”
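The phishing resistance Sheffield attributes to FIDO comes from origin binding, which the article does not spell out: the browser derives the relying party ID from the page's real origin, the authenticator signs over that RP ID and the origin together with a server-issued challenge, and the server rejects anything that does not match the site the credential was registered for. The Go program below is an added example, not Target's code or any FIDO library; the relying party `target.example`, the look-alike `target-example.com`, the challenge string and the simplified RP ID derivation are all constructed for it, and the simulated authenticator is deliberately allowed to sign for any RP ID (a real token would not even find a credential for the wrong site) so that the server-side checks are what reject the relayed assertions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Assertion mirrors what the browser returns from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte // {"type","challenge","origin"} as the browser wrote it
	Signature         []byte // ECDSA P-256 over authData || SHA-256(clientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// rpIDFromOrigin mimics the browser: the RP ID comes from the real page origin, never
// from page content. Simplified to "last two labels" for this example (assumption).
func rpIDFromOrigin(origin string) string {
	labels := strings.Split(strings.TrimPrefix(origin, "https://"), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// signAssertion simulates the authenticator. Unlike a real token it signs for any RP ID,
// so the example exercises the relying party's checks rather than the token's refusal.
func signAssertion(priv *ecdsa.PrivateKey, origin, challenge string) Assertion {
	rpIDHash := sha256.Sum256([]byte(rpIDFromOrigin(origin)))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}
}

// VerifyAssertion runs the relying-party checks of the WebAuthn authentication ceremony
// that make a credential unusable from a look-alike site.
func VerifyAssertion(rpID string, pub *ecdsa.PublicKey, challenge string, allowedOrigins map[string]bool, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge mismatch (replay?)")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("unexpected origin %q", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenarios returns the outcome of a genuine login, a relayed phish and a rewritten relay.
func Scenarios() (legit, phished, tampered error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rpID, pub := "target.example", &priv.PublicKey // hypothetical relying party
	allowed := map[string]bool{"https://login.target.example": true}
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // per-ceremony server nonce (constructed)
	a := signAssertion(priv, "https://login.target.example", challenge)
	legit = VerifyAssertion(rpID, pub, challenge, allowed, a)
	// Victim signs in on a look-alike that proxies the genuine challenge: the browser scopes
	// the request to target-example.com, so origin and rpIdHash both mismatch.
	p := signAssertion(priv, "https://login.target-example.com", challenge)
	phished = VerifyAssertion(rpID, pub, challenge, allowed, p)
	// The proxy rewrites origin and rpIdHash to the genuine values before forwarding; both
	// sit under the signature, so verification now fails on the signature instead.
	t := p
	t.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: "https://login.target.example"})
	genuine := sha256.Sum256([]byte(rpID))
	t.AuthenticatorData = append(append([]byte{}, genuine[:]...), p.AuthenticatorData[32:]...)
	tampered = VerifyAssertion(rpID, pub, challenge, allowed, t)
	return legit, phished, tampered
}

func main() {
	l, p, t := Scenarios()
	fmt.Println("genuine login:", l, "\nrelayed from look-alike:", p, "\nrewritten relay:", t)
}
```

Run it with `go run`: the genuine login verifies, the relayed assertion is rejected on origin, and the rewritten relay is rejected on the signature. A production relying party also validates attestation at registration, tracks the signature counter to catch cloned authenticators and decodes the challenge as base64url; the three checks shown here are the ones that defeat credential phishing and adversary-in-the-middle relays, which is why a password can be proxied and a FIDO assertion cannot.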
The National Security Agency and the Cybersecurity and Infrastructure Security Agency released IAM guidelines last month to help administrators prevent unauthorized access into their systems.
Sheffield prescribes many of the same recommendations at Target, including multifactor authentication and a unique, strong password for every site.
Identity can be a business enabler by supporting transitions to cloud computing, simplifying the login process and fighting fraud, Sheffield said.
Identity, which is at the core of every organization’s cybersecurity function, is “about making sure the person at the other end of the keyboard or the device is who we expect it to be, and they’re allowed to be there,” Sheffield said.
Target has made multiple changes to improve its security posture over the past decade. The retailer suffered a data breach in 2013 that exposed payment card data for more than 41 million customers.