Recently, Robinhood shared they experienced a data security incident whereby someone gained access to the personal information of some customers.
The attack stemmed from a successful social engineering scheme to gain access to customer support systems via a phone call to the company’s customer support line.
This type of sophisticated attack is becoming increasingly common, particularly for organizations like Robinhood – a high-profile company in a highly-regulated industry. These businesses face threats on a daily (even hourly) basis and must be continually vigilant to avoid catastrophe.
This begs the question – if an organization with the regulations, sophisticated security stance and resources of Robinhood can be breached, what does that mean for organizations that are less high-profile in industries with fewer regulations?
Modern threats…same solution?
With threats becoming more sophisticated, enterprises should look at more modern, flexible approaches to their access management strategies, right?
Well…not quite. In the past decade, businesses have added protections to critical information and processes, however, we still have a way to go.
Take the recent data breach at Walgreens, where the personal data of millions of people who used Walgreens’ Covid-19 testing services was left on the open web for potentially anyone to see and for the multiple ad trackers on the Walgreens’ site to collect.
In addressing the leak, Walgreens added a new authentication screen, requiring anyone wanting to access test confirmation pages to enter additional information.
While the addition of more secure authentication strategies is a great step forward, it isn’t enough.
Social engineering attacks like the one at Robinhood are effective because they can get past authentication efforts. Authentication is necessary to validate “who” is accessing the system, but once identity is verified, it’s critical to determine what they should have access to.
Adding the developer layer
It’s a low-code or no-code world these days, which is great.
For years the low/no code movement has grown, culminating in exponential growth during the pandemic.
I think this is a positive development as people understand the value of well-designed applications and the important work done by developers.
Where the challenge arises is when business users leverage low- or no-code solutions to bypass corporate security policies.
While this seems like a pain when you consider one app developed in this way, if you think about a global enterprise that may have hundreds of applications running worldwide, if even a quarter of those bypass security policies, that is a very real and significant risk.
That leads me to the quandary I hear from customers worldwide – they want to enable citizen developers to manage some applications via low- or no-code solutions to focus highly skilled developers on their most valuable applications, but they want to ensure everything falls under the umbrella of carefully crafted corporate access policies.
It’s all about the attributes
More than ever, when enterprises contemplate their access management strategy they need to look beyond the “who” and address the “what/when/where” with each access request.
That’s really the sweet spot for attribute-based access control, or ABAC.
ABAC doesn’t need to replace authentication, rather, it adds an authorization level.
So, once you authenticate and find out who is looking for access to information or processes, ABAC explores whether they should have access to an asset based on specific attributes, including where they’re asking for access, when and what they’re asking to access (i.e., editing rights to an asset, etc.).
If we look back at the Robinhood example, it’s easy to see where ABAC may have helped thwart the attacker’s efforts even after they were authenticated.
For example, an ABAC platform would have looked at where the access request came from, what they were trying to access, at what time, and for how long.
And look – we know these attacks are going to continue.
I could write a whole other article on the ‘breach fatigue’ setting in when it comes to these things.
At the same time, even fatigued, end users have a much better understanding of the importance of data privacy and in some cases this awareness impacts purchasing decisions.
For instance, in a recent survey, nearly half of consumers said they would stop shopping with a retailer altogether if their credit card or personal information was leaked.
So, what’s the takeaway from all of this?
To me, even though attacks are getting more sophisticated, the answer remains straightforward – a layered approach to access management that adds context around each request.
Understanding not only who is asking for access but the context around their ask will enable businesses to understand if access should be granted and, if it is, for how long and in what capacity.
This additional level of detail not only serves to thwart hackers and other bad actors, but also ensures your business can comply with the increasing number of global privacy regulations and can be a catalyst to implementing a solid security methodology like Zero Trust.
Want to learn more? Reach out and let us share how Axiomatics can help your enterprise take access management to the next level.