Xplenty & Security

The Complete Guide to Data Security by Xplenty

Oscar sage
Chapter 4

Building a Security Strategy on Identity

Users tend to be the weakest point of any network. Cybercriminals often focus on stealing login credentials through phishing or social engineering attacks. When they succeed, they can virtually walk through the front door unchallenged. Rogue or poorly trained employees may also pose an internal threat to data security.

This threat is greater in an age of remote working and BYOD policies. To meet this challenge, we have to change the way we think about user security. Instead of being a weakness, user identity can be the primary perimeter for data security.

The Identity Perimeter
  • Users have a single login with strong authentication, including multiple factors
  • Analytics-powered systems monitor each identity for unusual activity
  • All data activity is tied to a specific user identity
  • Role Based Access Control (RBAC)
  • Compromised identities are easy to deactivate or delete

Key elements of an identity-based strategy

An identity strategy must respect all three elements of the CIA triad:

  • Frequency of movement: Data is at risk when it keeps moving between locations. Conversely, the risk decreases when the data remains encrypted in a secure repository and rarely moves.
  • Encryption and password protection: Additional measures can help lower risk, such as password protecting files or encrypting them in transit. It’s not always possible to encrypt in-use data, so this increases the potential risk.
  • Access level: The more people with access, the greater the risk. If data rests in a highly restrictive environment, it’s low risk. Data on a live system with multiple users is at a much higher risk.

Identity strategy is about finding a balance between these elements. If your measures are too complex and restrictive, users won’t be able to work with your system, which may force them to adopt risky workarounds. If your measures are too lax, you risk exposing sensitive data.

In practice, it’s often a matter of implementing a system and then fine-tuning it according to your business needs. Follow the best practices below to find a balance that works.

Identity strategy best practices
  • Offer single sign-on: Multiple logins can pose a risk. Users tend to forget multiple passwords, so they end up reusing logins or, even worse, keeping a list of passwords on their desk. Single sign-on means one username, one password, and one user identity linked to all data activity.
  • Set strong password standards: Password best practice techniques include:
    • At least 12 characters
    • Variety of ASCII characters, including letters, numbers, and symbols
    • Forbid the use of names, dictionary words or dates
    • Check against a password dictionary to see if a password is commonly used
    • Use randomly generated passwords where possible
  • Use two-factor authentication (2FA): 2FA is essential in a single sign-on environment. By requiring two forms of authentication from two different sources, it adds an extra step that most hackers can’t replicate, even if they obtain a username and password. Typically you will use two of the following “factors” for your authentication:
    • Something you know (e.g. a password)
    • Something you have (e.g. phone, keys, etc)
    • Something you are (e.g. biometrics, fingerprints, etc)
  • Implement role-based access control: Each individual identity should be linked to a role, such as sales, analytics, customer service, etc. You can then implement a data access policy that reflects each role’s needs, giving everyone the data they require. In the event of an organizational change, you can then change the configuration for a role rather than updating individual users.
  • Take a “least privilege” or “need to know” approach: Each role should have access to the data it needs, but nothing else. This approach limits the chances of unauthorized data access by a rogue user, or via stolen login credentials.
  • Communicate with your users: In the perfect identity-based strategy, users will have a seamless data experience, while unauthorized parties will find it impossible. It’s only possible to reach this level by working with your users and ensuring that they have the right level of data availability and an easy login process.
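
The role-based access control, least-privilege and deactivation points above, sketched as an added example (not Xplenty's code). The role names come from the list; the dataset names, user IDs and the `AccessController` class are assumptions made for illustration.

```python
# Constructed policy (dataset names are illustrative assumptions).
# role -> dataset -> allowed actions; anything not listed is denied.
ROLE_POLICY = {
    "sales": {"crm_accounts": {"read", "write"}},
    "analytics": {"crm_accounts": {"read"}, "web_events": {"read"}},
    "customer_service": {"support_tickets": {"read", "write"}},
}

class AccessController:
    def __init__(self, policy):
        self.policy = policy
        self.roles = {}        # user_id -> role
        self.disabled = set()  # deactivated identities
        self.audit_log = []    # (user_id, dataset, action, allowed, reason)

    def register(self, user_id, role):
        if role not in self.policy:
            raise ValueError(f"unknown role: {role}")
        self.roles[user_id] = role

    def deactivate(self, user_id):
        # A compromised identity loses access to every dataset in one step.
        self.disabled.add(user_id)

    def check(self, user_id, dataset, action):
        role = self.roles.get(user_id)
        if role is None:
            allowed, reason = False, "unknown identity"
        elif user_id in self.disabled:
            allowed, reason = False, "identity deactivated"
        elif action in self.policy[role].get(dataset, set()):
            allowed, reason = True, f"granted by role {role}"
        else:
            allowed, reason = False, f"role {role} lacks {action} on {dataset}"
        # Every decision, allowed or denied, is recorded against an identity.
        self.audit_log.append((user_id, dataset, action, allowed, reason))
        return allowed

def demo():
    ac = AccessController(ROLE_POLICY)
    ac.register("alice", "sales")       # constructed sample users
    ac.register("bob", "analytics")
    results = [ac.check("alice", "crm_accounts", "write"),  # granted by role
               ac.check("bob", "crm_accounts", "write"),    # role is read-only
               ac.check("bob", "web_events", "read")]       # granted by role
    ac.deactivate("bob")
    results.append(ac.check("bob", "web_events", "read"))   # denied after deactivation
    return results, ac.audit_log
```

Because permissions hang off the role, an organizational change is a single edit to `ROLE_POLICY`, and the audit log records denied attempts as well as granted ones.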

Education plays a vital role in this strategy. Ensure that everyone receives adequate training and support to understand how identity management plays a role in organizational security. Let them know what they need to do to keep data safe.
