When in action, a social engineering attack could look like an email received from a government organization or your own organization asking your employees to divulge their credentials. The basis of social engineering attacks is to induce fear or urgency in unsuspecting users and employees into handing over sensitive information. Over the years, these attacks have become more sophisticated – even if you open a mail or message from a possible attacker, malware is immediately installed on your system. Continue reading Identity and Access Management for Social Engineering Attacks
Category: IAM
Overcoming the Challenges of the Media Industry With Identity
When the digital revolution started, media companies were among the first ones to embrace it. Today, most media companies create content targeted exclusively at online subscribers on digital platforms, pivoting their efforts to become more user-friendly for a digital audience.
In order to convert free digital users into paid users, it is also important to effectively profile them and target the right ads to the right users. Therefore, it becomes crucial to learn more about the users logging in to view media content – whether on an online magazine or a video streaming platform. At the same time, user information that is collected online needs to be safeguarded and the methods used for data handling must adhere to strict regulations. Continue reading Overcoming the Challenges of the Media Industry With Identity
Security vs. Usability
Security vs. usability – the debate has been around for quite a while now. Which one would you prioritize? Would you consider convenience more important than security when it comes to the identity management of consumers? What are your users more inclined to? Is there a way to find a balance between the two? Continue reading Security vs. Usability
Customer Identity and Access Management – How is it different from IAM?
For organizations, it is crucial to ensure data security and, therefore, IAM has become a crucial part of every network security effort. Identity and access management at the organization-level – mostly include IAM solutions for enterprise applications used by organizations to authenticate and validate employees and a relatively small number of users. But how different is the situation with B2C businesses and other organizations who have huge numbers of internal and external users using their online services every day? Continue reading Customer Identity and Access Management – How is it different from IAM?
Healthcare Data, HIPAA Compliance, and Akku
The Health Insurance Portability and Accountability Act (HIPAA) has been effective in the USA since 1996.
The Act actually has five different section titles, namely Health Insurance Reform, Administrative Simplification, Tax-Related Health Provisions, Application and Enforcement of Group Health Plan Requirements, and Revenue Offsets – however, the mention of ‘HIPAA Compliance’ most often refers to compliance to the second title – Administration Simplification.
This is the most challenging aspect of the HIPAA Act, as it comes with strict regulations on protecting the data of patients in an industry that is often a major target for data breaches and malicious activity. Identity and access management across applications used in a healthcare facility, therefore, becomes critical to HIPAA compliance.
Here’s how Akku can help in ensuring data privacy and preventing both outsider and insider attacks on patient data, and, ultimately, compliance to HIPAA’s stringent regulations.
Protecting your data
- Akku strengthens security around the login process by allowing you to set up and enforce a strong password policy as well as multi-factor authentication to reinforce password-based security
- It also employs a custom salted-hash encryption methodology – a combination of salting and hashing techniques – for user credentials and data
Preventing unauthorized access
- Akku allows you to exercise tight control over which users have access to what applications and data, so that access is not available to users who may not require it
- It prevents accidental and malicious data breaches by allowing access to applications only from whitelisted network IP addresses and devices
- The system also automatically blocks suspicious access attempts at abnormal times or from unexpected locations, and also enables the set up of time-based and location-based restrictions
Ensuring privacy and accountability
- Every Akku implementation is set up independently in a separate server instance, so privacy on the cloud is ensured
- Akku provides administrators with complete visibility by maintaining detailed logs maintained for every activity taking place across the apps and in the server
Beyond HIPAA
In addition to helping your healthcare facility become HIPAA compliant, Akku also makes it easy to set up integrations across your Hospital Information System (HIS), Lab Information System (LIS), Patient Management System (PMS) and more. This, in turn, improves collaboration between various departments and enhances overall productivity.
To know more about Akku’s complete set of features and their specific benefits to your facility, contact us today!
A How-to Guide to Privileged Identity Management
Privileged Identity Management (PIM) refers to the control and monitoring of access and activity involving privileged user identities within an organization. Privileged identities include those of superusers or super control users such as Chief Executive Officer (CEO), Chief Information Officer (CIO), Database Administrator (DBA), and other top management officials.
Usually, such accounts are given access to all applications and data within an organization, along with the highest levels of permissions. However, many times, such unlimited access has been the cause for data breaches. When an organization’s data is compromised from a privileged user or their account, it is known as Privilege Abuse or Privileged User Abuse. Continue reading A How-to Guide to Privileged Identity Management
What is advanced server access?
Advanced Server Access is a relatively new aspect of identity and access management system for the cloud. In fact, it fits better under the umbrella of privileged access management (PAM). PAM is built on top of IdPs and ADs, which are crucial for identity and access management for on-prem networks. By being used in conjunction with ADs, PAM has been able to successfully provide enhanced control over identity for administrators and other privileged users.
What is PAM?
Privileged access management helps to secure and control privileged access to critical assets on an on-premise network. With PAM, the credentials of admin accounts are placed inside a virtual vault to isolate the accounts from any risk. Once the credentials are placed in the repository, admins are required to go through the PAM system every time they need access to the critical areas of a network. For every single login, their footprint is logged and authenticated. After every cycle, the credentials are reset, ensuring that admins have to create a new log for every access request. Continue reading What is advanced server access?
The Importance of Single Sign-on for Educational Institutions
Let’s admit it: schools and universities today are not what they used to be back when we were growing up. Digitization has swept over almost every aspect of educational institutions. Classrooms have become “smart”, with blackboards being replaced or supplemented by LED screens. Students can simply log in to portals from where they can access information about grades, access lessons from learning apps, and more. Teachers don’t use physical attendance registers today; they mark the daily attendance of their students on tablets – data from which triggers automatic, customized messages to the parents of students who are absent from class.
With such revolutionary change taking over educational institutions, they are also under the rising threat of becoming the target of hackers. Therefore, it is important to ensure enhanced security across the network to prevent student and parent information from being exploited. What’s more, there are cases of students themselves becoming hackers these days – attempting to manipulate grades, using their fellow students’ information to bully them online, and engaging in other malicious activities.
Here are some ways in which a single sign-on solution can not only enhance security but also improve the efficiency of administrators in your educational institution.
Easy Provisioning and Deprovisioning
Every year, a set of students graduate and a new set of students are enrolled. This means that creating accounts and providing access to student portals is a never-ending process. More importantly, denying access to a student who no longer studies at the institution must not be overlooked.
With an SSO, administrators can view – in a single dashboard – all of the apps related to a particular user account and take action quickly and effectively without having to provision/deprovision accounts individually across apps or portals.
Instant Access to all Apps
A survey conducted in the USA showed that 25% of class-time is spent in troubleshooting and teachers trying to help students log in to their respective learning applications. In most cases, the use of multiple applications, and therefore multiple credentials, is the main problem here.
A single sign-on solution, as the name suggests, eliminates the need for multiple credentials, and with it, reduces the time taken to remember and correctly enter them. This also reduces the number of stray passwords, prevents users from writing down passwords and using other methods to remember credentials that are prone to compromise, and also reduces the time taken in resetting forgotten passwords.
Secure Password Policy Enforcement
Students of today may be sharp, but technology is sharper and acts as a double-edged sword. This is why, when it comes to protecting your network from brute-force attacks and other modern security threats, a strong password policy is essential. After all, a compromised password of a student could compromise the security of the entire network in more ways than one.
An SSO typically acts as the identity provider (IdP) to all the applications or portals used within the institution and, therefore, can be used to set up and enforce a strong password policy. This will ensure that passwords created by users of the institution’s applications meet a certain set of requirements with regard to length and complexity.
SSO and Beyond – Akku
Akku, by CloudNow, is an identity and access management solution that includes a powerful SSO functionality. But SSO is only one of many in a slew of features packed into this IAM solution.
Akku can also help you ensure safer interactions on the internet with filters, harness the power of YouTube for teaching/learning, use multi-factor authentication to restrict access to confidential data and more.
For more information on what Akku can do for your institution, get in touch today!
Hashing And Salting – The What And How
“irgvctxmsr” – sounds like gibberish, doesn’t it? But if you were to decrypt this string using a mono-alphabet shift cipher where each letter has been shifted to the right by 4 numbers, you would see that it spells “encryption”!
Protecting critical data and information by encrypting them was first performed by Julius Caesar in 120 BC. The art of encryption has been through several modern shifts, and currently most of the data on the internet is protected using sophisticated encryption algorithms like AES (Advanced Encryption Standard), RSA (Rivest-Shamir-Adlemen), ECC (Elliptic Curve Cryptography) and PGP (Pretty Good Privacy).
Deciphering an encrypted message requires a key. Nowadays, messages are encrypted using public keys and decrypted using private keys. The private keys are shared privately between two trusted parties. Losing a private key can be disastrous, as encrypted messages can then be read by anybody with access to the private key.
Password Hashing
While encryption is a two-way function and is primarily done with the intention of being decrypted, password hashing is a one-way function. Hashing allows us to use a mapping function to map data of any size to a fixed length. The resultant output is called the hash value. Technically, hashing is reversible – however, the computing power required to get the original message makes it impossible for the original message to be decoded. Simply put, encryption protects the data in transit while hashing is used to authenticate the data and lets you know if it has been tampered with.
Here is how it works – consider that you have a digital document that you have digitally signed and uploaded to your website for another person to download. Now, you will run a hash function on the document and another one on your digital signature and encrypt the resulting hash values. Once a designated person downloads the document, the browser decrypts the hash values using a key and runs the same hash function on the document. If the resulting hash values are the same for the sender and receiver, it means the document and signature have not been tampered with.
Modern hashing algorithms include SHA (Security Hashing Algorithm), RIPEMD, WHIRLPOOL, and TIGER.
Salted Passwords
Salting is the process of adding an additional layer of security to the hashing process by adding a unique value to the end of the password and hashing the new password. By adding even one letter to your password and hashing it, you can change its hash value and make it harder for interceptors to find your password. For example, if your password is “V67gHD92”, you can add a unique character or string to the end of it and make it something like “V67gHD92SPICE”. Here, the word “SPICE” is called the salt.
Salting a password protects any data from brute force attacks in which bots attempt every possible combination of letters and numbers until the password is cracked. However, if the attacker knows your salt, the entire process of salting becomes worthless.
In this day and age where network and information protection requires meticulous planning and dedicated resources, we at CloudNow Technologies want to make things easy for you. Our network security solution Akku is designed to protect your network against sophisticated and high-level attacks. To know more about how we can help you protect your network, get in touch with us now.
3 Important steps to improve network security against brute-force attacks
A brute-force attack is a type of cybercrime which involves automated hacking activity using bots. The primary aim of a brute-force attack is to crack a password in order to gain access to a user account in an unauthorized manner. Using the automation tool, an attacker repetitively attempts different alpha-numeric combinations at considerable speed – thousands per second – until the user’s password is determined and the account is unlocked.
With the advent of the cloud and the rapid innovations in technology, a brute-force attack has emerged as one of the most common types of outsider attack against web applications.
Here are three steps that will go a long way in improving the security of your network against brute-force attacks:
Enforce a strong password policy
A password is the first line of security when it comes to preventing unauthorized access. A strong password policy, therefore, can ensure that your users set up passwords that are strong and not easily compromised. Here are some important aspects you can regulate by setting up a password policy:
- Password Length
A brute-force attack typically works by continuously trying every possible combination using numbers, letters and special characters. The shorter the password length, the fewer the combinations and the easier it is to crack. If the password length is known (or is fixed), again, it becomes easy for the attacker to attempt combinations of that particular length, although it will take longer depending on its length.
- Password Complexity
A dictionary attack is a subset of the brute-force attack, which attempts to crack a password by trying all English words and then trying them with multiple combinations of other words and numbers. If users are setting simple passwords because they are easy to remember, they will also be easier to crack.
- Password Expiry
Periodically, the system must prompt the user to change their password so that any possible ongoing attack can be effectively guarded against. Moreover, this practice will also mitigate undetected breaches of privileged accounts.
Use multi-factor authentication
Multi-factor authentication puts an additional layer of security between the brute-force attacker and your data. With MFA, even if the password has been correctly identified by the bot, the attacker will be unable to proceed because the system will require either an OTP or a confirmation from a different device (such as a smartphone app).
Another way to set up an additional layer of security at the login point would be to use a captcha – a box showing warped text or images and require manual entry of a response. This will effectively keep out a bot that is executing automated scripts.
Set up an account lockout policy
Set up a policy wherein you can detect and block suspicious login attempts. Locking an account after three failed login attempts, or attempts to login from a different country or an unlikely hour can prevent intruders from entering into the system. To resume work, the authorized user will need to seek administrator intervention to unlock the account.
You can also set up a progressive delay lockout wherein an account is locked for a fixed period of time after a certain number of failed login attempts. The lockout period can progressively increase with the increasing number of failed attempts and helps keep out brute-force attack bots long enough to make them ineffective.
Akku is an Identity and Access Management (IAM) solution that comes equipped security features to accomplish all the steps described above. Whether you are working with cloud-based or on-premise apps or a combination of both, Akku can help you protect your data from brute-force attacks. Contact us today.