Selections from the top news items this week in the world of identity and application security.
How blockchain could solve the internet privacy problem
From ComputerWorld: Fintech firms, software makers, telecom providers and other businesses have joined forces to develop a blockchain-based network that will enable anyone to exchange digital credentials online and without the risk of unintentionally exposing any private data.
Businesses Calculate Cost of GDPR as Deadline Looms
From Dark Reading: The bigger the enterprise, the more it's spending on GDPR, reports Netsparker. To learn how non-EU corporations are preparing for GDPR, the Web application security firm polled 302 C-level executives at US companies. Overall, they found, businesses are taking GDPR more seriously than PCI and HIPAA; 99% are "actively involved" in the process to become compliant. Ten percent of Netsparker's respondents say they will spend more than $1 million to become GDPR compliant.
Verizon DBIR: Ransomware Attacks Double for Second Year in a Row
From Dark Reading: The 2018 DBIR is the 11th edition of the report, and includes data not only from forensic investigations conducted by Verizon, but also 67 contributing organizations. In total, the report covers analysis on over 53,000 incidents and 2,216 breaches from 65 countries. Ransomware was found in 39% of the malware-related cases covered in the report. Dave Hylender, Verizon senior network analyst and co-author of the report, says he was "a bit surprised" at an explosion of that magnitude.
What you need to know to exploit the cloud
From Techradar Pro: Adoption of cloud computing technology has significantly increased over the last few years, promising a great opportunity for innovation amongst businesses if approached correctly, selectively, and at the right pace. And the cloud model provides some compelling options to assist IT as its fiscal priorities move from cost management to cost optimization.
Inside the Jordan refugee camp that runs on blockchain
From MIT Technology Review: Started in early 2017, Building Blocks, as the program is known, helps the WFP distribute cash-for-food aid to over 100,000 Syrian refugees in Jordan. By the end of this year, the program will cover all 500,000 refugees in the country. If the project succeeds, it could eventually speed the adoption of blockchain technologies at sister UN agencies and beyond.
89% of Android Users Didn't Consent to Facebook Data Collection
From Dark Reading: Following news of the Cambridge Analytica scandal, Android users began investigating the extent of Facebook's data collection. They learned the company had been recording their call history records and SMS data, which the majority of them did not consent to. More than 30% of 2,600 users surveyed in March say they plan to delete their Facebook account, Blind reports.
Mobile Phishing Attacks Up 85 Percent Annually
From Security Week: The rate at which users are receiving and clicking on phishing URLs on their mobile devices has increased at an average rate of 85% per year since 2011, mobile security firm Lookout reports. What’s more worrisome is the fact that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.
Adobe’s CSO talks security, the 2013 breach, and how he sets priorities
From CSO Online: To protect Experience Cloud — or any other cloud-based program — authorization is critical. It’s also critical to better understand what normal is for particular accounts and then identify and react to anomalies. For basics like “a yes/no decision based on the characteristics of the login attempt,” Adobe CSO Brad Arkin says Adobe works with Okta, explaining the vendor’s “one component inside of a bigger architecture.”
Beyond Zero Trust: Next-generation access
From ZDNet: Access control technologies are critical, as is where they would and should apply to a Zero Trust approach. To keep things as simple as possible: Command and control over who accesses the network -- and ultimately the data -- is key to Zero Trust. Period. Just as the NGFW and microsegmentation/microperimeter technologies enable an organization to better isolate, segment, and control the network fabric, next-generation access (NGA) performs the same functions at the "people" layer. Vendors like Centrify, iWelcome, Microsoft (Office 365), Okta, and Ping Identity are just a few of those technology enablers that have solutions I would categorize as NGA and applicable to Zero Trust.
A Simple Proposal to Help Fix Corporate America’s Cybersecurity Problem
From The New York Times: The public’s confidence in the capability of companies to protect customers’ personal information has taken a beating in recent weeks. Customers of Sears and Kmart, Best Buy, Saks Fifth Avenue and Lord & Taylor, and Delta Air Lines recently learned that hacks have exposed their personal data, including credit and debit card numbers. And then there’s the disclosure that Cambridge Analytica harvested the personal information of nearly 87 million Facebook users. Despite these disclosures and others, we continue to entrust our personal information to businesses without any standard for judging how safe it is. It doesn’t have to be that way.
Securing the Cloud: Integrating Existing Infrastructure with Multiple Cloud Providers
From CIO: An exclusive IBM and IDG research study shows that the majority (77%) of respondents say the rise of multi-cloud makes them look at security differently. In addition, survey respondents believe multi-cloud adds another layer of complexity to the security equation, making it the top challenge related to managing multi-cloud environments.
Is the cloud a safe place for all your private data?
From NBC: Data breaches are down almost 25 percent this year — but it's no cause for celebration: Cyber thieves have simply changed their game, and are now holding your data ransom instead of selling it. Cyberattacks such as WannaCry, NotPetya, and Bad Rabbit “caused chaos across industries without compromising records,” noted the new IBM X-Force Threat Intelligence Index 2018, released last week. Global losses from WannaCry last year — including direct payments, downtime, and other business impacts — are estimated at more than $8 billion, according to a report by Reinsurance News.
Enterprise cloud adoption outstrips cybersecurity capabilities
From ZDNet: On Tuesday, cloud security firm iboss released a white paper documenting the rising adoption rates of software as a service (SaaS) applications, which while often valuable for companies, may also pose a risk when cybersecurity is an afterthought.
5 myths of API security
From CSO: Keith Casey, co-author of A Practical Approach to API Design, says API security is a process mindset. Casey works as solver of API problems at authentication provider Okta — yes, that’s his real title — and points to the five pillars of API management: lifecycle, interface, access, consumption, and business.