This is how CISOs face the challenges of protecting identity
Protecting identity, as well as making access control secure, is one of the priorities of the departments dedicated to cybersecurity in organizations. However, there is not always a correct strategy, so Byte TI, together with the security firm VU, organized a face-to-face meeting with CISOs from various companies to assess the state of this problem.
The meeting was attended by Mario Moreno, Head of Security at Metrovacesa; Néstor Serravalle, Executive Vice President for Europe of VU; Gabriel Moliné, CISO of Leroy Merlin; David Moreno del Cerro, CTO of Tendam; Álvaro Ladoux, fraud expert; Daniel Damas, CISO of Nationale Nederlanden; Mayca Aguilar, Cybersecurity Identity Management & Compliance of Ferrovial; and Joaquín Pano, DPO of Leroy Merlin.
It was Maica Aguilar, Cybersecurity Identity Management & Compliance of Ferrovial, the first to intervene, to analyze the challenges of digital protection. In her opinion, “the person is the center of security and the current focus tends to go there because the perimeter no longer exists. The entry point for an attack is the people. Before, people were seen as a secondary point of attack; now they are not. Now we are in zero-trust models in which the control of people has become the central axis of the cybersecurity strategy of any company”.
In this sense, David Moreno del Cerro, CTO of Tendam, agreed with this opinion, since for him, “the protection of the workstation is somewhat insufficient because the user accesses from multiple devices and locations. The link is now the user and it is the weakest element, so it is essential to ensure identity management.”
Néstor Serravalle, Executive Vice President for Europe at VU, considered that “it has been stated for some time that the only element to systematically protect is identity. The problem with this identity is that it is affected by different variables, such as accessing services through innumerable passwords. However, there will be a time when we will not have to worry about this series of aspects. In reality, with digital identity, it is about making sure that the user is who they say they are. Clearly there is a conjunction of technologies and a regulatory framework that must be respected. In this framework, Europe is aware and doing a good job because they consider it strategic and it is seen as a social good. The conjunction between what is happening in technology and the role of the states is going to lead us to a situation different from the current one, in which value will be given to the fact that the identity is unique and belongs to a user. There is going to be a brutal change in everything that refers to digital identity”.
One of the problems related to digital identity is that users do not know how to handle it. At least that is the opinion of Daniel Damas, CISO of Nationale Nederlanden: “We are not yet prepared for people to know how to handle digital identity. Technically we cover the devices, but the key is that people know how to use that digital identity. One of the problems we face is that if right now there are people who do not know how to handle the digital transformation, how are we going to require them to manage their digital identity?”
The difficulty of passwords
Passwords occupied a dominant space almost from the first moments of the meeting. As Mario Moreno, Head of Security at Metrovacesa, stated, “passwords, at the moment, are a problem. Users have a professional environment and a personal one where they have different passwords and usernames. And in general, they do not show concern for their security. They only do so if it affects their money, and then they do take precautions and all the security measures that are implemented seem fine to them. However, if it is about company connections, people do not value it and do not realize that it is also about money, only that it is money from the company that pays them.”
David Moreno del Cerro, CTO of Tendam, explained that in his organization they work with “tens of billions of customers in our profiles, and validating those profiles is essential, and we are constantly searching for formulas to protect that data. We have access data of clients whose data is stolen, and that means that in the end they are compromising my own security. We have systems to protect all this and to notify the client every time we perceive that there is a risk or incident”.
In this sense, the European Vice President of VU stated that it is essential that the protection be as broad as possible: “This protection has to include customers, suppliers, the value chain, etc. All companies are going to move towards protecting the identity of all of them, because if not, they are going to have problems. Companies have to promote customer identity, so that the identity is in one place and the identity provider is consumed. We believe there should be more identity value network providers.”
For Gabriel Moliné, CISO of Leroy Merlin, “the challenge is with the big identity providers like Facebook, Google, etc. And this is a big concern for me, as I think we are creating an identity oligopoly with these companies and the identity market is being transformed”. His colleague, the DPO of the multinational, Joaquín Pano, believes that “ensuring identity goes further. Everyone, companies and users, should make a significant effort to manage that identity. The problem is that there are many who want to maintain the current model, because otherwise many suppliers would lose their business and their reason for being”.
Identity management issues
What are the main attacks? How do cybercriminals access data that should be protected? For Maica Aguilar, “the most common are phishing attacks, since they represent the highest percentage of effectiveness. In addition, the attacks are becoming more sophisticated. We do tests with our workers to educate them and we see that people very easily fall for a more or less sophisticated phishing. We give monthly talks, seminars, we launch advice… I mean, our employees can’t say they don’t have information, and yet the problem is that cyberattackers are getting better and better and people fall for it. And the moment someone’s identity is stolen, you have a very serious problem.”
And the sophistication is increasing. In fact, phishing is becoming obsolete and is beginning to be replaced by techniques such as vishing, in which the voice is the protagonist and in which the attacker, using the conventional telephone line and social engineering techniques, attempts to access financial data by stealing the victim’s identity. In this sense, Leroy Merlin’s DPO affirmed that “we carry out periodic vishing exercises and, in the same way that users are more alert with phishing, with vishing they still fall a lot. For us, the report button is key, because we see that users are reporting incidents faster and faster. In other words, people are more aware.”
The fraud expert, Álvaro Ladoux, faced with this situation, explained with data what organizations face: “Spain is the second most attacked country in Europe and there are 400,000 daily attacks. The INCIBE only manages around 120,000 incidents per year, and that means only 2% of the total. And it all starts with a phishing, with which the intention is to obtain an economic benefit from the sale of data, 70% of which is identity”.
Identity management strategies and silos
One of the problems in the strategy to carry out identity management is Shadow IT. In this regard, Gabriel Moliné believes that “it is necessary to explain to the departments that have the capacity to hire services from outside the risks they run in terms of identity protection, and even in terms of fines they may receive”.
To improve this strategy, the CTO of Tendam believes that it is necessary to move to a pay-per-use model: “The investment a hyperscaler can make is much bigger than what I can do. The cloud has evolved a lot, and the resources that these companies have and their technology are very advanced. Today I cannot consider an on-premise model. If there is someone who does it better than you, you have to go with them”.
Néstor Serravalle agreed, but also stressed that “in these cases in which an as-a-service model is opted for, it must be taken into account that the responsibility for the protection of the data that has been taken to the cloud lies with the client. And here we must bet on the construction of hybrid systems to protect identities. I believe that the big technology companies are not the most suitable for managing identity management more comprehensively. I think that the SIAM and IAM models, which can already be contracted as a service, are a much more effective model.”