Security Boulevard

75% of Mobile Apps Fail Basic Security Tests. Hackers are increasingly focusing on the mobile channel, making mobile apps a prime target for fraud and security breaches. With this growing threat, it’s essential for organizations and app developers to adopt a proactive approach to mobile application security. The OWASP Top 10 Mobile Risks outlines the […]

The post OWASP Mobile Top 10 2024: Update Overview appeared first on Kratikal Blogs.

The post OWASP Mobile Top 10 2024: Update Overview appeared first on Security Boulevard.

Identity Revolution: Welcome to the Dynamic World of IAM 360
madhav
Tue, 10/22/2024 - 05:02

It’s been quite the journey, but here it is—the first issue of IAM 360!

For too long, Identity and Access Management (IAM) has played a background role—a fundamental but ‘invisible’ part of digital transformation. That’s why I’m so excited to present IAM 360—the magazine where IAM shifts from a behind-the-scenes function into a dynamic, forward-thinking conversation.

Thales’ new publication could potentially redefine how we think and talk about IAM. Gone are the days when IAM was seen as a ‘dry’ technical detail—a footnote in IT infrastructure. It’s time to view identity and access management in a whole new light! And that’s exactly what this magazine is here to do.

We’re about to hit publish — and as the editor — I’m holding my breath, just a little. A tremendous amount of thought, expertise, and passion has gone into making this debut happen. Before you grab your copy, I want to share the inspiration behind IAM 360 and give you a sneak peak of what’s inside.

Why IAM 360?

“Identity is as diverse as the technology involved and the people who shape it,” writes Danny de Vreeze, Thales VP of IAM, in his Word of Welcome. His powerful statement emphasizes that identity is far too complex to be understood from a single perspective. Much like a 360-degree view, we must examine identity from every angle – and that’s what we’ll do.

Identity is at the center of everything. It follows us from birth, weaving through every milestone and daily activity—from earning a degree and joining the workforce to booking travel or filing an insurance claim. It’s an orbit that constantly circles around us – connected to everything.

We’ll explore how to manage and protect digital identities in today’s world—whether for employees, partners, or customers. But that’s just the beginning. We’ll also dive into unconventional topics, emerging trends, and technologies that are transforming IAM into a dynamic field, filled with challenges and opportunities.

Diverse industry voices, expert insights, best-practices, and fresh thinking

In this issue, you’ll find expert articles that challenge the status quo and ignite fresh perspectives around IAM and the concept of digital transformation. Here’s a glimpse of what’s inside:

• Martin Kuppinger: How the landscape is shifting
• AI in IAM: Can we trust it?
• Digital Twins: What’s IAM got to do with it?
• Passwordless workforce? How can your organization finally get rid of the password headache?
• What’s happening with digital identity wallets?
• What we need to consider around deep fakes.
• Identity at the Center: Inside conversations with Jim and Jeff
• Consumer and data privacy under an entirely new lens
• And much more!

AI as a conversation

AI’s role in IAM is one of the hottest topics in cybersecurity today, and we’re not shying away from the tough questions. We’ll examine whether AI is a tool that will help or harm us. One article provocatively state: “Within cybersecurity, AI is rewriting the rules as we know them, presenting significant challenges and immense opportunities.”

For those who are excited yet cautious about AI, I echo your sentiments, as many of us do. We share this mix of enthusiasm and concern about its implications. IAM360 dive into these critical conversations, examining the rapid evolution of AI and its impact on IAM – and society.

A ‘wallflower’ perhaps, but IAM was always significant

Before joining this industry, I didn’t think much about identity management; I just assumed it was there somehow. Sure, I’d be the first to flee a website with a poor onboarding experience, never to return, but I never considered the orchestration behind it.

I now understand that IAM is a make-or-break element in determining whether a customer actually stays or leaves. IAM was never just about the mechanics of access control, it’s about the future of digital interactions in an increasingly interconnected world – a subject well-worthy of its industry publication.

IAM 360 aims to shed light on a field that impacts everything from user experience to cybersecurity, and in doing so, it seeks to bring IAM from its shadows into the spotlight of innovation and relevance. So, while some (much like I did) still consider IAM as a ‘wallflower’ of digital transformation, prepare to see it in full color.

Everything begins with identity and the IAM conversation continues here

So, whether you’re here for the insights, the debates, or simply to stay a step ahead, we hope IAM360 can become your go-to resource for all things identity. On that note, I'd love to hear from you. What topics, people or tech features would you like to see in the issues to come.

Read the full first edition of IAM 360 Magazine, available now!

Identity & Access Management Cloud Computing

Sara Sokorelis | Product Marketing Manager, Thales
More About This Author > Schema {
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "Identity Revolution: Welcome to the Dynamic World of IAM 360",
"author": {
"@type": "Person",
"name": "Sara Sokorelis",
"url": "https://cpl.thalesgroup.com/blog/author/ssokorelis",
"sameAs": "https://www.linkedin.com/in/saravie/"
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
},
"datePublished": "2024-10-22",
"dateModified": "2024-10-22",
"mainEntityOfPage": "https://cpl.thalesgroup.com/blog/access-management/identity-revolution-dynamic-world-iam-360",
"description": "Explore the evolving world of Identity and Access Management with IAM 360. Learn about innovative trends, expert insights, and AI's role in shaping the future of IAM.",
"url": "https://cpl.thalesgroup.com/blog/access-management/identity-revolution-dynamic-world-iam-360"
}

basic

The post Identity Revolution: Welcome to the Dynamic World of IAM 360 appeared first on Security Boulevard.

In recent weeks, underground forums on the dark web have continued to flourish as bustling marketplaces where cybercriminals sell unauthorized access to corporate networks. From VPN credentials to Remote Desktop Protocol (RDP) access, threat actors take advantage of compromised corporate environments, often leveraging data from recent breaches or stolen via infostealers. This analysis highlights the …

The post Inside the Dark Web: How Threat Actors Are Selling Access to Corporate Networks appeared first on Security Boulevard.

 

It is good to see US government leaders realize that
ransomware is a growing existential threat to our country, at the hands of our
adversaries. 

 

A top US national cybersecurity advisor stated
in a recent op-ed, “This is a troubling practice that must end.”  The government is looking at ways to disrupt
ransomware attacks.  One tactic is to get
cyber insurance companies to stop reimbursements for ransoms.

 

Undermining ransomware is possible, but the only path is to
outlaw digital extortion payments.  This
targets the root of the problem by undermining the motivation of the attacker. 

 

For decades, cybersecurity and insurance companies have taken
advantage of growing attacks and fears to sell their products, which have not provided
a meaningful solution to stop the widespread surge of ransomware.  It has become a self-serving profit center to
motivate customers to purchase more tools and policies for a problem they are
not solving.

 

Security controls are a costly tactic where the attacker
maintains a significant overall advantage because they can quickly adapt, thereby
requiring more tools to be purchased by the potential victims who are caught in
an endless spending cycle.  Insurance
does nothing to reduce attacks, as it is a mechanism to transfer risk.  In fact, paying the attacker simply motivates
them more, thereby precipitating even more attacks!

 

There are feasible and practical plans
that would work.  However, security and
insurance companies are the first to cast doubt on any plans that may disrupt
their revenue streams.  Their narratives
are foreboding, but when closely examined, the fears of outlawing payments are largely unfounded. 

 

As a nation, we are beginning to see how digital extortion is
effectively being used by international adversaries and cybercriminals.  The trend will continue, rapidly causing more
extensive harm.  Traditional measures,
like continually adding more security tools, continue to fail in fundamental
ways, and we must take a different approach.

 

It is time for the US government to take a serious step
forward to undermine ransomware, without creating an unnecessary financial
burden on the potential victims, by outlawing digital extortion payments.

The post Are Leaders Ready to Break the Ransomware Cycle appeared first on Security Boulevard.

Authors/Presenters:Jun Huang, Zhen Zhang, Shuai Zheng, Feng Qin, Yida Wang

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – DISTMM: Accelerating Distributed Multimodal Model Training appeared first on Security Boulevard.

Cybersecurity audits are key to maintaining compliance with regulations and upholding a strong security posture. They evaluate your organization’s systems, identify vulnerabilities, and offer the insights you need to optimize security. But there are many different kinds to choose from, depending on your needs.

The post Types of Security Audits: Overview and Best Practices appeared first on Security Boulevard.

Cloud technologies increase access to information, streamline communication between government agencies and citizens, and accelerate information sharing. And that’s why the U.S. government has become a champion of cloud computing.

But each perk comes with a risk, and in response, the Office of Management and Budget (OMB) created the Federal Risk and Authorization Management Program (FedRAMP). If you’re a cloud service provider (CSP), software-as-a-service (SaaS) company, or other vendor interested in working with federal government agencies, FedRAMP certification proves that your organization meets the security standards required to successfully safeguard information.

Here’s how to get FedRAMP certification.

What Is FedRAMP?

FedRAMP is a set of standards and certification processes that helps CSPs mitigate risk when working with government agencies. Federal data is sensitive, and for cloud software to be eligible for government use, it needs to be FedRAMP certified. This means the software has to undergo standardized authorizations, security assessments, and continuous monitoring to ensure trustworthiness.

While the OMB initially developed FedRAMP in 2011, many other entities have come together to operate the program, including the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).

Think of the Department of the Treasury. This agency uses cloud services to manage highly sensitive financial information across the country. By working with a FedRAMP-compliant CSP, the agency knows that data is as safe as possible.

FedRAMP Compliance Requirements: How to Earn a FedRAMP Cloud Certification

Here’s a quick guide to the FedRAMP certification process:

1. Gather FedRAMP Documents

As a CSP or other vendor, you have to start by gathering documentation. Visit the FedRAMP website to filter through various templates and documents and find the ones that apply to you. These resources equip you with the documentation necessary to prepare, authorize, and monitor your cloud security.

2. Complete the FIPS 199 Assessment

The Federal Information Processing Standard (FIPS) 199 assessment gauges the sensitivity of the data your organization stores and transmits. It has three categories: low, moderate, or high impact. The higher the impact, the stricter the requirements you must meet. Most organizations are considered moderate.

Here’s a more detailed look at the FIPS 199 Assessment categories:

Low Impact

If your organization only stores login details as personally identifiable information (PII), you fall into the low-impact category. This is because a data breach wouldn’t significantly impact the agency’s operations or tarnish its trustworthiness meaningfully.

Moderate Impact

About 80% of the CSPs applying to become FedRAMP certified are moderate-impact. If information gets lost at this level, it would substantially impact the agency’s team, operations, or assets.

High Impact

High-impact CSPs have the strictest guidelines because if data is stolen, unavailable, or has integrity issues, the consequences would be catastrophic and far-reaching. Financial services and healthcare organizations often fall into this category because they deal with sensitive data.

3. Complete the 3PAO Readiness Assessment

For the third-party assessment organization (3PAO), you participate in a third-party cybersecurity attestation and receive a Readiness Assessment Report (RAR). Choose an accredited organization from the FedRAMP marketplace to perform the assessment.

This step isn’t mandatory depending on which authorization path you follow for certification (which we’ll cover below), but it’s recommended regardless. The assessment helps you identify potential improvements and offers insight into your risk posture, which is invaluable.

4. Develop a POA&M and Implement It

Develop a plan of action and milestones (POA&M), a document that describes how your security control implementation efforts are going. This helps you analyze, spot, and close any security gaps before FedRAMP certification. Include a structured timeline and clearly detail the actions you’ll take to address the gaps. 

The key to this step is clear documentation. When you can’t fix gaps immediately, you need a concrete plan that both you and any third-party organizations can refer to as a source of truth.

5. Decide on the Authorization Route

Determine which of the two authorization routes you want to follow: Agency or Joint Authorization Board (JAB). The steps toward certification differ slightly within these two routes, but they’re relatively similar. With JAB, you must be chosen by the FedRAMP board, and with the agency route, you partner with a 3PAO independently. We’ll discuss each option in depth later.

6. Ensure Continuous Monitoring

To achieve FedRAMP compliance, your organization must maintain continuous monitoring, both internally and externally. The 3PAO might conduct penetration testing, vulnerability scanning, and other assessments on a monthly or annual basis to make sure security efforts don’t stop at FedRAMP.

Types of FedRAMP Certifications

As of August 2024, there will be one level of certification: FedRAMP Authorized. With this, the former tiers of authorizations and different “paths” to certification will be removed.

Previously, there were two FedRAMP authorization processes you could choose.

Agency Authorization

For the Agency Authorization route, you have to find a federal agency sponsor to guide the certification. Choose one from the same federal marketplace linked above. You partner with this organization throughout the authorization process. The Agency Authorization process will be standard moving forward.

This starts with pre-authorization, where you meet with the agency, formalize the partnership, and address any required changes and compliance details. Then, the 3PAO conducts a security assessment and prepares an RAR and POA&M. If everything looks good, it issues an Authorization to Operate (ATO).

This route offers flexibility and speed, but it requires developing a close relationship with the 3PAO sponsor. If the sponsor churns, you have to start again, which can be a huge roadblock.

JAB Authorization

The JAB was FedRAMP’s highest governing body, which included officials from the Department of Defense, the General Services Administration (which manages the FedRAMP program), and the Department of Homeland Security. It’s been replaced by the FedRAMP Board to oversee certification. 

This path is becoming defunct as all certifications become FedRAMP Authorized and the JAB is replaced. Before, if JAB selected your organization, you then worked with a 3PAO to compile an RAR, Security Assessment Plan (SAP), and POA&M. When successful, you’d receive a Provisional Authorization to Operate (P-ATO), indicating that you’re approved for federal use. Now, no P-ATO statuses will be given. Only FedRAMP Authorized.

Navigate Security Reporting With Legit Security

If you want to work with federal agencies, FedRAMP certification is a must.

Need help getting started? Try Legit Security. We offer tools that automate reports for FedRAMP compliance so you can leave the heavy lifting to us. Request a demo today and see how Legit Security can improve your security practices and keep all information safe—governmental or otherwise.

The post FedRAMP Certification and Compliance: What It Is and Why It Matters appeared first on Security Boulevard.

A survey of 510 IT security and risk practitioners finds 93% have access to a comprehensive inventory of human and non-human identities across their IT environments, with 85% having a clear line of visibility and monitoring into who is doing what. However, just under half (45%) also noted there has been some type of unauthorized..

The post Survey Surfaces Depth and Scope of Identity Management Challenge appeared first on Security Boulevard.

Authors/Presenters: Peiyu Wang

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely []DEF CON 32]2 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – AppSec Village – Web2 Meets Web3 Hacking Decentralized Applications appeared first on Security Boulevard.

Authors/Presenters:Chaoliang Zeng, Xudong Liao, Xiaodian Cheng, Han Tian, Xinchen Wan, Hao Wang, Kai Chen

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – Accelerating Neural Recommendation Training with Embedding Scheduling appeared first on Security Boulevard.

During national weather emergencies, many turn to online platforms to get the latest news but don’t know about the threat lurking in the weeds: Hurricane scammers.

The post Hurricane scammers: How to stay safe during national emergencies appeared first on Security Boulevard.

Is your organization stuck with a legacy GRC solution that feels more like a blocker than an innovator? You’re not alone. Many companies today find themselves with outdated GRC systems that were once cutting-edge but now fall short of supporting the complex, evolving demands of modern business operations. So, what do you do if you’re...

The post Is It Time to Move on from Your Legacy GRC Solution? appeared first on Hyperproof.

The post Is It Time to Move on from Your Legacy GRC Solution? appeared first on Security Boulevard.

Authors/Presenters:Jiangfei Duan, The Chinese University of Hong Kong; Ziang Song, ByteDance; Xupeng Miao and Xiaoli Xi, Carnegie Mellon University; Dahua Lin, The Chinese University of Hong Kong; Harry Xu, University of California, Los Angeles; Minjia Zhang, Microsoft; Zhihao Jia, Carnegie Mellon University

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – Parcae: Proactive, Liveput-Optimized DNN Training on Preemptible Instances appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Experimental Astrophysics’ appeared first on Security Boulevard.

Regulatory concerns may have slowed initial SaaS adoption for financial services companies, but today, many rely heavily on apps like Salesforce, Microsoft 365, and ServiceNow to manage their operations.  Now, fully invested, financial services companies are faced with the challenge of safeguarding sensitive financial data that is stored off-prem. At the same time, they need […]

The post Securing Financial Operations: Know Your SaaS appeared first on Adaptive Shield.

The post Securing Financial Operations: Know Your SaaS appeared first on Security Boulevard.

In today’s data-driven world, data breaches are one of the most significant threats facing organizations, with the financial impact varying widely across industries. The cost of a data breach is often determined by the nature of the data involved and the regulatory landscape governing the industry. Sectors like healthcare and financial services, which handle highly […]

The post Data Breach Statistics [2024] : Penalties and Fines for Major regulations first appeared on Accutive Security.

The post Data Breach Statistics [2024] : Penalties and Fines for Major regulations appeared first on Security Boulevard.

Authors/Presenters:Gagan Somashekar, Karan Tandon, Anush Kini, Chieh-Chun Chang, Petr Husak, Ranjita Bhagwan, Mayukh Das, Anshul Gandhi, Nagarajan Natarajan

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – OPPerTune: Post-Deployment Configuration Tuning of Services Made Easy appeared first on Security Boulevard.

The Indo-Pacific region has emerged as a focal point of geopolitical tension and technological competition.

The post Testing Security Controls in the Indo-Pacific: A Critical DoD Imperative appeared first on AttackIQ.

The post Testing Security Controls in the Indo-Pacific: A Critical DoD Imperative appeared first on Security Boulevard.

Is your vulnerability management game on point? If it’s not, you’re handing attackers an open invitation. And if you believe that merely using a vulnerability scanner qualifies as effective management,...

The post What is Vulnerability Management? Compliance, Challenges, & Solutions appeared first on Strobes Security.

The post What is Vulnerability Management? Compliance, Challenges, & Solutions appeared first on Security Boulevard.

Chinese researchers used a D-Wave quantum computer to crack a 22-bit encryption key, which can be used as a cautionary tale for what may lie ahead with future quantum systems but doesn't threaten the classical encryption being widely used today.

The post Chinese Research Using Quantum System to Crack Encryption a ‘Cautionary Tale’ appeared first on Security Boulevard.