Logging into any type of application has to be one of the most talked-about topics in security. It sometimes feels like the last frontier as far as technology innovation is concerned. Why is this so? It is likely because login is the point where the human and the computer first come into contact, which creates a usability vs. security conundrum that is always hard to resolve. Part of the issue has been ‘password fatigue’, a topic that has raged in the industry for many years, and yet we don’t seem a lot further forward. That impression is misleading, though: technology in the area of authentication is moving forward. I’ve named this post “The Good, Bad and Ugly…” but in truth, each authentication measure can have a little of each, and it really is more about choosing the right one for the right scenario that counts.

The Password is Dead, Long Live the Password

The first ever type of login option in computing, used by MIT in 1961, was of course the humble password. We have used it almost religiously ever since, for everything from logging into online banking to offline desktop computer login. It is so successful because it is easy to program support for username and password access, and it’s also easy for the user logging in…mainly.

I say mainly because we now find ourselves in a situation whereby both security and usability have been severely compromised. In terms of security, the use of username and password in an Internet-connected world has left the password highly vulnerable. Phishing, and in particular spear phishing, means that cybercriminals can very easily steal a username and password, either by sending the phished individual to a spoof site which tricks the user into revealing their login credentials, or by installing malware which exfiltrates them when they are used.

And then there is the usability aspect. The average user has to use passwords across many sites, and the number keeps growing. Either you use the same or a few similar passwords, which is insecure, or you have to remember a different one for each site. Either way, it isn’t ideal. A report by identity vendor CSID found that amongst U.S. consumers, 61% reused the same password across multiple sites and 46% had 5 or more passwords to remember. You can, of course, use a password manager, but that brings its own issues.

As an alternative, social and similar platforms, such as Facebook, Twitter, Google, PayPal and Amazon, offer federated login, which can be used in place of a username and password. There are pros and cons to the use of this type of credential, of course.

And when you bring the password into the enterprise, usage behavior becomes even more concerning. Password sharing is one of the most prevalent insider threats. A survey by Centrify into password habits found that 52% of U.S.-based IT administrators had shared their username and password with a contractor, and 59% with a colleague.

A Multitude of Options with Multiple Factor Authentication

The username and password issues above lead on to the question of how we can improve things without upsetting the apple cart too much; after all, we like passwords, in the main.

If a username and password are something we know, we can call this a first factor. If something we have, like a mobile device, is also used to log in alongside the username and password, then that becomes a second factor, or 2FA. 2FA is becoming more popular because it multiplies the security needed to log in to any system, and it can be highly preventative against phishing attempts.

The types of second factor available are increasing, but the most common are mobile device based apps, or codes sent by SMS text. You do also get hardware devices or ‘security tokens’, especially in enterprise environments, but these were becoming less attractive as they cost per device, and BYOD meant that employees were already using smartphones at work, so why not utilize those. However, a recent innovation in security tokens, U2F, has made them more attractive as an option.

Mobile App Based 2FA

Mobile based 2FA apps offer support for the following options:

  • HOTP: A code is sent to the mobile app. This code is hashed. The user enters the code into the application during login, after they have entered their first factor.
  • TOTP: This is also a code but it is time-limited, i.e. it only lasts for a few seconds and must again be entered after a first factor has been entered for login.

One of the issues surrounding mobile code based access is security: some implementations are more secure than others. The most secure way of using a mobile app based 2FA method is for the app to communicate the code directly to the back end of the application, rather than the user typing the code into a user interface, which is open to a man-in-the-middle attack.

SMS Based 2FA

Mobile phones, including those that aren’t smart, as well as modern landlines, can use SMS based codes to log in as a second factor. One of the downsides of SMS code based 2FA is that it costs the vendor who sends out the codes, as generally this is done via a third party SMS gateway.

Security Tokens

The security tokens mentioned earlier have been improved in recent years using a new authentication protocol called U2F, developed by a consortium of large technology vendors, including Google, known as the FIDO Alliance. In fact Google have implemented a version of U2F based on a key which is inserted into a USB port, the user ‘clicking’ a button on the key to sign in to web apps. Of course the issue with this is that if you are using an iPad or smartphone for access there is no USB port.

You’ll Know It’s Me

The next major advance in authentication is the biometric. Anyone with an iPhone 5S or later will know about the Touch ID biometric login system, which uses a fingerprint to unlock the phone for use. This is probably the most well known type of biometric in common use, and it has certainly broken down some of the barriers to biometric acceptance.

One of the earlier barriers to success with biometrics was an alarmingly large rate of false negatives and false positives. Advances such as that seen at Carolinas Healthcare System, which uses the veins in a person’s palm, have seen match rates increase to 99.9% in the last ten years. This is another barrier to biometrics that is breaking down, allowing a more global uptake of the method.

It looks like biometrics will be used more and more. As we see advances in biometric management and in the accuracy of biometric results, and as the spectrum of biometric types increases, it becomes a natural way to log in and so will be opted for by the user.

Adaptive Authentication

Adaptive authentication is less an authentication method in itself and more a way of using existing methods more efficiently, with added security and improved usability. Adaptive authentication allows you to configure policies which determine the level of authentication required under any given circumstance. It works by assessing the risk level of a specific access attempt. The best way to describe it is with examples. You could set a policy that says that if a user is attempting access from a given IP or IP range, such as you’d get by accessing from within the headquarters of an enterprise, then single sign-on (SSO) is allowed. Or you could allow access from certain devices within a given geographic location, but only using a second factor. Another example could be to increase the login requirements, even going as far as asking knowledge-based questions, if certain criteria are not met or there is a pattern of failed login attempts, and so on.
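The three policies just described, as an added example (not from the original post) in the form of a small risk-based policy evaluator: failed-login patterns force a step-up, the headquarters range allows SSO, and a managed device in an approved geography gets a second factor. The network ranges, device identifiers, countries and failure threshold are constructed for illustration, and the returned reasons are meant for the audit log next to the decision.

```python
"""Minimal adaptive authentication policy evaluator.  Added example, not code
from the original post; ranges, device ids, countries and thresholds are
constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


class AuthLevel(IntEnum):
    """Ordered so that a higher value always means more to prove."""
    SSO = 1            # an existing single sign-on session is enough
    SECOND_FACTOR = 2  # password plus a second factor
    STEP_UP = 3        # second factor plus knowledge-based questions


@dataclass
class LoginContext:
    user: str
    source_ip: str
    device_id: str
    country: str
    recent_failures: int  # failed attempts for this user in the lookback window


@dataclass
class AdaptivePolicy:
    hq_networks: List[str] = field(default_factory=list)    # trusted office ranges
    managed_devices: Set[str] = field(default_factory=set)  # enrolled device ids
    allowed_countries: Set[str] = field(default_factory=set)
    failure_threshold: int = 3

    def required_level(self, ctx: LoginContext) -> Tuple[AuthLevel, List[str]]:
        """Return the authentication level this attempt must satisfy and the
        reasons for it; log both alongside the decision."""
        reasons: List[str] = []
        # Rule 1: a pattern of failed logins raises the bar wherever the user is.
        if ctx.recent_failures >= self.failure_threshold:
            reasons.append(f"{ctx.recent_failures} recent failed attempts")
            return AuthLevel.STEP_UP, reasons
        # Rule 2: inside the headquarters address ranges, SSO is allowed.
        addr = ip_address(ctx.source_ip)
        if any(addr in ip_network(net) for net in self.hq_networks):
            reasons.append("source address inside HQ network")
            return AuthLevel.SSO, reasons
        # Rule 3: a managed device from an approved geography may use a second factor.
        managed = ctx.device_id in self.managed_devices
        allowed_geo = ctx.country in self.allowed_countries
        if managed and allowed_geo:
            reasons.append("managed device in allowed country")
            return AuthLevel.SECOND_FACTOR, reasons
        # Otherwise the criteria are not met: full step-up, and say which criteria failed.
        if not managed:
            reasons.append(f"unmanaged device {ctx.device_id}")
        if not allowed_geo:
            reasons.append(f"country {ctx.country} not in allowed list")
        return AuthLevel.STEP_UP, reasons


# Constructed sample policy.
POLICY = AdaptivePolicy(
    hq_networks=["10.10.0.0/16", "192.0.2.0/24"],
    managed_devices={"laptop-0042", "phone-0017"},
    allowed_countries={"US", "GB"},
)

# Constructed sample access attempts.
ATTEMPTS = [
    LoginContext("alice", "10.10.5.20", "laptop-0042", "US", 0),   # at HQ
    LoginContext("alice", "203.0.113.7", "laptop-0042", "GB", 0),  # managed, travelling
    LoginContext("alice", "203.0.113.7", "unknown-dev", "GB", 0),  # unknown device
    LoginContext("alice", "10.10.5.20", "laptop-0042", "US", 5),   # brute-force pattern
]

if __name__ == "__main__":
    for ctx in ATTEMPTS:
        level, why = POLICY.required_level(ctx)
        print(f"{ctx.user}@{ctx.source_ip} {ctx.device_id}/{ctx.country}: "
              f"{level.name} ({'; '.join(why)})")
```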

Adaptive authentication is a really good way of making the most of what you’ve got, and it can really help with resource protection and handling varying levels of risk, especially in an extended supply chain where a variety of people across many jurisdictions require access rights.


One of the nastiest and most sinister malware threats to come out of the minds of cybercriminals has been ‘ransomware’.

Ransomware is a type of malware that encrypts data and then extorts money from the victim. Infection arrives either in an email, as an attachment, or via an exploit kit on a website, where the malware is downloaded and executed. Once infected with ransomware, the files on your computer, across the network and even on remote file storage like Dropbox are encrypted. When the malware has done its job, it is programmed to pop up an onscreen message letting you know that if you pay X amount within X days, your files will be decrypted. The X amount is usually $500-$1000, but can be much more, and payment is expected in bitcoin; they ask for bitcoin because it is less easily traceable than a traditional money transfer.

CryptoWall is probably the most infamous of all ransomware. CryptoWall is up to version 4, and according to the Cyber Threat Alliance the malware had, by version 3, made at least $325 million worldwide from infections. Each version of CryptoWall becomes even more sophisticated than the last. CryptoWall 3 was built to hide from detection, and CryptoWall 4 changes filenames so users can’t even find out which files have been encrypted.

Ransomware: The Impact

People are paying the hackers. If you suddenly find all of your data (customer records, intellectual property, documents, flow charts, presentations, accounts, etc.) encrypted and essentially gone, you’ll pay up. The fear that the ransomware hackers instill in people is real. The FBI reported losses in the U.S. alone of around $18 million between 2014 and 2015, and that’s just in payments out. It doesn’t include material losses through lost time and the network issues that ensue. And of course there is no guarantee that just because you pay the cybercriminal they will decrypt your data; we are dealing with a criminal mind here, after all.

The FBI research is from a year ago, but McAfee, in their 2016 Threat Predictions report, state that: “Ransomware will remain a major and rapidly growing threat in 2016… we predict that the rise of ransomware that started in the third quarter of 2014 will continue in 2016.”

It is hard to read the mind of a cybercriminal into the 2020s, but the likelihood is that a successful money-raising venture like ransomware will only proliferate. The Internet of Things is an area that will likely be utilized by cybercriminals as a means of infection: IoT devices present a very wide attack surface, and thus far the security of the IoT is still far from perfect.

Who Is Being Affected by Ransomware?

Ransomware hackers are targeting rich nations. They need to find companies that can afford to take the risk of paying thousands of dollars to get their data back. The target sector the hackers are after is widespread and getting wider. They are coming after businesses of all sizes, rather than this just being a consumer problem.

One of the most insidious ways ransomware is getting onto a network is via ‘malvertising’. Hackers are using the ad placement networks and actually paying for infected ads to be served on legitimate websites. Major websites like the New York Times have run infected ads. The most worrying thing about much of ad-based malware is that it is based on ‘exploit kits’ like ‘Angler’. If you access a site running a malicious ad and you happen to also have a vulnerability in your browser or Flash, then you have a very high likelihood of becoming infected with ransomware without even clicking a mouse. Scary stuff.

U.S. SMBs are as much a target as their larger cousins because the hackers know that they are a ‘soft target’. Smaller companies are less likely to have a dedicated security team and systems in place to handle such an attack.

And no one is safe: in the past few months several U.S. hospitals have been infected with ransomware, and one, the Hollywood Presbyterian Medical Center, had to pay out $17,000 in bitcoin to the cybercriminals.

Is There Hope?

You can help prevent a ransomware infection by making sure that:

1. Your staff are well trained in the way that malware infections work: make them aware of the danger of attachments in emails from unknown sources.

2. Your OS and other software are kept up to date and patched.

3. You keep backups of your data (but be careful with backup software that synchronizes with your directories, as the synchronized backup can also be hit by the ransomware).

4. You have a security strategy in place to deal with the complexities of ransomware prevention and infection.

Of course, if you do get infected, one thing is apparent: even if you pay to have your files decrypted, the chances are that the cybercriminals behind the scam have already exfiltrated data using remote access and will be selling that data, especially personal information, on the dark web. So, simply put, the best way to deal with ransomware is to avoid infection in the first place.


A while back a colleague of mine was spear phished. It was really clever how they did it. She was contacted, not through a direct email, but via a message system of a professional group she was a member of. The message purported to be from a ‘worried colleague’. They had seen her profile on the professional group website and had also noticed that a Facebook account had been created using her photo. The Facebook page was real, her professional photo was being used and a variety of less than complimentary Facebook posts were in the timeline.

The person who sent the phishing email came across as being ‘a friend’ trying to help out and pointing to the abuses made in my colleague’s name. They offered help, saying that they’d also been a victim of this sort of identity theft and knew how to counter it. They asked my colleague to email them and they’d show her what to do.

It was a very convincing email. It used some of the oldest tricks in the book; tricks that conmen have used for centuries. It attempted to build a connection with my colleague, to find a common ground. The email was from a trusted source – her professional network. The writer created a scenario shrouded in fear, uncertainty and doubt, to cause my colleague to feel anxious and that her reputation was at risk. The phisher then held out a helping hand to make it all go away. It was a perfect example of highly targeted social engineering, in other words, using normal human behavior to manipulate a person into revealing far too much.

The case above had a happy ending. My colleague is a cyber security professional and recognized the signs of a sophisticated spear phishing attempt. But not everyone is so lucky and human behavior manipulation has become the pivot upon which cyber security attacks are based.

To Err is to Be Human

Social engineering is a technique used to manipulate behavior. It isn’t new. As mentioned above, conmen and tricksters have been using it in one form or another for centuries. One of the most famous social engineers was Frank Abagnale; the film “Catch Me If You Can” was a portrait of his life as a confidence trickster. Frank used people’s natural need to trust to commit fraud.

Social engineering in the context of cyber crime has been used extensively. One of the most infamous examples was the ‘I Love You’ virus. This was an email-borne malware infection which swept the world in 2000. The email had the subject ILOVEYOU and contained a ‘love letter’ which, when opened, ran the malicious code and infected the computer. The trick played on our own vanity: how exciting to get a love letter, almost impossible to resist opening it, just in case it was from a secret admirer. And that is exactly what happened, with the virus infecting about 45 million computers within 2 days of its release into the wild.

Since then, cybercriminals have embraced social engineering and human behavior manipulation turning it into almost an art form. The whole area of phishing is based on this very concept.

The Big Phish: Business Email Compromise

Phishing and its rich cousin, spear phishing, are arguably the most successful cyber security attack vector ever, with 123,972 unique phishing attacks in 2015 (and since then the number has only been increasing). Phishing emails are very cleverly pulled together by the cybercriminal. In the mass mail-out, less targeted ‘phishing’ variant, the hacker makes the email look just like it comes from a legitimate site, one into which you’d enter login credentials; these credentials are then stolen by the hacker behind the spoof site. According to research by the APWG Internet Policy Committee into phishing, PayPal, Apple and Taobao are the most popular spoofed sites for phishers, with 54% of all spoof sites representing one of the big three.

But the true art of phishing is seen in spear phishing. Spear phishers have to spend quality time getting to know their target. The emails are crafted to reel in their prey, fully personalized and designed to create trust and connection between the phisher and the victim. One of the latest scams to be based on the manipulation of human behavior is the Business Email Compromise, or BEC. BEC scams have been hitting businesses of all sizes, big-time.

A BEC is a form of spear phishing with a complicated profile. Firstly, deep reconnaissance is carried out to identify a business owner, or key employee, who will become the proxy for the phish. This individual then has their email account either spoofed or compromised. The phisher will then learn as much as they can about their victim and the company they are targeting. They use this information to create highly convincing emails and instructions, using the ‘personality’ of the victim to come across as real. An example of the type of information that is really useful to phishers is the victim’s calendar: are they away on business on certain days, and so on. This allows the phisher to build up a personal profile and so mimic the person more precisely.

Once they have control of the email account, they can apply email rules to make sure they don’t get detected when they use the account. Or, if they spoof the account, they make the email look like it is from that individual. With account control they can then enact their plan, which goes something like this:

1. Create an email from this key staff member asking for a wire transfer of monies to a new creditor.

2. This email goes to one of the compromised user’s subordinates. For example, if the CFO’s account is compromised, the email might go to the finance controller.

3. A variation on the above is where the phisher asks Human Resources for ‘employee details’, thereby stealing identities which can be used for fraudulent tax returns and so on.

There are a number of different tactics in use, all based on a compromised business account. Each one of them uses our natural trust system to trick us into performing actions we’d normally be reluctant to take. BEC attacks are working.


Controlling Our Behavior

Phishing is so popular and successful that it is moving into other spheres. ‘SMiShing’ is the new phishing, with mobile devices being targeted by SMS based phishing messages, like the Apple-themed example the post shows. When checked, the ‘Apple’ link goes to a spoof site in Romania where you are asked to enter your Apple login credentials. If you did so, they would be stolen and used to log in to the real Apple site. Variants on this attack type also include an SMS message from a bank asking you to call a number to talk about a possible fraud attack on your account. When you do, you are asked for various details including your online banking password, the result being that your bank account is cleared out.

There are ways to counter this abuse of our humanness, but they mean being more aware of ourselves, how we react and how cybercriminals operate. Some basic checks include:

  • Caution is the watchword for anyone receiving an email requesting, for example, a funds transfer.
  • Do not click directly on a link in an email; instead, if it refers to an account, go to that account through the browser first.
  • Check email addresses: if you expand the address you may see it has unusual characters or is simply not the name it pretends to be.
  • Build a robust security strategy across the whole organization, taking both technologies and human behavior into account.
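Two of the checks above can be automated on the mail gateway or in a user-facing warning. This added example (not code from the original post) expands the From: header and flags unusual characters in the sender domain or a display name that pretends to be a brand or address the real domain does not match, and compares a link’s visible text with the host it actually points at. The brand list and all sample headers and links are constructed for illustration.

```python
"""Automated versions of two checks from the list: expanding the From:
address and comparing a link's visible text with where it really points.
Added example, not code from the original post; brands and samples are
constructed for illustration."""
import re
import unicodedata
from email.utils import parseaddr
from typing import List, Set
from urllib.parse import urlparse

# Constructed: brands whose name in a display name should match the real domain.
TRUSTED_DOMAINS = {"paypal.com", "apple.com"}


def scripts_in(text: str) -> Set[str]:
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'},
    read from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def inspect_sender(from_header: str, trusted_domains: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Expand the From: header the way the checklist suggests and report why
    it looks wrong.  An empty list means no finding, not proof of legitimacy."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:  # fall back to the angle-bracket part if parsing gave up
        m = re.search(r"<([^>]*@[^>]*)>", from_header)
        address = m.group(1) if m else ""
    if "@" not in address:
        return ["no parseable sender address"]
    domain = address.rsplit("@", 1)[1].strip().lower()
    findings: List[str] = []
    # Unusual characters: anything outside ASCII, or letters from more than one script
    # (a Cyrillic 'a' in an otherwise Latin domain renders identically to the user).
    if not domain.isascii():
        findings.append(f"non-ASCII characters in sender domain {domain!r}")
    if len(scripts_in(domain)) > 1:
        findings.append(f"mixed scripts in sender domain {domain!r}")
    # Not the name it pretends to be: display name claims a brand the domain is not part of.
    shown = display_name.lower()
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in shown and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"display name says {brand!r} but mail is from {domain}")
    # Display name that carries a domain (or address) different from the real sender.
    m = re.search(r"\b([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})\b", shown)
    if m and m.group(1) != domain and not domain.endswith("." + m.group(1)):
        findings.append(f"display name shows {m.group(1)} but mail is from {domain}")
    return findings


def link_mismatch(anchor_text: str, href: str) -> bool:
    """True when the visible link text names a host that differs from the host the
    link really points at; the reason the list says to navigate to the account
    yourself rather than click.  Plain words like 'Click here' carry no host."""
    text = anchor_text.strip()
    if " " in text or "." not in text:
        return False
    shown = urlparse(text if "://" in text else "https://" + text).hostname
    actual = urlparse(href).hostname
    return bool(shown and actual and shown.lower() != actual.lower())


# Constructed sample headers; the third uses a Cyrillic 'а' (U+0430) in the domain.
SAMPLE_HEADERS = [
    "PayPal Service <security@paypal.com>",
    "PayPal <alerts@paypa1-secure.net>",
    "Apple <appleid@\u0430pple.com>",
    "Acme Finance acme-corp.example <billing@mail-relay.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", inspect_sender(header) or ["no finding"])
    print(link_mismatch("www.apple.com", "http://apple-id-verify.example/login"))
    print(link_mismatch("Click here", "http://apple-id-verify.example/login"))
```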

Five reasons to prioritize Privileged Access Management as-a-service

Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major security breach. Privileged Access Management (PAM) as-a-Service is a good way for organizations to get their PAM programs up and running faster and more easily than ever. If you are reading this, you’re likely familiar with Software-as-a-Service (SaaS) and the benefits it can bring your organization. We see organizations moving more and more of their applications and infrastructure to the cloud for a variety of reasons, including security, cost savings and ease of management. Likewise, in cybersecurity, organizations are starting to turn more and more to Security-as-a-Service to capitalize on the benefits above and marry security with operational ease of use.

After privileged access has been identified as a priority, deciding how to deploy it is the next step. In CyberArk’s Global Advanced Threat Landscape Report, Where Security Accountability Stops and Starts in the Public Cloud, we found that the number one reason organizations are moving to the cloud is security.

However, the harsh reality is that no organization can ever fully secure all of its applications and infrastructure, whether its data center is on-premises, in the cloud, or hybrid. There is no single solution available in the market today that will prevent every advanced cyber-attack. But prioritizing what matters most first, privileged access, and taking advantage of all the benefits a SaaS solution can provide is increasingly becoming the option of choice for organizations embarking on a Privileged Access Management program. PAM as-a-Service is becoming a popular method for deploying security solutions for a variety of reasons. In this eBook we’ll discuss five reasons to prioritize PAM as-a-Service.



Once upon a time, in a world long, long ago…well actually not that long ago, there was an enterprise. This enterprise had control. It controlled who accessed its applications and data; it controlled who took that data outside of its company walls. It was a fine kingdom, protected by a strong wall.

Then the Internet happened. The enterprise could no longer keep everything inside the kingdom walls. The walls started to break apart and the company had to look at new ways to protect itself.

The short story above is a very simplified history of what has happened to organizations of all types and sizes, across every industry sector, in the last ten years. We are all now very aware of the changes to the organization perimeter, how it has been extended and then made fuzzy, and how the tools to control cyber security threats have had to evolve to handle this change.

Now, just when we have gotten used to the extended enterprise perimeter, a new technology has entered our kingdom, not only making the perimeter fuzzy, but also smashing it apart. This technology is the Internet of Things or the IoT.

The Internet of Things meets the Supply Chain

Supply chains can be complex and convoluted. If you were to map one out on paper, including all of the possible tiers of suppliers, it could end up looking like something only a mathematician could understand. The IoT has just taken this complexity and added an order of magnitude to it. The IoT is big and getting bigger. Gartner have predicted that by 2020, half of all new business processes will incorporate some element of the IoT. These new elements are adding more ‘moving parts’ to the chain; and of course, any additional point is a potential point of failure. In our Kingdom analogy, it is like the castle walls have fallen away almost completely.

As we know, the supply chain can work like a domino effect: if one domino is knocked over, it hits any connected dominos until the whole chain falls. One example of many was the car manufacturer Citroen, where a breach of customer records took place. In this case it was a supply chain member, a site selling Citroen related gifts, that opened the doors to the kingdom: hackers added a backdoor to the sales site using an Adobe ColdFusion vulnerability. The impact isn’t always just direct loss of data either; reputational loss from association can also be very costly to a brand. Simply put, any application or device (IoT or not) across the supply chain is a domino. If each part does not have the correct security in place, the rest of the chain is impacted. Security is the responsibility of every member of the supply chain because it has the potential to impact every member.

IoT and Supply Chains: The Good, The Bad and The Ugly

The IoT is a force for both good and bad. The World Economic Forum, in their Global Risks 2015 report, stated that “While the ‘Internet of Things’ (IoT) will deliver innovations, it will also entail new risks.” In terms of the supply chain, the IoT will add a whole new level of complexity to the chain. But the Internet of Things is also a force for good. The IoT can certainly improve supply chain processes and logistics. One of the key offerings of IoT devices is the data the devices can generate. This information can be used to analyze processes, creating a more demand-driven chain, improving logistics and ultimately cutting costs. However, it is the very benefit of the IoT that is also its potential security downfall. As more IoT devices are used to make the chain more efficient and data focused, more points of failure are added to the chain. All of these new devices and things need to have their security risks analyzed, and the risk assessment of such complex chains is in itself highly complex. More devices increase the risk of breach, and therefore more points in the system need to be secured.

And of course, as expected, cybercriminals will exploit this new technology. Gartner have said that on the back of the IoT a ‘black market’ will take shape, selling fake IoT sensors which can then be used for cybercrime. Without due care, these sensors will become an intrinsic part of the overall supply chain, creating baked-in security holes and back doors. If your chain becomes infected with a spoofed IoT device, the whole chain is compromised.

Having It All

The use of the IoT within a supply chain offers us focused intelligence. We can use the data generated to improve chain efficiency, make more informed decisions and offer better services to our customers. But we must recognize that this sea change in the way we generate data and extend our touch points brings with it new security challenges and increased risks. To ensure the benefits of the IoT outweigh the risks, we need to take those risks seriously and put measures in place to mitigate them. Only with insight, analysis and knowledge of effective security measures can we ensure that the IoT becomes a kingdom maker rather than a kingdom destroyer.


Business as well as life is a balance. It was the Chinese New Year on the 8th of February, so it seems pertinent to use the philosophy of yin and yang to discuss the interactions of critical controls in the enterprise procurement process. The idea of yin and yang is that opposite/contrary ideas can in fact be complementary and build a stronger whole. This approach may well be useful in providing the right balance between the various control systems that come into play as any procurement process develops.

The Elements of Critical Control During Procurement: The Yin

There are a number of ‘critical controls’ within any given procurement program. Security is often seen as the main critical control, and the one which can have the greatest impact on assets and infrastructure. However, security is not the only element that can have a potential impact on the procurement process and on vendor risk management. Of course, the criticality of each part depends on the industry. But in general, the types of things you need to know about a vendor before procurement choices can be made include:

Security: If you read this blog regularly, you’ll know that data and privacy breaches often have their origin with a third-party supplier. A number of studies corroborate this, including the 2013 Trustwave study, which found that 63% of the investigated breaches began with third-party administration exposure. There is also a general and historical problem in the communication between procurement and security, with security being seen to ‘slow down’ procurement. However, this is starting to change as more breaches like those mentioned above occur. In a previous post we talked about how KPMG found that 70% of procurement managers now realize how important it is to know how a third party will handle their client data. This is a move in the right direction. An end-to-end security strategy across the vendor/client ecosystem is increasingly important and often needed for compliance with industry regulations.

Legal: The legal aspects of vendor onboarding can be arduous. It seems that once you involve the lawyers, everything comes to a standstill. There are, of course, good reasons for this; legal needs to make sure that all eventualities are covered. This is never truer than when you have regulations to comply with, which often extend outwards to your suppliers’ systems. Other factors, such as competition law and the legalities around the origins of goods, personnel and services, need due consideration.

Social and environmental: As green laws take effect, a number of environmental constraints come into play in the procurement process. You may need to develop a sustainable procurement policy to comply with regulations in these areas and to make sure the vendor choices you make fit in with this overall strategy.

Having effective know-your-vendor (KYV) policies in place before making final decisions is part of your supply chain risk assessment. This is a key part of the procurement process, as it offers a way to minimize future risks and protect the business against uncertainty. Gartner, in their recent evaluation of the role of the CIO and risk, have stated that “Procurement teams develop contracts that improve security agreements with cloud vendors and security managers” in order to meet the challenges facing business today, especially when dealing with cloud-based data.

What Prevents Efficient and Accurate Procurement Choices?

Procurement choices that are educated and based on checks and balances will ultimately benefit the company, because they reduce the risks associated with unknowns. Getting this process right is a challenge. For example, procurement and security need to work together for the greater good. The SANS Institute, in their paper “Combatting Cyber Risks in the Supply Chain”, recommend a combination of ‘people, processes and technology’ to deal with the problem of good vendor evaluation for procurement. Communication and transparency are the key to risk reduction. It may seem slower to add in an assessment stage to audit vendors’ data security procedures, but in the long term this will benefit your company through informed choice; the old adage “more haste, less speed” is highly applicable to the procurement process.

Procurement is the natural place where communication can start. It is often the main channel between the enterprise and the vendor and, as such, can create effective dialogue to manage critical controls like security and ensure they don’t slow the process down any more than necessary. Seamless, clear communication in this area can also help to identify any hurdles. For example, if the vendor needs to go through a certification or validation process, this needs to be identified early on. It is only by having open discussions and actively building frameworks to work to that we can ensure we have those critical controls incorporated into the procurement process.

Get it Right, Now, Not Later: The Yang

Getting your procurement controls in place before you sign that purchase order is vital. If you leave it until afterwards, without first knowing your vendor and any critical exposure points they may have, then you may well end up with security or compliance issues down the line. Once the ink is dry on the contract, it is much more difficult to put controls in place. This can result in overall increased costs, as well as a risky project that could potentially end in a catastrophic data breach. Putting controls into the mix, at the right time and to the right level, is part of a good, holistic approach to procurement. Getting the yin-yang balance right will create the type of vendor eco-system that gives you true value for money, whilst minimizing your risk of privacy and data breaches.


One of the topics this blog likes to explore is how to make the whole supply chain process more efficient, less risky and ultimately more profitable for everyone involved. We look at this from a real-world perspective, using our deep knowledge of this area, especially around automation and security. So it is really good when external sources back up your own knowledge and experience, and this has been the case with the report by PWC on “Next Supply Chains: Efficient, Fast and Tailored”. In today’s post I’ll take a look at some of the findings of this survey by PWC and discuss their implications for supply chain automation, management and risk.

Supply Chain Trends

The PWC report had a particularly pertinent and insightful finding: the supply chain is regarded as an actual strategic asset by 45% of organizations. Strategic assets are vital for competitive edge, and keeping them well managed is therefore an important business consideration.

In their report, PWC has identified a number of supply chain trends, all of which are expected to increase in importance and all of which have a material impact on the effective management of the supply chain. The following graphic, taken from the report, shows the 12 most important trends; noticeably, all are expected to increase in importance.

In this post I’ll concentrate on two of these top trends, which we come across time and again, “Implementing techniques to automate and increase transparency” and “Managing supply chains security and risk”.

Automation to Increase Transparency

In the PWC report, they noticed that the most successful companies had a program in place to reduce supply chain complexity and to use automation methods to make supply chain processes more efficient. This has been instrumental in the leaders identified in the survey achieving delivery performance figures of over 96%. Part of this comes down to transparency across the supply chain. Transparency greatly helps to improve the smooth running of a supply chain. A report by electronics manufacturer Jabil found that 96% of the surveyed respondents said that an opaque supply chain put efficient operation at risk.

Gartner analysts concur with PWC and identify automation of supply chain processes as a supply chain trend. At a recent supply chain conference, Gartner linked automation and the Internet of Things (IoT), arguing that this has the potential to impact transparency across the chain. Gartner stated that “functions such as procurement, logistics and inventory management often operated in silos with not enough coordination or focus on the end result”. Gartner reiterate this sentiment in their latest supply chain predictions for 2016, saying that automation will double in the next 5 years due to the increased digitization of companies.

The PWC report shows clearly that automation leads to better performance, and Gartner is backing these findings up. This comes at a time when the digital landscape is moving underneath us all, as digitization of services and the IoT grow in importance – this makes the move to automation of supply chain processes inevitable, as the complexity needs to be countered by transparency. In fact, the idea of having greater control over the processes and bringing all of the steps together in a seamlessly connected manner should be the goal of any eco-system. The PWC report stresses that digitization and automation of supply chains will create greater transparency, if managed correctly, which will ultimately result in reduced costs and greater efficiency. They also point out that automation is seen by two thirds of respondents as a “vital” part of the supply chain process. In fact, PWC shows that automation is seen as one of the best ways to differentiate a business across a number of industry sectors, including automotive and retail, giving them a method to “optimize their logistics and distribution operations”.

Managing Risk

The supply chain has not been immune to the global challenges we are currently facing. These challenges extend to financial market turbulence and the increasing cyber security pressures felt by all enterprises.

Growing risk from the supply chain is something that the vast majority of organizations seem to suffer from. Zurich Insurance found that in 2014, 81% of companies suffered a supply chain disruption, an increase of around 4% since 2010, and almost a quarter of survey respondents saw losses of around $1 million due to such disruptions – cyber security being one of the most concerning.

The PWC survey identifies the management of supply chain security and risk as a top trend. They point out that to have a successful supply chain operation, an organization has to take personal responsibility for tracking the risks across the chain. The complexity of risk management rears its head most noticeably when the supply chain is a global one. Risks come in many shapes and sizes, and a global chain can involve environmental, financial and certainly cyber-security risks. Ensuring stability of the extended supply eco-system is a management challenge, and one which requires a holistic approach.

PWC found that risk mitigation, through close management of supply chain partners, was one of the top differentiating practices of effective and high-performing supply chains.

A Transparent Approach to Risk Management

The two top trends we have looked at here are not mutually exclusive; each impacts the other. By using automation to improve transparency, you can in turn enhance the management of risk across the chain. A move towards automation is a leap forward that takes your supply chain to the next level, and it will afford greater rewards in the guise of more optimized, efficient and risk-minimized processes.

Why IBM for Privileged Access Management – Get scalable, enterprise-grade security solutions, backed by unmatched service and support.

When you deploy IBM Security Secret Server and IBM Security Privilege Manager across your organization, you unlock the full potential of PAM with solutions that are:

Partner with IBM for incredible service and benefits

  • 24/7 access to IBM support
  • Unlimited feature set within IBM Secret Server
  • Simple pricing and packaging options
  • Quick time-to-value—install in minutes and see value immediately
  • Supports large-scale distributed environments from on-premise to cloud environments
  • Integration with the IBM Security portfolio including IBM Cloud Identity, QRadar®, Guardium® Data Protection, and IBM Security Identity Governance & Intelligence
  • Access to IBM Security PAM Professional Services
  • Access to IBM Security Expert Labs for deployment and configuration

Protect privileged accounts to reduce your attack surface. Sign up for a free trial of IBM Security Secret Server now.

Top 8 IAM Challenges with your SaaS Apps

The Importance of Identity for SaaS Applications

The enterprise cloud revolution is here. IT organizations everywhere, from small and mid-sized businesses to Fortune 500 companies, are moving from on-premises software to on-demand, cloud-based services. As enterprise IT makes this transition to a new hybrid on-demand/on-premises configuration, controlling who is granted access to which applications becomes increasingly important. This presents CIOs and their teams with a whole new set of identity management challenges. In addition, users must keep track of multiple URLs, user names, and passwords to get access to their applications. IT’s role is also fundamentally changing. As the steward of these new services, IT must provide insight and advice about Software-as-a-Service (SaaS) products to ensure the company is maximizing the business value of their investments.

There are eight main identity and access management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, each with best practices for addressing it.


IBM Security Privilege Manager – Remove excess privileges from endpoints and use policy-based controls to block malware attacks.

Least Privilege Policy

Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do their job. Many customers, users or applications have admin or root privileges with access to sensitive data/operating systems. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA and SOX, and the NIST and CIS security controls, recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identifying which apps are in use and whether they require admin rights to run, and understanding your risk level for service accounts and apps with an elevated set of privileges.

Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Privilege Manager helps with just that.

Get started with IBM’s free endpoint application and least privilege discovery tools.


Secure your largest attack surface with a single agent

IBM Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.

You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.
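The discovery step described above (which local users hold admin rights, and which of them should not) can be audited with a short script before any tooling is in place. The following is an added example, not IBM's code: it assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), and the two allow-list entries are constructed placeholders.

```powershell
# Added example (not IBM's code): audit the local Administrators group against
# an allow-list and report, or with -Enforce remove, any member that is not on it.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).
function Invoke-LocalAdminAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Principals allowed to remain local administrators. These two values are
        # constructed placeholders; replace them with your own standard.
        [string[]] $AllowedMembers = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins'),
        # Remove non-allowed members instead of only reporting them.
        [switch] $Enforce
    )

    # Orphaned SIDs (deleted accounts) can make this cmdlet error; keep going so
    # the rest of the membership is still reported.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Continue

    foreach ($m in $members) {
        $allowed = $AllowedMembers -contains $m.Name

        # One finding per member; pipe to Export-Csv to collect across endpoints.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass      # User or Group
            Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Allowed  = $allowed
        }

        # Removal honours -WhatIf / -Confirm through ShouldProcess.
        if (-not $allowed -and $Enforce -and
            $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    }
}

# Report only; add -Enforce -WhatIf to preview removals, or -Enforce to apply them.
Invoke-LocalAdminAudit | Format-Table -AutoSize
```

Run it elevated; the report mode is safe to schedule across a fleet, and the `Allowed = $false` rows are the "business users in local admin groups" the text refers to.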

Define flexible policies that ensure a frictionless user experience

IBM Privilege Manager automatically elevates the applications and data that users across your organization need—without requiring credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.

Through advanced real-time threat intelligence, the solution whitelists, blacklists or graylists your applications according to flexible policies you define.

  • Whitelisting – Trusted applications are whitelisted and elevated, so users can easily access them without IT support.
  • Blacklisting – Applications are blacklisted based on real-time threat intelligence and are blocked from running.
  • Graylisting – Potential threats are graylisted, meaning they are moved to an isolated sandbox environment for further testing.

Additionally, any application can be quarantined and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without the risk of exposing system folders or underlying OS configurations.

Easily manage and remove local administrative rights

Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.

Boost productivity for users and support staff

Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.

Achieve audit compliance through transparency

Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.

Read the last part tomorrow!
