
Recognizing Third-Party Risks & Addressing the Gaps with Identity-Based Security

Enterprises and businesses are well into their digitization journey. Many have adopted digital strategies and tools that align with their businesses and goals. However, in their swiftness to adopt software and tools that enable them to be agile, many may have overlooked one of the most crucial aspects of their data security – third-party access and control. The issue arises as a result of the adoption of multiple diverse tools and technologies needed for digitization, the acquisition of contract talent, consultants and third-party support. This rings true even for Financial Service Institutions (FSIs). In a recent report, Gartner stated that 59% of organizations experienced a data breach due to third parties and only 16% of them say they are equipped to manage these risks.



“Today, organizations can manage up to thousands of identities which means more access points that may present significant risks. In order to mitigate the risks of breach and protect digital identities, data and resources, enterprises need a comprehensive identity security solution for complete visibility into all user types and their related access, including all entitlements, roles, and attributes, to ensure employees receive the right access to the right resources to do their job.”

Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint


While it can seem like a daunting task for IT departments and CIOs to get a handle on the issue, the truth is that it’s a simple task of managing access on a “just-in-time” and/or “as-needed” basis. With an increasing number of such instances, it becomes a conundrum of how to dynamically manage these permissions. One emerging approach is to manage these permissions or instances as “identities”. Using this approach, it’s a matter of mapping these identities to the data they have access to. Essentially, what is needed is a holistic view of who (which identities) can access what data. While it can be a little complicated to administer this dynamically, companies like SailPoint provide turn-key solutions fortified with artificial intelligence (AI) that allow just that.

An Increasing Concern for Financial Service Industries (FSIs)

As banks and other FSIs start embracing digitization and move towards becoming digital services, we’ve seen an increasing emphasis on data security and privacy particularly when it comes to user data. However, like many other enterprises, the digital infrastructure and tools that they have in place may pose a risk when it comes to data security. What’s more, when it comes to FSIs, the consequences of poor security can result in millions of dollars of loss for both the client and the institution itself.


In Malaysia alone, we’ve seen an increasing number of scams and data breaches in the past 5 years. This seems to have skyrocketed during the pandemic and is not showing any signs of slowing down. In fact, in the past year alone, we’ve had breaches of large service providers like Telekom Malaysia and Maxis. More worryingly, we’ve had breaches of FSIs like Maybank and iPay88. Of course, under the watchful eye of regulators, these issues are constantly being investigated and fines are doled out for mismanagement.



“The reality is a large majority of cyber security breaches today occur as a result of non-employee identities. According to research by Ponemon, 59% of respondents confirm that their organizations have experienced a data breach caused by one of their third parties, and 54% of these respondents say it was as recent as the past 12 months.”

Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint


That said, it’s important that these institutions move from a reactive approach to a more preventative and proactive one. This change has to happen with both policy and adoption of security technologies which give CIOs and data security experts a clear view of who is accessing what data and why.

Creating A Data Secure Environment for Business

FSIs like Maybank and iPay88 may point to their apps with features like SecureKey and their implementation of one-time pins (OTPs) as potent security measures. However, as Chern-Yue Boey, Senior Vice President at SailPoint puts it, “Authentication is like giving someone the keys to your front door, but identity security is where you can control whether this person can have access to your rooms and other aspects in your home.”

What’s needed is a system that can cross-check and verify if access to the information is allowed. Mr. Boey weighs in on this: “A complete identity security strategy involves understanding, controlling, and managing user identities and access to all resources holistically, in line with authentication methods. This means building an identity security foundation to enable authentication and comprehensive identity governance.”


Identity governance will entail creating unique profiles to manage access to data. This also entails structuring data so that it can be accessed on an “as-needed” basis. While many systems for cybersecurity do include options for Zero Trust environments, the implementation of identity management ups the ante and creates an environment where small silos of data can be made available to external users and contractors. This will enable access to data on a restricted basis and allow CIOs and IT Departments to manage data based on job function, role and levels of access.

Mitigating Risk with Identity-based Security

This is where Identity Security can play a huge role for FSIs and even other corporations. The creation of these identities limits the potential exposure even if a breach occurs. That said, in order to mitigate the risk, it falls to the C-suite executives – particularly the CIO or CSO – to understand which job functions should have access to what data. Only with this understanding can they deploy solutions like SailPoint effectively.

Having this understanding – which can be fostered at every level of management – will help mitigate risks associated with third-party workforces. In fact, it helps with a key risk: unauthorized access to sensitive data. As access becomes limited, so too do the entry points for bad actors.


That said, understanding is only one part of the equation. FSIs and other organizations will need better oversight of the identities in their systems and the data being accessed across the entire distributed IT ecosystem. This includes the ability to grant or restrict access as necessary. Doing this will create a security perimeter around pertinent, sensitive data.

Maximizing Security with Informed Access

This transparency and oversight will allow for better-informed decisions as CSOs and CIOs have access to a central repository of all users – third-party or otherwise – and their relationship to the organization. This includes their job functions and the data they have access to. It helps with managing risk when it comes to third-party access. IT Departments are able to assign risk ratings to individual third-party users based on who they work for, location, access level and other parameters as set by the organization.

It also allows them to better manage the onboarding and offboarding of employees and non-employees as they enter and exit the organization. Essentially, the visibility, relationship data and governance will necessarily give rise to a lifecycle for each identity in the organization. While it may seem like a simple matter of managing the current access of users to the data, it goes further than that with identity management. It gives granular control and visibility to a CIO, CSO and IT Departments allowing them to react effectively and in a timely fashion. It also allows them to automate compliance audits with minimal manual intervention.
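The identity governance model described in the last few sections (role-based entitlements, just-in-time access for third parties, risk ratings per identity, an identity lifecycle with onboarding and offboarding, and an audit trail) can be shown in a small, self-contained script. This is an added example written for this page; it is not SailPoint’s code nor anything from the article, and every name, role, resource and scoring rule in it is constructed for illustration.

```python
"""Added example (not SailPoint's or the article's own code): a minimal
identity-governance model with role-based entitlements, time-bounded
("just-in-time") grants for third parties, a simple risk rating, and an
offboarding step that revokes everything at once. All names, roles,
resources and scoring weights are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> data resources that role is entitled to (constructed sample).
ROLE_ENTITLEMENTS = {
    "teller": {"customer_accounts"},
    "fraud_analyst": {"customer_accounts", "transaction_logs"},
    "contract_developer": {"test_data"},
}


@dataclass
class Identity:
    name: str
    employer: str                      # "internal" or the vendor name for a third party
    roles: set = field(default_factory=set)
    jit_grants: dict = field(default_factory=dict)  # resource -> expiry (UTC)
    active: bool = True


@dataclass
class Governance:
    identities: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def onboard(self, name, employer, roles):
        self.identities[name] = Identity(name, employer, set(roles))
        self.audit_log.append(("onboard", name, sorted(roles)))

    def grant_jit(self, name, resource, hours, now):
        # Time-bounded grant: it lapses on its own, no second manual step needed.
        self.identities[name].jit_grants[resource] = now + timedelta(hours=hours)
        self.audit_log.append(("jit_grant", name, resource, hours))

    def offboard(self, name):
        # Lifecycle end: deactivate and strip roles and JIT grants in one step.
        ident = self.identities[name]
        ident.active = False
        ident.roles.clear()
        ident.jit_grants.clear()
        self.audit_log.append(("offboard", name))

    def can_access(self, name, resource, now):
        # Access decision: inactive -> deny; role entitlement -> allow;
        # unexpired JIT grant -> allow; otherwise deny. Every decision is logged.
        ident = self.identities.get(name)
        if ident is None or not ident.active:
            self.audit_log.append(("deny", name, resource, "inactive"))
            return False
        if any(resource in ROLE_ENTITLEMENTS.get(r, set()) for r in ident.roles):
            self.audit_log.append(("allow", name, resource, "role"))
            return True
        expiry = ident.jit_grants.get(resource)
        if expiry is not None and now < expiry:
            self.audit_log.append(("allow", name, resource, "jit"))
            return True
        self.audit_log.append(("deny", name, resource, "no entitlement"))
        return False

    def risk_rating(self, name):
        # Constructed scoring: third parties start higher, and each reachable
        # resource adds one point, so broad access stands out in review.
        ident = self.identities[name]
        score = 2 if ident.employer != "internal" else 0
        reachable = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in ident.roles))
        reachable |= set(ident.jit_grants)
        return score + len(reachable)


def demo():
    """Run the lifecycle for one employee and one contractor; return results and log."""
    now = datetime(2023, 1, 1, tzinfo=timezone.utc)
    g = Governance()
    g.onboard("alice", "internal", ["fraud_analyst"])
    g.onboard("bob", "Vendor Co", ["contract_developer"])       # third party
    g.grant_jit("bob", "transaction_logs", hours=4, now=now)    # JIT, 4 hours
    results = {
        "bob_now": g.can_access("bob", "transaction_logs", now),
        "bob_later": g.can_access("bob", "transaction_logs", now + timedelta(hours=5)),
        "bob_accounts": g.can_access("bob", "customer_accounts", now),
        "alice_logs": g.can_access("alice", "transaction_logs", now),
        "bob_risk": g.risk_rating("bob"),
        "alice_risk": g.risk_rating("alice"),
    }
    g.offboard("bob")
    results["bob_after_offboard"] = g.can_access("bob", "test_data", now)
    return results, g.audit_log


if __name__ == "__main__":
    res, log = demo()
    for key, value in res.items():
        print(f"{key}: {value}")
    for entry in log:
        print(entry)
```

The point of the audit log is that every allow and deny carries its reason (role, JIT, inactive, no entitlement), which is what makes a compliance review of "who accessed what and why" mechanical rather than a manual reconstruction; the JIT expiry and the single offboarding call are the two places where third-party access tends to linger in practice.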

A Necessary Measure for Dynamism and Agility

As much as it may seem like an added layer of complications and headaches for IT departments, the shift from managing data by access alone to managing it through identities is the difference between being reactive and proactive. Managing data access with identity security is a necessary measure for FSIs and other organizations to remain agile in operations and respond dynamically to a landscape of uncertainties.

HUAWEI and ZTE Declared National Security Risks by FCC

So the trade ban on HUAWEI has been going on for several months now, and nothing indicates that the decision will be overturned. Everyone outside of the United States of America (U.S.A.) was hoping that the situation would get better and the decision somehow overturned, though. Why? A HUAWEI device without Android is like an egg mayo sandwich without the eggs. It is still good, just not as good.

It looks like all hopes of HUAWEI being cleared of that trade ban are further and further away from reality, though. The Federal Communications Commission (FCC) is the U.S.A.’s version of Malaysia’s MCMC; if you are not in either of these countries, it is an independent body that regulates and certifies electronic items that involve communications. So your routers, modems, televisions and even smartphones have to go through its certification and get its ‘okay’ before being sold. That body has now declared HUAWEI and ZTE to be national security threats to the state. Sounds bad? It is bad.

While there were restrictions on HUAWEI telecommunication gear in the United States, there was no full ban in place yet at the time. Thanks to the declaration from the FCC, HUAWEI and ZTE items can no longer be purchased by government-linked companies or using the Universal Service Fund (USF) subsidy. That also means that we are not going to get Google’s Play Store on HUAWEI devices anytime soon.

According to the chairman of the FCC, Ajit Pai, the Bureau has found evidence that both HUAWEI and ZTE have “close ties” to the Chinese Communist Party and the country’s military. But it is not just the links between the companies and the government that are an issue. The FCC also cited that Chinese law dictates that telecommunication giants operating in China are obligated to share data and cooperate with China’s various intelligence services whenever the need arises.

If what the FCC claims to have found is true, it becomes a huge potential privacy and data security breach. HUAWEI and ZTE have repeatedly denied the claims that they are a threat to the United States’ national security. To be fair, they have denied the existence of any backdoor that feeds information from all their telecommunication devices and services to the Chinese government. We do not know how much of the legal aspect is true. We are not living in China, after all.

Still, the biggest impact is on HUAWEI’s smartphones. We have always enjoyed their smartphones; they have made great ones like the HUAWEI P40 Pro we recently reviewed. Sadly, the lack of Google’s Play Store on their devices cripples them so much that we find them an absolute nightmare to deal with on a day-to-day basis at times.

So far, HUAWEI and ZTE have not responded to the claims. We remain hopeful for HUAWEI’s response. That, and we are also hoping that HUAWEI finds a way to get the Play Store ecosystem onto their devices, which are still running Android anyway.