Sat. Sep 23rd, 2023

Protecting identity, as well as making access control secure, is one of the priorities of the departments dedicated to cybersecurity in organizations. However, there is not always a correct strategy, so Byte TI, together with the security firm VU, organized a face-to-face meeting with CISOs from various companies to take stock of the situation regarding this problem. The meeting was attended by Mario Moreno, Head of Security at Metrovacesa; Néstor Serravalle, Executive Vice President for Europe at VU; Gabriel Moliné, CISO of Leroy Merlin; David Moreno del Cerro, CTO of Tendam; Álvaro Ladoux, fraud expert; Daniel Damas, CISO of Nationale Nederlanden; Maica Aguilar, Cybersecurity Identity Management & Compliance at Ferrovial; and Joaquín Pano, DPO of Leroy Merlin.
Maica Aguilar, Cybersecurity Identity Management & Compliance at Ferrovial, was the first to speak, analyzing the challenges of digital protection. In her opinion, “the person is the center of security and the current focus tends to go there because the perimeter no longer exists. The entry point for an attack is people. Before, people were seen as a secondary point of attack; now they are not. Now we are in zero-trust models in which the control of people has become the central axis of a cybersecurity strategy of any company”.

David Moreno del Cerro, CTO of Tendam, agreed with this opinion, since for him “the protection of the job is somewhat insufficient because the user accesses from multiple devices and locations. The link is now the user and it is the weakest element, so it is essential to ensure identity management.”
Néstor Serravalle, Executive Vice President for Europe at VU, considered that “it has been stated for some time that the only element to systematically protect is identity. The problem with this identity is that it is affected by different variables, such as accessing services through innumerable passwords. However, there will be a time when we will not have to worry about this series of aspects. In reality, with digital identity, it is about making sure that the user is who they say they are. Clearly there is a conjunction of technologies and a regulatory framework that must be respected. In this framework, Europe is aware and doing a good job because they consider it strategic and it is seen as a social good. The conjunction between what is happening in technology and the role of the states is going to lead to a situation that is different from the current one and in which value will be given to the fact that the identity is unique and that of a user. There is going to be a brutal change in what refers to digital identity”.
One of the problems related to digital identity is that users do not know how to handle it. At least that is the opinion of Daniel Damas, CISO of Nationale Nederlanden: “We are not yet prepared for people to know how to handle digital identity. Technically we cover the devices, but the key is that people know how to use that digital identity. One of the problems we face is that if there are currently people who do not know how to handle digital transformation, how are we going to require them to manage their digital identity?”

The difficulty of passwords

Passwords occupied a dominant space almost from the first moments of the meeting. As Mario Moreno, Head of Security at Metrovacesa, stated, “passwords, at the moment, are a problem. Users have a professional environment and a personal one where they have different passwords and usernames. And in general, they do not show concern for their safety. They only do it if it affects their money and then they do take precautions and all the security measures that are implemented seem fine to them. However, if it is about company connections, people do not value it and do not realize that it is also about money, only that it is money from the company that pays them.”

David Moreno del Cerro, CTO of Tendam, explained that in his organization they work with “tens of billions of clients in our profiles and validating those profiles is essential and we are constantly looking for formulas to protect that data. We have access data from customers who have their data stolen and that means that in the end, they are compromising my own security. We have systems to protect all this and to notify the client every time we perceive that there is a risk or incident”.


In this sense, the European Vice President of VU stated that it is essential that the protection be as broad as possible: “This protection has to include customers, suppliers, the value chain, etc. All companies are going to go towards protecting the identity of all of them, because if not, they are going to have problems. Companies have to promote the customer identity, so that the identity is in one place and that the identity provider is consumed. We believe there should be more identity value network providers.”
For Gabriel Moliné, CISO of Leroy Merlin, “the challenge lies with the big identity providers like Facebook, Google, etc. And this is a big concern for me because I think we are creating an identity oligopoly with these companies and the market for identities is being transformed.” His colleague Joaquín Pano, the multinational's DPO, believes that “ensuring identity goes further. All of us, companies and users, should make a significant effort to manage that identity. The problem is that there are many who want to maintain the current model, because otherwise, many providers would lose their business and their reason for being”.

Identity management issues

What are the main attacks? How do cybercriminals access data that should be protected? For Maica Aguilar, “the most common are phishing attacks since they represent the highest percentage of effectiveness. In addition, the attacks are becoming more sophisticated. We do tests with our workers to educate them and we see that people very easily fall for a more or less sophisticated phishing. We give monthly talks, seminars, we launch advice… I mean, our employees can’t say they don’t have information, and yet the problem is that cyberattackers are getting better and better and people fall for it. And the moment someone’s identity is stolen, you have a very serious problem.”

The sophistication is increasing. In fact, phishing is becoming obsolete and is beginning to be replaced by techniques such as vishing, in which the voice is the protagonist and the attacker, using the conventional telephone line and social engineering techniques, tries to access financial data by stealing the victim’s identity. In this sense, Leroy Merlin’s DPO affirmed that “we carry out periodic vishing exercises and in the same way that users are more alert with phishing, with vishing they still fall a lot. For us, the report button is key because we see that users are reporting incidents faster and faster. In other words, people are more aware.”
Faced with this situation, the fraud expert Álvaro Ladoux explained with data what organizations face: “Spain is the second most attacked country in Europe and there are 400,000 daily attacks. INCIBE only manages around 120,000 incidents per year, and that represents only 2% of the total. And it all starts with a phishing, with which it is intended to obtain an economic benefit with the sale of data in which 70% of it is identity”.

Identity management strategies and silos

One of the problems in carrying out an identity management strategy is Shadow IT. In this regard, Gabriel Moliné believes that “it is necessary to explain to the departments that have the capacity to hire services from outside, the risks they run in terms of identity protection and even in terms of fines they may receive.” To improve this strategy, Tendam’s CTO believes that it is necessary to go to a pay-per-use model: “The investment that a hyperscaler can make is much greater than what I can make. The cloud has evolved a lot and the resources that these companies have and their technology is very advanced. Today I cannot consider an on-premise model. If there is someone who does it better than you, you have to go with him”. Néstor Serravalle agreed, but also stressed that “in these cases in which a model as a service is opted for, it must be taken into account that the responsibility for the protection of the data that has been taken to the cloud lies with the client, and here we must bet on the construction of hybrid systems to protect identities. I believe that the big technology companies are not the most suitable for managing identity management more comprehensively. I think that the SIAM and IAM models, which can already be contracted as a service, are a much more effective model.”

By Alvaro Rivers
