Tech Talk with David Cottingham

May 7, 2024
A compelling conversation about the role of identity in strategic security planning

SecurityInfoWatch.com recently spoke with David Cottingham, the president of rf IDEAS and a security product development and management veteran with over 25 years of experience in the security space. He set the tone for our discussion by describing how he thinks identity plays a role in security planning and outlining how implementing identity access management strategies can help companies address the weak points in their current security systems.

According to a white paper by Osterman Research, over 80% of organizations have experienced an identity-related breach that involved the use of compromised credentials. Movement toward more secure credentials such as digital passkeys and mobile credentials can help industries secure their more challenging and vulnerable endpoints.

Cottingham tackles this concept and offers other best practices for logical access and identity controls for most organizations.

SecurityInfoWatch: What role is identity playing in companies’ cybersecurity strategy in 2024?

David Cottingham: Account takeover (ATO) attacks will continue to be prevalent throughout this year. To mitigate these risks, it’s important that companies have advanced detection and prevention solutions in place as cyberattacks increasingly target identity. Passwordless authentication solutions will continue to rise in popularity because of their use of passkeys and multifactor authentication to protect sensitive data.

SIW: How can companies best include mobile credentials and digital wallets as a part of their access control strategy?

Cottingham: Implementing a mobile digital wallet solution for employee badges helps organizations future-proof their secure authentication strategy across the following use cases: single sign-on (SSO), secure printing, attendance tracking, and visitor management. The benefits of leveraging digital wallets include providing their employees with a seamless user experience, making user data more private and secure, streamlining the distribution and management of employee credentials for IT administrators, and removing the financial burden of replacing lost or stolen physical badges.

SIW: How does the vulnerability of identity access management (IAM) differ across industries?

Cottingham: IAM is at the core of a company’s security strategy, and fundamental to managing information security. While all industries should have an IAM strategy, the vulnerability or risks associated with identity vary depending on the industry and the employee accessing information. Risks can be financial, reputational, regulatory, or safety-related.

  • Vulnerabilities by Industry:
    • Healthcare: Vulnerabilities include network downtime, failure to meet regulatory compliance (ex. HIPAA), which requires securing protected health information (PHI), and having an inefficient workforce that spends less time on patients (ex. each clinician having to type in a username/password upwards of 70 times per day).
    • Manufacturing: Vulnerabilities include production line downtime from ransomware attacks, having the accountability of untrained/uncertified frontline workers operating mission-critical manufacturing systems (ex. PLCs, HMIs, SCADAs), and safety concerns of untrained frontline workers operating hazardous equipment (ex. forklifts), which can violate OSHA standards.
    • Financial Banking: Vulnerabilities include failure to meet regulatory compliance (ex. Gramm-Leach-Bliley), which requires securing customers’ personal and financial information.
    • Education: While not a vulnerability, it’s all about having an IAM solution to deliver a seamless student experience. Typically a digital experience: mobile credentials enable students to leverage the credential in the digital wallet for payment (bookstore, vending, cafeteria, printing), access to facilities, and access to resources (computers, books).

SIW: Are any industry systems more sensitive or more challenging to secure?

Cottingham: All industries are at risk of identity being compromised, resulting in losses. These risks can be as simple as password sharing, or poor password discipline caused by the fatigue of constant user ID and password entry. Systems and/or endpoints utilized by frontline workers are getting more challenging to secure due to the nature of them often being unattended in high-traffic areas, misused with shared forms of authentication (i.e. shared passwords or PINs), and connected to the larger network, which enables a hacker to access much more sensitive data than what’s on the system/endpoint itself.

  • Examples include medical devices in patient rooms, point-of-sale systems or mobile computers in retail stores, and HMIs/PLCs/SCADAs in manufacturing facilities.

SIW: What are the weak points in a system’s current IAM controls? What needs should companies be immediately aware of and addressing?

Cottingham: Identity controls are growing more complex, making them harder to safeguard for organizations. While IAM does keep data secure, attackers also target it as IAM can be a weakness for companies of all sizes. The more organizations can combine their identity controls into fewer (ideally one) solutions, the stronger their cybersecurity will be.

SIW: What are the best ways for companies to address password fatigue and ensure password-protected data is secure?

Cottingham: Single sign-on (SSO) greatly reduces the risks of password compromise, as users only need to authenticate their identity once and can use that authentication across different devices or accounts. Not only does SSO strengthen security, but it also reduces the stress employees often feel with having to remember many different passwords, sometimes delaying their access to critical information in settings such as healthcare.
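To make the "authenticate once, reuse everywhere" idea concrete, here is an added illustration of an SSO-style flow; it is example code written for this page, not code from rf IDEAS or from the interview. The user's password is checked exactly once by an identity provider, which then mints audience-bound, time-limited, single-use assertions for each relying service (an EHR and a secure-print queue are the constructed examples). The services verify the assertion's signature, audience, expiry and replay status and never see the password. The shared HMAC key, the user store, the service names and the fixed timestamps are all constructed assumptions; a production identity provider would sign with an asymmetric key and store passwords with a slow KDF.

```python
"""Minimal SSO-style assertion flow (added example, not the page's own code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. A real IdP signs with a private key so that
# services can verify with the public half and never hold a signing secret.
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
ASSERTION_TTL_SECONDS = 300

# Constructed user store: salted hashes only (a real store uses a slow KDF).
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse battery staple").hexdigest()}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))


class IdentityProvider:
    """The one place the password is ever checked."""

    def __init__(self):
        self.sessions = {}  # session id -> (user, issued_at)

    def login(self, user, password, now=None):
        """Single authentication event; returns a session id or None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if not hmac.compare_digest(digest, USERS.get(user, "")):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, now)
        return sid

    def issue_assertion(self, sid, audience, now=None):
        """Mint an audience-bound, time-limited, single-use assertion for a live session."""
        now = time.time() if now is None else now
        if sid not in self.sessions:
            return None
        user, _ = self.sessions[sid]
        claims = {"sub": user, "aud": audience, "iat": int(now),
                  "exp": int(now) + ASSERTION_TTL_SECONDS, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    """A relying service (EHR, print queue, ...) that never sees the password."""

    def __init__(self, name):
        self.name = name
        self.seen_jti = set()  # replay cache for single-use assertion ids

    def verify(self, token, now=None):
        """Return the asserted user, or None if any check fails."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None  # tampered or forged
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.name or claims["exp"] <= now:
            return None  # meant for another service, or expired
        if claims["jti"] in self.seen_jti:
            return None  # replayed assertion
        self.seen_jti.add(claims["jti"])
        return claims["sub"]


def demo():
    """Walk the flow with fixed timestamps so the outcomes are deterministic."""
    idp = IdentityProvider()
    ehr, printer = ServiceProvider("ehr"), ServiceProvider("secure-print")
    sid = idp.login("alice", "correct horse battery staple", now=1000)
    t_ehr = idp.issue_assertion(sid, "ehr", now=1000)
    t_print = idp.issue_assertion(sid, "secure-print", now=1000)
    stale = idp.issue_assertion(sid, "secure-print", now=1000)
    tampered = t_ehr[:-1] + ("A" if t_ehr[-1] != "A" else "B")
    return {
        "bad_password": idp.login("alice", "wrong", now=1000),
        "ehr_user": ehr.verify(t_ehr, now=1001),
        "print_user": printer.verify(t_print, now=1001),
        "wrong_audience": printer.verify(t_ehr, now=1001),
        "replay": ehr.verify(t_ehr, now=1002),
        "expired": printer.verify(stale, now=1000 + ASSERTION_TTL_SECONDS + 1),
        "tampered": ehr.verify(tampered, now=1001),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is the set of checks on the service side: a signature alone is not enough, because an assertion minted for the EHR must not be accepted by the print queue, an old assertion must not be accepted after its window, and a captured assertion must not be replayable. Each of those is a separate line in `verify`, and each is exercised in `demo`.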

SIW: What are some trends you’re seeing so far this year or expect to come up throughout the year? Some experts are predicting an increased use of biometric authentication, single sign-on (SSO) enhancements, etc.

Cottingham: We anticipate an increased movement to more secure credential types as awareness of vulnerabilities of legacy systems continues to rise. These more secure credentials can take the form of digital passkeys, more secure card types, and mobile credentials, like NFC wallet, with a second factor needed to access them.

SIW: Are you seeing a growing trend in the convergence of physical and network security functions and a bigger priority being put on a more collaborative working environment?

Cottingham: We are seeing a slow movement towards convergence of physical and network security functions, and mobile is helping to accelerate this move as legacy systems are upgraded to take advantage of mobile and secure features. Simply securing the front door is no longer a viable solution to preventing cyber-attacks. Furthermore, organizations are starting to realize that credentials used for physical access can be leveraged for logical access use cases beyond the door, such as single sign-on, secure printing, time and attendance, visitor management, mustering, and more, to improve data/network security, optimize workforce efficiency, and maintain regulatory compliance.