The AT&T data breach of March 2023 should serve as a lesson in the dangers of relying upon siloed security solutions. As easy and popular as it is to point and laugh at the multibillion megacorp faceplanting into a humble pie, the truth is more granular. Siloed security, wherein disparate policies and systems are applied to a pool of identities, are nothing less than a wall of Swiss cheese. While the parent company is very much responsible for the burden of security, the vulnerability is part of an endemic misunderstanding about siloed security.
The Folly of Siloed Security
The AT&T breach resulted from oversights in a marketing firm the telecom company uses in its outreach programs. This exposed the Customer Proprietary Network Information (CPNI) of 9 mil users. This included names, email addresses, account numbers, and phone numbers. While this can also be a teachable moment on not always ticking the “let us collect information on you” box, it also demonstrates how broad corporate attack surfaces have become. Even if the central corporation has the best internal security on the planet, it takes just one authorized third-party vendor to endanger vital information.
AT&T alerted the relevant federal agencies in the wake of the breach. They offered the customers an option to add extra security to their password free of cost. However, this “fix” does not really address the underlying vulnerability. AT&T is still relying upon the “we’ve totally fixed it this time we swear” security of an outside vendor. If the problem is to be well and truly solved, it requires an overarching change in how AT&T handles their risk posture. Nor is AT&T alone in their vulnerability among telecom companies. Just recently, T-Mobile suffered their 8th data breach in less than 5 years.
So many identities get juggled back and forth without any centralized policy governing their usage. Little wonder that these breaches are becoming a recurring trend. Major companies contract out a service to an outside firm. That firm has a gap in their security. That gap is exploited to gain access to the big fish. Remember the hacked HVAC unit that brought Target to its knees? Or the insurance-services provider used to get into the sensitive personal data of Keybank clients? A data breach affecting 9 million customers (enough people to comfortably populate Virginia) has become close to routine.
The Security of Federated Identity Management
The reliance upon siloed security must be shed if companies wish to avoid the same fate. A federated identity solution encompassing AM, CIAM, IGA, and PAM provides the platform from which your enterprise can escape the dangers of third-party vulnerabilities. With detection and remediation enabled by automatic systems and role-based access management, you take the first steps toward responsible security.
Establish this basis of proper identity management. Then start scaling it out to cover your partners as well as your clients and internal users. In addition to the enabling your enterprise, your identity solution lets you expand out your security measures across your full identity fabric. This includes the security of your third-party service providers. Have their identities interact with your company on your terms. Thus, you swiftly detect and investigate any discrepancies and red flags.
Unfortunately, only a full-scale identity transformation, with the defense of your identity fabric as a driving consideration, can span across an attack surface of multiple enterprises. Implementing such a sweeping digital transformation is possible on your own. However, solutions are far more likely to be both successful and cost-effective when staged by a trusted IAM Service Provider. Enterprises with the foresight to reject siloed security and invest in federation enjoy fewer breaches and more options for remediation.
