It seems that every day there's a new breach in the news – ransomware, identity theft, nation/state-sponsored cyber-terrorism, and the good old standbys of phishing and zero day attacks. Businesses need to face a new reality where they are under constant attack from cyber-criminals. With the “data breach of day” headlines constantly hitting the media, it's easy for companies to get sucked into the data breach fatigue vortex and to bury their heads in the sand.
No one is immune and it's generally been accepted that it will happen eventually, so the attitude has shifted from “will I get attacked; what can I do to prevent it?” to “I've already been attacked; how can I minimise the damage?”
Of course, there are steps businesses can take to protect themselves ranging from next-generation firewalls, antivirus, staying up to date on patches to encryption and intrusion detection. While these all provide a necessary first-line of defence, but what happens after the bad guys inevitably find a way around these or a malicious or careless insider is the source of a breach?
Looking at most major breaches, there are some common themes. Generally, the bad guys come in through the front door, let in by an unsuspecting or naïve user. These bad actors are patient and work hard to cover their tracks and escalate privileges within the breached enterprise until they obtain sufficient rights to get to the data that is their real target. Then, as a seemingly legitimate user with seemingly legitimate permissions, the systems gladly grant access. And then you are in trouble – the digital fox is in the henhouse.
The disciplines of identity and access management (IAM) can go a long way to ensuring that when the bad guys do get in (and they will), there's nothing for them to do and achieving their nefarious objectives is simply not worth the effort. There are several key IAM practices that can minimise risk without negatively impacting the way your users go about their jobs.
Effective, business-driven provisioning and de-provisioning – make sure that those attributes that define which users can access what are established by the line-of-business (not IT) and that they are applicable across the entire enterprise.
Remember that nothing presents greater risk than a siloed approach to role or group management where the processes you put in place for one system are independent of every other system. And a “close is good enough” attitude is never alright when it comes to user access.
Adaptive, risk-based authentication – rather than implement access control in a heavy-handed, generalised manner that inevitably leads to disgruntled users who will look for every chance to skirt security policy, implement a contextual approach that can adjust enforcement relative to the risk of the request.
For example, an on-premise user has access to systems and data that he always uses to do his job is given transparent access to the systems he needs during business hours. However, if the same user is working remotely, after hours, exhibiting less-common behaviours, perhaps he is asked for an extra level of assurance via a multi-factor authentication challenge, for instance.
Privileged access management – the holy grail of any bad actor is the privileged accounts associated with every system. If they can escalate permissions to be granted access to these all-powerful and anonymous accounts, all bets are off. Simply eliminating the sharing of administrative credentials – locking them away in an automated password vault – and auditing activities performed with them will dramatically increase security and shrink the risk surface.
Identity analytics – while behaviuoral analytics helps determine why something bad happened and prevent future incidents, identity analytics provides insight into potential risk before anything bad can happen. Identity analytics looks at the entitlements, rights, and permissions granted to users and notifies of anomalies and areas of risk. Identity analytics will find the inappropriate escalation activities, users whose permissions are out of line with peers both within and outside of the organisation, and excessive rights that may be relics of incomplete de-provisioning or temporary elevation activities.
None of us can afford to ignore the risks, the constantly changing attack landscape, and the persistent behaviours that make some organisations an easy target. However, with effective IAM, they can limit damage, reduce risk, and dramatically increase the chances for defensive success.
Contributed by Todd Peterson, IAM Evangelist for One Identity
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.