When data breaches used to hit news headlines, it was a big deal. Breaches like Target, Home Depot and the Office of Personnel Management became mainstream headline news all over the world - yet in the last few months, breaches like the one at Whole Foods, despite some customers' credit card details being compromised by hackers, seemed to take a back seat to the ramifications of the Equifax breach, which are still being exposed.
In September, Whole Foods customers in various locations discovered that they may have become victims of a data breach, which resulted in some credit card information being compromised; around 100 stores were reportedly breached over a six-month time frame. Announced on 28 September, the breach occurred relatively soon after the breach at Equifax grabbed headlines internationally - and at a time when the fallout from that breach continued to dominate news both in the industry and the mainstream press. As a result, the breach at Whole Foods was met with little to no public outrage, as consumers were still wrapping their heads around the scale and the risks associated with Equifax.
So, what is going on here? Consumers are becoming breach fatigued - with data breaches happening every other, if not every, day, it is easy for news of smaller breaches to get swallowed up by the bigger news - in this case, by the fallout from the Equifax breach. Consumers are becoming desensitised. They often cover themselves by locking and blocking compromised cards and getting replacements, and their banks and credit agencies monitor their online activity - even down to sending them alerts when suspicious behaviour arises - yet breaches continue to occur at an alarming rate.
While we mostly aren't privy to the reasons behind data breaches and speculation can be high, we do know through experience that although organisations are taking steps to safeguard confidential data, attackers usually reach it through the administrative privileges that exist on virtually every system. Sometimes the weakness results from the use of default admin credentials, which can be exploited to gain unlimited access to the desired data and systems. The door can also be left open through an unpatched vulnerability, which when exploited provides access to a specific system; from there, through lateral movement and privilege escalation, the attacker can gain access to additional and more desirable systems.
The end result is always the same – the attacker finds an open door, steps through and then gains increased access to systems until the goal is achieved and the data is breached. We do have security technologies available today that help to mitigate these risks. Once systems have been scanned for vulnerabilities and adequately patched, and the use and issuance of administrative passwords is controlled so that they are not shared and are frequently changed and updated – referred to as privileged access management, a subset of identity and access management (IAM) – the processes are in place to mitigate the underlying risk and defend the domain from malicious attackers.
So why is it that organisations still struggle to protect their digital assets - where is it going wrong?
Factors of identity and access management
In order to implement IAM successfully, the following factors need to be given careful consideration:
People: Who needs access: employees, admins, partners, customers?
Resources: What do the people need to access: applications (on-prem or in the cloud), SaaS and privileged accounts?
Access: Precisely what level of access do the people need in order to do their jobs, and perhaps more important, what access do they NOT need?
Environment: How are the people accessing the information: on-premise, remotely, mobile and over what connection? And are there time or location restrictions on that access?
Governance: What rules does this access have to follow? Who makes those decisions? And, what regulations must be satisfied?
Each factor is critical to ensuring security, and a failure involving any of these factors can open the door for a breach. This is the essence of IAM: ensuring that the right people have the right access to the right resources in the right ways, and that you can prove all those “rights” to the people that need to know. Since regular user access can be exploited and escalated to privileged user access – the holy grail of risk – effective IAM, for both regular users and privileged users, is the most comprehensive and safe path to protection.
While it is impossible to absolutely prevent breaches, it is entirely achievable to reduce your risk by becoming a hard target through effective access controls (the essence of IAM); by making it difficult for bad actors to get what they are after if they do breach the perimeter (the fundamental purpose of privileged access management); and by making it easy to discover problems, identify risk before it becomes an issue, and satisfy the compliance demands that are there for our protection (the principles behind governance). Effective IAM is perhaps the best way to prevent your organisation from becoming the next security breach headline.
Contributed by Andrew Clarke, EMEA director, One Identity.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.