When it comes to your organizational security, you should leave no stone unturned. Overlooked access rights are one of the least noticed security threats your organization can face – and it’s less of a stone and more of a somehow-overlooked, but ever-looming mountain.
As employees change roles within the organization (whether through promotions, role-changes, or due to temporary projects), they accumulate more access rights than they actually need. This is commonly referred to as “permission bloat” or “privilege creep”.
Your employees need access to certain resources to do their job, but if they acquire “too much” access, then they actually become a security risk. So how can we identify when an employee has too many access privileges?
Oftentimes, taking a preemptive course of action is more effective than taking a reactive one, and that is true here. Rather than trying to identify after the fact when an employee poses a risk to your organization, you can take preventive actions to make sure that they never end up with more access than they should have.
By ensuring that employee accounts are provisioned with the correct entitlements and putting procedures in place (to fill in any gaps that are created) with approval-based delegation, organizations can truly tighten up their security efforts and minimize the risk they are exposed to.
Now that we have established the legitimacy of acting before being forced to react, the question shifts to: “What preemptive measures can I take to prevent an employee from acquiring too much access?”
Below I have detailed four possible actions that you can take to prevent permission bloat.
1. Access governance
Access governance (AG) is a process that allows organizations to govern who has access to what and is primarily aimed at reducing the risks presented by employees with too many permissions. It does so by enforcing access rights according to users’ designated role/job function.
AG is also geared towards helping organizations address the business, technical, legal, and regulatory requirements they face. By using access governance, organizations can create a level of transparency that prevents employees from accumulating so much access that they become a security risk.
2. Service automation
Service automation (often a part of an identity and access management solution) can make sure that all of your organization’s access requests pass through approval and are compliant with policies and regulations. In a large enough organization, the IT department often doesn’t know the majority of the employees and is unsure who the correct decision-maker is to forward an access request to. This confusion could inadvertently result in an employee being granted access that shouldn’t have been approved.
By using a service automation solution, IT can now directly send the access request (for whatever resource or application is needed) to the correct decision maker/manager for quick approval. That individual approves or denies the request, and access is granted/denied accordingly. This process takes the uncertainty, risk of human error, and potential compliance violations out of the equation.
By implementing service automation, you are unlikely to ever end up in a situation where you have to try and identify employees with too much access within your organization.
3. Principle of least privilege
Another preventive effort to combat an employee having “too much” access is to follow the principle of least privilege. The principle states that an employee should have the exact access rights needed to perform their job responsibilities—no more, no less. By doing this you prevent the otherwise inevitable slow build-up of accumulated access among employees.
When your organization fails to follow the principle of least privilege, you are not only creating a major security risk within the organization, you are also exposing yourself to regulatory compliance violations and creating an unnecessarily tangled and cluttered IT environment.
AG is a solution that helps your organization enforce the principle of least privilege, but least privilege is still a security discipline whose enforcement must extend far beyond just IT basics.
4. Extensive logging and auditing
Implementing an identity and access management solution that provides logged reports of any changes made to an employee’s permissions over time is another prime example of being preemptive and not reactive. By doing this, you can easily audit and view where an employee may be granted too much access. With one fell swoop, you can easily discover the issue and revoke access rights down to a level that doesn’t hinder your organization’s security.
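To make points 1, 3 and 4 concrete, here is an added example (my own illustration, not code from the original article or from any vendor product) of what a least-privilege audit against an access governance baseline looks like. It assumes three inputs: a role-to-entitlement baseline, an HR feed of each user’s current role, and a permission-change log of the kind point 4 describes. All three datasets are constructed for the example; the user names, roles and entitlement strings are placeholders.

```python
"""Detect privilege creep: compare each user's effective entitlements with the
baseline for their current role, and show from the permission-change log when
and why each excess right was granted. Added illustration; every dataset below
is constructed for the example and not taken from any real system."""
from collections import defaultdict

# Constructed role baselines: the entitlements each role genuinely needs.
ROLE_BASELINES = {
    "accounts_payable": {"mail", "erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"mail", "ad:password_reset", "ticketing:agent"},
    "hr_generalist": {"mail", "hris:employee:read", "hris:employee:write"},
}

# Constructed current role per user, as fed from HR (the authoritative source).
CURRENT_ROLE = {"jdoe": "hr_generalist", "asmith": "accounts_payable"}

# Constructed permission-change log: (date, user, action, entitlement, reason).
CHANGE_LOG = [
    ("2018-03-01", "jdoe", "grant", "mail", "onboarding as helpdesk"),
    ("2018-03-01", "jdoe", "grant", "ad:password_reset", "onboarding as helpdesk"),
    ("2018-03-01", "jdoe", "grant", "ticketing:agent", "onboarding as helpdesk"),
    ("2019-02-15", "jdoe", "grant", "hris:employee:read", "temporary project: payroll migration"),
    ("2019-09-30", "jdoe", "grant", "hris:employee:write", "role change to hr_generalist"),
    ("2020-01-10", "jdoe", "grant", "erp:invoices:approve", "covering for AP colleague on leave"),
    ("2018-06-01", "asmith", "grant", "mail", "onboarding as accounts_payable"),
    ("2018-06-01", "asmith", "grant", "erp:invoices:read", "onboarding as accounts_payable"),
    ("2018-06-01", "asmith", "grant", "erp:invoices:approve", "onboarding as accounts_payable"),
]


def effective_entitlements(log):
    """Replay grants and revokes in date order to get each user's current set."""
    current = defaultdict(set)
    for _, user, action, entitlement, _ in sorted(log):
        if action == "grant":
            current[user].add(entitlement)
        elif action == "revoke":
            current[user].discard(entitlement)
    return current


def excess_entitlements(log, roles, baselines):
    """Return {user: {entitlement: 'date: reason'}} for every right a user holds
    that the baseline of their *current* role does not justify. A user with no
    known role gets an empty baseline, so everything they hold is flagged."""
    current = effective_entitlements(log)
    last_grant = {}
    for day, user, action, entitlement, reason in sorted(log):
        if action == "grant":
            last_grant[(user, entitlement)] = f"{day}: {reason}"
    report = {}
    for user, held in current.items():
        allowed = baselines.get(roles.get(user, ""), set())
        extra = held - allowed
        if extra:
            report[user] = {e: last_grant[(user, e)] for e in sorted(extra)}
    return report


if __name__ == "__main__":
    for user, extras in excess_entitlements(CHANGE_LOG, CURRENT_ROLE, ROLE_BASELINES).items():
        print(f"{user} ({CURRENT_ROLE.get(user, 'no role')}) holds rights beyond the role baseline:")
        for entitlement, origin in extras.items():
            print(f"  {entitlement:<24} granted {origin}")
```

Run as-is, it reports that jdoe, now an HR generalist, still carries the helpdesk rights from onboarding plus an invoice-approval right picked up while covering for a colleague, each traced to the grant that introduced it; asmith matches the baseline and is silent. The point of replaying the log rather than reading the current state is that the audit tells you not only what to revoke but which process (onboarding, a temporary project, a favour) let the excess in.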
Permission bloat: Leave reaction to the unprepared
When it comes to organizational security, it’s better to act before you need to react. Too often, organizations do not realize they have employees with bloated access rights that represent a very serious threat to the organization. Don’t wait until it is too late, be proactive and start identifying areas for your organization’s security to improve.
When it comes to breaches, there are no big fish, small fish, or hiding spots. Almost every type of organization – including yours – has critical personally identifiable information (PII) stored. Storing PII makes you a target regardless of size, industry, or other variables, and all it takes is one employee thinking a phishing attempt is legitimate. That means everyone’s at risk.
Statistics show that data breaches are on the rise and can bring devastating, long-term financial and reputational repercussions to your organization. The 2019 Cost of a Data Breach Report, conducted by Ponemon Institute, estimates the average total cost of a data breach in the United States to be close to $4 million. And the average price for each lost data record, says the report, is around $150.
Breaches happen in so many ways, a one-size-fits-all solution doesn’t exist. Security requires a multifaceted approach to be successful. Here are four ways (plus one) your organization can beef up its data security barriers and prevent data breaches.
1. Train employees
Put all new employees through data security training and require all employees to take a refresher course at the start of every year, so the latest security guidelines are fresh in their minds.
While this type of training can be dull, it only takes a few minutes to cover the essential details. For example, employees should:
- Treat all devices (e.g., desktops, laptops, tablets, phones) as being capable of accessing the organization’s systems
- Never write down or leave a record of passwords where others can easily find them
- Be extra suspicious of emails or phone calls from unverified people requesting passwords or other sensitive information (There’s more on that last one below.)
Incorporate some up-to-date breach statistics to help convey the seriousness and pervasiveness of threats and the possible financial ramifications.
2. Simulate phishing attacks
Many security issues are the result of human error, such as clicking on a link in a malicious email.
Spear phishing attempts – i.e., highly targeted and customized phishing efforts – tend to lead to more breaches because they target specific personnel. The messages may reference a department or regular job function and can appear similar to other relevant messages in the target’s inbox on any given day.
Free or paid phishing simulators can test your employees’ ability to detect phishing emails by sending some of those types of emails yourself. Alerts and reports are provided for when someone responds to one of these messages.
Using one of these simulators, you can put your employees through active training to help them become more secure.
Remember to remind staff to double-check anytime they aren’t 100% positive that an email is legitimate. If an employee receives something that looks even a little off or out of the ordinary from a sender they know or can contact, they should run it by the IT team.
3. Evaluate accounts
How often does your IT team evaluate existing accounts? It can undoubtedly be a complicated process, but evaluating all of the activated accounts within your organization can go a long way in shoring up security and minimizing digital bloat.
Are there orphaned accounts floating around within your organization that former employees can still access? Are there review processes for determining and updating what different users should be able to access as their position within the organization changes?
The best time of year to evaluate accounts may be when you update everyone’s accounts from the previous year. If the time to sit down and evaluate accounts continually eludes your IT team, have them chip away at it between other processes, or have them schedule it as a larger project during less demanding months.
4. Review your user account lifecycle processes
What is the standard process for deactivating accounts when employees leave your organization or outside consultants are no longer providing services? These types of departures – whether involving immediate security concerns or not – are the most significant contributors to orphaned accounts plaguing your systems.
Whether you manage account deactivation manually or automate it, it is crucial. Review and optimize your organization’s deactivation processes to determine how fast and comprehensive they are when it comes to restricting accounts promptly.
Rapid responses can prove invaluable, providing peace of mind that comes from knowing your account review process cleans everything up.
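As an added illustration of the account review in points 3 and 4 (not code from the original article), the script below reconciles a directory export against the HR roster and flags accounts that are orphaned (no owner, or a terminated owner), expired (a consultant whose engagement has ended) or stale (no recent login). The roster, the account inventory and the review date are constructed; the 90-day staleness threshold is an assumption to adjust to your own policy.

```python
"""Reconcile the account inventory against the HR roster to surface orphaned,
expired and stale accounts for an account review. Added illustration; the
roster, inventory and review date below are constructed for the example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Person:
    person_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # termination date, or contract end for consultants


@dataclass
class Account:
    username: str
    owner_id: Optional[str]     # None when nobody is recorded as owner
    enabled: bool
    last_login: Optional[date]


# Constructed HR roster, keyed by person id (the authoritative source).
HR_ROSTER = {
    "e100": Person("e100", "active", None),
    "e200": Person("e200", "terminated", date(2019, 11, 30)),
    "c300": Person("c300", "active", date(2019, 12, 31)),   # consultant whose contract ended
    "e400": Person("e400", "active", None),
}

# Constructed account inventory as exported from the directory.
ACCOUNTS = [
    Account("jdoe", "e100", True, date(2020, 1, 14)),
    Account("bgone", "e200", True, date(2019, 11, 29)),
    Account("consultant1", "c300", True, date(2019, 12, 20)),
    Account("svc_backup", None, True, date(2020, 1, 1)),
    Account("dormant", "e400", True, date(2019, 9, 1)),
    Account("old_disabled", "e200", False, None),
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2020, 1, 15)


def review_accounts(accounts, roster, today, stale_after_days=90):
    """Return (username, category, detail) for every enabled account that
    should be questioned. Disabled accounts are skipped because deactivation
    has already happened. Categories: orphaned, expired, stale."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = roster.get(acct.owner_id) if acct.owner_id else None
        if person is None:
            findings.append((acct.username, "orphaned", "no owner in HR roster"))
        elif person.status == "terminated":
            findings.append((acct.username, "orphaned", f"owner terminated on {person.end_date}"))
        elif person.end_date is not None and person.end_date < today:
            findings.append((acct.username, "expired", f"engagement ended on {person.end_date}"))
        elif acct.last_login is None or (today - acct.last_login).days > stale_after_days:
            findings.append((acct.username, "stale", f"no login in the last {stale_after_days} days"))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for username, category, detail in run_review():
        print(f"{username:<14} {category:<9} {detail}")
```

The ordering of the checks matters: ownership is decided before activity, so a terminated owner’s account is flagged as orphaned even if someone is still logging into it, which is exactly the case you most want to see. Accounts with no recorded owner (service accounts are the usual culprits) surface as orphaned too, which is the prompt to assign an owner rather than to disable them blindly.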
Side note: Consider implementing a secure SSO solution
Having a single point of entry for the majority of your systems and applications can make things easier for all employees. Users will only need to remember one set of credentials and administrators can protect resources behind more restrictions without reducing easy access. By limiting the point of entry to one single spot, you can protect against potential data breaches. Configurable security settings, like date and time restrictions, allow administrators to control their environment even as systems and applications are extended to the cloud.
Applications and systems containing certain sensitive information can be made inaccessible from anywhere other than specific physical locations to help prevent risks, and secure portals can maintain logs of user activity, including when and how information is accessed.
Your organization’s data is one of its most valuable resources. Protecting it doesn’t have to be complicated or expensive, but it must be done right. Strengthen your organization’s data security practices today by starting to implement some or all of these practices.
Here we are: at the beginning of a new year and the start of another decade. In many ways, technology is exceeding what we expected by 2020, and in other ways, well, it is lacking.
Back to the Future made us think we would all be using hoverboards, wearing self-drying and fitting jackets, and getting to and from the grocery store in flying cars by Oct. 21, 2015. Hanna-Barbera promised us a cutting-edge, underwater research lab in its 1972 cartoon, Sealab 2020.
While some of the wildest technology expectations from the big and small screen may not have come to fruition, the last decade of identity and access management development didn’t let us down.
And, I believe identity access management (IAM) cloud capabilities and integrations will continue their rapid spread – as well as their transformation of enterprise technology and the way we do business – in this new decade and beyond.
Here are three IAM predictions for 2020.
1. Single sign-on (SSO) protocols steadily decrease the need for unique accounts and credentials for every resource, so Active Directory (AD) is put on notice.
SAML, OAuth 2.0, OpenID, and other protocols mean people will see a drastic reduction in the number of unique accounts and credentials necessary to log in to certain websites. Do you need to log in to manage a site or do some online shopping? Likely, you can just use your Google or Facebook account to verify your identity.
This trend will continue to dominate throughout business-to-consumer efforts. I believe it will also take hold of business-to-business and internal business operations, thanks to the SSO developments made by Okta, Tools4ever, and other industry leaders.
The rise of SSO and the maturation of cloud platforms, such as G Suite, will likely result in a reduction in Microsoft’s market hold with on-premise AD. As more enterprises transition to hybrid infrastructures and the cloud, flexibility means relying less on systems and applications that pair with AD to authorize user access.
Google Chromebook and other devices prove that the AD divorce is possible. Because of this, expect to see directory battles between Davids and Goliaths like Microsoft.
2. Downstream resources benefit from improved integration.
Along with the increasing use of protocols connecting IT resources, expect downstream systems, applications, and other resources to utilize identity data better. We’ll see how information transferred within the protocols mentioned above can be leveraged.
Provisioning will be far more rapid since transferred identity data will help to create accounts and configure access levels immediately. Continually improving integrations will provide administrators and managers with far more granular control during initial setup, active management, and deactivation.
Also, increasing connectivity allows identity data to be managed centrally at its authoritative source and pushed out easily from there. At the same time, systems and applications will better incorporate identity data to enforce a given user’s permissions within that resource.
3. Multi-factor authentication (MFA) pervades our login attempts and increases the security of delivery to stay a step ahead.
MFA is already popular among some enterprise technologies and consumer applications handling sensitive, personal data (e.g., financial, healthcare), and will continue to transform authentication attempts. A lot has been said about increased password complexities, but human error is still persistent.
The addition of MFA immediately adds further security to authentication attempts by having the user enter a temporarily valid pin code or verify their identity by other methods.
An area to watch within MFA is the delivery method. For example, SMS notifications were the first stand-out but forced some organizations to weigh the added costs that messaging might bring on their mobile phone plans. SMS remains prevalent, but all things adapt, and attackers’ increased ability to hijack these messages has made their delivery less secure.
Universal one-time password (OTP) clients, such as Google Authenticator, have both increased security and made the adoption of MFA policies much easier through time-sensitive pin codes. Universal OTPs also do away with the requirement for every unique resource to support its own MFA method.
PIN codes are now getting replaced by “push notifications,” which send a simple, secure “yes” or “no” verification prompt that allows access. After the client app is downloaded and your user account is registered, a single screen tap is all that is needed to add security to your logins.
Gartner has been praising push notifications as the way of the future for a couple of years. Gartner predicted that 50% of enterprises using mobile authentication would adopt it as their primary verification method by the end of 2019.
The cloud will undoubtedly control IAM’s potential for the foreseeable future.
The role of chief technology officer is evolving quickly because of the current spate of technology and its development. Not so long ago, CTOs focused heavily on IT operations and their organization’s technology and design expansion. Now, much of their time is spent on business development and raising bottom lines. Perhaps the most stressful factor facing most CTOs today is the unpredictability of people, both outside the organization and within. There’s also the fact that …
The post Pain points for CTOs: A primer of the most stressful aspects of the job appeared first on Help Net Security.