According to a recent survey, 74% of breaches involved access to a privileged account, and yet many organizations are still failing to take the steps necessary to prevent the abuse of privileged credentials.
Ensuring that privileged accounts are secure requires Identity and Access Management (IAM) – a term used to describe the process of managing digital identities and controlling what assets those identities are allowed access to.
IAM consists of three core elements; Authentication, Authorization, and User Behavior Analytics (UBA).
1. Authentication
Authentication is typically done using a single sign-on solution (SSO). A single sign-on solution will allow a user to login to a system via a single portal, which will automatically authenticate the user to all connected systems and applications.
At a bare minimum, it is a good idea to have a strong password policy in place. A strong password should be unique, at least 8 characters long and should include numbers, symbols, special characters, and so on.
Naturally, users must avoid using passwords that are easy-to-guess. These days, most sophisticated authentication protocols will use multi-factor authentication, sometimes referred to as “Two-Factor Authentication” or “Dual-Factor Authentication”, and includes two or more of the following;
- Something (only) you know, which might include a password, passphrase or security question.
- Something (only) you have, which is typically a software token, certificate or a hardware dongle, such as an RSA SecurID token.
- Something you are, which might include fingerprints, iris or retinal patterns, vocal or facial characteristics, or some other kind of biometric data.
2. Authorization
Authorization is the process of establishing whether or not an authenticated user has permission to access a given resource. The process starts by assigning access controls to users or groups – both human and non-human (service accounts), to determine which resources they can and can’t access.
Access controls are assigned according to a “managed policy”, which is a set of rules used to determine which users, groups, and roles have access to which resources. Many adhere to the “Principal of Least Privilege” (PoLP), which stipulates that users should be granted the least privileges they need to adequately carry out their role.
PoLP can significantly reduce the risk of a serious data breach, by limiting the actions that can be performed by either an internal or external threat actor.
3. User Behavior Analytics (UBA)
UBA is the process of detecting anomalous changes – typically in relation to access permissions, and files and folders containing sensitive data. A User Behavior Analytics solution will monitor patterns of human behavior in an attempt to detect anomalies, or in other words, events that deviate from what would be considered “normal” behavior.
UBA is an important part of IAM, as it enables IT teams to keep track of who has access to what data, and when. There are many solutions available that can help with UBA. These solutions will compile information about the behavioral norms associated with each user, and detect, alert and respond to any events that deviate from these norms.
Some of the more sophisticated solutions are able to detect and respond to events that match a pre-defined threshold condition. In the context of Identity and Access Management, this might include identifying and responding to multiple failed login attempts.
For example, if X number of failed logins have been detected within a pre-defined time-frame, a custom script can be executed which might stop a specific process, change the firewall settings, disable a user’s account, or even shut down the entire server.
Why is Identity and Access Management (IAM) Important?
While it’s not easy to determine exactly what constitutes an “insider threat”, it is widely accepted that insider threats are the leading cause of data breaches, in some way or another.
According to The Global Data Exposure Report, 69% of organizations say they were breached due to an insider threat.
An insider threat can be either caused by negligence, or could be motivated by more malicious reasons, which might include stealing sensitive information for personal gain, or in some cases it could be an act of espionage.
Identity and Access Management is our primary defense against insider threats. IAM ensures that we know exactly who has, and should have, access to our sensitive data. Many organizations either don’t spend enough time or allocate enough resources to ensure that their IAM protocols are robust, and capable of adequately protecting their sensitive data.
The implementation and management of an IAM strategy is indeed a time-consuming and expensive operation, and it’s unlikely to yield any noticeable benefits – at least in the short term. However, what many organizations fail to understand is that it’s not a question of if, but when, a data breach will unfold. The chances are, an organization that fails to adequately protect their privileged accounts, will live to regret it.
Another Benefit of a Strong Identity and Access Management (IAM) Strategy
Another important benefit of a strong IAM strategy is that it enables employees to work from remote locations securely. Additionally, having a single sign-on enables greater scalability, as employees will not need to create a new account for each new service or application that is introduced.
A robust IAM strategy may even give your company a competitive advantage, as customers will feel more confident that their data is secure. And of course, were your company to experience a data breach – perhaps due to a weak IAM posture, this will damage your company’s reputation, which may lead to a loss of business.
Knowing Where to Begin with Your Identity and Access Management (IAM) Strategy
These days, organizations use a much more diverse range of applications and environments. In addition to the traditional on-premise IT environments, an increasing number of organizations are switching to a hybrid model, which integrates cloud-based services and infrastructure into their existing setup.
Not only that but there are an increasing number of different devices that are connecting to our networks from many different geographical locations. The above factors create additional complexities that can be overwhelming and make it difficult to know where to start implementing effective IAM protocols.
The first step towards developing a robust IAM strategy is to establish a dedicated team and involve all relevant stakeholders from across the organization. You will need to spend some time researching the different tools available, which includes contacting different vendors to find out what packages they offer, and how much they charge.
The next step involves creating an inventory that details all of the different users, devices, applications, servers and platforms that your organization relies on. You will need to determine how users will be identified on your network. Will they be identified by their name, employee number, or some other identifier? Many organizations will group these users into roles, and assign access rights based on these roles, a practice referred to as Role-Based Access Control (RBAC).
Roles may be broken into categories, which are in turn broken into sub-categories. For example, data is often classified as public, private or restricted. In which case we need to determine whether a user is an end user, an administrator or a specialist user.
We can then setup additional roles, which might include job competency, experience, location, department, and so on. For example, we can easily determine whether a certain type of user, with a certain amount of experience, who is operating from a certain location, is allowed to access, move, modify or remove data that is classified a certain way. RBAC doesn’t provide the same level of granularity as Attribute-Based Access Control (ABAC), however, RBAC is generally the preferred choice as it a lot easier to implement and maintain.
Data Discovery and Classification
Most organizations store large amounts of unstructured data, much of which is confidential. However, many companies (62%) don’t know where their most sensitive data resides, and a lot of this data is not classified properly.
If we don’t know where our sensitive data resides, how can protect it? The answer is, we can’t! As such, in order to establish an effective IAM strategy, we need a solution that will automatically discover and classify a wide range of data types, such as PII, PHI, PCI, and any data that is covered by the data protection regulations that apply to our industry.
Managing “Ghost” User Accounts
An often-overlooked area of Identity and Access Management is that of inactive, or “ghost” user accounts. According to an article published by SC Media in 2017, 1 in 4 user accounts are inactive.
Hackers will often look for inactive user or service accounts as they can provide easy access to sensitive data. For example, a hacker can perform a search on LinkedIn to see who has recently left a company and use this information to target a specific account.
Gaining access to a stale user account might allow the attacker to probe without triggering any alarms. Many UBA solutions provide built-in tools which can automatically detect and manage inactive user accounts.
Identity and Access Management (IAM) and Compliance
While it may have been possible to have implemented sub-standard IAM protocols in the past, those days are quickly coming to an end. In recent years we seen an increase in the number of high-profile data breaches make the headlines, and Governments across the globe have finally recognized the importance of data protection, and thus a number of new and improved data protection regulations have been introduced.
The General Data Protection Regulation (GDPR), which was introduced in May 2018, was arguably the most significant data privacy law that we’ve seen to date. A failure to comply with the GDPR could lead to fines of up to 20 million euros.
The advent of the GDPR led to a number of other data privacy laws being introduced that follow a similar theme. In the United States we’ve seen the California Consumer Privacy Act (CCPA), the Nevada Senate Bill 220 Online Privacy Law, and the more recent NY Shield Act, come into effect. In the UK we’ve seen the Data Protection Act 2018, which was designed to complement the GDPR, as well as various other new data privacy laws sprouting up around the globe.
A robust IAM strategy is crucial for complying with these types of regulations, as well as most other data privacy-related regulations such as HIPAA, SOX, PCI-DSS and ISO 27001. For example, under the GDPR, data subjects have a number of elevated rights, which include;
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Protecting these rights requires an in-depth understanding of how a users’ data is being accessed. Without having well-designed IAM protocols in place, gaining the visibility and control over who has access to personal data, and when, will be significantly harder, and thus the chances of satisfying the compliance requirements will be significantly lower.
Additionally, most sophisticated Data Security Platforms can use User Behavior Analytics (UBA) to generate a wide range of pre-defined reports that are customized to help comply with the various data protection regulations.
Identity and Access Management – A Summary
- Start by establishing a dedicated team who will be responsible for the implementation and management of your IAM strategy.
- Implement a single sign-on solution to improve visibility and control over user access.
- Ensure that you have a strong password policy in place, and if possible, use multi-factor authentication for added security.
- Introduce a set of rules to determine who should have access to what resources. Make sure those rules adhere to the “principal of least privilege”.
- Use a data discovery and classification solution to ensure that you know exactly where your unstructured sensitive data resides.
- Assign access controls based on pre-defined roles, such as job type, experience and location.
- Implement a User Behaviour Analytics (UBA) solution – sometimes referred to a DCAP (Data-Centric Audit & Protection) – to be able to detect anomalous changes to privileged accounts and the resources they have access to.
- Use an automated system for managing inactive user accounts.
- Regularly review access rights to ensure that they are still relevant and make amendments where necessary.