Seemingly every week, there’s another security mishap that puts the IT team, the CIO, the CISO or the VP of IT on the proverbial hot seat, whether it’s a big-name incident like TJMaxx or Societe Generale, or one of the myriad security problems that we never hear about. These events are happening with frightening regularity. What’s the answer?
Let’s start by looking at the problems (because there are so many).
- The external threat – while perhaps the most feared type of attack, this is by no means the most dangerous. These attacks take the form of APTs (advanced persistent threats) or DDoS (distributed denial of service) attacks. The hack at TJMaxx a few years back was an external attack in which a nefarious individual used insecure wireless access points to break into the enterprise systems.
- The internal threat – these are the most dangerous types of attacks. They are generally either an overt attack or the result of some unintentional activity, and in either case they are perpetrated by an employee or a recently-made ex-employee.
- Disgruntled administrators – Remember the City of San Francisco situation a year or two ago? A disgruntled admin changed all the admin passwords on his way out the door and wouldn’t give up the new password. With today’s password safe technology, this is a solvable problem.
- Absent-minded employees – Where do your employees store their six, eight or 15 different passwords? I’ll give you a hint: pick up any keyboard and voilà, there they are. Again, solvable.
- BYOD – Are your employees accessing enterprise data with their iPad, Android phone or other “employee-owned” device? Do you lie awake at night worrying that the device might fall into the wrong hands and you can’t do anything about it?
Fundamentally, the solution to these and other problems can, and should, revolve around the identity and whether the organization is appropriately managing the identity and its access. In other words, if the organization manages the identity appropriately and efficiently, then many of these issues might just go away. What are some of the steps organizations can take to effectively manage these identities? Here are a few.
- Manage your privileged users – Privileged access management is the cornerstone of any good identity program targeting security issues. These admins have elevated access, so you need to control when and how they use those credentials. Storing elevated account passwords in a password safe is a great start. You must also be able to audit their activity, including having the ability to get “DVR-like” playback of their sessions.
- Manage your users’ access – Beyond simply provisioning (and quickly deprovisioning), you need to “govern access.” This means giving these users only what they need (read: request) access to. And beyond that, the request needs to go to the business owner, for they are the only people who can really decide if that requester *should* have access to the data, application, whatever. Don’t rely on IT to give and take away access. If asked, they will likely say yes because they don’t have the business context to decide when the answer should be no.
- Compliance – I know; I’m as tired of writing the word as you are of hearing it. But it’s a reality. And if you are going to have a strong security program, well, the other side of that coin is compliance. Make sure that whatever systems, processes and/or products you put in place to tighten security also have a compliance component. This may take the form of *readable* audit logs as well as certification (aka attestation). In case you’re not sure what this is, it’s basically the ability for the data/application owner to get a list of who has access and then “approve” that those people need access. And if someone doesn’t need access, then revoke it.
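As an added example (my own illustration, not code from any product or from the original post), here is the certification workflow from the last two points in miniature: the business owner, not IT, reviews who holds each resource, anyone the owner does not approve is revoked, and every decision lands in a readable audit log. The owners, identities, resources and date are constructed for the example.

```python
# Constructed sample data (not from any real system): which business owner is
# accountable for each resource, and which identities currently hold access.
OWNERS = {"payroll-db": "cfo", "crm-app": "sales-director"}
ACCESS = {
    "payroll-db": {"alice", "bob", "contractor-1"},
    "crm-app": {"carol", "dave"},
}
# Decisions recorded during the campaign: (reviewer, resource) -> approved identities.
DECISIONS = {
    ("cfo", "payroll-db"): {"alice", "bob"},      # owner did not approve contractor-1
    ("it-admin", "crm-app"): {"carol", "dave"},   # IT tried to certify on the owner's behalf
}

def certify(owners, access, decisions, today):
    """Run one access-certification (attestation) campaign.
    Only the registered business owner's decision counts; a decision from anyone
    else (e.g. an IT admin) is logged and ignored. Holders the owner did not
    explicitly approve are revoked (default deny). Resources whose owner has not
    responded stay unchanged and are flagged PENDING (a choice for this example;
    a real campaign would escalate or revoke at its deadline).
    Returns (remaining access, revocations to apply, readable audit log)."""
    remaining = {resource: set(holders) for resource, holders in access.items()}
    revoked = {}
    log = []
    for (reviewer, resource), _ in decisions.items():
        if owners.get(resource) != reviewer:
            log.append(f"{today} REJECTED decision on {resource} by {reviewer}: not the business owner")
    for resource, holders in access.items():
        owner = owners[resource]
        if (owner, resource) not in decisions:
            log.append(f"{today} PENDING {resource}: owner {owner} has not certified, no change applied")
            continue
        approved = decisions[(owner, resource)]
        for identity in sorted(holders):
            if identity in approved:
                log.append(f"{today} APPROVED {identity} on {resource} by {owner}")
            else:
                remaining[resource].discard(identity)
                revoked.setdefault(resource, set()).add(identity)
                log.append(f"{today} REVOKED {identity} on {resource}: not approved by {owner}")
    return remaining, revoked, log

if __name__ == "__main__":
    _, to_revoke, audit = certify(OWNERS, ACCESS, DECISIONS, "2024-01-31")
    print("\n".join(audit))
    print("revocations:", to_revoke)
```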
Listen, security takes several forms. There’s a strong firewall, maybe even a next-generation firewall (I’m just starting to learn more about these from our good friends at SonicWALL). There’s also virus and malware protection. And frankly these topics, and others like them, garner the lion’s share of the publicity when there’s a breach or hack. But fundamentally, if you control the identities and what data or applications each identity has access to, you can prevent many of the challenging issues facing organizations today. In the meantime, stay secure, my friends.
The most secure man in the world, Bill Evans
P.S. Shameless plug: Not sure how you stack up against other companies? Take the Free Third-party Assessment from Aberdeen Group to see how your IAM performance stacks up.