As a Security Principal at Quest Software, I get the unique opportunity to work with a wide and diverse range of customers, from small local businesses to large multinational enterprises, as well as government agencies and militaries. My team’s insights were gained by engaging with and helping this wide variety of customers and end users. This knowledge is a valuable commodity. We continue to build it by closely monitoring industry trends and the ever-changing cyber security landscape, and we help our customers apply a real-world approach to this ever-challenging space.
Security and IAM solutions are multi-layered. They start as simply as training users on safe computing practices and can end with fine-grained, dynamic authorization rules applied to web services or cloud-based applications. In fact, there are so many security offerings and disciplines available that organizations often don’t know where to begin. In this white paper, I will address this daunting issue: where to start, and where to go from there.
With the extremely broad offering of security solutions and the costs associated with each, the first step is the toughest. At a minimum, your network should have the two default security mechanisms: a capable directory technology such as Active Directory or LDAP, and a feature-rich firewall solution. But once you have those pieces in place, then what?
If you were to evaluate the recent security breaches, you would find that nearly all of them could have been nipped in the bud with three simple security solutions: multifactor authentication, secure web access management and privileged access management. These solutions are relatively inexpensive, easy to leverage, and provide the fastest ROI and peace of mind.
The need to ensure that the person logging in is, in fact, who they claim to be is fundamental to security. The vast majority of breaches are perpetrated by nefarious people who obtained credentials that allowed them to log in to systems to which they should not have access. The easiest way to prevent this unauthorized access is to raise the level of assurance that the person logging in is really who they say they are. And multifactor authentication is the de facto approach.
We all know what multifactor authentication is (something you know PLUS something you have), and we all know we should have it. So why haven’t we done so already? Basically, I see that most organizations have at some point tried multifactor authentication, and the user response was so negative that the project was either killed or made so limited in scope as to be irrelevant.
A typical approach to MFA is to simply ask the user for a one-time password (OTP) in addition to their normal login credentials. In an MFA-enabled environment, you could almost broadcast your credentials in public, and the people who hear you still won’t be able to log in as you unless they have your unique token generator. So, what’s so bad about that?
Here’s a sample of what’s bad about that:
Well, much has changed. Let’s take One Identity’s Defender product as an example:
Honestly the biggest change in the MFA landscape is the smart phone. Smart phones are ubiquitous. I mean, don’t most 13-year-olds have a smart phone these days? But alas, we still have that pesky enforcement point, right? Not necessarily.
It’s generally accepted in our industry that around 99 percent of the time, the user attempting to authenticate to a system is actually that user and not an impersonator or a hacker. Once we understand that, our philosophy on authenticating users can transform from making it inherently difficult for users to making it simple, easy, fast and secure. We can then reallocate our authentication computing power to identifying the threats or anomalies of a hacker hitting the environment.
What do you need to make this transformation? You need risk-based authentication. You’ll get that with Cloud Access Manager (CAM), One Identity’s web-access management (WAM) platform.
Which brings us to the second piece of low-hanging fruit. The whole point of computers, IT and all of that stuff is so that people can do their jobs better. Providing easy, optimized access to the applications and data that users need is critical. After all, if people can’t get to their stuff in an easy manner, they will find another way — one that is probably non-secure, and introduces risk to your organization.
That’s where a web access management solution, such as One Identity's CAM, comes in. Instantly, it bears fruit, if you will, due to its many security benefits, a few of which we’ve highlighted below:
Finally, and probably most importantly, CAM is installed with a built-in risk engine – called the Security Analytics Engine. With the introduction of a risk engine to your web access management strategy, you will have an intelligent, adaptive authentication capability that allows your trusted users to authenticate quickly, while making the challenge for an attacker all but insurmountable. Enabling the risk engine in your environment means instantly filtering your traffic for the following risk indicators (to mention a few):
So, what do we do with this information? We calculate a risk score. If that risk score is low enough, your users will not see a multi-factor prompt. The higher the risk score, the more involved the authentication process and the more restricted the access they may gain (if they aren’t denied outright). Your users could be asked for a multi-factor token or even blocked completely. That’s adaptive authentication, or context-aware security. Again, the goal here is to make it as easy as possible for our users to connect while simultaneously blocking attackers at every opportunity. This is something you can only do with a risk engine, and you get that right out of the box with One Identity’s CAM.
So, these two solutions, a capable MFA solution and a simple, secure WAM strategy, can quickly seal up security holes in your organization. Now it’s time to grab our last piece of low-hanging fruit, but this time it’s a piece of fruit that many organizations don’t even realize exists. It’s like a unicorn fruit. It’s one that could have prevented many of the most high-profile data breaches. It involves protecting our most important assets with privileged access management (PAM).
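As an added illustration of the adaptive-authentication decision just described (this is not One Identity's Security Analytics Engine, and the indicators, weights and thresholds are constructed assumptions), the Python below derives a few risk indicators from a login attempt and the user's history, sums their weights into a score, and maps the score to allow, step-up or deny.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed weights and thresholds (assumptions; a real engine tunes them per deployment).
WEIGHTS = {"unknown_device": 30, "new_country": 25, "impossible_travel": 40,
           "anonymizing_proxy": 35, "recent_failures": 20, "off_hours": 10}
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 70      # at or above: block the attempt

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def indicators(attempt, history):
    """Return the set of risk indicators that fire for one login attempt.

    attempt: dict with device_id, country, lat, lon, time (epoch s), local_hour,
             recent_failures, anonymizing_proxy.
    history: dict with known_devices, countries, last_login (time, lat, lon),
             usual_hours (range of local hours) from prior successful logins.
    """
    fired = set()
    if attempt["device_id"] not in history["known_devices"]:
        fired.add("unknown_device")
    if attempt["country"] not in history["countries"]:
        fired.add("new_country")
    t0, lat0, lon0 = history["last_login"]
    hours = max((attempt["time"] - t0) / 3600, 1 / 3600)   # guard divide-by-zero
    if km_between(lat0, lon0, attempt["lat"], attempt["lon"]) / hours > 900:
        fired.add("impossible_travel")                      # faster than an airliner
    if attempt["anonymizing_proxy"]:
        fired.add("anonymizing_proxy")
    if attempt["recent_failures"] >= 3:
        fired.add("recent_failures")
    if attempt["local_hour"] not in history["usual_hours"]:
        fired.add("off_hours")
    return fired

def decide(attempt, history):
    """Map the summed indicator weights to allow / step_up / deny."""
    fired = indicators(attempt, history)
    score = sum(WEIGHTS[s] for s in fired)
    if score >= DENY_THRESHOLD:
        return "deny", score, fired
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, fired
    return "allow", score, fired
```

A trusted user on a known device from a familiar country scores 0 and never sees a prompt; the same account appearing on a new device a continent away an hour later is denied.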
In any organization, there are administrators who literally have the keys to the kingdom, and rightly so. For a company to run smoothly, someone must have root access to servers to provide maintenance, troubleshooting and configuration. But that privileged access comes with serious risk, both to the organization and to the person with those responsibilities.
Once a hacker has breached your organization, his or her next step is to elevate privileges and create back-door accounts to extend that access. If your domain administrator’s credentials are compromised, or a latent Kerberos identity is decrypted and replayed, the attacker has carte blanche access to your organization’s most sensitive data.
But imagine a scenario where your administrators don’t even need to know what the credentials are to access a secure server. In fact, what if nobody in the organization knew what those credentials are? It is this idea that drives the concept of PAM. In a company using PAM, like One Identity’s Privileged Password Manager product, a dedicated hardened appliance manages all the credentials to your secure servers, infrastructure, applications, databases and everything else. And it does this independent of human interaction.
When an administrator needs to gain access to a high-risk system, they simply authenticate against the PAM server, supplying MFA credentials if necessary, and check out the password to a secure target for a predetermined amount of time. With this solution, not only can they check out the credentials to a secure server, but they can also dynamically open remote-control sessions that are recorded in a DVR-like fashion.
Not only is the organization protected by having high-risk access guarded by a managed password appliance, but the administrator is also protected. For instance, imagine something has gone wrong in your environment. Typically, all suspicion would be aimed at the administrator. But if that administrator could actually replay the video capture of what he did during the period he had checked out credentials for that server, he could prove that he was not the one who ‘dumped the user table’.
Fortunately, the solutions described above are not only straightforward to implement, but they are also cost effective, and they deliver a security coverage that would have prevented some of the most notorious breaches in recent news. Rightfully so, many companies are reticent to invest in the giant framework security products they see today, as there is legitimate concern about realizing ROI. So, how do you consume and overcome this security challenge? Easy: one bite at a time.
In the mélange of fruit to which we’ve just introduced you, you have three distinct — but very integrated — solutions. You can start anywhere, with whatever your greatest need is, and then move on to the next priority. You don’t have to take it all on at once. These three security products — multi-factor authentication, web access management and privileged access management — are a tasty mix. Plus, you can start to recognize ROI in days, not months.
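To make the check-out flow concrete, here is an added Python sketch (not Privileged Password Manager's code) of a vault that alone generates each target's password, leases it to an MFA-verified administrator for a fixed window, rotates it the moment the lease ends, and can answer who held the credential at a given time, which is the attribution question raised above. The class and method names, the 24-character alphanumeric password policy and the injectable clock are assumptions.

```python
import secrets
import string

class PasswordVault:
    """Check-out/check-in vault: only the vault knows each target's password;
    it is leased for a fixed window and rotated whenever a lease ends."""

    def __init__(self, clock):
        self.clock = clock      # injectable time source returning epoch seconds
        self._secrets = {}      # target -> current password, never logged
        self.leases = {}        # target -> (admin, start, planned_end)
        self.history = []       # closed leases: (target, admin, start, actual_end)

    def rotate(self, target):   # call once to enroll a target
        alphabet = string.ascii_letters + string.digits
        self._secrets[target] = "".join(secrets.choice(alphabet) for _ in range(24))
        # A real appliance would push the new password to the target system here.

    def checkout(self, target, admin, mfa_verified, lease_seconds=3600):
        """Hand out the current password for a limited window, MFA permitting."""
        self.expire_leases()
        if not mfa_verified:
            raise PermissionError("second factor required")
        if target in self.leases:
            raise RuntimeError(f"{target} is already checked out")
        now = self.clock()
        self.leases[target] = (admin, now, now + lease_seconds)
        return self._secrets[target]

    def _close(self, target, end):
        admin, start, _ = self.leases.pop(target)
        self.history.append((target, admin, start, end))
        self.rotate(target)             # the password the admin saw is now dead

    def checkin(self, target, admin):
        if self.leases.get(target, (None,))[0] != admin:
            raise PermissionError(f"{admin} does not hold {target}")
        self._close(target, self.clock())

    def expire_leases(self):
        for target, (_, _, end) in list(self.leases.items()):
            if end <= self.clock():     # lapsed without check-in: rotate anyway
                self._close(target, end)

    def holder_at(self, target, when):  # attributes a recorded session to a person
        for t, admin, start, end in self.history:
            if t == target and start <= when < end:
                return admin
        lease = self.leases.get(target)
        return lease[0] if lease and lease[1] <= when else None
```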
Are there still risks — even with all three solutions implemented? Of course. In spite of the best technology, the best intentions, and the most diligent oversight, security is not a perfect science. Every organization should be prepared for when its best security efforts aren’t quite enough: when a user exposes their credentials, when a contractor receptionist allows an impersonator dressed as an exterminator into the server room, or when someone drops their keys in a parking lot. These things happen. Even with MFA, WAM and PAM in the mix, sometimes it’s still not enough to protect your organization if an attacker is motivated and lucky. So, are we left to wait for the inevitable, or is there something we can do to mitigate the risk? The answer is simple: governance.
The notion of IAM governance is beyond the scope of this white paper. However, we can explain why a more strategic approach to IAM that includes modern governance is so important.
Governance solutions like One Identity Manager provide a number of features, including some of the following relevant capabilities:
Of course there are many other features of a full-blown identity management system, such as dynamic role memberships, user self-service and more. But consider the three solutions discussed in this document.
The simple fact is that if and when your environment is breached, how are you to know if you don’t have governance in place? If an attacker’s first tangible goal is to create a back-door account and escalate his privileges, are you going to see that happen and be able to react to it?
One Identity Manager will see those out-of-band changes and inform your administrators that it has identified the changes as a risk. What we’re talking about here is a way to be as proactive as we can. It is a governance platform that provides the final security blanket we need when all else has failed.
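An added example, not One Identity Manager's own logic, of the out-of-band detection described above: a reconciliation that diffs a snapshot of the directory against the state governance approved, and reports an account that was created outside the process and then placed in a privileged group as a single critical back-door finding. The snapshots, account names and group names are constructed.

```python
def reconcile(approved, observed, privileged_groups):
    """Diff the directory's actual state against what governance approved.
    approved / observed: {"accounts": set, "groups": {group: set(members)}}.
    An account that is both unapproved and newly in a privileged group is
    reported as the back-door pattern at critical severity."""
    findings = []
    rogue = observed["accounts"] - approved["accounts"]
    for acct in sorted(rogue):
        findings.append({"type": "unapproved_account", "subject": acct,
                         "group": None, "severity": "high"})
    for group, members in sorted(observed["groups"].items()):
        privileged = group in privileged_groups
        for member in sorted(members - approved["groups"].get(group, set())):
            if privileged and member in rogue:
                kind, sev = "backdoor_privileged_account", "critical"
            elif privileged:
                kind, sev = "unapproved_privileged_membership", "high"
            else:
                kind, sev = "unapproved_membership", "medium"
            findings.append({"type": kind, "subject": member,
                             "group": group, "severity": sev})
    # An approved admin who vanished from a privileged group may be an attacker
    # locking legitimate administrators out; surface that too.
    for group in sorted(privileged_groups & set(approved["groups"])):
        gone = approved["groups"][group] - observed["groups"].get(group, set())
        for member in sorted(gone):
            findings.append({"type": "privileged_member_removed", "subject": member,
                             "group": group, "severity": "medium"})
    return findings

# Constructed snapshots (assumptions, not real directory data): svc_helpdesk2
# was created out of band and put in Domain Admins, the back-door pattern.
APPROVED = {
    "accounts": {"alice", "bob", "svc_backup"},
    "groups": {"Domain Admins": {"alice"}, "Enterprise Admins": {"alice"},
               "Backup Operators": {"svc_backup"}, "VPN Users": {"alice"}},
}
OBSERVED = {
    "accounts": {"alice", "bob", "svc_backup", "svc_helpdesk2"},
    "groups": {"Domain Admins": {"alice", "svc_helpdesk2"}, "Enterprise Admins": set(),
               "Backup Operators": {"svc_backup"}, "VPN Users": {"alice", "bob"}},
}
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
```

Run on the two snapshots it returns four findings: the rogue account itself, its Domain Admins membership as the critical back-door pattern, bob's unapproved VPN Users membership, and alice's disappearance from Enterprise Admins.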
So yes, you need governance. It is the Holy Grail that every IT security team should be striving for. But we recognize that the budgets are not always there, or that we haven’t effectively evangelized the executives to make the story complete. So do we give up? No, we prioritize, pick the low-hanging fruit and prepare our organization as best we can.
Think about what an attacker is going to do.
So, take another look at the quick security wins you can get with the low-hanging fruit of IAM. When you are ready to apply modern governance, you’ll be confident that the rest of your organization has already been protected in the best ways possible.
Joe Campbell is Principal Solutions Architect at Quest Software. He is an accomplished software developer with an extremely diverse background. His career spans innovations for some of the world’s biggest companies, and he has pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. As a trusted security advisor, his experience in security and software architecture makes him a highly respected visionary and leader in the technology industry.