CIOReview

Identity and Access Management – Times are Changing – Are you Ready?

Ed Moore, Sr. Director of Identity and Access Management, Carnival Corporation

Today Identity and Access Management (IAM) professionals play a larger role in helping to prevent bad actors from doing harm to businesses. In the past, all teams relied on the network to provide that level of security. Today hackers are able to go to an identity store on the dark web and purchase information on different companies. This gets their foot in the door and lets them start hacking faster than they could in the past.

Forrester said a few years ago that over 83 percent of all breaches for the previous year happened because someone already had the credentials, meaning that hackers did not have to attack your network. They walked in through the front door and did damage to each company.

The numbers are scary, but is there anything that we can do about it? How can Identity and Access Management (IAM) teams make a difference?

The first step is to take a look at where you are today. What systems do you have in place? How mature are those systems? Start with the basics and work your way forward. Crawl, walk, run is what I have always tried to demonstrate to other executives when talking about both the assessment and the overall maturity of any team. One must start by knowing oneself.

This starts by taking an inventory of both the products that IAM manages in our company today and the maturity of the members of the team. Do you have a way to manage all of your accounts in Active Directory today? Do you have an Identity Governance solution in place?

I always start with Active Directory (AD) and work my way out. Have the AD admins dump out some data from AD and see if there are any data quality issues. Are there attributes missing? Are accounts stale? Are there abandoned accounts that have not been purged after someone has left the company? When is the last time that everyone changed their account password? These are the items that you need to be looking at first.
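The review described above, run over an AD user export, as an added example that is not part of the original article. It assumes the admins' dump is a CSV with the columns shown; the accounts, thresholds and "today" date are constructed so the results are reproducible.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an AD user export (not real data); the columns are the
# attributes an admin would include in a Get-ADUser or csvde dump.
AD_DUMP = """samAccountName,enabled,lastLogonDate,pwdLastSet,manager,mail,employeeStatus
jsmith,TRUE,2024-05-20,2024-01-15,mlee,jsmith@example.com,active
mlee,TRUE,2024-05-21,2022-03-01,,mlee@example.com,active
oldsvc,TRUE,2023-02-01,2019-06-30,,,active
tgone,TRUE,2024-05-01,2024-02-10,mlee,tgone@example.com,terminated
"""

NOW = datetime(2024, 5, 22)      # fixed "today" so the review is reproducible
STALE_DAYS = 90                   # assumed thresholds; tune to your policy
PWD_AGE_DAYS = 365
REQUIRED = ("manager", "mail")   # attributes governance workflows depend on

def parse_date(value):
    return datetime.strptime(value, "%Y-%m-%d") if value else None

def review_ad_dump(text, now=NOW):
    """Return {samAccountName: [finding, ...]} for every account with an issue."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        enabled = row["enabled"].upper() == "TRUE"
        last_logon = parse_date(row["lastLogonDate"])
        pwd_set = parse_date(row["pwdLastSet"])
        # Missing attributes: breaks provisioning, approvals and reporting
        for attr in REQUIRED:
            if not row[attr]:
                issues.append(f"missing {attr}")
        # Stale: still enabled but not seen within STALE_DAYS
        if enabled and (last_logon is None or now - last_logon > timedelta(days=STALE_DAYS)):
            issues.append("stale")
        # Abandoned: a leaver whose account was never purged or disabled
        if enabled and row["employeeStatus"] == "terminated":
            issues.append("abandoned")
        # Password never set or older than the policy allows
        if pwd_set is None or now - pwd_set > timedelta(days=PWD_AGE_DAYS):
            issues.append(f"password older than {PWD_AGE_DAYS} days")
        if issues:
            findings[row["samAccountName"]] = issues
    return findings

if __name__ == "__main__":
    for account, issues in review_ad_dump(AD_DUMP).items():
        print(account, "->", ", ".join(issues))
```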


You can also have your staff work with open-source tools like Ping Castle and BloodHound to find other areas that are not going to come out of a review of the data alone. You need to take a look at the full contents of Active Directory. Look at it through the eyes of a bad actor: how would I get in here if I were a hacker?

Now that you have a cleaner and more secure Active Directory, what is next? The next thing that I would want to make sure any company has a good grasp on is the provisioning and deprovisioning of access for new employees and for those leaving the company. Do you have a solution today for Identity Governance? If not, then how are things done today?

If you are just starting out from nothing or you are a small company, then you are not going to be able to set up something like SailPoint IdentityNow, for example. Map out all provisioning and deprovisioning data flows and determine what is manual and what you can automate. Once you have the flow diagrams, ensure that security controls are in place for each of the steps necessary to provide a secure, accurate, and timely response for each process.

Next is a privileged access management (PAM) solution. What you are looking for here is a solution similar to BeyondTrust or CyberArk. Some smaller companies cannot afford all of the bells and whistles that come with these two products, and they can be too large a solution for your company. Shop around and even use someone like Gartner or Forrester to help you evaluate these solutions based on your overall company size.

The issue and risk that we are trying to prevent is someone being able to get into accounts that carry a high level of security privileges and are very powerful in your overall infrastructure or applications. This step is an absolute must and not optional. Vault these privileged accounts and rotate their passwords frequently.

PAM solutions have your administrators log into the product and verify that they are who they say they are. They then select where they want to work for that session and check out an ID for that environment or server. The PAM system then directs the admin into a session that lets them do their work, in some cases without ever entering the password. Once they are done, the password is rotated and cannot be reused until the account has been checked out once more. These solutions help to protect the highly valued accounts that you must keep out of a bad actor's hands. Also make sure that you are rotating all accounts after seven to twenty-one days of inactivity. You want to constantly rotate the passwords and, where possible, not expose them even to the administrators.

Multi-Factor Authentication (MFA) is another key pillar in IAM that helps prevent someone from coming in and accessing accounts that they do not own. Remember that you need to set up MFA on your cloud solutions and on the on-premise solutions too. MFA is pretty easy to set up, and the users will just need some time to adjust if you do not already have it in place. Move on this quickly. This is not optional. Most account takeovers happen because companies did not have MFA turned on.

You can also try other factors once you have the basics implemented. You can add tokens or other solutions to what you are working with today. Think of it from a user experience perspective and not just what the marketing team selling you the solution thinks is nice. Try things like biometrics and facial recognition. Try to use something that is already native on iOS and Android devices; then your teams do not have to maintain that solution and integration is faster. Also, if you do not allow cell phones, as in a call center, then think of alternative solutions such as tokens or "bingo" cards from Entrust to solve that problem.

Once you have all of these in place, you can look to mature to the point of having a solution that gives you risk levels based on account logins by region and other possible issues. Your IAM team needs to be able to see alerts in real time and then react. Actions on these alerts could be having users provide another factor of authentication (re-MFA), requiring them to change their password immediately, or isolating or quarantining the account.
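A minimal version of the login-risk scoring described above, as an added example rather than the article's or any vendor's logic. It assumes login events carry a user, UTC timestamp, country and whether MFA was used; the events, baseline regions, weights and thresholds are constructed for illustration and map the score onto the three responses the article lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): user, UTC time, country, MFA used
LOGINS = [
    ("asmith", "2024-05-22T08:00:00", "US", True),
    ("asmith", "2024-05-22T08:40:00", "BR", True),   # another country 40 minutes later
    ("bjones", "2024-05-22T09:00:00", "US", False),
    ("bjones", "2024-05-22T09:05:00", "US", False),
    ("bjones", "2024-05-22T09:06:00", "US", False),
    ("bjones", "2024-05-22T09:07:00", "US", False),  # burst of password-only logins
    ("cdoe",   "2024-05-22T10:00:00", "DE", True),   # first login ever seen from DE
]
# Assumed per-user "home" regions learned from history
BASELINE_REGIONS = {"asmith": {"US"}, "bjones": {"US"}, "cdoe": {"US"}}
TRAVEL_WINDOW = timedelta(hours=2)     # two countries inside this window is implausible
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 4

def action_for(score):
    """Map a risk score onto the responses the IAM team can take."""
    if score >= 70:
        return "quarantine account"
    if score >= 40:
        return "force password change"
    if score >= 30:
        return "require re-MFA"
    return "allow"

def score_logins(events, baseline):
    """Return {user: (score, reasons, action)} over a batch of login events."""
    by_user = defaultdict(list)
    for user, ts, region, mfa in events:
        by_user[user].append((datetime.fromisoformat(ts), region, mfa))
    results = {}
    for user, evs in by_user.items():
        evs.sort()
        score, reasons, seen_new = 0, [], set()
        for i, (t, region, mfa) in enumerate(evs):
            if region not in baseline.get(user, set()) and region not in seen_new:
                seen_new.add(region)
                score += 30; reasons.append(f"login from new region {region}")
            if i and region != evs[i - 1][1] and t - evs[i - 1][0] <= TRAVEL_WINDOW:
                score += 40; reasons.append("region change within travel window")
            recent = [e for e in evs[:i + 1] if not e[2] and t - e[0] <= BURST_WINDOW]
            if not mfa and len(recent) == BURST_COUNT:   # fires once per burst
                score += 40; reasons.append("burst of password-only logins")
        results[user] = (score, reasons, action_for(score))
    return results
```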

Lastly, be prepared. Even if you do everything above, that is not a recipe that says you will never be attacked. Plan for the worst case and have your teams do frequent tabletop exercises to find gaps in your recovery and incident response plans. Preparation and communication will help you as you continue to find more ways to improve your overall IAM maturity. You are now ready.
