Organizations traditionally have had only two options to address identity and access management:
1. Solving specific pains in an ad-hoc manner with system- and task-specific tools and practices from a variety of vendors.
2. Implementing a monolithic framework that seeks to address issues enterprise-wide through an almost entirely customized approach.
These options either are too customized and cumbersome to be sustainable, or too controlling and rigid to address today’s new market realities. Neither adequately addresses the business-driven needs that are forcing organizations into action.
Quest Software identifies the following five top security threats and offers a set of solutions.
1. Internal excessive privilege - System Administrators with complete access to servers and data can pose a tremendous internal threat if they turn against the company. Similarly, everyone from admins up to executives poses a threat to security and data if they maintain excessive access rights after changing positions or taking on different roles.
2. Third party access - Giving partners and other third parties appropriate access to data is no longer cut and dried. Data stored in the cloud may be located across the country or overseas—or sit on physical servers owned by one vendor, but housed in facilities owned by any number of data centers. Employees of these third parties often have direct access to unencrypted data, or they may retain copies of both encrypted or unencrypted data.
3. Hacktivism - Politically motivated hacking is on the rise. Members of various groups assert that much of their success comes not from their technical expertise, but from having found easy targets. While an organization may not have control over whether or not it is attacked, effective identity and access management strategies and technologies, and basic employee security training, will reduce the chances that attacks will succeed.
4. Social engineering - Social engineering is the age-old technique of using lies, deception and manipulation to gain sufficient knowledge to dupe an unwary employee or company. Using public social channels to detail every aspect of your upcoming “unplugged” vacation trip may be just what a scammer needs to put an attack in motion.
5. Internal negligence - Negligence typically is an offense committed by management when “they should have known better.” Most successful data security breaches have some element of managerial negligence associated with them, such as simply forgetting to check log reports for clearly suspicious patterns.
How to combat security threats:
Adopt a “least privilege” security posture that gives each employee the least privilege necessary to accomplish required tasks, and ensures that unnecessary access rights are revoked whenever an employee changes roles. Some of the most common implementation options to help get to a least privilege state include: assigning appropriate access directly to users based on well-defined roles, limiting access to administrator and/or root accounts – making sure that the passwords to these accounts are not shared, are changed frequently, and that there are controls in place to limit and track their use.
Embrace an access review policy and regular, automated access alerts that notify two or more administrators of access changes, employee changes or other critical issues. To prevent access creep, access privileges must be dynamically linked to human resources and staffing databases. Notifying more than one administrator helps overcome negligence.
Lock the front door by fostering education, encouraging diligence, and developing processes such as regularly changed passwords, or by adopting “harder” security access technologies with tools such as Microsoft Active Directory or multifactor authentication. Employee education can cover the logistics and basics of security, but also can address topics such as the psychology and known techniques of social engineering hacks.
Achieve compliance by implementing access control and separation of duties practices and technologies, and developing, implementing, and enforcing secure policy on all system access. Provide a complete audit trail of policy and activities, and eliminate non-compliant login practices.