Question

In: Computer Science

Suppose your organization have multiple software development and IT operation teams. You want to implement IAM...

Suppose your organization have multiple software development and IT operation teams. You want to implement IAM controls securely to protect against insider threats and reduce the unauthorized access incidents. What do you think are the top 5 best practices in IAM?

Solutions

Expert Solution

Defining Insider Threats

The Computer Emergency Response Team (CERT) for the Software Engineering Institute recently redefined an insider threat as the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

For the purposes of this blog, we’re not going to focus on the motives and behaviors of an insider, but on them having and using their privileges to get access to an organization’s assets.

What is Identity and Access Management?

Now let’s talk a little bit about identity and access management (IAM). IAM is a security framework that controls digital identities and account access. The framework, when paired with your organization’s policies and the right technology, can provide centralized and automated control of user access to information and resources.

With the IAM framework implemented, you can use granular role-based access controls to enforce enhanced privilege and authentication policies.

Why Are Insider Threats Difficult to Detect?

Since insiders are typically employees or business partners who have or have had, trusted access to your network(s) or information resources, it makes them very hard to spot. Consider the following scenarios:

  • Inactive Accounts: What if an employee left the company and because of broken processes and lack of governance, the employee’s account was never deactivated or removed?
  • Privilege Creep: How do you identify and manage accounts of employees who have worked in many different departments of the organization over the years and whose previous privileges were never updated or removed to reflect role changes?
  • Multiple or Parallel Accounts: Although there may be a legitimate need for multiple accounts for an individual or process, how does the governance process enforce periodic reviews to validate sustained access to these accounts so they can do their job?
  • Separation of Duties: Does the governance process also account for internal controls to prevent fraud and error by requiring more than one individual to complete key processes or tasks?
  • Multifactor Authentication: Are you using an additional form of authentication that requires something you have, are, or your location, in addition to the traditional something you know (e.g., password)?
  • Irregular Access: Does the system automatically alert your security team if someone accesses their account during non-routine hours?
  • Privileged Account Access: Do you have additional security measures and audits in place for privileged users who have access to the admin accounts, or as they say, “the keys to the kingdom?”

All of these questions are only scratching the surface of the areas you should be considering.

What are the Fundamentals of IAM?

When we look at IAM concepts, we can boil it down to three fundamental principles:

  1. There needs to be a high-level of confidence that the person logging in to an account is the person they say they are;
  2. Access should only be granted to individuals with a current need to accomplish their assigned job tasks and;
  3. Account access and activity logs need to capture what accounts are or were accessed and by whom and when.

Once you’ve applied these principals, be sure to baseline your normal operational activities. This allows you to sift through the noise to locate what could be abnormal activity to help it stick out like a sore thumb and better your chances of preventing and detecting insider threats.

How Can You Reduce Insider Threat Risks?

Many businesses or organizations use multiple systems and processes to handle various pieces of their network and security capabilities to include access to accounts. When it comes to network security, there are many methodologies and technologies out there to choose from but as we know, piecemealing security together generally isn’t as effective as when it’s designed and viewed from a holistic approach.

Below are the seven best practices for enterprises to improve IAM maturity and reduce security risk:

  • Consolidate identities: According to Verison, 80 percent of breaches are due to compromised credentials. It’s critical to develop a holistic view of all users and strengthen and enforce password policy, or eliminate passwords, where possible.
  • Enable single-sign-on (SSO): SSO to enterprise and cloud apps, combined with automated cloud application provisioning and self-service password resets, cuts helpdesk time and cost, and improves user efficiency.
  • Implement multi-factor authentication (MFA) everywhere: MFA, including third parties and the VPN that adapts to user behavior, is widely acknowledged as one of the most effective measures to prevent threat actors from gaining access to the network and navigating to target systems.
  • Audit third party risk: Outsourced IT and third party vendors are a preferred route for hackers to access corporate networks. Conduct audits and assessments to evaluate the security and privacy practices of third parties.
  • Enforce least-privilege access: Role-based-access, least-privilege and just-in-time privilege approval approaches protect high value accounts, while reducing the likelihood of data loss from malicious insiders.
  • Govern privileged sessions: Logging and monitoring of all privileged user commands makes compliance reporting a trivial matter and enables forensic investigation to conduct root cause analysis.
  • Protect the inside network: Network segmentation, isolation of highly sensitive data and encryption of data at rest and in motion provide strong protection from malicious insiders and persistent hackers once inside the firewall.

Summary

Reducing insider threat risk is the name of the game for security-minded folks and insider threats are a risk all organizations, big and small, must consider. However, the bottom line is that if you architect and implement an IAM security framework and technology that ties in your governance and subsequent policy rules into a centrally managed identity and access system, your ability to prevent and detect insider threats will be greatly enhanced.


Related Solutions

You are a member of the product development group in your organization, and you have been...
You are a member of the product development group in your organization, and you have been asked to initiate the requirements specifications for a new software application. Before you start, you need to do some research on requirements, their definitions, and what makes a good requirement document. Conduct research using the library, Internet, and your course materials, and write 400–600 words in response to the following questions: Why do you need requirements? How can you classify requirements? Define what makes...
Suppose that you are invested in a software development firm that designs automotive radar software for...
Suppose that you are invested in a software development firm that designs automotive radar software for robotics systems in cars. Your offices and most of the key employees who helped to start the company are in Tampa, but given expansion plans, your current location is no longer sufficient, and you need to decide on a location for your new headquarters. Now, your business is faced with a difficult decision: where do you locate your new headquarters? Option 1: Lansing, Michigan...
Your organization has decided to implement the EHR system, and you have been appointed as a...
Your organization has decided to implement the EHR system, and you have been appointed as a member of the steering committee. Discuss the role of the steering committee in EHR implementation. note: Please write by computer form.
Your organization has decided to implement the EHR system, and you have been appointed as a...
Your organization has decided to implement the EHR system, and you have been appointed as a member of steering committee. Discuss the role of the steering committee in EHR implementation
Your organization has decided to implement the EHR system, and you have been appointed as a...
Your organization has decided to implement the EHR system, and you have been appointed as a member of a steering committee. Discuss the role of the steering committee in EHR implementation.
Your organization has decided to implement the EHR system, and you have been appointed as a...
Your organization has decided to implement the EHR system, and you have been appointed as a member of the steering committee. Discuss the role of the steering committee in EHR implementation. note: Please write by computer form.
Suppose you want to invest in a mining operation. You know the total mass of four...
Suppose you want to invest in a mining operation. You know the total mass of four ore deposits, the percent of that deposit that is a mineral containing iron (Fe), and the chemical formula for the mineral: Deposit A contains 31,000,000 tons of ore containing 26% sidererite [FeCO3] Deposit B contains 16,000,000 tons of ore containing 63% magnetite[Fe3O4] Deposit C contains 67,000,000 tons of ore containing 25% hematite [Fe2O3] Deposit D contains 46,000,000 tons of ore containing 30% limonite [FeO(OH)]...
Imagine that you are a system analyst of a software development company and you have been...
Imagine that you are a system analyst of a software development company and you have been assigned to a team that will be developing the information systems for the clients. For now as a team leader for the data design team, you have been asked to the read and understand the following case studies and prepare the data design as specified. Creating an Entity Relationship Diagram, Creating a Context Level Data Flow Diagram. Create the ER diagram for library management...
You will play the role of a paralegal in a software development company. You have been...
You will play the role of a paralegal in a software development company. You have been given the task of recommending the type of license agreement that should be used for your company’s new software product line. Consider all types of license agreements in making the recommendation. The software delivery method should also be considered.
A. Should internal auditors be members of systems development teams that design and implement an AIS? Why or why not?
  A. Should internal auditors be members of systems development teams that design and implement an AIS? Why or why not?   B. What internal control procedure(s) would provide protection against the following threats?   1. Theft of goods by the shipping dock workers, who claim that the inventory shortages reflect errors in the inventory records.   2. Posting the sales amount to the wrong customer account because a customer account number was incorrectly keyed into the system.   3....
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT