Question

Suppose your organization have multiple software development and IT operation teams. You want to implement IAM controls securely to protect against insider threats and reduce the unauthorized access incidents. What do you think are the top 5 best practices in IAM?

Answer 1

Defining Insider Threats

The Computer Emergency Response Team (CERT) for the Software Engineering Institute recently redefined an insider threat as the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

For the purposes of this blog, we’re not going to focus on the motives and behaviors of an insider, but on them having and using their privileges to get access to an organization’s assets.

What is Identity and Access Management?

Now let’s talk a little bit about identity and access management (IAM). IAM is a security framework that controls digital identities and account access. The framework, when paired with your organization’s policies and the right technology, can provide centralized and automated control of user access to information and resources.

With the IAM framework implemented, you can use granular role-based access controls to enforce enhanced privilege and authentication policies.

Why Are Insider Threats Difficult to Detect?

Since insiders are typically employees or business partners who have or have had, trusted access to your network(s) or information resources, it makes them very hard to spot. Consider the following scenarios:

• Inactive Accounts: What if an employee left the company and because of broken processes and lack of governance, the employee’s account was never deactivated or removed?
• Privilege Creep: How do you identify and manage accounts of employees who have worked in many different departments of the organization over the years and whose previous privileges were never updated or removed to reflect role changes?
• Multiple or Parallel Accounts: Although there may be a legitimate need for multiple accounts for an individual or process, how does the governance process enforce periodic reviews to validate sustained access to these accounts so they can do their job?
• Separation of Duties: Does the governance process also account for internal controls to prevent fraud and error by requiring more than one individual to complete key processes or tasks?
• Multifactor Authentication: Are you using an additional form of authentication that requires something you have, are, or your location, in addition to the traditional something you know (e.g., password)?
• Irregular Access: Does the system automatically alert your security team if someone accesses their account during non-routine hours?
• Privileged Account Access: Do you have additional security measures and audits in place for privileged users who have access to the admin accounts, or as they say, “the keys to the kingdom?”

All of these questions are only scratching the surface of the areas you should be considering.

What are the Fundamentals of IAM?

When we look at IAM concepts, we can boil it down to three fundamental principles:

1. There needs to be a high-level of confidence that the person logging in to an account is the person they say they are;
2. Access should only be granted to individuals with a current need to accomplish their assigned job tasks and;
3. Account access and activity logs need to capture what accounts are or were accessed and by whom and when.

Once you’ve applied these principals, be sure to baseline your normal operational activities. This allows you to sift through the noise to locate what could be abnormal activity to help it stick out like a sore thumb and better your chances of preventing and detecting insider threats.

How Can You Reduce Insider Threat Risks?

Many businesses or organizations use multiple systems and processes to handle various pieces of their network and security capabilities to include access to accounts. When it comes to network security, there are many methodologies and technologies out there to choose from but as we know, piecemealing security together generally isn’t as effective as when it’s designed and viewed from a holistic approach.

Below are the seven best practices for enterprises to improve IAM maturity and reduce security risk:

• Consolidate identities: According to Verison, 80 percent of breaches are due to compromised credentials. It’s critical to develop a holistic view of all users and strengthen and enforce password policy, or eliminate passwords, where possible.
• Enable single-sign-on (SSO): SSO to enterprise and cloud apps, combined with automated cloud application provisioning and self-service password resets, cuts helpdesk time and cost, and improves user efficiency.
• Implement multi-factor authentication (MFA) everywhere: MFA, including third parties and the VPN that adapts to user behavior, is widely acknowledged as one of the most effective measures to prevent threat actors from gaining access to the network and navigating to target systems.
• Audit third party risk: Outsourced IT and third party vendors are a preferred route for hackers to access corporate networks. Conduct audits and assessments to evaluate the security and privacy practices of third parties.
• Enforce least-privilege access: Role-based-access, least-privilege and just-in-time privilege approval approaches protect high value accounts, while reducing the likelihood of data loss from malicious insiders.
• Govern privileged sessions: Logging and monitoring of all privileged user commands makes compliance reporting a trivial matter and enables forensic investigation to conduct root cause analysis.
• Protect the inside network: Network segmentation, isolation of highly sensitive data and encryption of data at rest and in motion provide strong protection from malicious insiders and persistent hackers once inside the firewall.

Summary

Reducing insider threat risk is the name of the game for security-minded folks and insider threats are a risk all organizations, big and small, must consider. However, the bottom line is that if you architect and implement an IAM security framework and technology that ties in your governance and subsequent policy rules into a centrally managed identity and access system, your ability to prevent and detect insider threats will be greatly enhanced.