Driven by a growing number of security breaches, the demand for greater mobility at work and the trend towards Bring Your Own Device (BYOD) in the workplace, Identity and Access Management (IAM) is a growing area of focus for businesses across many sectors.
Just how intense that focus is set to become is illustrated in a recent MarketsandMarkets research report. This suggests that the global market for IAM solutions will grow to some $12.8billion dollars by 2020, up from $7.2billion in 2015.
Many organizations already use identity management as a key weapon in their security arsenal. This, of course, allows a network or system to authenticate the identity of a user through credentials, ranging from a simple user name and password to digital certificates, physical tokens, biometric factors (fingerprints, iris scans, or facial recognition), or a combination of these factors.
The strength of the authentication required will depend on the sensitivity the material being accessed, as well as the impact should these resources fall into unauthorized hands. Public information might require little or no authentication, while proprietary or classified data or accounts with administrative privileges will require stronger authentication, preferably using multiple factors.
But is authenticating identity really the first step organizations should be taking? Identity management and access control are two sides of a coin; both are essential for security, but neither are adequate by themselves. However, access, more specifically least privilege access, should be the first consideration and at the heart of any organization’s IAM strategy.
The fact that someone has established his or her identity as an employee should not result in unfettered access.
The insider threat to enterprises is serious. The Government’s 2015 Information Security Breaches survey found there was staff involvement in 81% of the data breaches suffered by the large organizations it polled, while deliberate misuse of systems by employees and contractors accounted for 18% of the single worst security breaches for all sizes of organization. Whether malicious activity or as a result of employee errors, both scenarios present real risk to the enterprise.
In addition to threats from otherwise legitimate insiders, there also is a risk that the user credentials can be compromised and that the ID authentication process can be exploited to let malicious outsiders into the system. For these reasons, the principle of least privilege is best practice in access control.
The concept is simple: a low-level clerk does not need and should not have administrative privileges on IT systems; a worker in sales does not need access to sensitive financial information.
That’s the theory. In practice, however, it can be difficult to manage and organizations can unwittingly make mistakes which can compromise the practice of least privilege access and so the integrity of their approach to IAM and cybersecurity.
Firstly, users are often assigned access privileges based on their role in an organization, but individuals seldom fit neatly into single roles. They may need special one-time access, and each person fulfilling the same role might need slightly different types of access. Effectively managing least privilege access here requires not only authentication and secure connections, but granular controls for each user and the ability to monitor their activities.
That means that every action should require a permission; and business domains are defined by specific resources for the system being developed. Users can then be placed in roles that are associated with a specific set of permissions by assigning resources to each role. All actions should then generate events; which allows detailed reporting and analysis of the system by the applications using it. Events also can trigger responses, such as notifications or alerts for further monitoring.
Secondly, it’s important that the concept of least privilege is extended right across the organization even to those classified as privileged users such as systems administrators. Here organizations should be looking to enterprise IAM solutions that can provide real-time, continuous risk analysis on users, detailing who has access to what, who has access to privileged resources, their activity and summarizing their behavior and access rights with a risk score per user.
With the move towards greater mobility and BYOD, comes the increasing need to ensure that regardless of how a network and data is being accessed, it’s being accessed securely through correct identity mapping, correct access assignments and robust authentication flows. Above all however, the concept of least privilege should remain at the forefront to ensure the integrity of an organization’s approach to IAM.