
By Byron V. Acohido
From the start of this 21st century, companies have continually scrambled to embrace ever more complex digital systems. Business networks connect an astounding variety of devices to a vast array of tools and services residing on company premises and in the Internet cloud.
An amazing cascade of logons and digital handshakes routinely takes place to enable convenient digital commerce as we’ve come to know it. The problem is, from a privacy and security standpoint, not nearly enough attention has been paid to assuring the authenticity of each and every connection.
That’s where identity and access management, so-called IAM, systems come into play. I recently spoke with Jeff Bohren, senior solutions architect at Optimal IdM, a prominent vendor in the IAM space. IAM vendors sometimes feel they’re toiling in obscurity compared to other, sexier security sub-specialties.
Bohren argues that addressing IAM is a logical, proactive step all companies should take, one that can immediately and materially improve an organization’s security posture.
Related article: Understanding, using IAM tools can help keep intruders out of company networks
IAM controls who gets into a network and what they can do once inside, he says. Doing IAM well can reduce breaches caused by careless mistakes, such as granting administrative powers to a partner whose staff can then change or take whatever they want without constraints.
That’s approximately what happened when Amazon was breached earlier this year by hackers leveraging weak passwords and poor security hygiene to divert funds from Amazon’s vendors into the hackers’ own bank accounts.
Breaches like that are common, but they don’t have to be, Bohren told me. Company decision makers need to challenge and empower their CISOs to prevent unauthorized or over-privileged access. “Cybersecurity professionals need to rethink their IAM strategies to make sure every partner and vendor has exactly the access they need, and not a single byte more,” he says.
FIM systems
One technology that can help: Federated Identity Management. So-called FIM systems use common sets of identity data to tie together multiple systems. FIM systems have been refined and made very flexible and reliable.

Acohido and Bohren
It is technically feasible for an employee to use one company logon to securely access internal company systems and applications, as well as cloud-based tools supplied by outside vendors: the same logon for internal apps and for external cloud services such as Office 365, Concur expense reporting or Salesforce CRM tools.
“Right now most users at most enterprises have something like five to seven logins they need to use to get their jobs done every day,” Bohren points out. “That’s a problem because that’s five to seven potential vulnerabilities. What enterprises should be doing is working on reducing that to fewer logins and that will translate into fewer vulnerabilities.”
Rethinking access
It is vital that the assigning and use of “privileged access” be carefully considered and closely monitored, as well. Why so? “Privileged access is a big problem because that’s where we’re seeing a lot of these hacks happening right now — it’s privileged accounts being compromised,” he says.
Obtaining the logon of a system administrator who has root access to all systems represents “the keys to the kingdom,” Bohren continues. “They can now penetrate the main controller acting as an admin and change anybody’s password they want. At that point they own your environment.”
I can recall interviewing IAM vendors just a few years ago when their big push was to get companies to take stock of, and reduce, the wide proliferation of privileged access accounts.
In the rush to accelerate digital commerce, companies routinely granted privileged access to non-technical managers, and even clerical staff: people who had no business requirement for deep access. Naturally, threat actors targeted those employees, stole their logons, and got deep access.
Two-factor authentication push
There has been some tightening down of privileged access, particularly in the financial services and health care industries. So, naturally, the smartest hackers are targeting system administrators who need privileged access, including root access to critical systems, to do their jobs.
Optimal IdM and other IAM vendors today are pushing for organizations to require two-factor authentication for anyone logging on to sensitive systems. “We’re encouraging additional security to be put on top of the admin logins,” Bohren says. “In addition to having the user id and password, they also are going to need to have some kind of second factor authentication.”
Another area of emphasis calls for companies to audit logons to sensitive systems. “This would generate an audit record of who got access to what, and that’s really important,” Bohren says.
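The two controls above, a second factor on logons to sensitive systems and an audit record of who got access to what, can be checked mechanically against logon events. This is an added illustration, not code from the article or from Optimal IdM; the log format, system names, role names and events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy inputs (assumptions for this example, not from the article).
SENSITIVE_SYSTEMS = {"domain-controller", "payroll-db"}
PRIVILEGED_ROLES = {"admin", "root"}

# Constructed sample logon lines in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2019-06-03T08:01:00Z user=alice role=admin system=domain-controller mfa=yes
2019-06-03T08:05:00Z user=bob role=admin system=payroll-db mfa=no
2019-06-03T08:07:00Z user=carol role=user system=intranet-wiki mfa=no
2019-06-03T08:09:00Z user=dave role=user system=payroll-db mfa=yes
2019-06-03T08:12:00Z user=erin role=user system=domain-controller mfa=no
"""

@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    user: str
    role: str
    system: str
    mfa: bool  # True when a second factor was presented

def parse_line(line: str) -> LogonEvent:
    """Parse one 'timestamp key=value ...' line into a LogonEvent."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return LogonEvent(timestamp, fields["user"], fields["role"],
                      fields["system"], fields["mfa"] == "yes")

def parse_log(text: str) -> List[LogonEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def audit_records(events: List[LogonEvent]) -> List[Dict[str, str]]:
    """One 'who got access to what' record per logon to a sensitive system."""
    return [{"when": e.timestamp, "who": e.user, "role": e.role,
             "what": e.system, "second_factor": "yes" if e.mfa else "no"}
            for e in events if e.system in SENSITIVE_SYSTEMS]

def policy_violations(events: List[LogonEvent]) -> List[Dict[str, str]]:
    """Password-only logons to sensitive systems; privileged roles rank highest."""
    findings = []
    for e in events:
        if e.system in SENSITIVE_SYSTEMS and not e.mfa:
            severity = "high" if e.role in PRIVILEGED_ROLES else "medium"
            findings.append({"who": e.user, "what": e.system, "severity": severity})
    return findings
```

Running `policy_violations(parse_log(SAMPLE_LOG))` on the constructed lines flags bob (admin, password only) as high and erin as medium, while `audit_records` keeps a record for every logon to the two sensitive systems.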
For a deeper dive on these takeaways, please listen to the accompanying podcast.
(Editor’s note: Last Watchdog has supplied consulting services to Optimal IdM.)