Identity and access management have always been important to a CISO’s strategy, but unfortunately not enough are paying attention to the details judging by the number of breach reports citing theft of credentials as a key element of the attack.
In a column today Andy Taylor, a senior IBM managing security consultant, offers five clues that tip off ill-conceived or overly complex access governance processes can give too much access to the wrong people with too little oversight:
Do you know who uses or owns all user accounts in your organization? Are there any active accounts for people who have left? When was the last time your staff checked? If the answer is not in a while, that’s a warning sign. Taylor offers another: Neither the account naming convention nor the metadata gives any indication of account owners, yet the accounts can still be used to access sensitive resources.
–Poorly defined certification processes
IAM certification process appears too frequently with little warning or notification, Taylor says. “Notice is often sent to the incorrect reviewer and contains confusing entitlements only the IT guru understands.”. A poorly defined review processes means user identities and access to valuable resources aren’t secured, leading to risks, he points out.
–Inadequate access request approvals
You may have a good access approval process, but some people may be wrong for giving approvals. Taylor gives as an example persons who have no organizational relationship with the users, or individuals who know little about the business function or access. What’s particularly dangerous is privileged access only being approved by line managers who may not understand security requirements or policies. The result can be segregation-of-duty (SOD) breaches.
–Lack of segregation of duty controls
Some functions have to be segregated to limit the risk of fraudulent behavior — for example people who submit invoices shouldn’t be approving payment for their own spending. But, Taylor says, companies can have difficulty articulating SOD controls because of a lack of knowledge about their applications and their usage across business functions. “These process checks are often run manually and are ad hoc in timing — in most cases a long time after the access has been granted and occasionally in reaction to an incident or breach,” he writes.
–Independent processes across the organization
Having a range of different divisions, perhaps due to acquisitions and mergers or geographic separation can lead to organizations having different identity and access management processes and teams. Not only is this costly and inefficient, it’s risky.
This is an era offering a wide range of multifactor authentication technologies to make access to data more secure. But if infosec pros aren’t managing the process of enrolment and certification better all those tools won’t help.