COVID-19 has changed the rules for enterprise security, as it has forced a move to work-from-home (WFH) environments for many companies. And this will last beyond the immediate future into the post-pandemic economy. According to a Gartner survey, 74% of CFOs see WFH as an ongoing strategy, even after the pandemic abates, and intend to transition some employees to remote work permanently.
Infosec teams must address new threats and challenges originating from remote workers, making the need for better Identity Governance and Administration (IGA) more acute. In the past two years, 79% of organizations have suffered identity-related breaches. The cost of a breach to an organization is significant. The Verizon data breach a few years ago cost the company approximately $152 per individual record. The average cost per breach is $3.86 million, a figure that does not even include the loss of brand value. Moreover, WFH brings more phishing attacks, and WFH employees may introduce unauthorized software and devices that pose security threats.
Novel frameworks are a must
There is a need to rethink enterprise security. User identity has become a critical cybersecurity concern as more remote WFH users are issued credentials and granted access to corporate documents and data. A one-problem, one-tool approach to security is no longer sustainable. Security technologies must fundamentally work together if they are to achieve meaningful effectiveness. Research shows that companies that develop a forward-thinking approach to addressing identity security issues have significantly fewer breaches. Novel frameworks are a must for issuing and validating credentials – new IGA frameworks that can help secure corporate assets.
The overwhelming shift to WFH has added challenges to security. Already, a high number of organizations (94%) have experienced an identity-related breach, and 66% of organizations indicate phishing attacks constitute the most common attack vector for identity-related breaches. Add to these issues the security challenges created by WFH, including:
- Corporate IT losing control over computing assets, including unsanctioned software and unauthorized devices, with a corresponding loss of security.
- Gaps appearing in asset entitlements and user authentication.
Frameworks for issuing and validating credentials are a must, as privileged credentials are at the heart of 80% of cybersecurity breaches. Physical security may be great, yet what’s needed are security measures and frameworks that focus on identities.
Unfortunately, many organizations do not do a good job of tracking their employees for security purposes. Employees transfer to a different position, or leave the company, yet their access credentials remain in effect. Employees receive new credentials, while their old ones are not de-provisioned. The problem is compounded by the number of organizations that do not use an automated IGA solution and instead rely on manual processes to de-provision credentials.
To improve critical infrastructure cybersecurity, an identity-centric standardized framework should be established to provide credentials and assess risk. This framework places identities and credentials at the core of security and determines how they are best issued, managed, verified, revoked, and audited for authorized devices, users and processes. The framework also determines how remote access is managed.
Governance-driven processes
It is important to automate the provisioning and de-provisioning processes to save time and reduce error. Toward this end, privileged accounts and entitlements are best granted through governance-driven provisioning.
Implementation approaches
There are different implementation approaches. Requests for privileged accounts can be initiated by users from an IGA tool, and user access is then provisioned through an IGA workflow. Or, for those who prefer the manual approach, IT service management (ITSM) can handle the provisioning workflow. Here, the privileged account request is initiated from an ITSM tool, and the requests and entitlements granted are logged for audit purposes. ITSM remains accountable to the IGA system: it hands off the request to the IGA, which provisions user access to the privileged access management (PAM) tool.
Just as with provisioning, there are de-provisioning options. In one approach, the governance system is integrated directly with the PAM system. The de-provisioning process is initiated through HR and integrated with the PAM tool. The advantage here is that if the action is going through HR, it will propagate down and remove access from that user immediately.
In a second approach, the de-provisioning process is initiated through HR and integrated with the corporate directory. The governance system modifies content in a directory where objects are associated with privileged accounts and entitlements of privileged resources. The typical HR lifecycle acts as a trigger for the governance system.
In a third approach, the de-provisioning process is initiated through HR and integrated with the application. Here, the IGA system is integrated directly with the systems containing privileged access so that it can modify privileged access accordingly. Manual processes are avoided.
A manual option is still possible in which HR initiates a de-provisioning process that notifies application owners to manually remove privileged access. But a manual approach is not recommended. Maintaining data on written documents and spreadsheets may be convenient -- until there is a security lapse.
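The following is an added example illustrating the governance-driven de-provisioning flow described above; it is not code from the article or from the IDSA. It models an HR lifecycle event (transfer or termination) as the trigger, routes revocations to hypothetical PAM and application connectors, writes an audit record for each revoked entitlement, and includes a reconciliation check that surfaces orphaned entitlements of the kind left behind by manual processes. The role catalogue, user records, connector names and entitlement prefixes are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Constructed sample role model: the privileged entitlements each job role may hold.
# In a real deployment this comes from the IGA role catalogue. The prefix before ':'
# names the system that owns the entitlement (used to route revocations).
ROLE_ENTITLEMENTS = {
    "dba": {"pam:prod-db-admin", "app:billing-reports"},
    "developer": {"app:ci-deploy", "app:billing-reports"},
    "helpdesk": {"pam:workstation-local-admin"},
}


class HrEvent(Enum):
    TRANSFER = "transfer"        # role change: keep only what the new role allows
    TERMINATION = "termination"  # leaver: revoke everything and disable the account


@dataclass
class Identity:
    user_id: str
    role: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)


@dataclass
class AuditRecord:
    when: str
    user_id: str
    event: str
    entitlement: str
    target: str


class Connector:
    """Hypothetical target-system connector (PAM tool or application).
    A real connector would call the target's API; this one records what it
    revoked so the workflow can be exercised offline."""

    def __init__(self, name):
        self.name = name
        self.revoked = []

    def revoke(self, user_id, entitlement):
        self.revoked.append((user_id, entitlement))


class GovernanceEngine:
    def __init__(self, identities):
        self.identities = {i.user_id: i for i in identities}
        self.connectors = {"pam": Connector("pam"), "app": Connector("app")}
        self.audit = []

    def _revoke(self, ident, entitlement, event):
        # Route the revocation to the owning system and record it for audit.
        target = entitlement.split(":", 1)[0]
        self.connectors[target].revoke(ident.user_id, entitlement)
        ident.entitlements.discard(entitlement)
        self.audit.append(AuditRecord(datetime.now(timezone.utc).isoformat(),
                                      ident.user_id, event.value, entitlement, target))

    def handle_hr_event(self, user_id, event, new_role=None):
        """Apply an HR lifecycle event; returns the entitlements revoked (sorted)."""
        ident = self.identities[user_id]
        if event is HrEvent.TERMINATION:
            keep = set()
            ident.enabled = False
        elif event is HrEvent.TRANSFER:
            if new_role not in ROLE_ENTITLEMENTS:
                raise ValueError(f"unknown role: {new_role}")
            ident.role = new_role
            keep = ROLE_ENTITLEMENTS[new_role]
        else:
            raise ValueError(f"unsupported event: {event}")
        to_revoke = sorted(ident.entitlements - keep)
        for entitlement in to_revoke:
            self._revoke(ident, entitlement, event)
        return to_revoke

    def find_orphaned_entitlements(self):
        """Reconciliation: entitlements held beyond what the current role permits,
        or held by a disabled account. An empty result means governance matches reality."""
        orphans = {}
        for ident in self.identities.values():
            allowed = ROLE_ENTITLEMENTS.get(ident.role, set()) if ident.enabled else set()
            extra = ident.entitlements - allowed
            if extra:
                orphans[ident.user_id] = extra
        return orphans


def build_sample_engine():
    # Constructed sample identities. 'carol' moved from dba to developer via a manual
    # process that never removed her old PAM entitlement: the orphan the check should find.
    return GovernanceEngine([
        Identity("alice", "dba", entitlements={"pam:prod-db-admin", "app:billing-reports"}),
        Identity("bob", "helpdesk", entitlements={"pam:workstation-local-admin"}),
        Identity("carol", "developer", entitlements={"app:ci-deploy", "pam:prod-db-admin"}),
    ])


if __name__ == "__main__":
    engine = build_sample_engine()
    print("transfer alice ->", engine.handle_hr_event("alice", HrEvent.TRANSFER, new_role="developer"))
    print("terminate bob ->", engine.handle_hr_event("bob", HrEvent.TERMINATION))
    print("orphaned entitlements:", engine.find_orphaned_entitlements())
    for record in engine.audit:
        print(record)
```

The transfer case is the one manual processes most often get wrong: the user keeps the entitlements of the new role but loses everything the old role carried, rather than accumulating both. Running the reconciliation check on a schedule is how the governance system catches entitlements that bypassed it.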
Establishing a comprehensive and effective cybersecurity program that secures an enterprise is a challenge. Given the rise in WFH, expected to continue beyond the pandemic, organizations are being forced to improve the way they identify, track, and manage employees, applications, and devices that access their resources. Identity and asset management is a critical component of a successful security strategy.
Key to this effort is identifying the vulnerability and risk associated with different identity types and resources. Identity-defined security outcomes can be achieved using many different automated identity-defined security implementation strategies. These approaches combine identity and security capabilities that help organizations leverage identity context to improve their security posture. These programs are well worth the investment, given the potential for monetary damages and the loss of customers and brand value.
Note: This article was adapted from a webinar entitled “Identity Defined Security Outcome Deep Dive” presented with the Identity Defined Security Alliance (IDSA).