With machine identities, floating employees and risky vendor access rights complicating the work of IT teams, this checklist is a timely reminder …
Initially a stop-gap measure, remote/hybrid-working arrangements have become a permanent part of organizational work styles, with corporate leaders increasingly recognizing the value of this kind of working style in driving business growth.
Organizations seem to be lagging in fully transitioning to the new workplace reality, at least from a cybersecurity perspective. Cases such as the breach at air transport IT company SITA show that when it comes to implementing effective IT security, one of the most important elements to consider is the way in which identities are managed.
Within corporate IT infrastructures, an identity represents a one-to-one relationship between a human and their digital presence. However, that digital presence can have multiple accounts, multiple credentials, and an infinite number of entitlements in electronic format. This is what makes identity security so important. It is vital to be able to map identities back to the person to whom they belong while also validating their privileges.
However, six important identity-linked challenges can be encountered when it comes to achieving this mapping, and IT teams need to take note of them:
Members of staff with the same names
When members of staff share a common name with a colleague, this can be an issue where corporate email addresses are based on a combination of first and last names. Some businesses avoid this by adding a middle initial or a number as a suffix; however, multiple entries in a global address list can make finding the right individual difficult.
Instead, consider adopting an account nomenclature based on full names, including middle initials. This approach will help stop emails being mistakenly sent to the wrong people, which could result in the inappropriate disclosure of sensitive information and cause data privacy issues.
The issue of ‘floating’ employees
Identity classification problems can happen with staff who ‘float’ regularly between departments or office locations. In identity management terms, a floating staff member may also be called a collector or mover. Floating employees generally have broad entitlements and, at any given time, it can be hard to report what their proper access rights should be.
IT teams need to find a way to register these identities in the organization’s identity governance solution and central directory stores and ensure that their privileges are checked and updated on a regular basis.
Over-provisioning of access rights
Administrator account rights allow a digital identity to have widespread access across an IT infrastructure. However, when these rights are over-provisioned, significant security problems may arise.
A challenge for most environments is the certification of who has administrator rights and whether these are actually required. Alternatively, implementing the principle of least privilege, including just-in-time access, can significantly mitigate risks around access rights.
Issues around mergers and acquisitions
When plans are implemented to consolidate two organizations’ IT domains, identities, applications and policies, best practices can often be inadvertent casualties.
This, in turn, can lead to identity problems ranging from over-provisioning to multiple accounts and domain names that do not follow an established pattern. As a result, a cascade of additional identity-related problems can surface, including applications that only work in some domains. If a business fails to merge standard operating procedures and establish technology baselines first, any subsequent identity management initiatives will suffer.
For this reason, it is essential to establish security policies (including identity policies) and provisioning baselines at the outset of any merger or acquisition. This will then provide support for future activity.
The rapid growth of non-human identities
Traditionally, digital identities have been primarily associated with human users. However, modern computing environments now incorporate many types of non-human identities. Things such as robots, Internet of Things (IoT) infrastructures, and control systems all have identities that can be compromised by cybercriminals.
To avert this problem, make sure all machine-based identities have ownership assigned in the same way as human users.
Vendor (supply chain) identities
Trusted vendors and partners are likely to require access to the corporate IT infrastructure.
Special controls must be implemented to manage these third-party identities, validate that all their activity is appropriate, and provide an audit trail of activities.
IT teams should consider creating controls to manage these identities outside of typical directory services and avoid assigning generic accounts like ‘Consultant1’ or ‘VendorABC’. Such users should have actual account names for the duration of their services, to allow for a management paradigm that reflects the simplicity and often transient nature of their access.
Access rights should also be assigned following a model of least privilege, have strong monitoring capabilities, and be simple enough to administer that the burden of management is much lighter than that of managing employees.
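As an added illustration (not part of the original article), several of the checks above can be run as a small audit over an identity inventory: shared names, machine identities without an owner, generic or open-ended vendor accounts, and administrator rights that have not been recertified. The inventory, its field names, the 90-day recertification window and the generic-name pattern are all assumptions constructed for this example.

```python
import re
from collections import Counter
from datetime import date

def rec(account, kind, name=None, owner=None, admin=False, certified=None, expires=None):
    """Build one inventory record; the field names are assumptions for this example."""
    return dict(account=account, kind=kind, name=name, owner=owner,
                admin=admin, certified=certified, expires=expires)

# Constructed sample inventory, not data from the article.
INVENTORY = [
    rec("john.a.smith", "human", name="John Smith", owner="self", admin=True, certified=date(2024, 5, 1)),
    rec("john.b.smith", "human", name="John Smith", owner="self"),
    rec("svc-build-agent", "machine", admin=True),
    rec("iot-gateway-07", "machine", owner="ot-team"),
    rec("Consultant1", "vendor", owner="procurement"),
    rec("maria.lopez.acme", "vendor", owner="it-ops", expires=date(2024, 9, 30)),
]
# Assumed pattern for role-style names such as the article's 'Consultant1' / 'VendorABC'.
GENERIC = re.compile(r"^(consultant|vendor|contractor|temp)[\w-]*$", re.IGNORECASE)

def audit(inventory, today, max_cert_age_days=90):
    """Return (account, finding) pairs for the identity issues in the checklist."""
    findings = []
    names = Counter(i["name"] for i in inventory if i["kind"] == "human")
    for i in inventory:
        acct, kind = i["account"], i["kind"]
        if kind == "human" and names[i["name"]] > 1:
            findings.append((acct, "shared-name"))
        if kind == "machine" and not i["owner"]:
            findings.append((acct, "machine-identity-without-owner"))
        if kind == "vendor":
            if GENERIC.match(acct):
                findings.append((acct, "generic-vendor-account"))
            if i["expires"] is None:
                findings.append((acct, "vendor-access-without-end-date"))
            elif i["expires"] < today:
                findings.append((acct, "vendor-access-past-end-date"))
        # Standing admin rights must have been certified within the window.
        cert = i["certified"]
        if i["admin"] and (cert is None or (today - cert).days > max_cert_age_days):
            findings.append((acct, "admin-rights-not-recertified"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(INVENTORY, today=date(2024, 6, 1)):
        print(f"{account:18} {finding}")
```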
By considering these issues and taking appropriate steps, organizations can ensure they have a robust identity framework in place that supports staff while also delivering effective security for digital assets.