What is the single greatest point of vulnerability when it comes to information systems security? If you guessed “identity and access”, then you are correct!
Look at the largest security breaches of the past several years (Equifax, Yahoo, Target, Anthem, Uber, etc.) and you will notice that most of them involved stolen credentials (external attackers) or misused ones (insiders) at some stage of the attack, even where the initial entry point was something else, such as an unpatched web application. The Verizon Data Breach Investigations Report has found that roughly 80% of hacking-related breaches leverage stolen or weak passwords, and the Ponemon Institute puts the average cost of a data breach to a US company at about $7 million.
In this article, we share 4 steps your company can take to reduce the risk of a costly attack on your information systems.
In today’s complex business environment, employees have to log in to more than a dozen applications on a daily basis. These range from everyday apps like Office 365, Salesforce, Workday, Box, and Oracle E-Business Suite to far more sensitive VPN and system administrator accounts.
With so many apps and accounts to manage, employees may resort to:
These risks grow further when contractors, vendors, partners, and other external stakeholders also have access to your information systems, since their devices and password habits are outside your control.
What can you do about it?
The first step is to implement single sign-on (SSO) throughout your organization, giving each employee one set of credentials that grants seamless access to all of their apps. Because they no longer have to remember a dozen usernames and passwords, they can afford one long, hard-to-guess password, and the SSO provider can enforce its strength centrally. SSO solutions also provide self-service password reset and can enforce password rotation, though current guidance (NIST SP 800-63B) favours rotating a password on evidence of compromise rather than on a fixed schedule, because forced periodic changes tend to produce predictable variations of the old password.
Of course, single sign-on alone does not keep those credentials safe. It concentrates risk in a single password, so that password needs a second line of defence…
The second step is to combine single sign-on with multi-factor authentication (MFA); two-factor authentication (2FA) is the common case of exactly two factors. It works like this: when someone tries to log in to an MFA-enabled application, they must present a second factor (something they have, such as a phone or a hardware key) in addition to the password; adaptive MFA solutions go further and trigger additional checks based on risk signals such as device, location and time of day.
The most common verification techniques are a push notification to the account holder’s phone or a one-time code generated on it. So, even if attackers get their hands on an employee’s password, that password is useless without the employee’s phone as well. Two caveats a practitioner should know: SMS codes and simple approve/deny push prompts can be phished in real time or worn down by repeated prompts (“push fatigue”), so prefer number matching on push and, for high-value accounts, phishing-resistant factors such as FIDO2/WebAuthn security keys.
Location-based checks (often called “impossible travel” detection) are also built into most multi-factor authentication solutions. Consider an employee based in San Francisco, CA, who always logs in to the corporate network from there. If someone tries to log in from Russia with his credentials an hour after his last San Francisco login, the system flags the attempt, steps up authentication or blocks it, and alerts IT administrators to the potential breach.
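The following is an added example of that impossible-travel check run over a few constructed login records; it is not code from the article or from any product it names. It assumes the authentication log has already been enriched with a GeoIP latitude and longitude per login (the CSV layout, the user names and the coordinates are all made up for the example) and uses the speed between consecutive logins of the same user as the signal.

```python
import math
from datetime import datetime

# Constructed sample log lines (not from any real system): user,UTC time,lat,lon
# alice: San Francisco, then Moscow one hour later (impossible).
# bob:   San Francisco, then Oakland half an hour later (ordinary commute).
SAMPLE_LOG = """\
alice,2024-03-04T09:00:00Z,37.7749,-122.4194
bob,2024-03-04T09:00:00Z,37.7749,-122.4194
alice,2024-03-04T10:00:00Z,55.7558,37.6173
bob,2024-03-04T09:30:00Z,37.8044,-122.2712
"""


def parse_log(text):
    """Parse the constructed CSV layout into (user, datetime, lat, lon) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, lat, lon = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((user, when, float(lat), float(lon)))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive logins by the same user that would require travelling
    faster than `max_speed_kmh` (roughly airliner speed).

    Pairs closer than `min_distance_km` are ignored: GeoIP places users in
    neighbouring cities all the time, and that noise would otherwise dominate.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(ev[0], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if dist < min_distance_km:
                continue
            hours = (cur[1] - prev[1]).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": (prev[2], prev[3]), "to": (cur[2], cur[3]),
                    "km": round(dist), "kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print(alert)  # one alert: alice, about 9,400 km in one hour
```

In production the same logic should ignore known corporate egress points and VPN concentrators (which make everyone appear to log in from the data centre) and treat an alert as a trigger for step-up authentication rather than as proof of compromise on its own.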
Single sign-on (SSO) and two-factor authentication (2FA) provide an excellent foundation for blocking internal and external threats to your information systems. But it doesn’t stop there… The third step is to adopt formal access control policies and procedures to ensure that the right person has access to the right resources at all times throughout your organization.
One of the most popular models for this is role-based access control (RBAC). It lets you provision — and, perhaps more importantly, automatically deprovision — access for individuals based on their role at the company. For example, imagine that one of your financial analysts has just moved to a new department, working with a brand-new team on a completely different project. He should no longer have access to the files from his previous role, and he needs access to the files for his new one. Without a streamlined joiner/mover/leaver process, the new access gets granted because someone asks for it, but the old access is rarely revoked, and that leftover access is exactly the kind of gap attackers and auditors find.
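To show what “automatic deprovisioning” means in practice, here is an added example (not code from the article or from any IAM product) of the entitlement diff an RBAC engine computes when a user’s roles change. The role-to-entitlement table, the role names and the separation-of-duties rule are all hypothetical; the point is that revocation is computed from what the user actually holds, so access that no current role justifies is removed too.

```python
# Hypothetical role -> entitlement model, constructed for this example.
ROLE_ENTITLEMENTS = {
    "employee":        {"email", "intranet"},               # birthright access
    "finance_analyst": {"erp_gl_read", "finance_share_ro"},
    "product_analyst": {"product_share_rw", "jira_product"},
    "ap_clerk":        {"erp_ap_create"},
    "ap_approver":     {"erp_ap_approve"},
}

# Separation of duties: sets of entitlements no single person may hold together
# (hypothetical rule: whoever creates an invoice must not be able to approve it).
TOXIC_COMBINATIONS = [
    {"erp_ap_create", "erp_ap_approve"},
]


def entitlements_for(roles):
    """Union of the entitlements granted by a set of roles."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def plan_role_change(current, old_roles, new_roles):
    """Compute the provisioning actions for a mover (or a leaver, when
    new_roles is empty).

    current    entitlements the user actually holds today
    old_roles  roles the user had before the move
    new_roles  roles the user has after the move

    'revoke' is everything held that the new roles do not justify, which
    includes 'orphaned' access: entitlements granted ad hoc, or left over from
    an earlier move, that even the old roles did not explain.
    """
    target = entitlements_for(new_roles)
    expected_before = entitlements_for(old_roles)
    return {
        "grant": target - current,
        "revoke": current - target,
        "orphaned": current - expected_before,
    }


def sod_violations(entitlements):
    """Return the toxic combinations fully contained in an entitlement set."""
    return [combo for combo in TOXIC_COMBINATIONS if combo <= entitlements]


if __name__ == "__main__":
    # The analyst from the text: finance -> product, plus one stray approval right
    # that nobody ever cleaned up.
    holds = {"email", "intranet", "erp_gl_read", "finance_share_ro", "erp_ap_approve"}
    plan = plan_role_change(holds, {"employee", "finance_analyst"},
                            {"employee", "product_analyst"})
    print("grant:   ", sorted(plan["grant"]))     # jira_product, product_share_rw
    print("revoke:  ", sorted(plan["revoke"]))    # erp_ap_approve, erp_gl_read, finance_share_ro
    print("orphaned:", sorted(plan["orphaned"]))  # erp_ap_approve
    print("SoD:     ", sod_violations(entitlements_for({"ap_clerk", "ap_approver"})))
```

Run the same diff on a leaver with an empty `new_roles` and everything comes back under `revoke`, which is the behaviour you want on the day a contractor’s engagement ends. The `sod_violations` check belongs in the approval workflow for any new role assignment, before access is provisioned rather than during the annual audit.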
Having formal access controls in place also helps make auditing and compliance tremendously easier. This is crucial if your company is subject to regulations such as HIPAA, SOX, PCI DSS, GDPR, and more.
The fourth step is to take extra precautions with privileged account access, on top of the general access controls above. What exactly are privileged accounts? They are administrative accounts (e.g. local administrator or root, domain admin, Active Directory admin, and the service accounts that run your applications) that grant elevated, often unrestricted access to your critical IT systems. Every organization has them, and they are necessary for administration and maintenance. However, if privileged access falls into the wrong hands — or if someone simply holds more privilege than their job requires — that can spell catastrophe for your organization, because a single such account can disable the very controls described in the steps above.
For example, imagine that you have hired a contractor to perform maintenance on your IT systems, and he connects through your corporate VPN to do his work. If his access is not properly isolated and monitored, he could, knowingly or not, introduce malware onto your network or walk away with sensitive information. Privileged account management (PAM) controls — vaulting the passwords so nobody knows them, checking credentials out for a bounded task and rotating them on check-in, and recording the session — greatly reduce the risk of such a breach and give you an audit trail of exactly what was done with the elevated access.
Putting these information systems security strategies into practice can be a complex challenge. You have to design the right solution to fit your IT environment and needs (choosing from among dozens of vendors and products on the market), implement the solution (requiring strong technical expertise and understanding of business requirements), integrate the solution with your infrastructure and existing applications, and ensure smooth operations and system durability on an ongoing basis.
Thankfully, you don’t have to go it alone. We have a great deal of experience helping organizations of all sizes implement and manage complex information systems security solutions, and we would love to serve as your security partner. If you are interested in working with us, get in touch.
Sennovate is a global managed security services provider (MSSP) that specializes in Identity and Access Management (IAM) solutions and services.