Every company concerned with protecting its systems and information must also be concerned with shortcomings in its cybersecurity risk management efforts. Some companies possess critical information, such as confidential business and customer data, which if compromised can lead to serious consequences including competitive disadvantage, tarnished corporate image, lost customers and loyalty, increased fraud costs, lawsuits, and penalties for violating regulations. Companies usually have good intentions when it comes to information security and consumer data privacy but fail to properly plan or execute the information protection plan due to concerns about initial costs, required efforts, and lack of resources.

Shortcomings in cybersecurity risk management and best practices

Shortcomings in cybersecurity risk management can be attributed to the lack of information security risk awareness on the part of company executives and management, who are sometimes blinded by short-term gains. Some companies do not take information protection seriously because of the immediate costs associated with protecting confidential information. According to Henry Bagdasarian, “companies typically pay attention to cybersecurity when associated costs and efforts are tied to mandatory compliance with regulations, customer requirements or audits, and serious data breach incidents”. As such, executive management support for cybersecurity is usually limited to the bare minimum in order to comply with laws, keep customers happy, and maintain a responsible corporate image at the lowest cost possible.

When companies only consider the immediate impact of information protection, they fail to properly address the long-term information protection risks, including lost revenues, lawsuits, government or client scrutiny, impact on their industry, and the costs of identity theft and fraud cases.

Impact of Data Security Regulations

Most of the time, information protection laws are introduced and forced upon businesses because companies fail to properly and collectively address the data protection risks to society and the damage inflicted upon others. But why do companies need government intervention to do the right thing? Isn’t proper protection of customer information a good business practice with long-term benefits such as higher revenues due to customer loyalty and retention? Then why give the government an opportunity to introduce overlapping laws which will cost money to comply with anyhow? Why can’t industries proactively act in the best interest of everyone to address a business risk which is growing each day? System intrusions, data breaches, identity theft and fraud are growing business risks which should be properly addressed and which might require actions beyond the regulatory requirements, such as educating customers. Corporate cybersecurity risk management shortfalls may be ignored by the government for as long as they do not affect people or other businesses. Once this line is crossed, governments and their lawyers will react to protect consumers and affected parties.

Cybersecurity Risk Management Shortfalls

Shortcomings in cybersecurity risk management are many; however, companies which either fail to identify as many of their shortfalls as possible or ignore their information security weaknesses are more exposed to the consequences of unprotected information.

Below is a list of information protection shortfalls:

Low visibility of the cybersecurity function – In many organizations, the cybersecurity team reports to the Chief Information or Technology Officer and lacks the direct line to the Board, or to a sub-committee of the Board, that would avoid a conflict of interest and allow issues to be escalated quickly. The function must be centralized as much as possible from an oversight standpoint.

Lack of adequate executive management and Board support – The lack of management and Board support often results in the lack of organization-wide support for the cybersecurity function as the tone at the top determines the behavior of the rest of the organization.

Lack of periodic risk assessment and gap analysis – A frequent and adequate risk assessment is a precursor to security gap identification and remediation. Periodic risk assessment is necessary to identify, prioritize, and remediate security gaps.

Incomplete cybersecurity scope – Before risk assessments can be executed, the cybersecurity scope must be determined. For example, critical systems and data must be identified, and the cybersecurity scope must also include processes outside of the information systems. Not all companies can readily list their systems and vendors which handle various types of business or personal data.

Inadequate budgets for automated tools, expertise, gaps remediation, and staffing resources – To properly address cybersecurity risks, planning must include adequate budgets for advanced tools which deploy artificial intelligence, technical expertise, and adequate levels of cybersecurity staffing.

Unqualified or inadequate level of cybersecurity management and staff – We often hear about the lack of available qualified cybersecurity experts in the market. This shortfall and budget deficits leave companies with no choice but to hire unqualified and less expensive employees or leave the vacant position open for a long time, which leads to shortcomings in cybersecurity risk management.

Lack of documented and communicated policies and procedures – Some companies either don’t have a full list of cybersecurity policies and procedures which are tied to best practices and global standards or do not update them regularly to reflect changes in the threat landscape. Once these cybersecurity policies and procedures are documented, they must be communicated to all appropriate parties to collectively help secure the systems and data.

Improperly designed or configured internal and system controls – Internal control is the foundation of risk management, and thus internal controls must be properly designed and configured within business operations and systems to ensure an adequate level of security across the enterprise.

Inadequate monitoring of external incidents and regulatory requirements – It is often said that knowledge is king and therefore being aware of the cyberattacks and how they occur is important for managing cybersecurity risks. Keeping track of industry standards and regulations is also important to avoid shortcomings in cybersecurity risk management.

Insufficient awareness of the risks and solutions – Organization-wide education regarding cybersecurity risks and best practices is critical to ensure continuous protection of systems and data. This includes employees, executives and management, customers, vendors and anyone else accessing the resources.

Unmanaged and blind transfer of controls to third parties – Many companies blindly trust their vendors and business partners to have adequate security and comply with best practices when they outsource their services. This is not a very good idea as the organization assumes the risks even if their vendors cause a data breach. It is wise to establish security SLAs with business partners and include an enforcement clause such as an audit.

Exclusion of cybersecurity from key business decisions and changes – Decisions made by various departments often have security implications which must be planned for and mitigated before they expose the organization to unnecessary risks. Such decisions include outsourcing, process re-engineering, acquisitions, and mergers. Many times, the cybersecurity teams are not aware of changes in their environment and therefore cannot assess or mitigate the risks on a timely basis.

Inappropriate access to confidential information and related systems – Access certification is a cybersecurity best practice which assesses and certifies access to systems and data periodically to determine the appropriateness of access to resources. The frequency of access audit and certification depends on the risk level of each system and the data residing within the system. As this is a labor-intensive effort, most companies delay or avoid this best practice.

Excessive collection, duplication, sharing, and retention of personal data – The excessive collection, retention, and sharing of personal data are collectively referred to as “Identity Obesity” by Henry Bagdasarian in his book titled Identity Diet, which suggests that most consumers and businesses are “identity obese” as they mishandle personal information. The proposed identity theft protection tips in the book were later adopted and included in the Certified Identity Protection Advisor (CIPA) certification study guide and exam.

Inconsistent and inadequate data destruction and disposal practices – Ignoring just-in-time data destruction adds cybersecurity risks. Since all confidential data must be protected, keeping unneeded data leads to unnecessary risk, cost and effort.

Poor data breach response and management – Finally, companies are very slow at detecting system breaches because they have not invested in state-of-the-art cybersecurity technologies. Also, most companies do not have an adequate breach response plan which addresses resources and vendors when a data breach occurs.

Estimates show 75.4 billion connected devices will be in use around the world by 2025. Because so many of these devices interface with physical systems, this raises significant concerns for both physical security and cybersecurity. However, the majority of businesses still handle the two separately.

Merging the digital realm with physical security is essential as more consumers, businesses and organizations continue to move toward reliance on the cloud and internet of things technology. Integrating cyber and physical security for better access management requires actionable plans for security policy implementation and enforcement to address current challenges.

Recognizing the Demise of the Perimeter

Businesses must think beyond the confines of offices and internal networks when considering security. The traditional “perimeter” has expanded to include devices connecting from numerous locations at all times of day. The result is a network with a higher degree of vulnerability from a number of distinct endpoints.

Expansion isn’t limited to large enterprises. Businesses of all sizes are adopting remote work policies and partnering with third-party vendors. Cloud migration is enabling more collaboration between employees in and out of the office. Mobile and IoT devices increase network complexity and may represent the most significant vulnerabilities in modern network environments.

With such a large and varied attack surface, converged security solutions are essential. Devices do much more than manipulate data; they regulate building systems, manage access control and serve as main avenues of communication. Hackers gaining access through any single endpoint can compromise data security and physical safety throughout an organization. This signals the need for smarter security solutions to address physical and digital vulnerabilities.

Considering Organizational Limitations

Unfortunately, full security convergence isn’t a reality in most businesses. It’s either a work in progress or not on the radar at all. According to the ASIS International 2019 State of Security Convergence study, 24% of companies in the U.S., Europe and India have fully converged physical security and cybersecurity. If business continuity is also considered, only 16% of companies in the U.S. have achieved full convergence; 70% have no plans to attempt it.

To identify barriers to physical and cyber security convergence, businesses must examine current physical security systems and cybersecurity policies. Siloed processes and a lack of communication between departments must be addressed when creating unified security protocols.

Mindset among security professionals also has a significant influence. If those heading up different areas of security don’t understand the intimate relationship between digital and physical systems, they’re not likely to recognize the need for convergence. A successful protocol requires a shared commitment to protecting the company’s most valuable assets by maintaining clear communication and working together to enhance all aspects of security.

Understanding the Physical and Cyber Security Risks

Cultivating such a mindset begins with an understanding of how cyber and physical systems are already connected. Converged security solutions are essential to address the vulnerabilities emerging as the result of the way networks, devices and systems have begun to overlap.

The digital realm is no longer isolated from the physical. Building systems, medical devices, manufacturing equipment and much more now rely on connected technology for operation. These physical elements, including apparent incidentals like HVAC units, pose the greatest level of breach risk.

Why? Because businesses share the security vulnerabilities of any party connecting to their networks. Devices often allow or require third-party access for maintenance and monitoring. Many businesses also erroneously believe such devices are already secure and don’t require additional protections. Because entry into one system can give hackers control of other devices on the network, businesses should perform regular audits to identify all connected devices and eliminate potential entry points.

Supporting Cooperation Between Departments

Physical security involves protecting essential equipment, as well as infrastructure of businesses and buildings and their employees or occupants. Cybersecurity addresses access control and data protection. Bringing the two together shouldn’t seem foreign, so it’s up to company leadership to communicate the importance of adopting an all-encompassing security strategy.

When IT departments and those in charge of physical security come together to discuss the needs and challenges in both realms, it reveals areas where policies and protocols can be streamlined for more effective security and overall cost savings. Merging protocols through an automated, scalable security system designed to support convergence makes it possible to create specific parameters for physical and digital access, which not only minimizes vulnerabilities but also provides a critical audit trail in the event malicious activity is discovered.

Developing converged security solutions requires thinking outside the box and embracing a “holistic” view of security. IT professionals, cybersecurity experts and business executives need to get serious about breaking down silos and developing all-in-one security solutions with the goal of addressing every known point of vulnerability. With improved communication, integrated platforms and detailed policies, businesses can create secure systems equipped to meet today’s biggest security challenges.

Identity and access management certifications

Access controls are designed to allow, deny, limit, and revoke access to resources through identification, authentication, and authorization. When we discuss managing access to data, we have to address both physical and logical access. Physical access refers to buildings, devices, and documents while logical access refers to computer or system access.

Access Management Concepts

Let’s go over some of the security and identity management concepts which are included in the scope of some of the Identity Management Institute certification programs and examinations.

Identification

Identification is the introduction or presentation of an entity (person or device) to another entity.

Authentication

Authentication is a process in which the credentials provided by an entity are compared to the entity’s information stored on a system to validate the identity.

Authorization

Authorization occurs after an entity’s identification and authentication have occurred to determine exactly what they are allowed to do. Authorization is implemented through the use of access controls.

Principle of Least Privilege

The principle of least privilege dictates that we should only allow the bare minimum of access to an entity which may be a person, device, account, or process to allow it to perform the required function. This concept also applies to computer services which may be granted more access and capability than required to run the system through inappropriate programming.

Principle of Separation of Duties

The Separation of Duties principle is achieved by dividing a task and the authority for a specific business process among multiple users. The primary objective is to prevent exploitation and fraud by requiring two people to complete a task. For example, to ensure security when transferring funds online, the system may require two people to enter the system and approve the transaction.

Access Control List

An access control list (ACL) is a list of permissions, typically associated with a computer file system, which is attached to an object or entity. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on those objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read, write; Bob: read), this would give Alice permission to read and write the file and Bob permission to only read it.

Capabilities

Where ACLs define the permissions based on a given identity and a set of permissions, capability-based access provides an alternative method of granting access based entirely on something we possess such as a token, access badge, or pass code. In a capability-based system, applications can share with other applications the token that defines their level of access.

Access Control Methodologies

Depending on the access control methodology, access may be granted based on something that we know, something that we have, or something that we are.

An example of something that we know is a password or code, something that we have is an access badge, and something that we are is our fingerprint or other biometric data.

Access Control Models

The most common set of simple access control models includes discretionary access control, mandatory access control, rule-based access control, role-based access control, and attribute-based access control.

Discretionary Access Control

Discretionary Access Control (DAC) is a model of access control based on access being determined by the owner of the target resource. The owner of the resource can decide who does and does not have access, and exactly what access they are allowed to have.

Mandatory Access Control

Mandatory Access Control (MAC) is a model of access control in which the owner of the resource does not get to decide who gets to access it; instead, access is decided by a group or individual who has the authority to set access on resources. We can often find MAC implemented in government organizations, where access to a given resource is largely dictated by:

  • the sensitivity label applied to data (secret, top secret, etc.),
  • the level of sensitive information the individual is allowed to access (perhaps only secret), and
  • whether the individual actually has a need to access the resource, which is the principle of least privilege.

Role-Based Access Control

Role-Based Access Control (RBAC) is a model of access control that, similar to MAC, functions on access controls set by an authority, rather than by the owner of the resource. The difference between RBAC and MAC is that access control in RBAC is based on the role of the individual accessing the resource.

Attribute-Based Access Control

Attribute-Based Access Control (ABAC) is based on attributes. These can be the attributes of a particular person, of a resource, or of an environment. Attributes may be Subject (height of a person in an amusement park), Resource (software that only runs on a particular operating system or website), or Environmental (time of day or length of activity time passed).

Multilevel access control models may be used by military and government organizations where the simpler access control models that we just discussed may not be considered robust enough to protect the information to which we are controlling access.
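The following sketch evaluates the same request under the DAC, MAC, RBAC and ABAC models described above. It is an added example, not code from the original article; the users, file name, roles, labels and attribute rule are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered sensitivity labels for the MAC check (constructed for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

# RBAC: an authority, not the resource owner, maps roles to permitted operations.
ROLE_PERMISSIONS = {
    "payroll-clerk": {("payroll.xlsx", "read")},
    "payroll-manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
}


@dataclass
class Subject:
    name: str
    clearance: str = "public"
    need_to_know: frozenset = frozenset()   # compartments needed for the job
    roles: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"
    compartment: str = ""
    attributes: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)  # DAC: subject name -> operations


def dac_grant(resource, acting_user, grantee, operations):
    """DAC: only the owner of the resource decides who gets which access."""
    if acting_user != resource.owner:
        raise PermissionError(f"{acting_user} does not own {resource.name}")
    resource.acl[grantee] = set(operations)


def dac_allows(subject, resource, operation):
    return operation in resource.acl.get(subject.name, set())


def mac_allows(subject, resource):
    """MAC: clearance must reach the label AND a need to know must exist."""
    cleared = LEVELS[subject.clearance] >= LEVELS[resource.label]
    return cleared and resource.compartment in subject.need_to_know


def rbac_allows(subject, resource, operation):
    return any((resource.name, operation) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def abac_allows(subject, resource, environment):
    """ABAC: subject, resource and environmental attributes must all match."""
    dept = subject.attributes.get("department")
    same_dept = dept is not None and dept == resource.attributes.get("department")
    os_ok = environment.get("client_os") in resource.attributes.get("supported_os", ())
    limit = resource.attributes.get("max_session_minutes", 0)
    return same_dept and os_ok and environment.get("session_minutes", 0) <= limit


def evaluate(subject, resource, operation, environment):
    """Return each model's decision for one and the same request."""
    return {
        "dac": dac_allows(subject, resource, operation),
        "mac": mac_allows(subject, resource),
        "rbac": rbac_allows(subject, resource, operation),
        "abac": abac_allows(subject, resource, environment),
    }


def demo():
    payroll = Resource(
        name="payroll.xlsx", owner="carol", label="secret", compartment="payroll",
        attributes={"department": "finance", "supported_os": ("windows", "linux"),
                    "max_session_minutes": 30},
    )
    # The ACL from the text: (Alice: read, write; Bob: read), set by the owner.
    dac_grant(payroll, "carol", "alice", {"read", "write"})
    dac_grant(payroll, "carol", "bob", {"read"})
    alice = Subject("alice", clearance="top secret",
                    roles=frozenset({"payroll-manager"}),
                    attributes={"department": "finance"})
    bob = Subject("bob", clearance="secret", need_to_know=frozenset({"payroll"}),
                  roles=frozenset({"payroll-clerk"}),
                  attributes={"department": "finance"})
    env = {"client_os": "linux", "session_minutes": 10}
    return {s.name: evaluate(s, payroll, "write", env) for s in (alice, bob)}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

Alice holds a higher clearance than the label requires yet fails the MAC check because she has no need to know, while Bob passes MAC but is stopped by the ACL and by his role.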

Physical Access Controls

When discussing physical access controls, we are often largely concerned with controlling the access of individuals, devices, and vehicles.

Access control for individuals often revolves around controlling movement into and out of buildings or facilities. We can see simple examples of such controls on the buildings of many organizations in the form of badges that control door access to facilities (something we have). Such badges are typically configured on an ACL that permits or denies their use for certain doors and regulates the time of day that they can be used.
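A badge ACL of the kind just described can be checked as shown in this added example, which is not part of the original article. The badge identifiers, door names, time windows and swipe records are constructed; the check denies by default and handles a night-shift window that crosses midnight.

```python
from datetime import datetime, time

# Constructed badge ACL: badge id -> door -> list of (start, end) time windows.
BADGE_ACL = {
    "badge-1001": {
        "lobby": [(time(0, 0), time(23, 59, 59))],
        "server-room": [(time(8, 0), time(18, 0))],
    },
    "badge-2002": {  # night-shift operator: the window crosses midnight
        "lobby": [(time(0, 0), time(23, 59, 59))],
        "server-room": [(time(22, 0), time(6, 0))],
    },
}
REVOKED = {"badge-3003"}

# Constructed swipe records: (timestamp, badge, door).
SWIPES = [
    ("2024-05-06T09:15:00", "badge-1001", "server-room"),
    ("2024-05-06T19:30:00", "badge-1001", "server-room"),
    ("2024-05-06T23:10:00", "badge-2002", "server-room"),
    ("2024-05-07T05:45:00", "badge-2002", "server-room"),
    ("2024-05-07T12:00:00", "badge-2002", "server-room"),
    ("2024-05-07T12:05:00", "badge-1001", "vault"),
    ("2024-05-07T12:10:00", "badge-3003", "lobby"),
    ("2024-05-07T12:15:00", "badge-9999", "lobby"),
]


def in_window(moment, start, end):
    """True if moment falls inside [start, end], including overnight windows."""
    if start <= end:
        return start <= moment <= end
    return moment >= start or moment <= end  # e.g. 22:00 -> 06:00


def badge_allowed(badge, door, when):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if badge in REVOKED:
        return False, "badge revoked"
    doors = BADGE_ACL.get(badge)
    if doors is None:
        return False, "unknown badge"
    windows = doors.get(door)
    if windows is None:
        return False, "door not on badge ACL"
    if any(in_window(when.time(), start, end) for start, end in windows):
        return True, "allowed"
    return False, "outside permitted hours"


def audit(swipes):
    """Evaluate every swipe and keep the decision as an audit trail."""
    trail = []
    for ts, badge, door in swipes:
        allowed, reason = badge_allowed(badge, door, datetime.fromisoformat(ts))
        trail.append({"ts": ts, "badge": badge, "door": door,
                      "allowed": allowed, "reason": reason})
    return trail


if __name__ == "__main__":
    for entry in audit(SWIPES):
        print(entry)
```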

Physical access control for vehicles often revolves around keeping said vehicles from moving into or through restricted areas.

Tailgating

One of the more common issues with physical access controls is that of tailgating. Tailgating occurs when we authenticate to the physical access control measure, such as when using a badge, and then another person follows directly behind us without authenticating themselves.

Executive assistant superpowers should not be underestimated when considering the level of access that some executives have in an organization and the frequency by which they share their privileged access and information with their assistants.

In many organizations, some executives, who by the way sometimes have excessive and unnecessary access to data, facilities and systems, share their privileged access rights with their assistants, making them some of the most powerful employees in terms of access to restricted assets. Executives rightfully delegate much administrative work to their assistants; however, such delegation of administrative tasks occasionally transfers access to systems and data to a third person, increasing the risk of unauthorized access and disclosure. Sharing information with assistants may sometimes be necessary for executives; however, sharing security-related data such as passwords may go against security policies and best practices.

Typical executive assistants usually have access to much confidential information in their departments, as they are involved with many tasks including documentation and processes related to hiring, performance reviews and termination. They also handle much of the executives’ administrative work, such as expense reporting, email response, calendar management and purchases with the executive’s credit cards.

As previously stated, some executives have powerful access to many resources and assets in the company, whether by design or accidentally, and when they share their unrestricted access with their assistants, they place their companies at risk because the access to information, system or facility which was intended for the executive may not be appropriate and intended for the assistant.

Executive Assistant Superpower Risks

One of the biggest risks presents itself when executives share privileged access with their assistants for a routine task without realizing that such action may lead to additional unauthorized access. For example, it is not uncommon for a busy executive to ask the assistant to contact the help desk for a password reset because they forgot their password and don’t have time to wait on hold with the help desk, listening to a help desk person or automated music, for a password reset. For the executives, this is valuable time wasted, so they would rather have their assistants take care of the minor issues. In this example, even if corporate help desk procedures allow an executive assistant to ask for a password reset for the boss, how do we know the assistant doesn’t take advantage of this temporary power to satisfy his or her curiosity? The vast majority of executive assistants are ethical, decent, and hard-working professionals; however, from a security risk management standpoint, cybersecurity professionals must always try to minimize the risk.

Continuing with the password example, once a password is reset with a temporary password, most systems will force the person logging in for the first time with the temporary password to change it upon initial login, in order to allow the password owner to select a unique and personal password. What if, after the assistant is granted a new password, the assistant logs into the system, selects a unique password, goes through the executive’s confidential information and emails, and gives the boss the new password afterwards? In case the executive lets the assistant change the temporary password, the executive no longer controls his or her access credential unless the executive changes the password again to prevent future misuse by the assistant. In either case, whether the executive changes the password immediately or only when prompted by the system upon its expiration, there is a window of opportunity for curious and unethical assistants to abuse their executive assistant superpowers. As stated before, the majority of executive assistants are ethical and hard-working people; however, security best practices dictate vigilance in order to ensure security at all times.

There is no magic solution for this problem. Executives must periodically review and assess the access of their assistants to ensure their access rights are appropriate and limited to their job duties for performing their daily functions and prevent unnecessary disclosure of confidential information.
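The window of opportunity described in the password reset scenario can be measured from help desk and authentication records, as in this added example that is not part of the original article. The event format, account names, device names and the owner-to-device mapping are constructed assumptions; a window opens when someone other than the account owner requests a reset and closes when the password is next changed from a device registered to the owner.

```python
from datetime import datetime

# Constructed mapping of accounts to the devices registered to their owners.
OWNER_DEVICES = {
    "exec.cfo": {"LT-CFO-01"},
    "exec.coo": {"LT-COO-01"},
    "j.smith": {"LT-JS-01"},
}

# Constructed help desk and authentication events.
EVENTS = [
    {"ts": "2024-03-04T09:00:00", "type": "helpdesk_reset",
     "account": "exec.cfo", "requested_by": "assistant.lee"},
    {"ts": "2024-03-04T09:05:00", "type": "password_change",
     "account": "exec.cfo", "device": "WS-ASSIST-07"},
    {"ts": "2024-03-04T09:06:00", "type": "login",
     "account": "exec.cfo", "device": "WS-ASSIST-07"},
    {"ts": "2024-03-04T09:40:00", "type": "login",
     "account": "exec.cfo", "device": "LT-CFO-01"},
    {"ts": "2024-03-05T10:00:00", "type": "helpdesk_reset",
     "account": "j.smith", "requested_by": "j.smith"},
    {"ts": "2024-03-05T14:00:00", "type": "helpdesk_reset",
     "account": "exec.coo", "requested_by": "assistant.kim"},
    {"ts": "2024-03-06T08:30:00", "type": "password_change",
     "account": "exec.cfo", "device": "LT-CFO-01"},
]


def delegated_reset_windows(events, owner_devices):
    """Report every reset requested by someone other than the account owner."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    findings = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "helpdesk_reset" or ev["requested_by"] == ev["account"]:
            continue  # self-service resets are not delegated
        opened = datetime.fromisoformat(ev["ts"])
        trusted = owner_devices.get(ev["account"], set())
        closed, other_device_events = None, []
        for later in ordered[i + 1:]:
            if later["account"] != ev["account"]:
                continue
            if later["type"] == "helpdesk_reset":
                break  # a later reset is evaluated as its own window
            if later["device"] in trusted:
                if later["type"] == "password_change":
                    closed = datetime.fromisoformat(later["ts"])
                    break  # the owner has taken the credential back
            else:
                # Activity on the account from a device not registered to the owner.
                other_device_events.append(
                    (later["ts"], later["type"], later["device"]))
        hours = None
        if closed is not None:
            hours = (closed - opened).total_seconds() / 3600
        findings.append({
            "account": ev["account"],
            "requested_by": ev["requested_by"],
            "opened": opened,
            "closed": closed,            # None means the window is still open
            "hours_open": hours,
            "other_device_events": other_device_events,
        })
    return findings


if __name__ == "__main__":
    for finding in delegated_reset_windows(EVENTS, OWNER_DEVICES):
        print(finding)
```

Findings with a long or still-open window, or with password changes from a device other than the owner's, are the ones to bring into the periodic access review.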

Forty-three percent of U.S. employees engage in remote work at least some of the time. By contrast, 44% of companies around the world didn’t allow any of their employees to work remotely as of 2018. A lack of remote work infrastructure puts such businesses at a disadvantage in an environment where the need for a robust remote workforce is becoming more important than ever.

Cybersecurity Considerations for Remote Workers

Adopting a remote work policy requires careful consideration of the implications for cybersecurity. Although employee productivity and satisfaction are likely to rise when a remote work option is offered, companies making the transition need to follow best practices for identity management, access control and data security.

Start with Reliable Infrastructure and Security Tools

Cloud-based work, productivity and collaboration platforms with the ability to handle large numbers of remote employees enable businesses of all sizes to implement remote work policies. Cloud platforms are scalable and often include security tools for managing network access and data protection. Key factors for successful remote work security include:

• Support for numerous device types
• End-to-end data encryption
• Compliance with all major security and privacy laws
• Mobile device management options for employee-owned device access
• Regular data backups and redundancy
• Continuous monitoring for malicious activity

Businesses are likely to require several tools to achieve the optimal combination of these remote work security features. This requires quick action on the part of IT teams and executives to identify remote access needs, research vendor options and develop plans for deployment.

Implement Strong Access Control for Remote Work Security

Proper identity management and access control become even more critical when employees are working remotely. To minimize risks, companies must:

• Require the use of a company-managed VPN with detailed activity and access logging
• Provide company-owned devices for work access or implement mobile management of personal devices
• Require multi-factor authentication for all platforms
• Establish access guidelines, including time and location restrictions
• Review and update access permissions on a regular basis
• Require employees to install and routinely update security software on all devices with network access

Additional security measures and access restrictions may be necessary for employees who work with highly sensitive data.

Educate Employees Regarding Increased Remote Access Risks

Businesses face a difficult paradox when implementing remote work policies. Employees may be more productive and happier when they work remotely at least part of the time, but growing a remote workforce carries the greatest risks. Should a breach occur and network access become impossible, a business with a predominantly offsite team could face the prospect of a complete shutdown.

The problem is compounded if disaster or calamity precipitates a sudden shift to remote work. Hackers can use panic and the associated lack of judgment to target people in their most vulnerable states of mind. Therefore, education is an essential part of remote work cybersecurity. Employees must know:

• The dangers of accessing company networks from unsecured Wi-Fi connections
• The increased possibility of phishing and malware attacks
• Specific company guidelines or restrictions applying to remote access

Practice Timely Data Breach Responses

Remote work introduces a great deal of unknowns for which company security policies have no provisions. Although it’s impossible to anticipate every possibility, strategic response planning can enable businesses to reduce the impact of data breaches resulting from vulnerabilities in remote platforms.

Conducting routine risk assessments and remote access audits pinpoints potential issues with permission levels, authentication methods and activity logs and reveals areas with insufficient or conflicting security settings. In addition to fixing these weak areas, companies should implement tools to:

• Log all network access and activity
• Isolate devices affected by malware
• Remotely lock or wipe stolen devices

Data forensics experts and legal teams with cybersecurity experience can offer additional support in using these tools to mitigate breach effects while helping companies navigate the aftermath of attacks.

Test the Remote Access System

Because the need to shift to remote work can happen with little warning, companies must take the essential step of testing new remote access infrastructure prior to allowing widespread use. Testing need not be more complicated than selecting a team of reliable employees to work from home for a short stretch of time and asking them to take note of any issues they encounter.

Even a few days of such an experiment can reveal bottlenecks, vulnerabilities, problems with permissions and unanticipated access needs. Guidance from a cybersecurity professional is invaluable when turning insights into actionable changes. Repeating the test on occasion as the nature of remote work evolves allows businesses to maximize productivity and provide the best experience for offsite employees.

With some independent research data predicting remote work will rival or overtake traditional office environments by 2025, now is the time for companies to strengthen remote access policies. Proper planning and preparation can mitigate breach risks through a combination of security infrastructure and ongoing employee education.

Corporate executives in general have more power than others in an organization, and some of them abuse their power and override security controls. Often this is due to a lack of knowledge about security risk management and the consequences of data breach incidents. After all, which executive wants to deal with the aftermath of data breach incidents, especially if they are disclosed in the media and public forums?

When it comes to security, policies are designed to manage security risks and must be applied to everyone consistently in order to maintain security. Controls such as segregation of duties, manager approval, the principle of least privilege, and system security standards are implemented to safeguard an organization from the many security risks it faces, and ignoring such controls leaves major risks unaddressed. Executives, like all other employees, should not be exempt from following any of the company policies, procedures or internal controls in place to ensure the continued safeguarding of company assets, including confidential information.

Usually, when policies and procedures are not followed or are overridden (sometimes by the same people who created and approved them), it becomes extremely difficult to monitor the deviations even if policy exceptions have been formally submitted. If policy violations lead to inappropriate access and activities, it also becomes extremely difficult to immediately detect such security violations because the detective controls are also sometimes eliminated, manipulated, bypassed, or ignored altogether. Such violations may be detected during subsequent internal or external audits, but it may be too late by then since a security breach for even a short period of time may lead to serious consequences.

Why Some Executives Abuse Power and Override Security Policies

Executives sometimes abuse power by overriding controls because:

  1. they don’t even know their actions constitute control override and policy violations,
  2. they are not fully aware of the consequences of their violations which lead to inadequate or lack of controls,
  3. they are busy and don’t think the same stringent controls and rules apply to them,
  4. they don’t think they pose any risk to the company if they violate the policies vs. the rest of the company,
  5. they plan to commit fraud,
  6. they think they can get away with it due to their positions and perceived entitlement and rights in the company, and
  7. they might not even have requested such override and it was just granted due to their perceived entitlement.

When executives abuse power and override controls knowingly, it can be malicious and much more dangerous. For example, such power abuse can be intended to commit fraud, which can cost the company immensely.

Transferring Right

In some instances, executives share their passwords to systems and emails with their assistants for some tasks because they don’t have time to request a password reset or complete the task themselves. By doing so, the executives share their privileged access rights to sensitive company information and e-mails with their assistants and, even for a short period of time, unknowingly place their company at risk. Although the decision to share their passwords with someone else is intentional and careless, the consequences of that decision and the additional risks it introduces for the company are unintentional in this example.

When executives abuse power unknowingly, their actions may not be malicious but can still be dangerous for the company. There are many cases of control override without a formal exception request. One example is the automatic granting of access to restricted areas to executives. The person or group responsible for securing a restricted area like the server room automatically grants the CEO or the President of the company access to that area as if they were automatically entitled to it, even if they have not requested and don’t need such access. Often the person in charge of securing the restricted area or system fears for his job when he is asked to grant access to an executive or even to remove unneeded executive access.

These observations suggest that:

  1. some employees in a company may believe that executives are entitled to unrestricted access and thus a) grant them such access even if it is not requested by the executives or b) would not question an executive’s request for unneeded access or control override,
  2. some executives may believe the company rules don’t apply to them, and
  3. employees may think that it is not worth fighting an executive over compliance and risking their job.

In order to maintain a sound internal control environment and address instances of non-compliance, executives should be expected to support and follow the same policies that one of their peers or the board created, approved and expects everyone in the company to follow. It should also be clearly communicated to all employees that executives are not exempt from following company policies and are subject to the same rules and policies as everyone else. Much too often, independent internal parties responsible for monitoring the existence of and compliance with internal controls within an organization are reluctant to follow up on cases when executives abuse power, especially if such abuse is minor, for fear of losing their jobs. However, the risk at hand is not always about the executives’ intentions, which may be innocent, but rather how others can take advantage of reduced controls whether the executives abuse power directly or indirectly.

According to Henry Bagdasarian, “this is a nightmare for CISOs because they must decide between pushing back on excessive requests from executives, directors and managers who feel special and risk losing alliances and the job or allowing some exceptions while being accountable for security audit findings or data breach incidents when they occur.”  


There are many identity and access management challenges facing organizations and their staff which are partly introduced by changes in technology, threat landscape, and our way of life such as Internet of Things (IoT), distributed systems and workforce, Bring Your Own Device (BYOD) policies, cloud computing and storage, phishing and hacking scams, and various external requirements from regulations and customers. These changes and demands are further complicating the way organizations and their experts are managing user identities in systems and protecting systems from threats which often target users and their access rights to gain unauthorized entry into systems.

Identity and Access Management Challenges

While there is an increasing number of identity and access management challenges worldwide, there is also an increasing number of identity and access management tools and solutions that organizations rely on for responding to evolving challenges. In addition, while organizations take advantage of IAM tools to secure their systems and comply with regulations, they also improve upon other areas of their business. For example, with the deployment of appropriate IAM solutions, user access administration becomes faster and less burdensome for the IT staff who must often provision access for users quickly. However, providing on-demand access to users also raises some security risks that management must accept in exchange for higher user satisfaction.

Considering that most attacks rely on stolen user credentials to access systems, identity and access management challenges also include reliance on the user community to protect their user IDs and passwords. Often, users are targeted with phishing, pretexting, spoofing, and other similar scams to steal their access information. Sometimes the stolen information is used to access the user’s own account, which poses little risk to the organization, and other times it is used to access business systems, which leads to the breach of database files containing huge amounts of data. The users most likely to be targeted for access to business systems and databases are employees who have administrative access to systems.

Admin accounts, which are used to manage user access in systems, offer the best information that hackers need to access systems. Identity and access management challenges therefore include monitoring privileged account activities to prevent and detect unauthorized access, such as denying administrator access during off-business or unusual hours. Tracking unused or orphan admin accounts is a further challenge that security professionals must overcome with continuous monitoring and removal of such accounts.
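The two checks described above, off-hours privileged logins and unused or orphan admin accounts, can be sketched as follows. This is an added example, not part of the original article: the log format, account names, business hours (07:00 to 19:00 on weekdays, local time) and 90-day idle threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, time, timedelta

# Constructed inventory of privileged accounts (hypothetical names).
# owner_status would come from HR data: "active", "terminated", or None.
ADMIN_INVENTORY = {
    "adm-jlee":   {"owner": "jlee",   "owner_status": "active"},
    "adm-mross":  {"owner": "mross",  "owner_status": "terminated"},
    "adm-legacy": {"owner": None,     "owner_status": None},
    "adm-kpatel": {"owner": "kpatel", "owner_status": "active"},
}

# Constructed authentication log; the line format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:44 login user=adm-jlee src=10.0.4.17 result=success
2024-03-04T23:41:02 login user=adm-jlee src=10.0.4.17 result=success
2024-03-05T14:05:10 login user=adm-mross src=10.0.7.3 result=success
2024-03-09T11:30:00 login user=adm-jlee src=10.0.4.17 result=success
2024-03-05T02:15:33 login user=adm-jlee src=10.0.4.17 result=failure
2023-11-20T10:00:00 login user=adm-kpatel src=10.0.4.22 result=success
malformed line without fields
"""

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed policy


def parse_log(text):
    """Return (timestamp, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
        except (IndexError, ValueError):
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "user" in fields and "result" in fields:
            events.append((ts, fields["user"], fields["result"]))
    return events


def is_off_hours(ts):
    """Weekends and anything outside the business window count as off-hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_admin_logins(events, inventory):
    """Successful logins by inventoried admin accounts outside business hours."""
    return [(user, ts) for ts, user, result in events
            if user in inventory and result == "success" and is_off_hours(ts)]


def review_admin_accounts(events, inventory, now, max_idle=timedelta(days=90)):
    """Map each problem account to reason codes (orphaned and/or unused)."""
    last_success = {}
    for ts, user, result in events:
        if result == "success" and ts > last_success.get(user, datetime.min):
            last_success[user] = ts
    findings = {}
    for account, meta in inventory.items():
        reasons = []
        if meta["owner"] is None:
            reasons.append("no_owner")
        elif meta["owner_status"] != "active":
            reasons.append("owner_not_active")
        last = last_success.get(account)
        if last is None:
            reasons.append("never_used")
        elif now - last > max_idle:
            reasons.append("idle")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, ts in off_hours_admin_logins(events, ADMIN_INVENTORY):
        print("off-hours admin login:", user, ts.isoformat())
    review = review_admin_accounts(events, ADMIN_INVENTORY, datetime(2024, 3, 10))
    for account, reasons in review.items():
        print("review account:", account, ", ".join(reasons))
```

Only successful logins are counted as access here; failed off-hours attempts against admin accounts are worth a separate alert.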

These are some of the identity and access management challenges which can be addressed with a thoughtful identity and access management strategy. For example, as IAM tools improve, lower costs are justified, and authentication mechanisms move from passwords to potentially less compromisable systems such as biometric authentication, system intrusions will diminish over time.


Information security outsourcing presents certain risks that companies must manage. As more companies decide to outsource certain aspects of their identity management and security services, and many security service providers offer security outsourcing solutions, companies must take responsibility for managing their security service providers.

Information security outsourcing risks and managed security service provider MSSP challenges

All organizations review their expenditures periodically and often assess the need to make strategic changes in order to reduce operating costs. Information security is not exempt from this process, nor should it be. Sometimes, as a result of this cost review, outsourcing appears to be a cheaper alternative and is considered as the path forward when the company decides to make the strategic change.

Cost is not the only decision factor for outsourcing security and identity management services. Outsourcing scope is often determined internally based on the cost/benefit analysis, availability of expertise, and quality of services in areas where the business may be adversely affected due to the lack of adequate security.

Many service providers manage security operations from offshore facilities, which is why they can manage security more cheaply. But this doesn’t come without added risks, as offshore staff will have privileged access to business systems and customer data, which raises the following concerns and questions:

  • What are the service provider’s hiring and employee management practices?
  • Do they hire cheap, unqualified, and unethical people to remain competitive in the offshore outsourcing business?
  • Do they provide adequate employee training?
  • Would they notify their customers if they discover data theft or system intrusions?

There are two main solutions to address the above concerns after the outsourcing scope is defined:

  1. Develop comprehensive Service Level Agreements, and,
  2. Audit them for compliance.

Selecting a Security Provider

The process of selecting a security provider is somewhat like speed dating before getting married. In the beginning of the outsourcing process, a few pre-selected service providers are invited for presentations to convince the company why outsourcing makes sense in case there are still some undecided managers and why the company should select them. The security solution providers are often very respectful no matter how unreasonable an organization might be as they want to be selected for the outsourcing project. However, this attitude often changes for the worse after the contract is signed.

To select the finalist, the quality of the service is often validated by references from other customers and potentially a site visit. Existing customers usually praise the service provider for a flawless service backed up with monthly colorful reports. One should not expect that the service provider will report all findings from their vulnerability assessments and penetration tests, especially if they have been tasked to secure the infrastructure and related systems or data. This is a SOD (segregation of duties) and COI (conflict of interest) issue of the highest levels. If a vendor must secure systems as part of its outsourcing obligations, and provide security risk reports, their reports must be validated with some tricks.

Common Security Provider Challenges

The most common problem with MSSPs (managed security service providers) which monitor security for a variety of customers is that, typically, the MSSP has a SOC (security operations center) with lots of monitors displaying plenty of charts and alerts. Overloaded staff who watch the monitors are told to focus primarily on the top five paying customers listed on a whiteboard in front of them. If you aren’t on the whiteboard, your systems are not a priority.

Another challenge relates to highly technical and specialized tasks such as penetration testing, where new vulnerabilities must be detected as quickly as the old ones are remediated. There is often no evidence of whether the individual completing the security testing used a quality tool or a freeware scanning tool. There is also no immediate proof that the tester has adequate skills, nor is there any proof that all detected vulnerabilities are reported, due to the COI factor as I have previously mentioned.

Assurance Solutions

The major information security outsourcing risk is that security assurance is greatly reduced when incompatible tasks are outsourced to the same MSSP, which creates SOD and COI issues. An example is outsourcing web application management and web penetration testing to the same vendor. This is no different from cases in which organizations assign the security responsibilities to the IT and operations staff. What incentive would they have to report security issues to the executive management? Often, CISOs who are in charge of system security report to the CIO who is in charge of the IT systems and operations. Why would a CISO report all security issues to the CIO, especially if the CISO feels vulnerable, and why would a CIO report the security deficiencies of the systems he is tasked to manage to the executive committee? It would be like committing suicide.

Separating operations from oversight is the only assurance solution, whether this is done internally or outsourced to another vendor that oversees the activities of the MSSP. This is no different from organizations which do not outsource information security, yet retain a CISO who reports to an executive outside of the IT group or to the board regarding the security posture of the organization across the enterprise.

Whether outsourcing security services or keeping the security capabilities in-house, the security governance and oversight group acts as a watchdog, providing assurance that the security of the enterprise is being properly managed and reported correctly and completely. The internal system owners, IT folks, and security service providers should be responsible for securing the enterprise systems and the security team should ensure that this happens. Otherwise, management has no guarantees that security matters are being reported accurately and completely.

Steps to Manage Information Security Outsourcing Risks

  • Clearly define the outsourcing scope in the contracts and establish a complete set of Service Level Agreements (SLA) with org charts, roles and responsibilities, tasks, and timelines.
  • Address key issues related to staff management in the agreements such as hiring, training, conflict resolution, termination, and access monitoring.
  • Audit against SLAs to ensure compliance with agreed-upon procedures. This is similar to any vendor assurance audit and should be done by the internal oversight team or an independent party separate from the party providing the services.
  • Request oversight team sign-off when deploying tools, systems, or changes to make sure security is properly tested.
  • Ensure all internal or service provider staff are subject to social engineering tests and mock incidents, ensuring their response is appropriate.
  • Build known vulnerabilities into applications before commencing penetration testing to ensure the service provider reports all findings.
  • Finally, avoid commingling operations with security. This creates huge information security outsourcing risks around SOD and COI. Companies are advised to own the security governance and oversight function and separate the role from all IT and business operations.

Evolving threats and new security incidents continue to trend in identity management and cybersecurity news across the industry. Enterprises and IT professionals recognize the need for better security protocols in the face of newer, bigger and more intimidating threats. “As threats and attacks increase, it’s important for organizations to design and implement customized layered security based on a comprehensive risk assessment to protect systems and data from unauthorized access in light of these current trends” says Henry Bagdasarian, Founder of Identity Management Institute.

Latest identity management, access management, and cybersecurity news update

Blackmail Comes to Ransomware

Ransomware is one of the biggest threats in recent years with a darker twist. As businesses improve ransomware detection and mitigation, hackers are upping the ante by launching attacks involving a combination of data theft and system lockdowns. Many are no longer simply demanding ransom payments in exchange for restoring system access. Now, hackers are threatening to expose stolen data if their targets refuse to pay.

This leaves businesses with little recourse but to meet hackers’ demands. Restoring data from backups may allow organizations to continue operating, but it doesn’t prevent hackers from leaking confidential information on dark web forums or posting it on public websites. Data leaks threaten user and customer security and put businesses at risk of being fined for privacy law violations.

Hackers are using the threat of these consequences to collect higher ransoms; however, companies have no guarantee stolen data won’t be leaked even after paying up. Focusing on strong, strategic identity management practices can help protect networks from such attacks and prevent incidents of catastrophic data theft and loss.

Ransomware Cases

The criminal gang behind the REvil (Sodinokibi) ransomware extorted Grubman Shire Meiselas & Sacks, a New York-based law firm which represents many celebrities, threatening to release sensitive files and data on the company’s clients following a successful hack and ransomware infection unless the firm paid a $42 million ransom demand. After the lawyers’ refusal to pay the ransom, the hackers leaked 2.4 GB of stolen data on Lady Gaga. The data reportedly includes contracts between the artist and her producers, live performers and other collaborators.

In addition to doubling the ransom demand, hackers also made another veiled threat against the celebrity law firm, threatening to release files related to US President Donald Trump. As a warning shot, hackers published the first batch of President Trump’s ‘Dirty Laundry’ emails after being branded as cyber terrorists. The gang threatened to publish Trump’s dirty laundry if the biggest cyber-ransom ever, $42 million was not paid.

Coronavirus Goes Cyber

Coronavirus outbreaks around the world have dramatically increased instances of searches for the name of the virus and related keywords. Hackers are exploiting this popularity to launch a wave of new phishing and malware attacks.

By hinting at conspiracy theories and playing off fears, hackers can potentially convince users to click on links in or download files from malicious emails. Instances of this type of phishing are occurring in various languages around the world. Researchers have uncovered numerous “unique” malware files associated with the trend.

People may receive emails citing a mysterious coronavirus cure or promising more information about a supposed new outbreak. If the phishing attempt isn’t recognized and a user’s device is infected, the malware can begin capturing account and login information through the use of keystroke logging.

Businesses need to be particularly diligent about alerting employees to these malicious phishing campaigns. It’s easy for people to panic and give in to fear in the face of an apparent epidemic. Raising awareness can prevent reactive mistakes from undermining network security.

Blockchain will Transform Cybersecurity

Blockchain will transform cybersecurity in many ways and play an essential role in it. Blockchain technology will contribute to confidentiality, integrity, availability, and non-repudiation, which will elevate cyber and data security to unprecedented levels. Many businesses will start to leverage blockchain characteristics such as smart contracts and decentralized data storage to improve their transactions and keep system access and data safe.

Blockchain Identity Management Market Shows Impressive Projections

Valued at $107 million in 2018, the market for blockchain identity management is projected to hit $11.46 billion by 2026. A look at what’s driving the growth reveals the desire for a decentralized self-sovereign identity solution providing up-to-date user information in real time. Companies and organizations are looking for identity management options with the ability to provide better, more scalable security solutions, and the blockchain shows promise in fulfilling these needs.

The concept of a single authentic identity stored immutably in the blockchain has applications across many industries. From banking to healthcare to business networks, blockchain identities could be used to build trust between all parties by using numerous authentication factors to verify individuals. At the same time, the blockchain could offer improved privacy protection to help both users and organizations maintain data security across platforms.

Zero Trust Implementation Drags in the Face of Doubts

Continuous authentication through zero-trust security has the potential to significantly improve identity and access management, but IT and cybersecurity professionals still lack the confidence necessary to implement the framework within their organizations.

According to a survey conducted by Cybersecurity Insiders, two-thirds of cybersecurity professionals are interested in using zero-trust security models, but one-third don’t feel equipped to actually deploy the strategy. Making the move to zero trust does require more effort than implementing other protocols. However, removing barriers to implementation allows businesses and organizations to address some of their most pressing security concerns, including:

• Endpoint security
• Privileged account management
• Vendor and other third-party account access

Laying a framework for transitioning to zero-trust security can guide security professionals and the companies with which they work in mapping out the steps necessary to cover all vulnerable areas of the network with this comprehensive form of access management.

The biggest takeaways for IT departments, cybersecurity professionals and enterprise executives are the need for stronger security and continuing user education. Changes in common threats like ransomware suggest further evolution in the future. Organizations need to be ready with appropriate defenses and responses.

Educating users minimizes the risk of the kinds of errors that lead to breach activity. By coupling educational initiatives with ongoing security improvements, organizations can create stronger protections against known threats and any new attacks appearing in the future.
