Identifying, Managing and Preventing Access Creep

Privilege or access creep poses a threat to security in all networks but can be a particular problem in larger companies where many employees share enterprise resources and inappropriate access levels often go unnoticed for a long period of time which can potentially lead to devastating breaches.

Understanding Access Creep

Privilege creep occurs when employees accumulate more access rights than are required to perform the tasks associated with their positions. Also called access creep, the process occurs gradually over time and is often the result of: 

• Failure to revoke temporary access granted for special projects 
• Updated job duties or requirements 
• Promotions or changes in position within the company 

In all these cases, employees may retain access to data, applications and resources unrelated to their duties, thereby putting the system at risk in a number of ways. The most notable of these risks include: 

• Increased potential for insider threats resulting from the use of excessive access for personal gain or retaliation by disgruntled or dissatisfied employees 
• Hackers’ ability to infiltrate higher levels of the network using a single set of stolen credentials 

Accumulation of unnecessary privileges also poses a threat to compliance, especially in enterprise environments handling highly sensitive data, such as Social Security Numbers or health records. Failing to maintain compliance with privacy laws and regulations or suffering a breach in which large amounts of data are lost or compromised can have severe financial and reputational consequences.

Excessive Access in Privileged Accounts

Some users within enterprise systems, such as administrators and managers, require access to sensitive data or resources to do their jobs efficiently. Services and applications may also need a higher level of access to ensure workflows proceed without interruption and communication across the network is maintained. Alarmingly, the 2016 Verizon Data Breach Investigations Report revealed 53 percent of breaches result from the misuse of credentials associated with privileged access. It’s not uncommon to find credentials for sale on the Dark Web, and a hacker needs to purchase only one set to undermine the integrity of an entire enterprise system.

In many cases, users make it easy for hackers to obtain login information and access networks without buying credentials. About 80 percent of access breaches in enterprises result from weak or stolen privileged account credentials, and once hackers hijack these accounts, it can be difficult to determine the true extent of a breach. Privilege creep exacerbates the problem by extending hackers’ access deeper into the network. It can take IT professionals a considerable amount of time to sort through access information, pinpoint the cause of the breach and implement countermeasures to restore network security. 

Smart Strategies to Maintain Appropriate Access Levels

Proper identity and access management strategies can prevent privilege creep and reduce the risk of associated data breaches. Enterprises must focus on following best practices to establish and maintain strong identity governance policies.

Least Privilege

The principle of least privilege provides a baseline for managing all user accounts. By granting each user the lowest level of access necessary to fulfill his or her role within the company, enterprises can ensure smooth workflows while preventing unauthorized access across the network. Enterprises should also consider implementing role-based access in lieu of user-based methods to assign access levels based on the tasks a user must complete rather than associating privileged access with individual accounts.

Reduce the risk of access creep with periodic access audit and certification.

Auditing and Recertification

Routine access audits clarify access needs for enterprise users and pinpoint areas of weakness, including abandoned or orphaned accounts. Removing these accounts eliminates points of weakness hackers could otherwise exploit. Periodic recertification subjects active user accounts to scrutiny to determine if current access levels are appropriate or need to be adjusted. These processes are an essential part of access management and could benefit the 52 percent of enterprises unable to account for all privileged credentials within their networks. Clear policies for managing temporary access and processing changes in employee roles within the enterprise reduce the risk of access privileges extending beyond what’s appropriate. Identity Management Institute members include experts in access audit and certification.

Modernizing Access 

Many enterprises continue to rely on passwords and other outdated authentication methods, and a surprising 54 percent use paper or Excel spreadsheets to store details about access credentials. In situations where the use of passwords remains necessary, credentials must be managed in a secure centralized location to prevent loss or compromise. Switching to multi-factor authentication relying on stronger methods, such as the use of hard tokens, one-time PINs and geofencing, makes it more difficult for hackers to penetrate deep into networks. 

Preventing privilege creep at the enterprise level starts with clarity regarding access needs throughout the company and the establishment of strategic access management strategies. With the use of intelligent identity management tools and strong authentication methods, it’s possible to manage employee access to reduce the risk of internal and external breaches resulting from the misuse or compromise of privileged credentials.

Subscribe to the Identity Management Journal to receive periodic announcements and articles.

Identity and access management certifications

Identity and Access Management in Cloud Platforms

As businesses increasingly leverage cloud storage services, identity and access management in cloud platforms has become a major challenge and risk concern for cloud users.

Identity and access management in cloud platforms

Overview of Identity and Access Management in Cloud Platforms

The rapid migration of systems and data to the cloud with cloud storage accounting for $50 billion of the total amount of $266 billion spent on public cloud services by the end of 2020 raises unique concerns regarding data security, identity management and access control. As more businesses of all sizes opt to invest in the tools offered by popular cloud platforms, it will be increasingly necessary for executives and their IT departments to develop the appropriate identity and access management (IAM) policies designed to address the emerging concerns.

Cloud platform providers are responding to the need for stronger security with integrated IAM solutions. Knowing what offerings are available and how to leverage the tools included in each platform provides a framework for smarter, stronger IAM policies made to address the growing number of potential vulnerabilities and new types of risk associated with connected devices and remote workers in modern businesses.

Cloud computing tools are most commonly offered in two ways: software-as-a-service (SaaS) and platform-as-a-service (PaaS). In a typical SaaS model, the customer pays a monthly or yearly fee to use an application or software platform managed entirely by a third-party provider. PaaS offers more flexibility by allowing customers to control which apps are deployed on a third-party platform.

Cloud Platform Providers

Top cloud platform providers give businesses flexible, customizable cloud environments in which to build networks of integrated and complementary applications designed to support more efficient workflows, improve collaboration and increase productivity. Each provider has its own suite of available applications and range of features to address the diverse requirements of today’s connected businesses.

A white paper published by Identity Management Institute for its members offers analysis of the 3 major cloud platforms Amazon, Microsoft, and Google.

The Role of Middleware for Identity and Access Management in Cloud Platforms

The job of middleware is to connect client requests made via a network to the data being requested. In cloud environments, these tools may be bundled as part of a PaaS offering or obtained through another provider. The link created by middleware serves to bridge the gap between the front end of an application, which the user sees and interacts with, and the back end, consisting of computers, servers and data storage.

For the purposes of IAM, middleware can be used to simplify authentication and user access across extensive suites of cloud-based applications. Third-party authentication options like Okta, Ping Identity and Symantec VIP are known as authentication-as-a-service (AaaS) and are part of the growing number of cloud-based services being established to support the many businesses migrating to the cloud.

Conclusion

Preserving data integrity requires IAM policies designed to clearly define user roles and privileges and control access to applications within cloud computing platforms. Businesses planning to invest in cloud platforms and move more computing infrastructure to the cloud must carefully assess the security controls available and seek PaaS solutions designed to integrate with, supplement and strengthen existing security frameworks.

As businesses move into the future and embrace updated technologies, flexibility in cloud environments will become more important, and security concerns will continue to evolve. Today’s top cloud platform providers offer scalable, customizable solutions with built-in IAM tools, and it’s up to IT specialists to identify the unique concerns of the businesses for which they work and choose the best solution to address workflow needs and security requirements.

Sarbanes Oxley Access Management Requirements

The Sarbanes-Oxley (SOX) Act of 2002 is just one of the many regulations you need to consider when addressing compliance. Also called the Corporate Responsibility Act, SOX may necessitate changes in identity and access management (IAM) policies to ensure your company is meeting the requirements related to financial records integrity and reporting.

 

What is Sarbanes-Oxley (SOX)?

SOX was passed in July of 2002 in response to a rash of incidents resulting from malpractice in accounting. The regulation added to existing guidelines and included “reforms to improve financial disclosures from corporations and prevent accounting fraud” with the aim of protecting investors from “fraudulent accounting activities.”

All publicly traded companies located or doing business in the U.S. are subject to SOX regulations. The act:

• Increases corporate responsibility for financial reporting
• Establishes new accounting guidelines
• Mandates protections against accounting fraud
• Imposes more serious punishments for noncompliance

Records collected and stored by companies affected by SOX are subject to a number of protocols intended to increase accuracy in reporting and discourage unlawful falsification and destruction of records. With strict rules governing financial reporting and how long records are stored, SOX changes the way many businesses approach accounting.

SOX Compliance Requirements

The first step in SOX compliance is to establish an “accounting framework” to create verifiable paper and data trails for all financial activities. Every action with the potential to affect financial reporting must be traced and documented as proof of compliance, including changes made to financial and accounting software.

In addition, companies must establish internal controls designed to prevent fraudulent activities and reporting. CEOs and CFOs are required to personally certify all records as “complete and accurate” in accordance with section 302 of SOX, affirming they’ve reviewed the controls at least once in the past 90 days.

Section 404 outlines the requirements for monitoring and maintaining controls. Using a framework like COBIT, companies must conduct an annual audit to determine how well the controls are working. and report the results directly to the Security Exchange Commission (SEC). All audit records, whether physical or digital, must be kept on file for no less than five years.

Should a security breach compromise finances or records, SOX regulations require affected companies to report the incident as soon as possible.

Risk of Noncompliance

Failure to comply with SOX can incur serious penalties. Company executives who certify false reports can be fined up to $1 million for each instance, sentenced to up to 10 years in jail or both. Willful certification of false reports carries a fine of up to $5 million, a jail term of up to 20 years or both. The severe nature of these penalties drives home the importance of having strong security measures, especially since a single accounting error can compound and create several inaccurate reports if it isn’t caught in time.

How Does IAM Relate to SOX?

Because both physical and digital records are affected by SOX, access management is an integral part of compliance. When the act was first passed, many businesses weren’t yet dealing with the complexities of connectivity seen in modern enterprises. However, the requirement to put “adequate internal controls” in place for “financial reporting and governance” extends to IT, especially in environments where multiple device types connect to the corporate network from a variety of locations and a great deal of information is handled in the cloud.

Strategic IAM practices control several factors with the potential to affect financial reports:

• Insider threats
• Data breaches
• Human error

By automating activities such as user provisioning and deprovisioning and implementing granular conditional access controls, companies minimize the risk of unauthorized access and reduce instances of privilege creep. Assigning identities to devices makes it easier to control how and where employees access corporate networks, helping prevent some of the problems associated with establishing and enforcing BYOD policies.

Business IAM solutions also include automatic logging and reporting tools so that clear reports can be generated for every audit. Since corporations tend to have large numbers of employees with various levels of network access, automated logging and report generation are essential for SOX compliance. Without these tools, it would be nearly impossible to track the actions of every user and every device, and suspicious behavior could escape notice long enough to cause serious problems.

All digital security policies, including IAM, should be evaluated for efficacy as part of the annual SOX compliance audit.

Access Management Controls

For SOX compliance, organizations should keep the following access management areas in mind:

  • Manage access rights during on-boarding, role changes, off-boarding
  • Ensure Segregation of Duties (SoD)
  • Maintain access control matrix
  • Perform periodic access audits
  • Automate reporting

Staying in compliance with regulations like SOX is important for the safety of your company and the data you handle. If you haven’t yet put measures in place to ensure compliance in regards to financial records and reporting, work with your IT department to develop an IAM strategy designed to minimize errors, prevent unauthorized access and secure all records during transmission and storage.

Read additional articles in our IAM blog.

Mitigating the Growing Risk of Identity Theft

The increasing number of connected technologies used by businesses and consumers is creating more points of data vulnerability. Each new endpoint provides a potential “in” for hackers and increases the risk of identity theft from data exposure.

Business owners must recognize the growing identity theft threat to their companies, employees and customers and take steps to mitigate the risks and ensure personal data stays out of the hands of malicious third parties.

More Technology, Greater Risk

The vision of a completely connected world, once realized only in science fiction, is quickly becoming a reality. Internet of Things (IoT) technology forms an expanding web of devices in constant communication with each other and with a variety of networks. This connectivity permeates every aspect of business and personal lives and has greatly increased the risk of identity theft.

According to a survey by The Harris Poll, almost 15 million people had their identities stolen in 2017 and experienced nearly $17 billion in total losses. The Consumer Sentinel Network lists identity theft as the second most common reason for fraud reports, surpassed only by debt collection fraud.

Why are connected technologies of particular concern when considering identity theft risk? IoT devices constantly collect and send data about users, including intimate details most consumers never realize they’re sharing. Modern hackers have access not only to identifying information but also may obtain data about individuals’ personal lives, right down to their fitness habits, the groceries they buy most often and even rough maps of their homes.

Today’s Biggest Threats to Identity

Although the Federal Trade Commission lists employment and tax fraud and credit card fraud as the two most common forms of identity theft, account takeovers are becoming more attractive to modern hackers. More connectivity means hackers can gain access to a larger database of information and launch more widespread attacks using a single set of stolen credentials.

In the 1,597 data breaches recorded by the Identity Theft Resource Center in 2017, hackers gained access to users’ names, social security numbers, birthdates and driver’s license numbers, all of which can be used to impersonate an individual or mine for more data. However, to steal an account, all a hacker needs is a user’s login information and a strategy for flying under the radar when committing fraudulent acts.

The risks associated with this type of identity theft are seen in the increasing popularity of online fraud, especially in the realm of online payments. Over 80 percent of credit card fraud is now committed in “card not present” situations, such as the use of digital payment gateways. Electronic Health Records (EHRs) are also popular targets, although hackers seem to be developing a greater interest in social security numbers when obtaining user data.

Business Identity Theft?

Individuals aren’t the only ones at risk. Businesses can also fall victim to identity theft. Both the high volume of activity and large transactions occurring at the corporate level attract hackers looking for big payouts. Unlike in data breaches, however, hackers committing business identity theft don’t infiltrate a network to steal information. Instead, they impersonate the identity of a business to commit fraud.

Businesses of all sizes are susceptible to this form of identity theft, but small businesses may be at a greater risk due to a tendency to ignore potential threats. Over half of small businesses have no concept of their level of risk from cyber attacks, and 58 percent fall victim to malware as a result. Business identity theft can affect credit score, cash flow, tax filings and brand reputation.

Strategies to Safeguard Identity

Business owners and corporate IT specialists must be aware of the risks associated with the unique nature of their onsite networks and the ways in which employees and customers connect to and interact with these networks.

Identity theft “red flag” risk assessments and routine security audits reveal points of weakness and the need for stronger safeguards and better access management polices. Using information gathered from these assessments, businesses should:

• Invest in updated security software designed to handle connected technologies
• Consider incorporating machine learning into security protocols
• Review and update access permissions
• Implement data encryption tools
• Establish protocols for user provisioning and deprovisioning
• Create policies limiting which company details can be shared publicly
• Continually educate employees on how to minimize risk

Securing internal networks with these tactics closes many common loopholes hackers use to access personal information and helps to protect businesses, employees and customers from the devastating consequences of identity theft.

Although the rapid spread of new technologies is putting personal information at greater risk for theft, business owners can take steps to increase security and protect proprietary and consumer data. Technology will continue to shift and expand, and diligent awareness of threats is essential to preserve data privacy and prevent identity theft.

Call Center Employee Fraud Training

ncidents of call center fraud are on the rise according to various call center fraud reports. This is partly due to the migration of scammers from online channels, where breaches are becoming more difficult to commit, to the largely unprotected and vulnerable environment of call centers.

Read more

The Evolution of Authentication

The evolution of authentication has been somewhat slow across organizations when compared to the fast changing technology and cybersecurity threat landscape.

The increasing complexity of systems is leading to a need for more secure authentication methods. Although passwords are a ubiquitous form of verification, allowing users to access applications and perform actions within a system, there have always been problems with this method. Creating secure passwords and managing them properly is difficult when users have dozens of different accounts and log in from multiple locations throughout the day.

The evolution of authentication by Identity Management Institute

An answer to the problem may be found in password-less authentication methods. According to a survey by Wakefield Research, 69 percent of organizations are considering phasing passwords out in the next five years, opting instead to take advantage of passwordless models to increase security and make logins easier for both employees and customers.

Basics of Passwordless Authentication

The idea of a passwordless authentication model is straightforward. Instead of entering credentials consisting of a username or email address and a password, users verify their identities with an alternative method. The change is meant to address the problem of passwords standing in the way of reliable security, workflow efficiency and even customer retention.

Options for password-less authentication include:

  • Biometrics – Already in use in smartphones and other devices, biometric logins consist of a unique biological identifier, such as a fingerprint. However, until biometric technology improves, this may not be the most secure choice unless combined with other options.
  • Email – Upon entering his or her email address, an existing user is sent an email with a verification link. Clicking the link completes authentication and allows access.
  • Token or one-time code – Instead of a link, users receive a token or code they then enter into the website or application. This code is attached to every action taken during a session and decrypted as users interact in real time before being destroyed when the session is terminated.

These new authentication options eliminate the need for passwords and the potential security risks associated with poor password management.

Passwordless Authentication Benefits

Getting rid of a familiar form of identification to increase security may seem counterintuitive, but passwordless authentication has the potential to increase security for both your customers and the users within your organization. Making the switch addresses common problems with password security:

  • Weak passwords
  • Poor password management
  • Accidental use of default settings
  • Using the same password for multiple accounts
  • Not changing passwords regularly

Many of these issues result from “password fatigue,” which is experienced by users asked to create passwords for every website and application they use and enter these passwords numerous times throughout the day. This often leads to apathy in password creation and can threaten system security.

Passwordless authentication is also more convenient. Customers don’t like juggling logins for dozens of sites and tend to abandon those requesting the creation of yet another account. Employees required to log into multiple applications during the course of standard workflows are less efficient, and tasks slow down even more if a password is forgotten and needs to be reset. When no passwords are required, all users enjoy a more seamless experience.

Passwords Elimination in the Evolution of Authentication

Password fatigue explains the phenomenon of passwords becoming weaker as a user is asked to create more accounts. After a while, users no longer care if the password is secure and will use anything just to be able to gain access. This can create a serious security problem in your system. Weak passwords, use of default login options and stolen credentials account for 63 percent of breaches (Verizon). If even one customer’s account is hacked, all the data stored by your company is at risk. The same is true for employee accounts across critical business applications.

Customer retention rates are also affected by password fatigue. Seventy-five percent of customers stop using a service or website if they need to perform a password reset, and 30 percent abandon their hopping carts if checking out requires account creation. This is of particular concern when it comes to first-time or one-time customers. You could lose out on lucrative sales during popular shopping seasons or drive away customers who may otherwise have become loyal shoppers if you don’t have an alternative way for them to log in.

In addition to these considerations, your organization could benefit from passwordless authentication if:

  • Employee password management is poor
  • Workflows continue to hit bottlenecks due to excessive login requirements
  • Your system network is expanding to include more applications
  • A significant number of customers are abandoning carts at checkout
  • Password security problems have led to breaches in the past

There may be some situations in which it makes sense to retain the use of passwords or use a method like multi-factor authentication instead. Base your decision on your company’s needs and the unique security requirements of your network.

Passwordless Model in the Evolution of Authentication

If you decide to make passwordless authentication part of your security protocol and authentication evolution, the first step is to research the options to find a reliable provider. Request demos from vendors to see how the authentication process works, and get all the details you can about the security of the process.

Implementation details are specific to providers, but your chosen vendor should work with you to help you set up your passwordless login system. Let all users, both employees and customers, know you’ll be making the switch, and provide clear instructions for use of the new system.

Once passwordless authentication is in place, monitor performance to determine if it delivers the desired results. You should see a drop in shopping cart abandonment on the customer end and an increase in workflow efficiency for your employees.

The rise of passwordless authentication may usher in a time when no system or application requires a password for access in the evolution of authentication. Companies looking to streamline workflows, update security and offer an alternative to customers experiencing password fatigue can benefit from switching to passwordless options. Since changes in technology inevitably bring new security concerns, it’s time for organizations to start adopting alternatives to outdated authentication methods and bring identity management strategies up to date.

Visit our blog for more articles.

Malware Remains Most Popular Attack Method

The identity and access management (IAM) landscape is always changing, and staying on top of the latest news can help you protect yourself and your business from vulnerabilities. From major market expansion to the latest attack on Facebook, here’s what you should know about IAM this month.

$14.82 Billion IAM Market Share Predicted

By 2021, the global market share for IAM is expected to exceed $14.5 billion in U.S. dollars, representing a compound annual growth rate of 12 percent. This significant jump reflects growing security concerns as companies adopt more cloud-based applications and continue to invest in SaaS solutions. An increasing awareness of compliance requirements is also driving the market as regulations are updated.

Facebook Breach Blamed on Access Token Error

Facebook’s latest breach affected an estimated 30 million users, but it was neither complex nor sophisticated. Personal information, including check-ins, searches, contact information and profile details, was stolen from 14 million accounts, and contact information from an additional 15 million accounts was also compromised.

Hackers gained access to data through a simple flaw involving video previews. When users chose to view a birthday video using Facebook’s “View As” option before posting it to their profiles, right-clicking to obtain the source code for the page revealed an access token for the user from whose perspective they were previewing. Hackers were able to scrape access tokens for millions of users by exploiting this vulnerability,

Facebook says the problem was fixed as of September 27, but as with any breach, users should continue to exercise caution.

Malware Remains Most Popular Attack Method

According to research by Positive Technologies, the frequency of malware attacks dropped from 63 percent to 49 percent between Q1 and Q2 this year. However, attacks involving compromised credentials increased from seven to 19 percent.

Malware is still the most popular form of cyberattack and can be used to steal credentials for use in more sophisticated or extensive breaches. Targeted attacks executed for the purpose of extorting money from companies or stealing valuable data are still common, meaning you need to be diligent across departments in your company. A single phishing email, compromised file or infected employee device can provide an open door for hackers to undermine your IAM framework.

Federated Identities May Give Way to Consolidated Identities

The current trend in using federated identities may need a makeover to keep up with the complex security concerns and requirements of modern businesses. A federated identity allows a user to log into multiple services with one set of credentials, such as when you access a third-party website using your Facebook or Google account. A federated identity supplies a single key for cross-domain interactions and interactions between software platforms from different companies, allowing users to access a variety of services without the need for all providers of these services to use the same kind of authentication technology.

Consolidated identity is being proposed as the next wave of IAM within enterprises. Currently, employees using multiple tools to do their jobs likely have to log into each platform with a separate identity. Doing so creates a distraction, slows down workflows and makes it difficult to work efficiently. A consolidated identity combines access rules and authentication protocols to allow access across siloed services based on a user’s needs and security level. This aggregation of access rights can greatly improve time management and increase productivity.

Google Introduces New IAM Tools

Identity management and security is an increasing concern as the adaptation of cloud platforms becomes more widespread and companies are beginning to rely on a greater number of cloud-based applications for daily business tasks. Google recognizes the complex issues involved in enterprise IAM and has been working on new tools to improve cloud security.

“How do we rethink identity in a cloud-based world?” was the question posed by Karthik Lakshminarayanan, Google’s director of product management. The company is answering the question with:

  • Cloud Identity for Customers and Partners (CICP), a tool to add IAM to apps for better security
  • Secure LDAP to allow for seamless access to access both new and legacy applications
  • Cloud Identity-Aware Proxy (IAP) for context-aware access, making it possible to control data and application access based not only on credentials but also the context of a request
  • Location restrictions for the Google Cloud Platform to prevent the unauthorized creation of resources in specific offsite locations

Some tools are still in development, and others are being finalized to help make IAM easier for businesses working with sensitive data in the cloud.

Continue to monitor the latest IAM news and read new articles to stay on top of industry changes and get alerts regarding security concerns. New product and service releases and innovations from big players in the industry can transform your approach to IAM and ensure better security for the future. And, don’t forget to get certified.

Employee Offboarding Best Practices

Companies failing to follow proper employee offboarding measures are at risk for data loss, cyberattacks and other malicious activities. Regardless of the reason for an employee’s exit, offboarding is an essential part of the transition process. Protect your system and all sensitive data with these six critical identity management procedures.
employee offboarding best practices

Collect All Company-Owned Devices

Company-issued smartphones, tablets, laptops and other devices should be turned in before an employee leaves for good. These devices not only contain sensitive information but also represent a significant monetary investment. Be sure to collect all other items used for data transfer and storage, such as memory cards and flash drives, to prevent confidential information from leaving the premises.

Retrieve keys and security cards to ensure employees can’t gain physical access to the building once their tenure is over. Being able to get in and out of the office without checking in or making an appointment literally leaves the door open for serious breaches if the conditions of departure are less than cordial.

Terminate Personal Device Access

If your business has a BYOD policy, employee-owned devices may retain information, applications and other company assets. Removing data and programs pertaining to company activities is a key part of offboarding. Even if no ill will is intended, employees can easily walk away with proprietary data on their personal smartphones, tablets, laptops and external storage devices. If passwords were stored using tools on any of these devices, hackers could gain access to your system with stolen credentials long after an employee has left the company.

Revoke Network Access

The identity and access management (IAM) solution your company uses should have tools for managing the entire employee
lifecycle, including offboarding. When the time comes to remove a user from the system, take advantage of these tools to completely eliminate the employee’s unique

identity. Don’t be tempted to reuse the account with different login credentials for the next person taking over the position. A new employee may not need the same level of access even if he or she performs similar duties, and rolling accounts over may cause problems with “privilege creep,” in which an employee accumulates more access rights than necessary to perform his or her job.

Access to company applications and third-party cloud-based programs used by your business for communication and collaboration must also be revoked. Change any common passwords for these applications or other system tools, and make sure related apps are wiped from personal devices. If an employee-owned device has its own identity within your system, remove this privilege when the person leaves.

IAM software makes network access management much easier by centralizing all information about each employee’s credentials, level of access and privileges so that you can be sure all points of vulnerability have been addressed and don’t have to search through every application to terminate access.

Remove Employee Data from Systems

Once access has been revoked, make sure the names of employees who no longer work for your company don’t show up on contact lists, in meeting rosters or as the primary contacts for projects. Forward all communications from terminated employee accounts to a manager or supervisor, and communicate clearly with other employees to ensure everyone is aware who has been offboarded and who is responsible for picking up their tasks until a new hire is made.

Follow a Set Procedure Every Time

Go through the same steps with each employee you offboard. Adhering to a plan ensures you don’t miss any critical actions and greatly reduces the risk of disgruntled employees wreaking havoc once they’ve left. Employees in good standing are saved the potential embarrassment of and backlash from accidental data leaks. Create a checklist of best practices, and follow it to the letter to keep your company and your employees safe.

Keep Records

Compliance is an important issue for any business handling sensitive information, interacting with clients and customers or conducting transactions. You may be subject to additional compliance rules depending on the industry in which you operate. Proper offboarding is necessary for compliance, especially in cases where the information you store could be stolen, sold or publicly distributed by employees with malicious intentions.

If your IAM solution doesn’t already keep detailed logs, enable the option or upgrade to a system with this capability. Logs can be used in the event of a compliance audit to prove you followed your offboarding procedure correctly and no loose ends were left to create vulnerabilities. Furthermore, logs are necessary for any critical investigation as a result of security policy violations and data breach cases.

Following the same offboarding procedure with every candidate reduces the risk of accidental or deliberate data theft and eliminates as many points of vulnerability within the system as possible. Make offboarding part of the process of managing the employee lifecycle to avoid the potential for serious security problems down the road.

Things Now Have Identities

In the ever-changing IoT landscape, things now have identities. With the number of connected IoT devices set to reach 75 billion by 2025, having a strong identity and access management (IAM) policy is more important than ever. IoT technology is now an integral part of the business world and may represent as much as 6 percent of the global economy in the near future. Such rapid expansion in the network of devices connected to the systems within your business requires a new approach to access and security.

Identity and Access Management in an IoT World

What once involved keeping track of one identity per user within a network has evolved into a complex web of monitoring and managing the interactions occurring between users and devices both onsite and in remote locations. Further complications can arise from transient access, in which devices connect to the network only part of the time and may or may not be running in privacy mode when they do. Each device is associated with its user’s unique identity, but the device itself is able to communicate with other devices, and perform actions such as access and transfer data.

This pivotal shift comes at a time when companies are still trying to get a handle on IoT technology and implement identity management protocols capable of handling the unique combination of corporate, employee-owned and remote devices connecting to their networks every day. Each new device creates additional points of vulnerability, and the more complex the web of connectivity, the more robust the related security measures need to be.

Whereas IAM used to require only associating a user with a device, it now must also bridge the gap between devices and networks or systems. This necessitates a fresh approach to identity management to prevent a situation in which device use gets out of control and creates security gaps your current protocols can’t handle.

Say Hello to the Identity of Things

A new concept known as the identity of things (IDoT) has arisen to describe the relationship between IAM and IoT. As the nature of connectivity changes, IDoT offers solutions for handling new types of digital interactions by proposing unique identities for the devices themselves. This essential evolution of IAM makes it possible for your company to handle not only the employee lifecycle but also the lifecycle of every device requiring access to your network.

To properly control access for both users and devices, a modern IAM protocol must take into account the kinds of data each device will access, handle or store as it interacts with other devices and programs in a network. Each device needs to be integrated into the network to facilitate seamless communication regardless of device type, manufacturer or operating system. Requiring device registration and creating specific protocols for transient devices helps to prevent unauthorized data access and makes it possible to monitor for unusual behaviors across the network. When sensitive or proprietary data is involved, you also need to consider what data manufacturers collect when monitoring device performance and put in place to protect against accidental access to confidential information.

The Future of the Internet of Identities

The expanding network of connected “things” with their own identities is creating a new landscape for IAM in which users control devices with collections of attributes and the ability to carry out multiple functions within a network. Dubbed the internet of identities (IoI), this matrix of connectivity presents fresh security challenges requiring:

  • Employee training and background checks to ensure device security;
  • Detailed protocols dictating when and how data can be accessed by specific devices;
  • Privacy and security rules to govern inter-device communications and connections;
  • Updated security protocols and standards;
  • Use of behavioral analytics to detect unauthorized access attempts; and
  • Centralized IAM and security procedures to prevent bottlenecks and preserve open communications.

With these changes, identity management will increasingly focus on securing the relationships between connected devices to allow businesses the freedom to take advantage of IoT technology without falling victim to the vulnerabilities inherent in such a system.

As IoT connectivity continues to evolve, businesses without a robust approach to IAM and device security will become more vulnerable to cyber-attacks. Prevention is the best approach, which requires getting a handle on the current state of device use within your company and preparing for a steady increase in the use of IoT technology over time.

Getting ready for changes in IDoT and IoI today will make it easier to comply with new protocols and standards as they’re developed and released. IoT is set to have a $3.9 trillion impact globally by 2025, so implementing smart identity management strategies now has the potential for big payoffs in the future. An updated security policy and a solid training plan for employees prepares your company to step into the future of IAM with the lowest possible level of risk.

Visit the blog page to find another article.

6 Best Practices for Managing the Identity Lifecycle

Every time organizations hire a new employee, he or she needs access to essential information, apps and processes to successfully perform daily tasks. With the cost of data breaches at $4 million per incident and businesses losing an average of $158 for every stolen record, it’s crucial that organizations grant and manage access with the utmost care.

Employee identities and the information to which associated credentials allow access must be carefully managed throughout each team member’s time at your organization. Defined by Techopedia as “the full life cycle of identity and access for a user on a given system,” identity lifecycle covers every aspect of identity and access management (IAM) from the moment a person is hired to the moment they leave the company.

With constant changes in technology and the dynamic nature of employees’ access needs in the modern workplace, it’s essential to follow these 6 IAM best practices throughout the employee lifecycle.

Cover the Basics

IAM should begin with the most straightforward steps for better security:

  • Enable multifactor authentication,
  • Create and enforce a Bring Your Own Device (BYOD) policy, or consider a Corporate-Owned, Personally Enabled (COPE) policy as an alternative,
  • Update all tools, platforms and apps regularly, and
  • Encrypt all data during sending and receiving.

Proper employee training also ensures all staff members understand policies and procedures, thereby minimizing the risk of error and reducing vulnerabilities resulting from ignorance.

Start with Smart Provisioning

Role- and attribute-based access control methods assign employee access based on the minimum levels necessary to complete tasks. This makes it easier to allocate privileges to new employees. Instead of guessing what access they’ll require and running the risk of being too liberal, your system can be set to automatically assign the right level of access at the time of hiring. Real-time provisioning ensures access is available to all employees from day one. Adding a single sign-on (SSO) process streamlines the procedure, allowing staff members to use multiple apps using just one set of credentials.

Use Automatic Updating

SSO also eases the burden on your IT department when paired with automatic updating. An increasing number of apps are required to manage modern businesses, and your IT team doesn’t have the time to update provisions across apps or create new rules every time you adopt another platform.

Look for a solution designed for adding apps centrally and creating the proper provisions across all of them at the same time. As the apps you use change, employees gain instant access based on existing permissions, preventing bottlenecks in essential workflows.

Prevent Privileges from Piling Up

Privileged accounts give specific employees access to the most sensitive data and processes within your system. However, employee responsibilities change over time, and it may not always be necessary for high-level permissions to remain in place. Privilege levels must be adjusted accordingly as part of regular automatic updates. By revoking access as soon as it’s no longer needed, you minimize vulnerabilities and shut the door on hackers who target these types of accounts.

Put Up a (Geo) Fence

If your company has a team of remote employees or otherwise allows remote access to data, geo-fencing can cut down on the risk of sensitive information being accessed from the wrong places. Many employees still use public Wi-Fi connections to perform business tasks, and logging into your system while sipping a latte at Starbucks can throw the door wide open for hackers.

Geo-fencing adds another layer of protection by preventing access outside of specific locations. If you choose to implement a “fence,” make sure your access rules don’t create situations so restrictive your remote staff members can’t do their jobs.

Have a Plan for Deprovisioning

Around 49 percent of former employees log into their accounts after leaving a job or being let go. Deprovisioning prevents this type of unauthorized access by completely revoking privileges as soon as a person no longer works for your company. Like provisioning and continuous certification, deprovisioning can be automated to offload your IT department from the tedious task of revoking permissions and removing roles. This is especially important in cases where an employee’s exit was less than cordial and your company could be at risk for a malicious attack if the account remains open.

Adopting a framework for proper identity lifecycle management gives you more control over the information to which you employees have access and decreases the likelihood your company will suffer a data breach. Even in a world where BYOD and remote work have become everyday realities, following best practices for managing identity and access keeps your company safe and ensures no accounts are left open to enterprising hackers. Working with a professional can make it easier to identify weaknesses in your current systems and implement the best fixes for your business model.

Learn about audit and certification of your IAM program.