Challenges in IAM and Cybersecurity Standards

As technology continues to evolve and use cases increase in complexity, businesses and organizations need more guidance from individuals skilled in data protection and breach prevention. Cybersecurity remains a top concern for anyone handling sensitive information, but recent incidents and study results indicate an alarming lack of understanding regarding the importance of access control and unified security management.

Some organizations are taking steps to implement better protocols, but others still struggle with vulnerabilities and lack the tools or education to meet the security challenges presented by modern network configurations and diverse modes of access. The following cases highlight some of the major concerns IT and cybersecurity professionals need to address.

Department of Defense Creates New Cybersecurity Standards

In July 2019, the U.S. Department of Defense (DoD) publishes a draft of its new five-level cybersecurity standards system for contractors and subcontractors. Known as the Cybersecurity Maturity Model Certification (CMMC), the standard is being developed to create a unified approach to security when dealing with sensitive government data and prevent potentially catastrophic security incidents. The Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute are major players in CMMC development. 

Current inconsistencies in contractor security processes cost the government billions of dollars every year, which includes the loss of intellectual property. The CMMC seeks to address and combat this loss by enforcing standards through third-party compliance audits, ongoing risk mitigation and the collection and analysis of metrics. Because DoD data is highly sensitive and a breach could present a threat to national security, rigid enforcement is required to ensure the safety and privacy of information at all times.

Full implementation and inclusion in contractor agreements is expected to begin at the start of 2020 with the goal of being able to monitor and protect the entire supply chain. 

Over 600,00 Patients Affected by Oregon DHS Breach

The effects of a breach at the Oregon Department of Human Services (DHS) in January 2019 are still being felt as notifications go out to the 645,000 people whose records were compromised. This is significantly more than the original estimate of 350,000 and is a sobering reminder of the widespread problems just a few compromised accounts can cause.

Hackers used a phishing scam to steal the credentials of nine DHS employees, which granted access to emails, messages and attachments. Although it’s unclear whether the hackers actually looked at or did anything with the data, it took 19 days for the DHS to detect the breach, perform a password reset and put an end to the unauthorized access. During this time, hackers may have had the chance to view private patient data, including health information and social security numbers. Over 2 million emails were affected by the breach.

The DHS provides training to help employees detect phishing emails and employs multi-factor authentication for login procedures, but some are still questioning the efficacy of these methods in the aftermath of such a massive event. Additional measures may be necessary to prevent similar incidents from occurring in the future and protect patients from fraud and identity theft.

Identity and Access Management Challenges

According to a study conducted at the 2019 RSA Conference by access management firm One Identity, businesses continue to struggle with Identity and Access Management. 34 percent of attendees consider privileged identity management (PAM) to be one of the most “difficult operational tasks” for businesses, followed by user password management and lifecycle management. Seventy-one percent cited data loss as a top security issue, and 44 percent recognized both insider and outsider threats as significant concerns.

Despite these findings, only 14 percent of respondents felt better access control would have a positive effect on cybersecurity. This suggests businesses understand the potential threats of poor identity and access management (IAM) but fail to see why strong IAM policies are necessary to protect sensitive data.

Statistics from employee respondents shed light on the significant threats resulting from improper or inadequate IAM protocols. Among those polled:

• 70 percent would look at sensitive files if granted unlimited access
• 60 percent would take company data with them when leaving their positions if they knew they wouldn’t get caught
• 40 percent have shared passwords with someone else

Based on such responses, problems potentially resulting from insider threats alone should be enough of a concern to prompt companies to adopt stronger strategies for provisioning, deprovisioning and access management. Implementation of tougher controls under the guidance of knowledgeable cybersecurity experts can mitigate risk and reduce the likelihood of data loss or compromise. 

For IT professionals, these changes and challenges present opportunities to aid businesses and organizations with developing improved strategies for cybersecurity, breach prevention and employee access control.

Cybersecurity certification and ongoing education prepares those in the IT industry to build defenses against the latest threats and implement the best protective technologies available.