The benefits from reduced infrastructure costs, simpler service delivery and reduced time to market are extremely compelling and as a result most businesses are embarking on a digital transformation strategy in some form or other. The adoption of cloud-based solutions, increased mobile working and innovative consumer services also present a series of additional or new cyber risks that need to be understood and addressed.
Northern Ireland businesses of all sizes need to be prepared to withstand the growing number of high-impact cyber security threats, and especially need to be aware of the challenges that result from doing business in today’s digital marketplace. If these threats are not managed, the results can hit hard, causing financial losses or damage to business reputation. New legislation in the form of the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive comes into effect in May 2018 and will require many organisations to fully assess the data that they hold and the associated risks, and to ensure that they have effectively managed those risks through the application of appropriate security controls. This will typically be best achieved through a combination of security policies, staff culture and technology.
Finding the right balance between privacy compliance and the urgent business-driven demand to open existing IT infrastructures to entirely new classes of identities and applications is a challenging task. It requires checks and controls to be in place and calls for a well-defined, structured information security approach. Central to this approach, identity and access management (IAM) is fast becoming the most significant control in protecting information, revenue and business delivery.
So, what is IAM? It is typically a combination of policies, processes and systems that bind an individual (a customer, supplier or staff member) to a set of access permissions within your IT systems, which then allow them to perform a function, to access specific data or even to administer your systems. Technically it may comprise components such as directory services, authentication systems and the elements of your systems that use and store authentication and authorisation information. A good IAM implementation will comprise a number of key elements.
• Policy – This establishes who is authorised to access your systems, data or roles, how access is requested and granted, and when access should be revoked.
• Security architecture – It is important that your IAM solution is properly designed, appropriate for your business and established as early as possible in the digital transformation process.
• Identity – There is a need to confirm the identity of a user, both initially and for each subsequent interaction with your systems.
• Privileged user management – Additional processes and security controls need to be implemented to protect sensitive operations in your systems.
• Audit and monitoring – It is vital to know when breaches of policy or controls occur, and this requires supporting processes and technology to identify, alert on and support investigation of such incidents.
Today, most organisations have made considerable progress towards implementing identity and access management for their on-premises applications and data. IAM solutions can automate the provisioning and de-provisioning process, giving IT full control over the access rights of employees, partners, contractors, vendors and guests. Such automation can help enforce strong security policies whilst helping to eliminate human error; however, it also introduces the question of ‘who polices the police?’.
Regulatory compliance concerns continue to be a major driver for control over identity and access to business data. Much of the onus to provide adequate corporate governance for existing and future legislative compliance can fall on the IT department. Supporting processes such as determining access privileges for specific employees, tracking management approvals for expanded access, and documenting who has accessed what data and when can go a long way to easing the burden of regulatory compliance, aiding audit processes and providing vital evidence should a breach occur. While the benefits of having control over identity and access are clear, the associated cost and complexity of implementation should be measured against the cost of a potential security breach or of the inefficiencies inherent in the manual provisioning and de-provisioning of system access.
With the transformation journey often driving companies to expand their use of cloud services, frequently from multiple vendors, additional challenges can be encountered, such as consistent policy enforcement and control of disparate authentication mechanisms. As identity and access management becomes increasingly complex, the ability to create policies based on granular, contextual information will become more and more important. IAM solutions that can collect and make decisions based on user identity, location, device and the requested resource will allow enterprises to deliver quick access to bona fide employees, partners, contractors or guests, and easily revoke or deny privileges to unauthorised users.
Enterprises can then strengthen authentication where required, for example by requiring multi-factor authentication when additional privilege is being requested or when the user is coming from an unusual location or device. This can reduce user frustration by delivering seamless access to both office and cloud-based applications through policy-driven single sign-on (SSO), presenting additional user interaction only when necessary. This strongly supports recent NCSC work on how to improve an organisation’s security culture, which can be summarised as “security that doesn’t work for people, doesn’t work”. Alongside the ability of security technology (such as IAM) to make security more transparent and user friendly, organisations need to be prepared to change policies to match their digital transformations and to encourage users to raise issues when technology is hindering them from doing their jobs efficiently. Failing to do this will lead to users finding security workarounds, which in turn can only result in hidden risks that cannot be managed.
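The contextual policy decision described above, together with the policy, identity, privileged-user and audit elements listed earlier, can be shown concretely. The following is an added illustrative example, not code from Cyphra or any vendor's IAM product: a small decision engine that takes a user's identity from a constructed directory and a request carrying its context (resource, action, country, device, whether a second factor has already been presented) and returns ALLOW, STEP_UP_MFA or DENY, writing every decision to an audit trail. The role-to-permission policy, the directory entries and the request contexts are all constructed sample data.

```python
"""Illustrative contextual access-policy engine (added example; not a Cyphra
product or any vendor's API). Decides ALLOW / STEP_UP_MFA / DENY from the
user's identity, the requested resource and action, and the request context
(country, device), and records every decision in an audit trail."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"   # grant only after a second factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    active: bool = True                            # False once access is revoked
    usual_countries: FrozenSet[str] = frozenset()  # where this user normally works
    known_devices: FrozenSet[str] = frozenset()    # devices enrolled for this user


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    country: str          # origin of the request (constructed context)
    device_id: str        # identifier of the requesting device
    mfa_verified: bool = False


# Constructed sample policy: which roles may perform which action on which resource.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("hr_records", "read"): {"hr", "admin"},
    ("hr_records", "write"): {"hr"},
    ("prod_db", "admin"): {"admin"},
}
# Privileged operations always require a second factor, whatever the context.
PRIVILEGED_ACTIONS = {"write", "admin"}

# Constructed sample directory (the identity store an IAM system would query).
DIRECTORY: Dict[str, Identity] = {
    "alice": Identity("alice", frozenset({"hr"}), True,
                      frozenset({"GB"}), frozenset({"laptop-1"})),
    "bob": Identity("bob", frozenset({"admin"}), active=False),  # de-provisioned
}

AUDIT_LOG: List[dict] = []


def _audit(req: AccessRequest, decision: Decision, reason: str) -> dict:
    """Append one structured audit record; this is what monitoring would read."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "resource": req.resource, "action": req.action,
        "country": req.country, "device": req.device_id,
        "decision": decision.value, "reason": reason,
    }
    AUDIT_LOG.append(entry)
    return entry


def evaluate(identity: Optional[Identity], req: AccessRequest) -> Decision:
    """Apply the policy to one request and return the decision."""
    # 1. Identity: unknown or de-provisioned users are refused outright.
    if identity is None or not identity.active:
        _audit(req, Decision.DENY, "unknown or deactivated identity")
        return Decision.DENY
    # 2. Authorisation: some role held by the user must grant the action.
    if not (identity.roles & POLICY.get((req.resource, req.action), set())):
        _audit(req, Decision.DENY, "no role permits this action on this resource")
        return Decision.DENY
    # 3. Context: a privileged action, or an unusual location or device, needs MFA.
    unusual = (req.country not in identity.usual_countries
               or req.device_id not in identity.known_devices)
    if (req.action in PRIVILEGED_ACTIONS or unusual) and not req.mfa_verified:
        _audit(req, Decision.STEP_UP_MFA, "privileged action or unusual context")
        return Decision.STEP_UP_MFA
    _audit(req, Decision.ALLOW, "role and context satisfy policy")
    return Decision.ALLOW


def evaluate_request(req: AccessRequest) -> Decision:
    """Look the user up in the directory, then evaluate the request."""
    return evaluate(DIRECTORY.get(req.user), req)


if __name__ == "__main__":
    for r in (AccessRequest("alice", "hr_records", "read", "GB", "laptop-1"),
              AccessRequest("alice", "hr_records", "read", "US", "laptop-1"),
              AccessRequest("alice", "hr_records", "write", "GB", "laptop-1"),
              AccessRequest("bob", "prod_db", "admin", "GB", "laptop-9", True),
              AccessRequest("mallory", "hr_records", "read", "GB", "laptop-1")):
        print(r.user, r.resource, r.action, "->", evaluate_request(r).value)
```

The ordering of the three checks is the point: a revoked or unknown identity is refused before any role is consulted, a role that does not grant the action is refused before context is considered, and only a request that passes both is weighed on context, so a second factor is demanded where the user is elevating privilege or arriving from somewhere new rather than on every login. Each branch writes an audit record, which is what makes later investigation of a policy breach possible.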
2018 will continue to present security challenges to the business community. Those who accept this in advance, understand their risks and apply appropriate controls and measures are less likely to be impacted than those that don’t – it’s really that simple. In 2017 every major breach had a common denominator: compromised privileged accounts. They are an essential element of most cyber-attack lifecycles and securing them must be considered a priority.
Cyphra work with a number of leading vendors to help businesses consolidate, control and simplify access privileges, whether the critical applications are hosted in-house, in external data centres, in private clouds, in public clouds, or in a hybrid combination of all these spaces. Cyphra help enterprises answer the ‘policing the police’ question and demonstrate compliance by implementing Privileged Access Management solutions. Enterprises can readily make password issues a thing of the past by federating user identity and extending secure single sign-on (SSO) capabilities to cloud-based, web-based and virtual applications. SSO can integrate password management across multiple domains and various authentication and attribute-sharing standards and protocols – in layman’s terms, user frustration diminishes and costs reduce.