The top 6 identity security issues facing businesses today
Scott Hesford from BeyondTrust outlines the key identity security vulnerabilities facing organisations and offers tips for bolstering resilience.
When it comes to implementing effective IT security, one of the most important elements to consider is the way in which identities are managed.
Within corporate IT infrastructures, an identity represents a one-to-one relationship between a human and their digital presence. This digital presence, however, can have multiple accounts, multiple credentials and an infinite number of entitlements in electronic format.
This is what makes identity security so important. It’s vital to be able to map identities back to the person to whom they belong while also validating their privileges.
However, there is a range of challenges that can be encountered when it comes to achieving this mapping. Six of the most important to consider are:
- When staff share the same names:
If a member of staff has a common name, it’s likely there will be someone else within the organisation with the same (or similar) name. This can be an issue where corporate email addresses are based on a combination of first and last names.
Some businesses avoid this by adding a middle initial or a number as a suffix; however, multiple entries in a global address list can make finding the right individual difficult.
Instead, consider adopting an account nomenclature based on full names, including middle initials, to avoid this conflict. This approach will help stop emails being mistakenly sent to the wrong people, which could result in the inappropriate divulging of sensitive information and possibly create data privacy issues.
- When an organisation has “floating” employees:
If a business has staff that “float” regularly between departments or office locations, it can create identity classification problems. A means has to be found to register these identities in the organisation’s identity governance solution and central directory stores.
Floating employees generally have broad entitlements, and, at any given time, it can be hard to report what their proper access rights should be. Ensure the privileges of all floating staff are checked on a regular basis.
- Over-provisioning of access rights:
Administrator account rights allow a digital identity to have widespread access across an IT infrastructure; however, when these rights are over-provisioned, it can cause significant security problems. Forrester has estimated that 80 per cent of data breaches are related to compromised privileged accounts.
A challenge for most environments is the certification of who has administrator rights and whether they are actually required. Alternatively, implementing the principle of least privilege, including just-in-time access, can significantly mitigate risks around access rights.
- Issues around mergers and acquisitions:
Mergers and acquisitions can be a stressful time for anyone in a business. When plans are implemented to consolidate IT domains, identities, applications and policies, best practices can often be inadvertent casualties.
This, in turn, can lead to identity problems ranging from over-provisioning to multiple accounts and domain names that do not follow an established pattern. This can lead to a cascade of additional identity-related problems, including applications that only work in some domains. If a business fails to merge standard operating procedures and establish technology baselines first, any subsequent identity management initiatives will suffer.
For this reason, it’s essential to establish security, identity policies, and provisioning baselines at the outset of any merger or acquisition. This will then provide support for future activity.
- The rapid growth of non-human identities:
Traditionally, digital identities have been primarily associated with human users. However, modern computing environments now incorporate many types of non-human identities. Things such as robots, internet of things (IoT) infrastructures and control systems all have identities that could be compromised by cyber criminals.
To resolve this problem, all machine-based identities need to have ownership assigned in the same way as human users.
- Third-party identities:
Businesses will often rely on trusted vendors and partners to undertake specific functions, and it is likely many of them will require access to the corporate IT infrastructure. A business will need special controls to manage these vendor identities, validate that all their activity is appropriate, and provide an audit trail of activities conducted by third parties.
The IT team should consider creating controls to manage these identities outside of typical directory services and avoid assigning generic accounts like “Consultant1” or “VendorABC”. The users should have actual account names for the duration of their services, while allowing for a management paradigm that reflects the simplicity and often transient nature of their access.
Access rights should also be assigned following a model of least privilege, have strong monitoring capabilities, and be simple enough to administer that the burden of management is nowhere near as complex as managing employees.
By considering these issues and taking appropriate steps, businesses can ensure they have in place a robust identity framework that supports staff while also delivering effective security for digital assets.
Scott Hesford is the director of solutions engineering, Asia-Pacific and Japan at BeyondTrust.