When HR becomes the cyber police
Identity and Access Management
Lennie Tan, Vice President and General Manager, One Identity, Asia Pacific & Japan
An area that tends to be overlooked in the recent spate of data breaches, such as the ION Orchard breach impacting nearly 25,000 loyalty programme members, is Identity and Access Management (IAM). The lack of policies governing the administrator account created a hidden door through which ION’s servers could be accessed with legitimate credentials, leading to the breach.
IAM is all about ensuring that the right people have the right access, to the right resources, and that you can prove that all the access is right. Both HR and IT professionals have to work hand-in-hand to ensure a robust IAM framework.
There’s a lot that goes into getting all those things “right.” First, IT must set up the accounts that enable a user to get to the right stuff – that is often called provisioning (and its dangerous sister, de-provisioning).
Second, in order for that account to grant the appropriate access, there has to be a concept of authorization which provides a definition for what is allowed and not allowed with that access.
And third, there should be some way to make sure that provisioning and de-provisioning are done securely (and ideally efficiently), and that the associated authorization is accurate – i.e. everyone has exactly the access they need, nothing more and nothing less. However, for IT to even embark on this process, HR needs to establish the levels of access for every employee.
Recent research commissioned by One Identity revealed many compelling insights into the dangers of old-fashioned practices for provisioning, de-provisioning and authorization. Stated plainly, the practices and technologies that served HR and IT professionals so well in the past are simply inadequate in today’s digitally transformed world.
One of the key insights from the research is that the risk of dormant accounts (accounts not de-provisioned after an employee leaves, for example) is not that they exist, but what they could be used for. Most high-profile breaches are the result of a bad actor compromising a legitimate user account. That could be gaining access through phishing or social engineering, or hunting for and finding a dormant account that the organisation doesn’t even know exists. Once in, a series of lateral moves and rights-escalation activities can result in access to the very systems and data you are trying to protect.
Insights from Singapore organisations
The research revealed other intriguing insights into how organisations in Singapore perceive their own IAM practices:
- Only one in four (22%) expressed that they were “very confident” that user rights and permissions are correct. That means that three-quarters of our respondents were unsure of the fundamental aspect of access control – authorization. Any user with excessive rights (rights that are more than necessary to do the job) is an easy path for bad actors to execute those lateral moves they are so good at.
- Only 19% of respondents here are “very confident” that users are de-provisioned properly. By properly, we mean fully and immediately – only 7% of respondents reported that users were de-provisioned immediately upon a change in status. De-provisioning is the process of turning off accounts and revoking rights when they are no longer needed. Poor de-provisioning, either through outdated and cumbersome manual processes or limited tools, is the primary cause of dormant accounts.
- In fact, 100% reported that while they have a process for de-provisioning, it requires IT intervention. In other words, someone has to put hands on a keyboard to make it happen. Any amount of time that an unneeded account remains “open” is an invitation for disaster as evidenced by so many of the high-visibility breaches over the past several years.
How can HR contribute to cybersecurity?
So how can HR and IT work together to prevent breaches? There are many ways to modernise these processes and get IAM right. Here are a few suggestions:
1. Determine a single source of the truth for authorization. HR must define business roles once and use them in all instances. And most importantly, let the line-of-business be the decision makers here. Many instances of inappropriate rights are simply the byproduct of IT doing the best they can with the knowledge they’ve been given. It’s all too common for the line-of-business to ask IT to “give Joe the same rights as Bill” when there was no oversight into what rights Bill has, how he got them, and whether they are still appropriate for the job he does. As such, HR needs to work with IT in this area to improve the IAM processes.
2. De-provision immediately and completely. Tools exist that can update permissions the instant a status changes in an authoritative data source. For example, as soon as an employee’s status in the HR system switches from active to inactive, that user’s access rights across every system in the enterprise (including cloud-based services) can be terminated immediately – effectively closing all those doors and eliminating dormant accounts. In this respect, HR has to ensure employee access levels are up-to-date.
3. Implement identity analytics. A new class of IAM solution called identity analytics will proactively and constantly evaluate your systems to find instances where user rights are out of alignment with what is “right.” These technologies quickly find dormant accounts, mis-provisioned accounts, and instances of rights elevation that are often the smoking gun in breach detection and prevention.
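One way to implement suggestions 2 and 3 together, as an added example that is not One Identity’s or the author’s code: an HR-driven reconciliation that treats the HR roster as the single source of truth, flags accounts to de-provision the instant a status goes inactive, finds dormant accounts with no HR record at all, and reports rights beyond what the user’s business role defines. All systems, roles, employee ids and rights below are constructed sample data.

```python
# Constructed sample: the HR roster is the authoritative source, keyed by employee id
HR_ROSTER = {
    "e100": {"status": "active", "role": "finance_analyst"},
    "e200": {"status": "inactive", "role": "finance_analyst"},  # leaver
    "e300": {"status": "active", "role": "hr_partner"},
}

# Business roles defined once by the line-of-business and reused in every system:
# role -> set of (system, right) pairs the role is entitled to
ROLE_RIGHTS = {
    "finance_analyst": {("erp", "read_ledger"), ("email", "mailbox")},
    "hr_partner": {("hris", "edit_records"), ("email", "mailbox")},
}

# Constructed sample: what each system actually grants, as (system, user id, rights)
ACCOUNTS = [
    ("erp", "e100", {"read_ledger"}),
    ("erp", "e200", {"read_ledger", "approve_payments"}),  # leaver, still enabled
    ("email", "e200", {"mailbox"}),
    ("hris", "e300", {"edit_records"}),
    ("erp", "e300", {"read_ledger"}),          # "give Joe the same rights as Bill"
    ("vpn", "svc-legacy", {"remote_access"}),  # nobody in HR owns this account
]


def reconcile(hr_roster, role_rights, accounts):
    """Identity analytics pass: compare every account against HR and the role model."""
    findings = {"deprovision": [], "dormant": [], "excess_rights": []}
    for system, uid, rights in accounts:
        record = hr_roster.get(uid)
        if record is None:  # account exists in a system but not in HR: dormant/orphaned
            findings["dormant"].append((system, uid))
            continue
        if record["status"] != "active":  # leaver whose access was never revoked
            findings["deprovision"].append((system, uid))
            continue
        # Rights the role allows in this particular system; anything beyond is excess
        allowed = {r for s, r in role_rights.get(record["role"], set()) if s == system}
        extra = rights - allowed
        if extra:
            findings["excess_rights"].append((system, uid, sorted(extra)))
    return findings


def on_hr_status_change(uid, new_status, accounts):
    """Event hook: the moment HR marks a user inactive, return every account to disable."""
    if new_status == "active":
        return []
    return [(system, u) for system, u, _ in accounts if u == uid]


if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, ROLE_RIGHTS, ACCOUNTS).items():
        print(category, items)
```

In a real deployment the HR status-change hook would call each system’s de-provisioning API, and the reconciliation pass would run on a schedule to catch anything the hook missed.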