Assessing the security of your Identity and Access Service can be a daunting, complicated, and humbling task. However, the assessment of whether you need to overhaul your Identity and Access Management (IAM) security can be boiled down to six simple questions. Here are the identity and access security questions that need to be answered in every instance where systems are accessed:
- Who has access?
- When did they get access?
- How did they get access?
- Who authorized their access?
- Is their access privileged?
- How are they using their access?
By earnestly and honestly considering how ready you are to answer those basic queries, you have your golden metric: if you can reliably answer all six, your identity and access monitoring is at least decently secure. Fail to provide a satisfactory answer to even one, and you will know that your security needs immediate rectification.
To really understand why these questions are so vital, each must be individually unpacked. Let’s get to the core of why they are important, what each failure to answer means for your enterprise, and how Simeio’s services provide you with an instant and accurate answer.
1. Who has access to what?
Regular review cycles of privileges and access are crucial to maintaining the principle of least access and overall identity hygiene. Asif Savvas, Simeio’s Chief Product Officer, states that, “the periodic standard is quarterly review, but it’s better to be proactive instead of reactive, where review is ongoing and based on just-in-time access.” This translates to making critical feature access in your Identity and Access Service a matter of direct authorization rather than vulnerable standing privileges.
Savvas goes on to say that “the right way to do it is a policy of zero standing privileges with continuous access for common tasks.” In essence, the review process can be driven by the need for the specific access and its criticality, with privileged access reviewed every month and only provisioned with a preset end date. Reviewing all these permissions manually on an enterprise-level scale can become a heavy commitment, so a modern automated review system should be strongly considered.
Setting aside the substantial security risks, failure to maintain a tightly controlled identity environment is a recipe for inefficiency. In a poorly curated Identity and Access Service, users often hold access to features they use infrequently or not at all. This translates to a guaranteed resource drain: you pay for more licenses, identities, and even memory allocation than you need. The potential costs from a breach are even worse.
Failing to account for this question will leave you with many users holding inappropriate privileges, terminated employees among them, which can be especially damaging for cloud systems. When this overextended access is abused, your enterprise stands to lose reputation, intellectual property, and customer data.
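The review policy described above (time-boxed privileged grants, a monthly review cadence for privileged access and quarterly otherwise, and cleanup of terminated users) can be expressed as a small automated check. The following is an added example, not Simeio’s code or any product’s API; the grant schema, the two review cadences and the sample users are assumptions constructed for illustration.

```python
# Added example (not Simeio's code): a minimal access-review pass over a
# constructed grant inventory. It answers "who has access to what" and flags
# the conditions the section warns about: privileged access with no end date
# (standing privilege), grants past their end date that were never revoked,
# grants still held by terminated users, and grants whose last review is
# older than the assumed review cadence (monthly for privileged, quarterly
# otherwise).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PRIVILEGED_REVIEW_EVERY = timedelta(days=30)   # assumed monthly cadence
STANDARD_REVIEW_EVERY = timedelta(days=90)     # assumed quarterly cadence


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    privileged: bool
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing access with no end date
    last_reviewed_at: datetime


def issue_jit_grant(user, resource, privileged, now, ttl):
    """Provision access with a preset end date (just-in-time style)."""
    if ttl <= timedelta(0):
        raise ValueError("a just-in-time grant needs a positive lifetime")
    return Grant(user, resource, privileged, now, now + ttl, now)


def is_active(grant, terminated_users, now):
    """A grant is live if its holder still exists and it has not expired."""
    if grant.user in terminated_users:
        return False
    return grant.expires_at is None or grant.expires_at > now


def active_holders(grants, resource, terminated_users, now):
    """Answer 'who has access to <resource> right now?'"""
    return sorted({g.user for g in grants
                   if g.resource == resource and is_active(g, terminated_users, now)})


def review_grants(grants, terminated_users, now):
    """Return (user, resource, finding) tuples for every grant needing action."""
    findings = []
    for g in grants:
        if g.user in terminated_users:
            findings.append((g.user, g.resource, "terminated_user"))
        if g.privileged and g.expires_at is None:
            findings.append((g.user, g.resource, "standing_privilege"))
        if g.expires_at is not None and g.expires_at <= now:
            findings.append((g.user, g.resource, "expired_not_revoked"))
        cadence = PRIVILEGED_REVIEW_EVERY if g.privileged else STANDARD_REVIEW_EVERY
        if now - g.last_reviewed_at > cadence:
            findings.append((g.user, g.resource, "review_overdue"))
    return findings


# Constructed sample data (not real users or systems).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
TERMINATED_USERS = {"jdoe"}
GRANTS = [
    # Privileged, time-boxed, reviewed recently: nothing to flag.
    issue_jit_grant("asmith", "payroll-db", True, NOW - timedelta(days=3), timedelta(days=3, hours=4)),
    # Privileged with no end date and not reviewed for 200 days.
    Grant("bjones", "payroll-db", True, NOW - timedelta(days=200), None, NOW - timedelta(days=200)),
    # Standard access still held by a terminated employee.
    Grant("jdoe", "crm", False, NOW - timedelta(days=400), None, NOW - timedelta(days=30)),
    # Expired yesterday but never cleaned up.
    Grant("clee", "build-server", False, NOW - timedelta(days=10), NOW - timedelta(days=1), NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    print("payroll-db holders:", active_holders(GRANTS, "payroll-db", TERMINATED_USERS, NOW))
    for finding in review_grants(GRANTS, TERMINATED_USERS, NOW):
        print(finding)
```

Run as a script it lists the current holders of `payroll-db` and four findings: the standing privileged grant (flagged twice, once for having no end date and once for being overdue for review), the terminated user’s leftover access, and the expired grant that was never revoked. The just-in-time grant is the only one that passes cleanly, which is the point of provisioning privileged access with a preset end date.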
Simeio has carefully considered these factors and built our Identity Orchestrator (IO) to cover all facets of identity management. Our IO combines identity analytics with automatic flagging to not only tell you who has access but control that access from a single pane.
2. When did they get it?
You might wonder why timeframe is so important compared to something like point of origin. In fact, knowing the “where” has merit as well. Sanjay Pagar, Simeio’s Director of IO Engineering, explains that “some accesses are available to specific regions, so if a login happens outside of those regions, that’s a clue to suspicious activity.” However, while location can be important to detecting a breach, timeframe reveals so much more.
How long someone has had access is crucial for determining the scope of threats. Without knowing when a potential breach took place, you cannot pin down where in your records you should be looking for suspicious activity. This is even worse in the case of protracted attacks which went on for months or even years before detection.
Simeio addresses these (and, as will later be seen, many other) needs through our Identity Timeline, an integrated IO feature providing a view of who got access to what and when. The timeline logs everything (access requests, the viewing of specific files, logins, and logoffs) and brings all that information into a single view.
3. How did they get access?
One of the biggest advantages for cyber security experts is that there’s no way to log in without valid credentials. The initial login is a vital step in the hacker’s attack strategy; it cannot be spoofed or circumvented on first contact. All alterations to enterprise data can only be performed after the breach, never before. This gives vital clues to discovering how the identity was compromised; if you cannot pin down how this stolen access was obtained, you’re in trouble.
Failure to guard against bad actors getting into your Identity and Access Service carries serious legal ramifications for your enterprise. But the real issue of failing this test is much more immediate. Even if you know a security gap exists, you cannot plug it up if you can’t point to how the hacker was provisioned with access. It’s humiliating to know that your system is being hacked yet be unable to stop it due to not knowing where to look.
Simeio’s Identity Orchestrator can automatically lock out-of-band access and carry out immediate termination in a matter of moments. You can stop breaches before they start by flagging and locking out any access or usage outside of acceptable parameters.
4. Who authorized their access?
If a hacker successfully breaches an identity, they can move laterally throughout the Identity and Access Service, accessing features and data within the scope of the hacked identity’s clearance. So long as the hacker has not breached your Privileged Access Management (PAM) system, you should be able to fall back on your PAM controls to track down the culprit.
If you can’t trace the hacker through PAM, the problem becomes a more dire version of failing to answer how someone got access. Not only are you dealing with the consequences of a breach, but you now have a careless provisioner, a vendetta-driven bad actor, or a corporate spy running loose. What was once a single entry point becomes a dagger over your head, a bad actor ready to strike again.
Fortunately for Simeio’s clients, Identity Timeline comes to the rescue yet again. With the timeline you can enable automatic alerts of suspicious activity such as mass approvals or unauthorized identity creation, prompting an investigation before it’s too late. Whether your breach stems from a lax security practice or a malicious actor, the Identity Timeline catches them both.
5. Do they have privileged access?
More than any other metric, this is the question that tells you how serious the breach is. An identity breach allows lateral system abuse, but a privilege breach gives free rein from top to bottom. A PAM hack is the nightmare scenario: the hacker has ALL privileged credentials and can bring the entire enterprise to a standstill. This can bring payment processing, shopping systems, and even physical machines to a crashing halt. Skimming credit card data, additional credentials for future use, and even intellectual secrets become ripe pickings.
Imagine catching such a breach in the early stages and not reacting in time due to ignorance of the compromised privileges. Not knowing means you won’t know to go to high alert, wasting vital minutes which could have saved you from a catastrophic lockout or even a full system wipe.
Of course, any breach is a problem and any malicious activity should be investigated, but false positives happen, especially with an unintegrated system. Not all breaches are of equal severity, and allocating your limited resources means sometimes you need to pick and choose where you divert your attention.
But for enterprises with Simeio’s Identity Timeline, catching high-priority breaches is a foregone conclusion. By synchronizing the Timeline with Identity Analytics, you receive real-time alerts and notifications whenever privileged accounts are used, altered, or even viewed.
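Questions 2 through 5 are all answered by querying one ordered record of identity events: when a grant appeared (question 2), whether a grant has any approval on record before it (question 3), who approved it and whether that approver is approving in bulk (question 4), and whether the event touches a privileged resource (question 5). The following is an added example of such a timeline over a constructed event list; it is not Simeio’s Identity Timeline or its data format, and the event schema, region allow-list, approval window and threshold are all assumptions made for the example.

```python
# Added example (not Simeio's code): a toy identity timeline over a constructed
# event list, queried to answer "when did they get access", "how did they get
# it" (a grant with no approval on record), "who authorized it" (including a
# burst of approvals by one approver) and "is it privileged". The event schema,
# region allow-list and thresholds are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOWED_REGIONS = {"us-east", "us-west"}        # assumed: where logins are expected from
APPROVAL_WINDOW = timedelta(minutes=5)          # assumed: window for "mass approval"
APPROVAL_THRESHOLD = 5                          # assumed: approvals in window that trigger an alert
PRIVILEGED_RESOURCES = {"payroll-db"}           # assumed: resources under privileged control


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                        # "approval" | "grant" | "login" | "file_view"
    actor: str                       # identity performing the action
    subject: Optional[str] = None    # identity whose access changes (approval/grant)
    resource: Optional[str] = None
    region: Optional[str] = None     # login origin, for login events


def at_hour(hour, minute=0):
    return datetime(2024, 6, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample timeline, already in time order.
TIMELINE = [
    Event(at_hour(8, 0), "approval", actor="mgr1", subject="asmith", resource="payroll-db"),
    Event(at_hour(8, 5), "grant", actor="iam-svc", subject="asmith", resource="payroll-db"),
    # A grant with no approval anywhere before it: out-of-band provisioning.
    Event(at_hour(9, 0), "grant", actor="root-admin", subject="tmp-ops", resource="payroll-db"),
    Event(at_hour(9, 10), "login", actor="asmith", region="us-east"),
    Event(at_hour(9, 12), "login", actor="tmp-ops", region="ap-south"),
    Event(at_hour(9, 15), "file_view", actor="tmp-ops", resource="payroll-db/exports"),
    # Five approvals by one approver inside five minutes.
    *[Event(at_hour(10, i), "approval", actor="mgr2", subject=f"u{i}", resource="crm") for i in range(5)],
]


def when_granted(events, user, resource):
    """When did <user> get <resource>? First matching grant, or None."""
    for e in events:
        if e.kind == "grant" and e.subject == user and e.resource == resource:
            return e.ts
    return None


def out_of_region_logins(events, allowed_regions):
    """Logins from regions outside the allow-list, the clue the section mentions."""
    return [(e.ts, e.actor, e.region) for e in events
            if e.kind == "login" and e.region not in allowed_regions]


def out_of_band_grants(events):
    """Grants with no earlier approval for the same (subject, resource)."""
    approved, flagged = set(), []
    for e in events:
        if e.kind == "approval":
            approved.add((e.subject, e.resource))
        elif e.kind == "grant" and (e.subject, e.resource) not in approved:
            flagged.append(e)
    return flagged


def mass_approvals(events, window, threshold):
    """Approvers whose approval count inside any sliding window reaches threshold."""
    times_by_approver = defaultdict(list)
    for e in events:
        if e.kind == "approval":
            times_by_approver[e.actor].append(e.ts)
    flagged = {}
    for approver, times in times_by_approver.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[approver] = max(flagged.get(approver, 0), count)
    return flagged


def privileged_activity(events, privileged_resources):
    """Every event touching a privileged resource (grants, approvals, views)."""
    return [e for e in events
            if e.resource and e.resource.split("/")[0] in privileged_resources]


if __name__ == "__main__":
    print("asmith got payroll-db at", when_granted(TIMELINE, "asmith", "payroll-db"))
    print("out-of-region logins:", out_of_region_logins(TIMELINE, ALLOWED_REGIONS))
    print("grants without approval:", [e.subject for e in out_of_band_grants(TIMELINE)])
    print("mass approvers:", mass_approvals(TIMELINE, APPROVAL_WINDOW, APPROVAL_THRESHOLD))
    print("privileged events:", len(privileged_activity(TIMELINE, PRIVILEGED_RESOURCES)))
```

On the constructed data the queries surface the same story from four angles: `tmp-ops` was granted a privileged resource with no approval on record, then logged in from outside the expected regions and viewed an export under that resource, while `mgr2` approved five requests in under five minutes. Each answer comes from the same ordered event list, which is why keeping requests, approvals, grants, logins and file views in one view matters more than any single alert.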
Furthermore, the fact that Simeio handles your PAM security from our end means that compromising your Identity and Access Service is much more difficult than if a hacker could simply focus their attacks on your enterprise’s systems. By partnering with leading PAM solution providers such as CyberArk, we ensure that your privileged access stays under your control.
6. How are they using it?
This final question is of foremost importance. Without the knowledge of access use and, by extension, misuse, you’ll never even know about suspicious activity in the first place. Without anything to clue you in that something is amiss, you can’t catch bad actors. At all.
You can’t identify who in your Identity and Access Service doesn’t need their access, who should never have had it, or why those who have it were granted it. You can’t recognize inappropriate usage if you don’t have a method for monitoring desirable usage. You can’t even gather basic efficiency metrics, and you certainly can’t zero in on what a bad actor has managed to accomplish during their breach. Without records of how your systems are being used, you open the door to having the resources of the company turned against itself.
The end goal of the Simeio IO is to ensure you never need to ask this question because the answer is always right in front of you. Identity Analytics and the Timeline harmonize to give you a real-time comprehensive picture of the who, when, and how. From swiftly provisioning crucial permissions to automatically locking violations of the principle of least access, the IO boosts efficiency and security in tandem.
Learn how Simeio manages your identity fabric.