I wish I had budget to hire this stellar cast to play a team that has to risk everything to make nothing happen in a film about access governance. It would be worth every penny if it helped slow the rate of breaches we see year over year. Our failure to ensure basic security protocols is a huge problem. The OPM breach shines a light on this issue and this Business Insider article from Adam Elkus does a great job characterizing our disdain for all things boring:
“Despite the immense amount of energy and activity that we pour into understanding the nature of cybersecurity and cyberpower more broadly, we persist in ignoring boring but immensely consequential flaws in our information architecture.”
The article is worth a read because it gets to the root of the problem: we like exciting things, not basic routines. John Oliver proves this using an amazing cast of auditors. Elkus says the same is true in IT security: “fantasizing about super-hackers and visions of cyber-doom are more fun than the boring but necessary drudgery, for example, of modernizing a decrepit and decaying federal information technology base or ensuring that basic security protocols are observed.”
I hope one of the takeaways from the OPM breach is that boring IT projects get more interest and higher priority. Especially access governance, since Ars Technica revealed how easy it was for attackers to get user credentials for the systems they attacked:
“A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what's new?’”
The thing is, you can enforce the principle of least privilege no matter the state of your infrastructure. We’re finding that a lot of companies still rely on spreadsheets for access certifications, which is better than nothing. But since it’s time to risk everything to make nothing happen, how about taking advantage of a quick-win solution that shaves tons of time off manual access certifications, so your team can focus on the bigger, formerly-boring-now-exciting access governance projects?
I shamelessly admit this post is a plug for NetIQ’s access governance solutions. But, so what? The point I'm getting at is not choosing our products vs. others in the market. It’s how you go about proving your methods to document, review and revoke access privileges are working. Do you risk everything to make nothing happen?
You need to ensure that any changes to access conform to corporate policies, that access already granted is appropriate, and that you can detect any security or compliance issues. First understand the actual state of identity and access privileges in your environment, then work toward putting detective and preventive controls in place. And do this while keeping efficiency in mind: reducing tedium makes projects less boring.
When it comes to access governance, nothing will happen if you focus on these areas of risk:
- Limited Visibility: In many organizations, there is no “single version of the truth” when it comes to identifying who has what credentials. Applications, databases and hardware devices store credentials locally, and even where tools like Active Directory are in place, they do not cover 100% of the environment. Even more challenging is gaining a consolidated view of all the processes used to provision identity and access privileges. A centralized view exposes blind spots such as separation-of-duties (SoD) violations and orphaned accounts.
- Over-reliance on IT for Identity and Access Oversight: Relying exclusively on IT staff to enforce and perform identity and access oversight is shortsighted. Business managers better understand who should and shouldn’t have access to sensitive applications. Getting the right people involved in the process of identity and access management is a royal pain. But remember, we have to risk everything to make nothing happen, so here are a few tips that might help.
- Manual Processes: It’s true. Manual access certification processes are still used by many organizations. They are labor-intensive, inefficient and costly. Worse, they lead to unnecessary risk because organizations can’t mitigate weaknesses or respond to violations fast enough. Automated tools establish repeatable practices for a consistent, auditable and reliable process.
- Focus on Detective AND Preventive Controls: Many organizations focus on finding areas of non-compliance and correcting them after the fact. Without a doubt, detective controls are a critical element of access governance. But they are not enough if your goal is to risk everything to make nothing happen; preventive controls are also needed. That is why it’s important to measure risk over time in order to evaluate the effectiveness of controls. Without a risk-based approach, it’s challenging for an organization to focus its internal controls and audits where they matter most.
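As an added illustration of what a consolidated view buys you (this is example code written for this post, not NetIQ’s product or any OPM system), the script below merges constructed account exports from several systems with a constructed HR roster and flags the three blind spots described above: orphaned accounts, SoD violations that only appear once roles are combined across systems, and root-level access that a business owner should certify. All names, systems and role pairs are made up.

```python
# Added example (not NetIQ's code): a minimal consolidated access review over
# constructed account exports plus an HR roster. It flags orphaned accounts,
# separation-of-duties violations and unreviewed privileged access.
from collections import defaultdict

# Constructed HR roster: the authoritative list of who is still with the company.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "active", "dept": "payroll"},
    "carol": {"status": "terminated", "dept": "it"},
}

# Constructed per-system exports: the "credentials stored locally" case.
ACCOUNT_EXPORTS = {
    "erp": [("alice", "ap_clerk"), ("alice", "ap_approver"), ("bob", "payroll_admin")],
    "hr_db": [("carol", "root"), ("dave", "root")],
    "fileshare": [("bob", "reader"), ("carol", "reader")],
}

# Constructed SoD rules: holding both roles in a pair is a violation.
SOD_RULES = {frozenset({"ap_clerk", "ap_approver"})}

# Roles whose holders must be certified by a business owner, not just IT.
PRIVILEGED_ROLES = {"root", "payroll_admin"}


def consolidate(exports):
    """Build the single view: user -> system -> set of roles."""
    view = defaultdict(lambda: defaultdict(set))
    for system, rows in exports.items():
        for user, role in rows:
            view[user][system].add(role)
    return view


def review_access(exports=ACCOUNT_EXPORTS, roster=HR_ROSTER, sod_rules=SOD_RULES):
    """Return findings grouped by type, sorted for deterministic output."""
    findings = {"orphaned": [], "sod_violation": [], "privileged": []}
    for user, systems in consolidate(exports).items():
        person = roster.get(user)
        # Orphaned: no roster entry, or the owner is no longer active.
        if person is None or person["status"] != "active":
            findings["orphaned"] += [(user, s) for s in systems]
        # SoD is checked on the union of roles across systems: a violation
        # split over two applications is invisible to each one alone.
        all_roles = set().union(*systems.values())
        for pair in sod_rules:
            if pair <= all_roles:
                findings["sod_violation"].append((user, tuple(sorted(pair))))
        for system, roles in systems.items():
            for role in roles & PRIVILEGED_ROLES:
                findings["privileged"].append((user, system, role))
    return {k: sorted(v) for k, v in findings.items()}
```

Feeding the review output to the responsible business managers, rather than to IT alone, is the certification step; the two orphaned root accounts in the constructed data are exactly the kind of finding a spreadsheet-based process tends to miss.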
What do you do to risk everything to make nothing happen? Please share, because anything is everything if nothing happened. And if something happened, tell us about it. Your something will help someone else make nothing happen.
Check out these resources to learn more about how NetIQ can help you:
- NetIQ Flash Point Paper: Contractor Access: Mitigating Security and Risk Issues