Part 1: Mitigating the risk of internal breach

Situation: Threats are commonly internal

Companies spend considerable resources protecting against the threat of data breach – and rightly so. A data breach can result in large fines and, more importantly, a damaged reputation. While companies focus most of their efforts on mitigating the risk of external threats such as hackers or viruses, they often overlook internal breaches, which are more common.

Internal breaches can sprout from a wide array of motivations. Former employees may be unhappy about being let go; current employees may feel overlooked for an opportunity or simply want to impress a new employer by copying intellectual property or contact lists. The added danger of these threats is that they easily go undetected, as no one is looking for them and ex-employees are likely to know their way around the network.

A recent internal breach in 2017 saw the City of Calgary pay out fines of 92.9 million Canadian dollars. The source of this scandal was allegedly an email sent by a city staffer to an employee of another Alberta municipality, sharing the personal and confidential information of 3,716 municipal employees. Leaving your network unprotected leaves you vulnerable to these threats.

Manual process of access management

As a manual process, there are numerous weak points in granting and revoking access. Employees can be full-time, part-time, on-site, off-site, or on contract. Each employee reports to a manager whose job it is to alert IT of the access needed and at what level (read, write, edit, admin). IT then issues these permissions and user accounts in each related system, application or file share. Because this chain is time-consuming, managers often request excess access up front to avoid the hassle of requesting additional access later. This leaves employees with access they should not have.

Managers are also responsible for notifying IT when an employee is terminated or off-boarded so that their access can be revoked. If this is not done immediately, employees may retain access to sensitive information after their employment ends, and this is a primary cause of internal breach. Access rights sprawling across systems in this way lack transparency and leave lots of room for human error.

So, what is the solution?

With one of the biggest threats to data security sitting right under organizations' noses, how can access management become both efficient and protective against the threat of internal breach? The level of security you employ will typically depend on the sensitivity of the data being protected and the compliance pressures in your industry. There are, however, some universal steps that any organization can take that not only mitigate breach but also make the whole process more efficient and cost-effective than a manual approach.

A great place to start is automated provisioning and access governance. While these tools used to be expensive and accessible only to enterprise-level organizations, competition in the industry and advancements in technology have made them affordable for organizations of any size. These solutions provide a centralized and transparent access process.

User Provisioning

Let's look at access in a chronological sense, starting with onboarding. Solutions such as Identity & Access Manager (IAM) create a connection between the HR system and the user accounts in the network (Active Directory, for example) to automate the entire process of intake, progression and outflow. The changes are implemented quickly, faultlessly and efficiently. The HR system tracks the personal details of employees, such as their name and address, employment start and end dates, department, position and cost center. IAM synchronizes user account information automatically between the HR system and the network. If changes are made in the HR system, they are detected by IAM and automatically updated and implemented across the network. Through the IAM dashboard, you can centrally grant and revoke access within the network.

Access Governance

With Access Governance, IAM can determine, on a per-user basis, what access rights a user should have. Based on the employee's role, an authorization matrix determines the resources the employee may access: for example, the ability to perform certain transactions, access to a system, or access to specific physical locations. Access rights are recorded in a single, centrally manageable model and are issued, changed and withdrawn through that model. This type of Role Based Access Control (RBAC) allows managers to oversee and document exactly who has access to what and to monitor any changes being made. Managers can also generate an overview of each user's activity and fully report on it using IAM Access Governance. The system automatically logs which employee performed a particular management activity, as well as the time it occurred.

Workflow Management and Self-service

We have now completed the first step of secure and efficient on-boarding with no user having excess access. Now, let's ensure that access can be maintained appropriately throughout their employee lifecycle.

With Workflow Management and Self-Service, employees and managers can request, check and approve resources without any IT intervention. For example, an employee may request access to an application, a share, or to view reports. The approval process is part of a structured workflow within IAM. The manager authorizes the request and, with our IAM software, it is implemented immediately in the network. It's that easy. No more back and forth with IT, so employees get the access they require and move forward with the tasks at hand. With IAM, it's possible not only to grant and revoke user account access but also to handle a variety of other service provisioning processes, including requesting physical access to a work area, applying for a smartphone, or submitting a helpdesk ticket.

User De-Provisioning

The final stage of the user lifecycle is termination. De-provisioning should be your number one priority, as an ex-employee is more likely to use access maliciously. Just as with onboarding, by synchronizing with the HR system IAM can detect an employee's termination date and immediately disable the network account. IAM does this instantly in all systems and applications that are centrally connected. If for some reason an employee leaves before the recorded end date, ensure your policies include alerting IT or the systems administrator, who can revoke all access with one click on the IAM dashboard. The transparency provided by IAM mitigates access pollution, so you can clearly see when all access has been removed.
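To make the onboarding, role-change and termination flow described in these sections concrete, here is an added example (not code from this blog or from the IAM product it describes). It models an HR export, a directory of accounts and an authorization matrix as hypothetical in-memory structures, runs a joiner/mover/leaver synchronization that derives every account's entitlements from its role, disables leavers and orphan accounts, writes an audit trail for each change, and reports any "access pollution" (entitlements held beyond what the matrix allows). All record names, roles and entitlement strings are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed authorization matrix: role -> entitlements that role is allowed.
AUTHORIZATION_MATRIX = {
    "finance-analyst": {"erp:read", "reports:view", "share:finance"},
    "finance-manager": {"erp:read", "erp:approve", "reports:view", "share:finance"},
    "sales-rep": {"crm:read", "crm:write", "share:sales"},
}


@dataclass
class HrRecord:
    """One row of the (hypothetical) HR export driving the sync."""
    employee_id: str
    role: str
    start: date
    end: Optional[date] = None  # None: no termination date recorded


@dataclass
class Account:
    """A directory account as the (hypothetical) connector sees it."""
    employee_id: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)


def _log(audit, today, employee_id, action, actor="hr-sync"):
    """Audit entry: who made the change, when, on whom, and what changed."""
    audit.append({"date": today, "actor": actor, "subject": employee_id, "action": action})


def _deprovision(acct, today, audit, reason):
    """Disable the account and strip every entitlement in one step."""
    if not acct.enabled and not acct.entitlements:
        return  # already clean; keep the audit trail free of noise
    for ent in sorted(acct.entitlements):
        _log(audit, today, acct.employee_id, f"revoke {ent} ({reason})")
    acct.entitlements.clear()
    acct.enabled = False
    _log(audit, today, acct.employee_id, f"disable ({reason})")


def synchronize(hr_records, directory, today, audit):
    """One joiner/mover/leaver run. An employee whose HR record is active today
    ends up with exactly the matrix entitlements for their role; anyone whose
    end date has passed, or who has no HR record at all, is disabled."""
    seen = set()
    for rec in hr_records:
        seen.add(rec.employee_id)
        active = rec.start <= today and (rec.end is None or today < rec.end)
        acct = directory.get(rec.employee_id)
        if acct is None:
            if not active:
                continue  # nothing to create for a future starter or a leaver
            acct = directory[rec.employee_id] = Account(rec.employee_id)
            _log(audit, today, rec.employee_id, "create")
        if not active:
            _deprovision(acct, today, audit, "hr end date reached")
            continue
        if not acct.enabled:
            acct.enabled = True
            _log(audit, today, rec.employee_id, "enable")
        desired = AUTHORIZATION_MATRIX.get(rec.role, set())
        for ent in sorted(desired - acct.entitlements):  # mover gains
            acct.entitlements.add(ent)
            _log(audit, today, rec.employee_id, f"grant {ent} (role {rec.role})")
        for ent in sorted(acct.entitlements - desired):  # mover loses
            acct.entitlements.discard(ent)
            _log(audit, today, rec.employee_id, f"revoke {ent} (not in role {rec.role})")
    for emp_id, acct in directory.items():  # orphans: accounts with no HR record
        if emp_id not in seen:
            _deprovision(acct, today, audit, "no HR record")
    return directory


def excess_access(directory, hr_records):
    """Entitlements held beyond what the matrix allows for the holder's current
    role; orphan accounts have no role, so anything they hold is excess."""
    role_of = {r.employee_id: r.role for r in hr_records}
    report = {}
    for emp_id, acct in directory.items():
        allowed = AUTHORIZATION_MATRIX.get(role_of.get(emp_id), set())
        extra = sorted(acct.entitlements - allowed)
        if extra:
            report[emp_id] = extra
    return report


if __name__ == "__main__":
    hr = [  # constructed HR export
        HrRecord("e100", "finance-analyst", date(2024, 1, 8)),
        HrRecord("e200", "sales-rep", date(2024, 1, 1), end=date(2024, 3, 15)),
    ]
    directory = {"e999": Account("e999", entitlements={"share:finance"})}  # stale account
    audit = []
    synchronize(hr, directory, date(2024, 2, 1), audit)   # joiners; e999 is an orphan
    hr[0].role = "finance-manager"                          # mover
    synchronize(hr, directory, date(2024, 3, 1), audit)
    synchronize(hr, directory, date(2024, 3, 15), audit)   # leaver e200
    for entry in audit:
        print(entry["date"], entry["actor"], entry["subject"], entry["action"])
```

The design choice worth noting is that the matrix is the only source of entitlements: the sync does not merely add what a role needs, it also removes whatever the role does not cover, so a manager who once asked for "extra, just in case" access sees it revoked on the next run, and `excess_access` shows exactly which accounts still diverge between runs.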

In today's competitive business landscape, a breach scandal can be all that's needed to sink an organization. It's important to protect not only against the external threat of breach, but also against the more common internal threats that are often overlooked.

IAM replaces copy-user shortcuts, spreadsheets, user templates, and other manual, imperfect and error-prone access management practices. It ensures that employees maintain the correct authorizations for their roles. It also relieves the helpdesk and IT of mundane and repetitive provisioning tasks, allowing them to focus on other projects. IAM streamlines access management, offering efficiencies that usually result in a positive ROI within the first year of implementation. The transparency and access trail it provides can also relieve worries about compliance and auditing on polluted file systems.

In part 2 of this blog series, I will outline steps to further secure against internal threat in terms of a cloud IT environment.
