Situation: Threats are commonly internal
Companies spend considerable resources protecting against the threat of data breach – and rightly so. A data breach can result in large fines and, more importantly, a damaged reputation. While companies focus most of their efforts on mitigating the risk of external threats such as hackers or viruses, they often overlook internal breaches, which are more common.
Internal breaches can sprout from a wide array of motivations. Former employees may be unhappy about being let go; current employees may feel overlooked for an opportunity or simply want to impress a new employer by copying intellectual property or contact lists. The added danger to these threats is that they easily go undetected, as no one is looking for them and ex-employees are likely to know their way around the network.
A recent internal breach in 2017 saw the City of Calgary's payout fines of 92.9 million Canadian dollars. The source of this scandal was allegedly an email sent by a city staffer to an employee of another Alberta municipality, sharing the personal and confidential information of 3,716 municipal employees. Leaving your network unprotected can leave you vulnerable to these threats.
Manual process of access management:
As a manual process, there numerous weak points in the process of granting and revoking access. Employees can range from full-time, part-time, on-site, off-site, contract employees etc. Each employee reports to a manager whose job it is to alert IT of the access needed and at what level (read, write, edit, admin). IT then issues these permissions and user accounts in each related system/app/file share. Due to the time-consuming nature of this chain, it's often the case that managers request excess access in order to avoid the stress of getting additional access in the future. This leaves employees with access that they should not have.
Managers are responsible for notifying IT when an employee is terminated or off-boarded so that their access can be revoked. If this is not done immediately, employees may retain access to sensitive information after their term of employment and this is a primary cause of internal breach. These vast access rights lack the transparency and leave lots of room for human error.
So, what is the solution?
With one of the biggest threats to data security right under the noses of organizations, how can access become both efficient and ensure protection against the threat of internal breach? The level of security you employ would typically depend on the sensitivity of the data being protected and the compliance pressures within said industry. There are some universal steps that can be taken in any and all organizations that not only mitigate breach, but also make the whole process more efficient and cost effective than when approached manually.
A great place to start is automated provisioning and access governance. While these tools used to be expensive and accessible only by enterprise level organizations, competition in the industry and advancements in technology have made them affordable for any size organization. These solutions provide a centralized and transparent access process.
Let's look at access in a chronological sense, starting with onboarding. Solutions such as Identity & Access Manager (IAM) create a connection between the HR system and the user accounts in the network (Active Directory, for example) to automate the entire process for intake, progression, and outflow. The changes are implemented quickly, faultlessly and efficiently. The HR system will track the personal details of employees, such as their name and address, employment start/end dates, department, position and cost center. IAM will synchronize user account information automatically between the HR system and the network. If changes are made in the HR system, they are detected by IAM and automatically updated/implemented across the network. Through the IAM dashboard, you can centrally grant and revoke access within the network.
With Access Governance, IAM can determine, on a per user basis what access rights a user should have. Based on the employee's role, an authorization matrix is used to determine the resources to which the employee has access. As an example, being able to perform certain transactions, access to a system, or access to specific physical locations. Access rights are recorded in a universally-manageable model and are then issued, changed, and withdrawn through this model. This type of Role Based Access Control (RBAC) allows managers to oversee and document exactly who has access to what and monitor any changes being made. Managers can also generate an overview of each user's activity and fully report on it using IAM Access Governance. The system automatically logs which employee performed a particular management activity, as well as the time it occurred.
Workflow Management and Self-service
We have now completed the first step of secure and efficient on-boarding with no user having excess access. Now, let's ensure that access can be maintained appropriately throughout their employee lifecycle.
With Workflow Management and Self-Service, employees and managers can request, check, and approve resources without any IT intervention. For example, an employee may request access to an application, a share, or to view reports. The approval process is part of a structured workflow within IAM. The manager can authorize the request and with our IAM software, it can be implemented immediately in the network. It's that easy. No more back and forth with IT, so employees can get the access they require and move forward with the tasks at hand. With IAM, it's possible not only to grant and revoke user account access, but also to a variety of other service provisioning processes including: requesting physical access to a work area, applying for a smartphone, or submitting a helpdesk ticket.
The final stage of the user lifecycle is termination. De-provisioning should be your number one priority, as an ex-employee is more likely to use access maliciously. Just as with onboarding, synchronizing with the HR system, IAM can detect an employee's termination date and immediately disable the network account. IAM does this instantly in all systems and applications that are centrally connected. If for some reason an employee leaves early, ensure your policies include alerting IT or the Systems Administrator who can revoke all access with just one click on the IAM dashboard. The transparency provided by IAM mitigates access pollution so you can clearly see when all access is removed.
In today's competitive business landscape, a breach scandal can be all that's needed to sink an organization. It's important to protect not only against the external threat of breach, but also the more common internal threats that are often overlooked.
IAM replaces the copy-user, spreadsheets, user templates, and other types of manual, imperfect and error-prone access management practices. It ensures that employees maintain the correct authorizations appropriate to their roles. It also relieves the helpdesk and IT from mundane and repetitive provisioning tasks, allowing them to focus on other projects. IAM streamlines access management offering efficiencies that usually result in a positive ROI within the first year of implementation. The transparency and access trail offered can also relieve worries of compliance and auditing on polluted file systems.
In part 2 of this blog series, I will outline steps to further secure against internal threat in terms of a cloud IT environment.