IT Compliance Lessons from College Football Recruiting, Part 2

Success in American college football requires a continuous recruiting process that demands continuous compliance oversight.

Success in American college football requires a continuous recruiting process that demands continuous compliance oversight. The difference between IT departments that tend to focus on compliance once or twice a year, and the lifestyle of compliance that college athletics departments instill is covered in part 1 of this series.

From an Identity and Access Management (IAM) perspective, the critical IT compliance control is the access certification process. Once or twice a year, business managers must review their employees’ entitlements and certify that the access is necessary, as a measure to enforce the least privilege principle. Everyone hates doing it.

This part 2 focuses on how to take access certifications from a point-in-time, bureaucratic process, to one that actually reduces risk and is less burdensome for business users.


The turnovers: Two ways access certifications go wrong

Just like fumbles and interceptions derail a playbook plan, there are two ways that access certifications today are insufficient.

Imagine handing a football coach a clipboard with the names of all the team members in rows, a list of equipment they use in columns, and requiring an approval in each block. Most coaches would probably hand the task off to an assistant, who would mindlessly check each block and be done with it.

An ambitious assistant might create a giant rubber stamp with check marks to reduce the inevitable hand cramping when the process comes around again six months later. And that time gap leaves oversize open windows of time for criminals to exploit.

The problems of giant rubber stamps and oversize open windows of time are the tragic flaws in today’s access certification regimes. It’s like trying to play football without offensive guards on the line – your opponent is going to exploit the gaps.


The playbook of the future has to include more context and become more adaptive to the constantly-changing conditions, just like a well-coached team.

The game film: Tackling the challenge of context

Football teams watch game film to provide context for what they will see on the field. For access certifications, context must address two concerns – making it easier for business managers, and more consequential to security. That context must be based on risk scoring.

Risk scoring comes from a number of sources of information, for example:

• The sensitivity of the information that a user has entitlements to

• The time between access attempts

• The combination of entitlements that a user has

Risk-scoring algorithms have been used for decades to identify financial fraud, such as credit card theft. The approach has similar goals – don’t unnecessarily block legitimate cardholders from using their cards, and reduce the loss from stolen cards.

In the world of IT compliance, risk scoring can be used to elevate the highest risk users and entitlements to the top of the list for more extensive review. Business managers can focus there, reducing their workload and simultaneously reducing risk, addressing the rubber-stamping problem.
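The ranking step described above, as an added example that is not from the article: a small Python scorer over constructed entitlement rows that combines the three signals listed (data sensitivity, time since last use, and entitlement combinations) and puts the highest-risk users at the top of the reviewer’s list. The separation-of-duties pairs, weights and 90-day dormancy threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample entitlement data (not from the article): one row per
# user/entitlement pair, as an IAM system might export for a campaign.
ENTITLEMENTS = [
    # user,   entitlement,       sensitivity (1-5), days since last use
    ("alice", "crm_read",        1, 3),
    ("alice", "payroll_admin",   5, 120),
    ("bob",   "vendor_create",   3, 10),
    ("bob",   "payment_approve", 4, 12),
    ("carol", "wiki_edit",       1, 1),
]

# Hypothetical separation-of-duties pairs: holding both is a risky combination.
TOXIC_COMBINATIONS = {frozenset({"vendor_create", "payment_approve"})}
STALE_DAYS = 90  # assumption: unused for 90+ days counts as dormant access


@dataclass
class Finding:
    user: str
    score: int
    reasons: list


def score_user(user, rows):
    """Combine the three signals into one risk score and a list of reasons."""
    score, reasons = 0, []
    held = {ent for _, ent, _, _ in rows}
    for _, ent, sensitivity, days_idle in rows:
        score += sensitivity                      # sensitivity of the data
        if days_idle >= STALE_DAYS:               # time since last access
            score += 3
            reasons.append(f"{ent} unused for {days_idle} days")
        if sensitivity >= 4:
            reasons.append(f"{ent} is highly sensitive")
    for combo in TOXIC_COMBINATIONS:              # combination of entitlements
        if combo <= held:
            score += 5
            reasons.append("toxic combination: " + " + ".join(sorted(combo)))
    return Finding(user, score, reasons)


def rank_for_certification(entitlements=ENTITLEMENTS):
    """Return users ordered highest-risk first, so reviewers start there."""
    by_user = defaultdict(list)
    for row in entitlements:
        by_user[row[0]].append(row)
    findings = [score_user(u, rows) for u, rows in by_user.items()]
    return sorted(findings, key=lambda f: f.score, reverse=True)
```

Reviewers see the reasons alongside the score, so the top of the list is a short, explained set of decisions rather than a grid of boxes to stamp.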

The sky box: Observing your opponent’s activities

Most offensive coordinators call plays from a suite high in a stadium, where they can see what their opponent is doing and adapt plays accordingly. Both teams constantly change what they’re doing to gain an advantage. But imagine if the coordinators only looked in once or twice a game.

For access certifications, looking in once or twice a year is what passes for acceptable. And for good reason – business managers have far better things to do. What is needed is a way to automate the activity monitoring and escalate the high-risk activities for an immediate certification.

Specific risk triggers could include:

• Time of day

• Location of access

• Multiple access attempts from multiple locations

• Accessing multiple sensitive files simultaneously

Again, the fraud industry uses similar approaches, and we see adaptive authentication techniques used for step-up authentication when a user logs in from an unknown workstation, for example. Why not have immediate adaptive certifications when the risk level justifies it, to address the oversize time windows?
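The activity monitoring described in this section, as an added example that is not from the article: a Python function that runs the four listed triggers (time of day, access location, multiple locations in a short window, several sensitive files at once) over a constructed access log and returns the users who should be escalated for an immediate certification. The business hours, known locations, 15-minute window and burst threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed access log (not from the article):
# (user, timestamp, location, resource, resource is sensitive?)
EVENTS = [
    ("dave", "2024-03-04T09:15:00", "HQ",     "report_q1.xlsx",    False),
    ("dave", "2024-03-04T09:40:00", "HQ",     "report_q2.xlsx",    False),
    ("erin", "2024-03-04T02:10:00", "HQ",     "payroll.db",        True),
    ("erin", "2024-03-04T02:12:00", "remote", "ssn_export.csv",    True),
    ("erin", "2024-03-04T02:13:00", "remote", "bank_accounts.csv", True),
]

KNOWN_LOCATIONS = {"HQ", "branch"}   # assumption: expected access locations
BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 is normal
WINDOW = timedelta(minutes=15)       # assumption: "simultaneous" = within 15 min
SENSITIVE_BURST = 2                  # assumption: 2+ sensitive files per window


def triggers_for(events=EVENTS):
    """Apply the four triggers; return {user: sorted trigger names} for hits."""
    by_user = {}
    for user, ts, loc, res, sensitive in events:
        by_user.setdefault(user, []).append(
            (datetime.fromisoformat(ts), loc, res, sensitive))
    escalations = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological, so rows[i:] is the look-ahead window
        hits = set()
        for i, (t, loc, res, sensitive) in enumerate(rows):
            if t.hour not in BUSINESS_HOURS:           # time of day
                hits.add("off_hours")
            if loc not in KNOWN_LOCATIONS:             # location of access
                hits.add("unknown_location")
            recent = [r for r in rows[i:] if r[0] - t <= WINDOW]
            if len({r[1] for r in recent}) > 1:        # multiple locations
                hits.add("multiple_locations")
            if sum(1 for r in recent if r[3]) >= SENSITIVE_BURST:
                hits.add("sensitive_burst")            # several sensitive files
        if hits:
            escalations[user] = sorted(hits)
    return escalations
```

Each escalated user carries the triggers that fired, so the manager’s immediate certification request can state why it arrived now instead of at the next scheduled campaign.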

Two-point conversion: Risk scoring is at the core of solving both challenges

The good news is that both the rubber stamping and oversize time windows can be addressed with risk scoring. Using the context of fraud detection to provide risk scoring in access certification is where the next generation of access governance must evolve. That’s like lining up for an extra point and getting two points on the conversion.
