SecurityWeek

Identity & Access

Is Your Identity and Access Management Out of Control?

Is Your Identity and Access Management Out of Control? (Part 1)

The answer depends on which controls you’re referring to.

In part one of this two-part series, we’ll see where you stack up on the question of whether your Identity and Access Management (IAM) is out of control.

If you are a fan of security controls, then you’re in luck, because there are plenty out there to choose from. There are those, such as the SANS Institute, who have attempted to rein in the proliferation of control models and guidelines from various institutes and agencies with their Critical Security Controls.

Ultimately, it is up to each organization to decide for itself, through coordination between the business, IT and auditors, whether the controls in place are adequate. The SANS Critical Security Controls are helpful for security teams, but can prove challenging when trying to hold a conversation between security teams, administrators, auditors and business managers who speak vastly different languages. Further complicating matters is the tendency of security professionals to view IAM as outside of the security domain.

Perhaps we can begin to answer the question of whether our IAM is out of control by agreeing that the lingua franca of security controls is their categorization as preventive, detective or corrective. Organizing controls using this ternary model provides a simpler means of communicating between the various constituents of controls, which is critical to addressing the question at hand.

Defining preventive and detective controls for IAM

Martin Kuppinger, founder and principal analyst at KuppingerCole Analysts, applies this simple ternary model of controls to IAM by explaining their evolution. In Kuppinger’s explanation, IAM has expanded from an original focus on preventive controls, where we manage users and entitlements in target systems, towards detective controls using Access Governance.

The access recertification process in Access Governance can provide a manual level of detecting improper entitlements, but because it carries the temptation of rubber-stamping by business managers and is time-bound (typically performed once annually), it can only be described as an incomplete detective control. User activity monitoring can round out detective IAM controls by recognizing unusual behavior associated with identities in near real-time.

But regardless of the detective control used, the question is how we can reduce the response time to detected anomalies, since they can be a signal of a breach.

The addition of corrective IAM controls

In the model Kuppinger lays out, he contends that the next logical step will be corrective IAM controls.

To be fair, we have manual corrective IAM controls in place already. For example, if a business user leaves a company, but one of her entitlements is missed in the revocation process, then we rely on the access recertification process to catch that, with the corrective control often being a ticket entered to revoke that access.

But what is envisioned with corrective IAM controls is far more automated – and necessary – in light of the growth in threats and the changing landscape of business technology to be more inclusive of partners, contractors and customers, accessing sensitive data in the cloud or via mobile devices. Dependence on manual processes will be insufficient for the speed of response and corrective action necessary to contend with expanding future threats and attack surfaces.
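The following is an added example, not code from the SecurityWeek column, that shows what "closing the loop" between the three control types looks like in practice for the leaver scenario above. It reconciles an authoritative HR feed against the entitlements actually found in target systems (the detective step), flags the user who left but kept two entitlements, an account with no HR record at all, and a separation-of-duties conflict (a preventive policy that was not enforced), and then decides the corrective action for each: automatic revocation where the evidence is unambiguous, or a ticket where a business decision is needed. All user names, system names, roles and dates are constructed sample data, and the auto-revoke/ticket split is an assumed policy, not something the column prescribes.

```python
"""Added example: detective reconciliation of IAM entitlements with corrective follow-up.

All records below are constructed sample data; the systems, roles, HR feed
format and the auto_revoke/ticket policy are hypothetical assumptions.
"""
from dataclasses import dataclass
from datetime import date

# --- constructed sample data --------------------------------------------------
# Authoritative HR feed: who is still employed and when leavers left.
HR_FEED = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2024, 1, 15)},
    "carol": {"status": "active", "end_date": None},
}

# Entitlements as currently found in target systems (the actual state).
ENTITLEMENTS = [
    {"user": "alice", "system": "crm", "role": "sales_rep"},
    {"user": "bob",   "system": "crm", "role": "sales_rep"},       # missed at offboarding
    {"user": "bob",   "system": "vpn", "role": "remote_access"},   # missed at offboarding
    {"user": "carol", "system": "erp", "role": "ap_clerk"},
    {"user": "carol", "system": "erp", "role": "ap_approver"},     # conflicts with ap_clerk
    {"user": "dave",  "system": "erp", "role": "dba"},             # no HR record at all
]

# Preventive policy: role pairs one identity must never hold together (separation of duties).
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"})}


@dataclass
class Finding:
    user: str
    system: str
    role: str
    reason: str
    action: str  # "auto_revoke" (evidence is unambiguous) or "ticket" (needs a business decision)


def detect(hr_feed, entitlements, sod_conflicts, today):
    """Detective control: compare live entitlements against HR truth and SoD policy."""
    findings = []
    for e in entitlements:
        rec = hr_feed.get(e["user"])
        if rec is None:
            findings.append(Finding(e["user"], e["system"], e["role"],
                                    "no HR record (orphaned account)", "auto_revoke"))
        elif rec["status"] == "terminated":
            days = (today - rec["end_date"]).days  # how long the gap has been exposed
            findings.append(Finding(e["user"], e["system"], e["role"],
                                    f"terminated {days} days ago, entitlement still live",
                                    "auto_revoke"))

    # Separation of duties: group the roles each identity holds per system.
    held = {}
    for e in entitlements:
        held.setdefault((e["user"], e["system"]), set()).add(e["role"])
    for (user, system), roles in held.items():
        for pair in sod_conflicts:
            if pair <= roles:
                findings.append(Finding(user, system, "+".join(sorted(pair)),
                                        "separation-of-duties conflict", "ticket"))
    return findings


def correct(findings, entitlements):
    """Corrective control: revoke automatically where safe, ticket the rest."""
    revoke = {(f.user, f.system, f.role) for f in findings if f.action == "auto_revoke"}
    remaining = [e for e in entitlements
                 if (e["user"], e["system"], e["role"]) not in revoke]
    tickets = [f for f in findings if f.action == "ticket"]
    return remaining, tickets


def run_reconciliation(today=date(2024, 3, 1)):
    """Run one detect-then-correct cycle over the constructed data."""
    findings = detect(HR_FEED, ENTITLEMENTS, SOD_CONFLICTS, today)
    remaining, tickets = correct(findings, ENTITLEMENTS)
    return findings, remaining, tickets


if __name__ == "__main__":
    findings, remaining, tickets = run_reconciliation()
    for f in findings:
        print(f"{f.action:12} {f.user:6} {f.system:4} {f.role:22} {f.reason}")
    print(f"{len(remaining)} entitlements remain, {len(tickets)} ticket(s) raised")
```

The point of the split between `auto_revoke` and `ticket` is that a terminated or orphaned account has no legitimate owner to consult, so revocation can run unattended and the exposure window shrinks from "next annual recertification" to the reconciliation interval; the SoD conflict belongs to an active employee, so the automated step is to raise the ticket immediately rather than to guess which role to remove.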

Part two of this series will expand upon the role of process automation in closing the loop between preventive, detective and corrective controls.

Evaluating IAM controls

So how does your organization stack up? Here are some specific questions to consider, organized by our ternary model:

Preventive IAM controls

1. Are least privileges enforced for access to sensitive information?

2. Is separation of duties maintained as appropriate to information security policies?

3. Is there consistent and rapid revocation of entitlements when user changes occur?

Detective IAM controls

1. Is access certification accurately performed on a recurring basis?

2. Is privileged user activity monitored to encourage adherence to policy?

3. Is abnormal user activity flagged for follow-up?

Corrective IAM controls

1. Is access revoked in a timely manner when abuse of privileges or over-credentialing is detected?

2. Is access revocation performed consistently throughout the IT environment?

3. Is the process for the forensic gathering of evidence invoked when abuse of privileges is detected?

These are good starter questions that will likely lead to even more considerations with your business partners and auditors. IAM is sometimes forgotten in the discussion of controls. However, it’s best to have these conversations when planning and evaluating controls, rather than after a breach.

Read Part 2 of this series on process automation for corrective IAM controls.
