
Is Your Identity and Access Management Out of Control? (Part 2)

Today’s attackers are far more sophisticated than they were a decade ago. While some continue to use brute-force methods, many have shifted to hijacking insider credentials as a preferred method of breach. Security controls must include identity and access management (IAM) disciplines, as IT perimeters today are shifting towards access controls rather than relying solely on the perimeter technologies of the past.

In part one of this two-part series, we looked at the classification of IAM controls as either preventive, detective or corrective and provided specific self-evaluation questions for each. Here in part two, we will look more closely at the role of process automation for corrective IAM controls, as this is the least-mature component.

Process automation

How process automation can help

Automation is best applied to a process that has repeatable steps, where it allows faster response and greater efficiency. Building automation has a cost, and the return on that cost must be considered first.

Process automation needs at least three components: a trigger, a diagnosis, and an action or actions. Each of these can be automated if there is sufficient repeatability.

In the case of corrective IAM controls, the process trigger can come from the access recertification process or from user activity monitoring. For example, if a user demonstrates abnormal behavior by suddenly downloading large sensitive data files, most organizations would want that to trigger an automated response that restricts the user’s access or, at least, alerts a security team. Complicating matters, false alarms will also trigger the process, and this needs to be accounted for. Including a manual step at the end of the diagnosis component can help.

Not every part of a process can, or should, be automated. For this reason, it is often advantageous to have a “man in the loop” to make decisions and keep automation from running amok. Automating a bad process just makes things bad faster. But the machine-repeatable parts of a process can take on the heavy lifting of gathering supporting data so that a better-informed diagnosis of the situation can be made.

Done correctly, process automation can be used for triggering and diagnosing, with corrective actions presented as a menu of options for overworked security teams. Once a manual selection is made, the actions can then be automatically implemented. Full automation that skips manual diagnosis and goes right to temporary corrective actions should also be considered for the highest risk scenarios involving the most sensitive data. A rollback option can be used in this case if the situation is determined to be a false alarm.


Corrective actions in the context of IAM usually mean revoking access, but not the identity in question. You will want to maintain a record of the identity for forensic work, which can also be automated once the immediate risk has been addressed. This forensic work includes reviewing logs for other activities of the identity to determine whether there is any additional damage.
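The trigger, diagnosis and action loop described above, as an added example that is not from the article: the trigger counts sensitive-file downloads per user, the diagnosis gathers supporting data for a human decision, the highest-risk data class skips the manual step and goes straight to a temporary revocation with a rollback, and the identity and its audit record are kept when access is revoked. The threshold, the data classification names and the user names are assumptions.

```python
from dataclasses import dataclass, field

DOWNLOAD_THRESHOLD = 3           # assumed: sensitive downloads per window that count as abnormal
HIGHEST_RISK = "restricted"      # assumed: data class that goes straight to temporary revocation

@dataclass
class Identity:
    user: str
    entitlements: set
    revoked: set = field(default_factory=set)     # what rollback would restore
    audit: list = field(default_factory=list)     # identity record kept for forensics

def trigger(events, threshold=DOWNLOAD_THRESHOLD):
    """Trigger: users whose sensitive-file downloads reach the threshold."""
    counts = {}
    for e in events:
        if e["action"] == "download" and e["sensitive"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u for u, n in counts.items() if n >= threshold}

def diagnose(user, events):
    """Diagnosis: gather the supporting data a human or a policy needs to decide."""
    mine = [e for e in events if e["user"] == user and e["sensitive"]]
    return {"user": user, "downloads": len(mine), "classes": {e["classification"] for e in mine}}

def revoke_access(identity):
    """Action: revoke access, but keep the identity and its audit trail."""
    identity.revoked, identity.entitlements = set(identity.entitlements), set()
    identity.audit.append("access revoked")

def rollback(identity):
    """Undo a temporary revocation once it is judged a false alarm."""
    identity.entitlements, identity.revoked = set(identity.revoked), set()
    identity.audit.append("rollback")

def run(events, identities, decide):
    """Trigger -> diagnose -> act; decide(diag) is the human choice, highest-risk data skips it."""
    outcomes = {}
    for user in sorted(trigger(events)):
        diag = diagnose(user, events)
        choice = "revoke" if HIGHEST_RISK in diag["classes"] else decide(diag)
        if choice == "revoke":
            revoke_access(identities[user])
        outcomes[user] = choice
    return outcomes

# Constructed sample activity events and identities (not real log data).
def ev(user, cls, sensitive=True):
    return {"user": user, "action": "download", "sensitive": sensitive, "classification": cls}
EVENTS = [ev("alice", "confidential")] * 3 + [ev("bob", "restricted")] * 3 + [ev("carol", "public", False)]
IDENTITIES = {u: Identity(u, {"fileshare", "crm"}) for u in ("alice", "bob", "carol")}
```

With these inputs, `run(EVENTS, IDENTITIES, decide)` presents alice's case to the `decide` callback, revokes bob's access automatically because he touched restricted data, and leaves carol untouched; `rollback` restores bob if the alarm turns out to be false.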

The technology challenges

The technology to accomplish this is partially available in today’s IAM platforms, which are capable of automated workflow execution and have sufficient integration with enterprise systems and applications to revoke access when necessary. This can serve both the preventive and corrective roles. The detective role is provided by Access Governance and User Activity Monitoring technologies.

Once these foundational technologies are in place, the next challenge is to define the process triggers, diagnoses and actions. Automating these processes may require an IT Process Automation (ITPA) platform that integrates with and can command the other tools, and that has the granularity to define steps as either manual or automated.

The ITPA platform must also be robust enough to handle the volume of events that are potential triggers. If User Activity Monitoring is SIEM-based, then the ITPA platform must be capable of making trigger decisions faster than the events per second (EPS) throughput of the SIEM tool.

Completing the full circle of IAM controls

As I’ve written previously, today’s biggest security gap is identity. Security controls need to include IAM controls as part of the program. Preventive IAM controls are the most mature component today, while organizations are just beginning to add detective IAM controls with Access Governance and User Activity Monitoring. Corrective controls in IAM complete the circle, as the corrective action of revoking access becomes the new preventive control. This closed-loop system is worth investigating for funding, as it has the potential to significantly reduce the risks presented by today’s threats.
