Identity & Access

Stop Blaming Users and Get Serious About Your IAM Practices

My name is Preston Hogue, and I’m a user.

(And so are you.)

As the world continues to transform itself digitally, we users are constantly working with new technologies. We’re also using more technologies at once, in more places. Sometimes even before our first cup of coffee.

All of this ultimately leaves us more susceptible to making costly mistakes. Technology has proven over and over again that it evolves much more quickly than users’ ability to adjust. As a result, opportunities for error increase regularly and exponentially.

Today if a hacker knows someone’s email address or password, there’s a chance they can get into a bank account, an insurance account, LinkedIn, Salesforce, everything. And hackers have grown so sophisticated in their phishing attacks that even the most knowledgeable users — the very CISOs and security professionals who may be reading this article — can be duped into taking the bait.

So how is it that we can expect a higher level of sophistication from other users? Why do we continue to pin accountability for high-profile attacks on the user, when the security community hasn’t shifted its focus to where the risks are?

Responsibility must lie on the security community to understand the risks this ever-evolving landscape imposes on users, and to mitigate those risks by building more intelligent systems. We have to realize the promise of identity and access management (IAM), and become as comfortable protecting identities as we are protecting the network.

These days the app is the new perimeter, and identity is the key to that perimeter. But real IAM goes well beyond identity. CISOs need to be thinking about directory stores and policy engines that correlate each user with the information they’re accessing.

We’re seeing this kind of approach with some cloud access security brokers who are escalating authentication protocols based on the sensitivity of fields in an app. A user may log on with 98 percent access, but as soon as they touch a field with sensitive data behind it, the solution invokes multifactor authentication.

This allows the organization to get much more granular about who can access what. It’s a good example of implementing controls to compensate for the fact that, with cloud computing, users can access high-impact business data from anywhere in the world.
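The pattern described in the two paragraphs above, a directory store plus a policy engine that steps a session up to multifactor authentication the moment a request touches a sensitive field, can be sketched in a few dozen lines. The following is an added example, not code from the column or from any cloud access security broker product; the user directory, the field classifications, the role names and the `second_factor_ok` flag standing in for a real MFA verifier are all constructed for illustration.

```python
"""Step-up authentication policy engine (constructed example).

A user authenticates at a baseline assurance level. A policy engine,
consulting a directory store for the user's roles, denies or allows
each field read and asks the broker to invoke MFA when a field is
classified as requiring it. All names and data here are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication assurance levels, lowest to highest."""
    PASSWORD = 1  # single factor
    MFA = 2       # password plus a verified second factor


@dataclass
class Session:
    user: str
    assurance: Assurance = Assurance.PASSWORD
    # Audit trail of step-up events; useful input for detection.
    step_ups: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up_required: bool = False


# Constructed directory store: user -> attributes (here only roles).
DIRECTORY = {
    "alice": {"roles": {"sales"}},
    "bob": {"roles": {"sales", "finance"}},
}

# Constructed classification of one app's fields: which roles may read
# the field and which assurance level the session must hold to do so.
FIELD_POLICY = {
    "customer.name":        {"roles": {"sales", "finance"}, "assurance": Assurance.PASSWORD},
    "customer.email":       {"roles": {"sales", "finance"}, "assurance": Assurance.PASSWORD},
    "customer.ssn":         {"roles": {"finance"},          "assurance": Assurance.MFA},
    "customer.card_number": {"roles": {"finance"},          "assurance": Assurance.MFA},
}


def evaluate(session: Session, field_name: str) -> Decision:
    """Policy engine: may this session read field_name right now?

    Check order matters: an unclassified field is denied (fail closed),
    then role authorization, then assurance. step_up_required=True tells
    the broker to prompt for MFA instead of denying outright.
    """
    policy = FIELD_POLICY.get(field_name)
    if policy is None:
        return Decision(False, f"no classification for {field_name}; fail closed")

    user = DIRECTORY.get(session.user)
    if user is None:
        return Decision(False, f"unknown user {session.user}")

    if not user["roles"] & policy["roles"]:
        return Decision(False, f"{session.user} lacks a role permitted on {field_name}")

    if session.assurance < policy["assurance"]:
        return Decision(False, f"{field_name} requires {policy['assurance'].name}",
                        step_up_required=True)

    return Decision(True, "allowed")


def complete_step_up(session: Session, second_factor_ok: bool, field_name: str) -> Session:
    """Raise the session's assurance after a verified second factor.

    second_factor_ok is a stand-in for the result of a real MFA verifier
    (TOTP, push, hardware key), which is out of scope for this example.
    """
    if second_factor_ok:
        session.assurance = Assurance.MFA
        session.step_ups.append(field_name)
    return session


def read_field(session: Session, field_name: str, second_factor_ok: bool = False) -> Decision:
    """Broker flow: evaluate, prompt for step-up if required, re-evaluate."""
    decision = evaluate(session, field_name)
    if decision.step_up_required:
        complete_step_up(session, second_factor_ok, field_name)
        decision = evaluate(session, field_name)
    return decision


if __name__ == "__main__":
    bob = Session("bob")
    print(read_field(bob, "customer.name"))                          # allowed at PASSWORD
    print(read_field(bob, "customer.ssn"))                           # denied, step-up required
    print(read_field(bob, "customer.ssn", second_factor_ok=True))    # allowed after MFA
    print(read_field(Session("alice"), "customer.ssn", second_factor_ok=True))  # denied: role
```

Two design choices carry the column's point. Authorization is decided per field rather than per login, so a session that was fine for the customer's name is re-evaluated when it reaches the SSN; and the role check runs before the assurance check, so a second factor never upgrades someone into data their role does not permit. The `step_ups` list is the kind of per-user record an IAM team would feed to detection: a burst of step-ups across many sensitive fields from one session is worth a look.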

Another example is the type of malware protection being offered by modern endpoint protection platforms. The industry has long understood that much of the malware being thrown at users requires root/admin access, and today we know that root access gives malware authors more control over an infected device. By blocking root access to apps that lack preauthorization from the IT department, these types of solutions significantly reduce the risks involved with user mistakes.

And ultimately that’s what this shift is all about — mitigating that risk. The community has been focused on securing data, but the root cause of data breaches is often the risk associated with IAM.

None of this is to say that user awareness isn’t important. Everyone in the organization is still on the hook for their annual security training, and training should also be offered any time a new technology or access point is introduced.

But if we accept that even the most sophisticated users make mistakes, then the focus becomes mitigating the risk involved with those mistakes, and implementing appropriate controls based on the value of the data and the application.

Here the onus isn’t on users. It’s on the IT security organization. Each time new tech functionality is introduced, IT is responsible for understanding whether that functionality will introduce new risk. We need to stop the cycle of continuing to give users new functionality and new forms of access and then just blaming them whenever something goes wrong.

Given the increasing complexity of today’s technology landscape, security is unmanageable without this shift in approach. Taking a deeper look at IAM is becoming the critical piece in protecting the keys to the network perimeter, so that if and when a user does lose one, the gateway stays locked.

Related: Researchers Devise Hopeful Defense Against Credential Spear Phishing Attacks
