SecurityWeek

Identity & Access

Stop Blaming Users and Get Serious About Your IAM Practices

My name is Preston Hogue, and I’m a user.

(And so are you.)


As the world continues to transform itself digitally, we users are constantly working with new technologies. We’re also using more technologies at once, in more places. Sometimes even before our first cup of coffee.

All of this ultimately leaves us more susceptible to making costly mistakes. Technology has proven over and over again that it evolves much more quickly than users' ability to adjust. As a result, every new tool, integration and access path adds another opportunity for error, and those opportunities keep multiplying.

Today if an attacker obtains someone's email address and password, there's a chance that because the same credentials are reused, they can get into a bank account, an insurance account, LinkedIn, Salesforce, everything. And attackers have grown so sophisticated in their phishing that even the most knowledgeable users — the very CISOs and security professionals who may be reading this article — can be duped into taking the bait.

So how is it that we can expect a higher level of sophistication from other users? Why do we continue to pin accountability for high-profile attacks on the user, when the security community hasn’t shifted its focus to where the risks are?

Responsibility must lie on the security community to understand the risks this ever-evolving landscape imposes on users, and to mitigate those risks by building more intelligent systems. We have to realize the promise of identity and access management (IAM), and become as comfortable protecting identities as we are protecting the network.

These days the app is the new perimeter, and identity is the key to that perimeter. But real IAM goes well beyond identity. CISOs need to be thinking about directory stores and policy engines that correlate to each user and the information they’re accessing.

We're seeing this kind of approach with some cloud access security brokers that step up authentication based on the sensitivity of fields in an app. A user logs on once with a password and can reach almost everything in the application, but as soon as they touch a field with sensitive data behind it, the solution invokes multifactor authentication before the data is released.

This allows the organization to get much more granular about who can access what. It’s a good example of implementing controls to compensate for the fact that, with cloud computing, users can access high-impact business data from anywhere in the world.
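The policy-engine behaviour described above, as an added example that is not code from the article or from any CASB product: a session carries the authentication level it reached, a per-field policy (constructed here for an imaginary CRM) states which directory group may read each field and whether a second factor is required, and the engine returns either an allow, a hard deny, or a step-up request. The directory, the field catalogue, the ten-minute MFA freshness window and the field names are all assumptions made for this example.

```python
import time
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    PASSWORD = 1  # single factor
    MFA = 2       # password plus a second factor


MFA_MAX_AGE_SECONDS = 600  # assumption: a completed step-up is trusted for 10 minutes

# Assumed directory store (user -> groups), constructed for this example.
DIRECTORY = {
    "alice": {"sales"},
    "bob": {"sales", "finance"},
}

# Assumed per-field policy: (group allowed to read the field, auth level required).
# The article only says "sensitivity of fields in an app"; these labels are invented.
FIELD_POLICY = {
    "contact.name": ("sales", AuthLevel.PASSWORD),
    "contact.email": ("sales", AuthLevel.PASSWORD),
    "contact.ssn": ("sales", AuthLevel.MFA),
    "contract.bank_account": ("finance", AuthLevel.MFA),
}


@dataclass
class Session:
    user: str
    auth_level: AuthLevel
    mfa_at: Optional[float] = None  # epoch seconds of the last completed MFA


@dataclass
class Decision:
    allow: bool
    step_up: bool  # True: deny for now, prompt for MFA, then re-evaluate
    reason: str


def evaluate(session: Session, field_name: str, now: float) -> Decision:
    """Decide whether `session` may read `field_name` at time `now`."""
    policy = FIELD_POLICY.get(field_name)
    if policy is None:
        # Fail closed: a field nobody classified is not silently readable.
        return Decision(False, False, f"no policy for {field_name}; denied")
    group, level = policy
    if group not in DIRECTORY.get(session.user, set()):
        # Authorization failure: a second factor would not help, so no step-up prompt.
        return Decision(False, False, f"{session.user} is not in group {group}")
    if level == AuthLevel.PASSWORD:
        return Decision(True, False, "field is not sensitive")
    if session.auth_level < AuthLevel.MFA or session.mfa_at is None:
        return Decision(False, True, "sensitive field requires MFA")
    if now - session.mfa_at > MFA_MAX_AGE_SECONDS:
        # A stale step-up is treated like no step-up at all.
        return Decision(False, True, "MFA is older than the freshness window")
    return Decision(True, False, "fresh MFA present")


def complete_mfa(session: Session, now: float) -> Session:
    """Record that the user just passed the second factor."""
    session.auth_level = AuthLevel.MFA
    session.mfa_at = now
    return session


def main() -> None:
    now = time.time()
    s = Session("alice", AuthLevel.PASSWORD)
    print(evaluate(s, "contact.name", now))           # allowed on password alone
    d = evaluate(s, "contact.ssn", now)               # step-up requested
    print(d)
    if d.step_up:
        complete_mfa(s, now)                          # user answers the MFA prompt
    print(evaluate(s, "contact.ssn", now))            # allowed, MFA is fresh
    print(evaluate(s, "contact.ssn", now + 3600))     # freshness expired, step up again
    print(evaluate(s, "contract.bank_account", now))  # hard deny: alice is not in finance


if __name__ == "__main__":
    main()
```

The distinction between a step-up and a hard deny matters in practice: prompting for MFA on a request the user is not authorized for anyway teaches users to approve prompts reflexively, which is exactly the habit phishing exploits.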

Another example is the type of malware protection being offered by modern endpoint protection platforms. The industry has long understood that much of the malware thrown at users needs root or administrator privileges to persist, disable defenses or tamper with other software, and that gaining those privileges gives malware authors far more control over an infected device. By refusing elevated privileges to applications that IT has not preauthorized, these solutions significantly reduce the damage a single user mistake, such as running a malicious attachment, can do.

And ultimately that's what this shift is all about — mitigating that risk. The community has been focused on securing data, but the root cause of data breaches is often a failure of identity and access management: a stolen, reused or over-privileged credential.

None of this is to say that user awareness isn’t important. Everyone in the organization is still on the hook for their annual security training, and training should also be offered any time a new technology or access point is introduced.

But if we accept that even the most sophisticated users make mistakes, then the focus becomes mitigating the risk involved with those mistakes, and implementing appropriate controls based on the value of the data and the application.

Here the onus isn’t on users. It’s on the IT security organization. Each time new tech functionality is introduced, IT is responsible to understand whether that functionality will introduce new risk. We need to stop the cycle of continuing to give users new functionality and new forms of access and then just blaming them whenever something goes wrong.

Given the increasing complexity of today's technology landscape, security is unmanageable without this shift in approach. Taking a deeper look at IAM is becoming the critical piece of protecting the keys to that perimeter, so if and when a user does lose one, the gateway stays locked.
