
Is Your Identity and Access Management Out of Control? (Part 2)

Today’s attackers are far more sophisticated than they were a decade ago. While some continue to use brute-force methods, many have shifted to hijacking insider credentials as a preferred method of breach. Security controls must include identity and access management (IAM) disciplines, as IT perimeters today are shifting towards access controls rather than relying solely on the perimeter technologies of the past.

In part one of this two-part series, we looked at the classification of IAM controls as either preventive, detective or corrective and provided specific self-evaluation questions for each. Here in part two, we will look more closely at the role of process automation for corrective IAM controls, as this is the least-mature component.

Process automation

How process automation can help

Automation is best applied to a process with repeatable steps, where it allows faster response and greater efficiency. There is a cost to building automation, and the return on that cost must be considered first.

Process automation needs at least three components: a trigger, a diagnosis, and one or more actions. Each of these can be automated if there is sufficient repeatability.

In the case of corrective IAM controls, the process trigger can come from the access recertification process or from user activity monitoring. For example, if a user demonstrates abnormal behavior by suddenly downloading large sensitive data files, most organizations would want that to trigger an automated response that restricts the user’s access or, at least, alerts a security team. Complicating things, false alarms will trigger processes too, and they need to be accounted for. Including a manual step at the end of the diagnosis component can help with this.

Not every part of a process can, or should, be automated. For this reason, it is often advantageous to have a “man in the loop” to make decisions and keep automation from running amok. Automating a bad process just makes things bad faster. But the machine-repeatable parts of a process can take on the heavy lifting of gathering supporting data so that a better-informed diagnosis of the situation can be made.

Done correctly, process automation can be used for triggering and diagnosing, with corrective actions presented as a menu of options for overworked security teams. Once a manual selection is made, the actions can then be automatically implemented. Full automation that skips manual diagnosis and goes right to temporary corrective actions should also be considered for the highest risk scenarios involving the most sensitive data. A rollback option can be used in this case if the situation is determined to be a false alarm.

Corrective actions in the context of IAM usually mean revoking access, but not the identity in question. You will want to maintain a record of the identity for forensic work, which can also be automated once the immediate risk has been addressed. This forensic work includes researching other activities of the identity through log reviews to determine whether there is any additional damage.
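As an added illustration (not code from the article or from any IAM product), the trigger, diagnosis and action pattern described above, with a manual approval step for ordinary cases, a fully automated revocation for the highest-risk data, a rollback for false alarms, and an identity record that is retained rather than deleted. The events, identity store, threshold and entitlement names are all constructed sample values.

```python
BULK_SENSITIVE_BYTES = 500_000_000  # assumed policy threshold for the trigger

# Constructed sample activity events (not from any real monitoring tool).
EVENTS = [
    {"user": "alice", "bytes": 2_000_000, "sensitive": False},
    {"user": "bob", "bytes": 900_000_000, "sensitive": True},
    {"user": "carol", "bytes": 700_000_000, "sensitive": True},
]

def make_directory():
    """Constructed identity store; 'restricted-data' marks the highest-risk entitlement.
    Each identity keeps a history list as its forensic record, which is never deleted."""
    return {"alice": {"entitlements": {"wiki"}, "history": []},
            "bob": {"entitlements": {"wiki", "restricted-data"}, "history": []},
            "carol": {"entitlements": {"wiki", "hr-share"}, "history": []}}

def trigger(event):
    """Trigger stage: a bulk download of sensitive data starts the process."""
    return event["sensitive"] and event["bytes"] >= BULK_SENSITIVE_BYTES

def diagnose(user, ident):
    """Diagnosis stage: gather supporting data and present a menu of corrective options."""
    return {"user": user, "high_risk": "restricted-data" in ident["entitlements"],
            "options": ["revoke_access", "alert_only"]}

def revoke_access(ident, reason):
    """Corrective action: revoke entitlements but keep the identity for forensics."""
    ident["history"].append(("revoked", frozenset(ident["entitlements"]), reason))
    ident["entitlements"] = set()

def rollback(ident):
    """Restore access after an automated revocation is judged a false alarm."""
    if ident["history"] and ident["history"][-1][0] == "revoked":
        ident["entitlements"] = set(ident["history"][-1][1])
        ident["history"].append(("rolled_back", None, "false alarm"))

def run(events, directory, approve):
    """approve(diagnosis) is the man in the loop; highest-risk cases bypass it."""
    outcomes = {}
    for user in (e["user"] for e in events if trigger(e)):
        d = diagnose(user, directory[user])
        if d["high_risk"]:  # full automation; rollback() is available for false alarms
            revoke_access(directory[user], "auto: highest-risk data")
            outcomes[user] = "auto_revoked"
        elif approve(d) == "revoke_access":
            revoke_access(directory[user], "analyst approved")
            outcomes[user] = "revoked"
        else:
            outcomes[user] = "alerted"
    return outcomes
```

The `approve` callable stands in for the analyst choosing from the diagnosis menu; only the identity's entitlements are cleared, so its history remains available for log review afterwards.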

The technology challenges

The technology to accomplish this is partially available in today’s IAM platforms, which are capable of automated workflow execution and have sufficient integration with enterprise systems and applications to revoke access when necessary. This can serve both the preventive and corrective roles. The detective role is provided by Access Governance and User Activity Monitoring technologies.

Once these foundational technologies are in place, the next challenge is to define the process triggers, diagnosis and actions. Automating these processes may require an IT Process Automation (ITPA) platform that integrates with and can command the other tools, and that has the granularity to define steps as either manual or automated.

The ITPA platform must also be robust enough to handle the volume of events that are potential triggers. If User Activity Monitoring is SIEM-based, the ITPA platform must be capable of making trigger decisions faster than the events per second (EPS) throughput of the SIEM tool.

Completing the full circle of IAM controls

As I’ve written previously, today’s biggest security gap is identity. Security controls need to include IAM controls as part of the program. Preventive IAM controls are the most mature component today, while organizations are just beginning to add detective IAM controls with Access Governance and User Activity Monitoring. Corrective controls in IAM complete the circle, as the corrective action of revoking access becomes the new preventive control. This closed-loop system is worth investigating for funding, as it has the potential to significantly reduce the risks presented by today’s threats.
