Cybersecurity’s Identity Crisis: How Successful Organizations Are Shoring Up Access Management
There’s no cybersecurity silver bullet. It takes a complete set of interrelated capabilities and concepts, starting with “identity first” and supported by behavioral analytics, biometrics, least privilege and asset management. Lacking any of these vital measures leaves a gap to be exploited by increasingly sophisticated cybercriminals. Acquiring these measures is a long-term commitment.
Let’s face it: There are many ways for cybercriminals to access sensitive information. Because of this, IT needs to have many security measures in place, which makes Digital Identity and Asset Management (DIAM) not only challenging, but essential. It used to be easier to verify a user’s identity, back when people mainly worked on premise with desktop computers. But now, we live in a world of ballooning virtual infrastructure with increasing opportunities for bad actors to impersonate legitimate users with potentially disastrous consequences. Every organization’s DIAM setup needs to guard against cybercriminals.
According to Gartner, 64% of employees could work from home in 2021, and at least 30-40% will continue to do so post-COVID. As the remote work trend expands companies’ attack surfaces, cybercriminals are trying varied strategies, and they are getting better at finding their way in. Simply put, in our virtual, remote-access world, imposters have an advantage, and the results can be ruinous. Global losses from cybercrime now total more than a trillion dollars – and rising. That’s already a 50% increase over 2018 losses. And the average cost of a breach is a staggering $4.24 million, not even counting the potentially irreparable brand damage and customer mistrust breached organizations suffer.
Just one factor led to one-fifth of those trillions of dollars of losses: identity mismanagement.
Moving Beyond Identity-First Protocols
As the Gartner research emphasizes, cybersecurity depends first and foremost on “identity first” protocols – a proven and tested approach to you-are-who-you-say-you-are identity-verification capability. You need to know who is logging into your network, what they want and whether they are entitled to access. Referring to the SolarWinds breach in which hackers inserted malicious code into trusted third-party software, Peter Firstbrook, Gartner research vice president, pointed out that just a small proportion of security measures monitor the authentication software to spot attacks against the identity infrastructure itself.
“Identity first” requires multi-factor authentication. Suppose someone logs in to an enterprise’s network using a pre-approved username and password on an approved device associated with that employee’s identity. In that case, it is easy to believe that the individual is indeed the employee. But the user could be someone who stole the device and the credentials, or even the employee’s family member accessing the open account.
To increase their confidence that the individual is actually the employee, IT staff could add another authentication factor, perhaps a token or question that only the employee will be able to answer. But even this does not guarantee the employee’s true identity. And any amount of uncertainty is still too risky when we are talking about critical infrastructure, confidential data and financial resources. So, in addition to credentials (something they have) and a token or question (something they know), you need something more to guarantee secure access.
Using Behavioral Analytics to Validate and Reveal
Your DIAM can be significantly enhanced with software that uses machine learning algorithms to detect patterns of network usage that are outside typical usage. When this software detects anomalous patterns, it issues alerts for security professionals to step in and eliminate the threat, usually by shutting down a user’s or device’s access to the network. Besides preventing intrusions, behavioral analytics offers the added benefit of reducing false alarms. It provides deep insights into the users’ behavior patterns, offering a reliable system for detecting suspicious activity that is more likely to become an actual threat.
Building behavioral analytics capabilities takes time and is a rigorous process. Your DIAM needs to build a “signature” set of behaviors for each of your employees – typically when they log on and off, what database they go to, how fast they type, how much work they generate, keyboard mistakes they make, when they are idle, etc. Then, when an employee exhibits an atypical or anomalous behavior (logs in at an unusual time, seeks to access different systems than normal), your DIAM issues an alert, perhaps isolates that employee’s system and takes steps to determine whether a security problem exists or not.
Proving Unique Identifiers Through Biometrics
Biometrics, the automated authentication of identity through recognition of unique physical characteristics, offers the most reliable authentication. Most iPhone and Android users are familiar with using facial recognition or fingerprints for single sign-on. There is also vein pattern recognition, which uses light to map the unique vein structures in a person’s palm, finger or retina to confirm identity.
Biometrics includes voice recognition, developed by recording a user’s speech, analyzing it on various aspects (tone, pitch, etc.) and storing it as a digital voiceprint for future authentication. Optical recognition is finding utility in cybersecurity, especially iris recognition, given the fact that an iris holds more than 200 reference points compared to 60 to 70 for fingerprints. Biometrics also includes handwriting recognition, not the traditional comparison of written words but the behavior involved in producing the writing – speed, pressure and other aspects captured during the process.
But the ultimate in biometrics is facial recognition. It’s all but impossible to fake a live face. To that end, your DIAM could turn on employees’ webcams at regular intervals and affirm the identity of the user. Even in the masked-up COVID era, devices can be trained to recognize masked faces. You can assure those leery of being photographed and employers concerned about privacy compliance that this is a mathematical exercise. The camera isn’t “taking pictures.” It’s merely snapping plot points to verify the user’s unique, immutable identity.
Enforcing “Least Privilege” to Limit Exposure Potential
The principle of “least privilege” is a core aspect of your DIAM. Access to your resources must be limited – not just for people but for applications, processes and devices – strictly to that necessary for the task at hand. Moreover, organizations must regularly audit this approach to revoke access where it is no longer needed.
Auditing work is a significant challenge for many large organizations prone to “privilege creep.” Users may have been granted local administrator rights to certain systems, intended to be temporary but never revoked. Appropriate privilege revocations may not follow reorganizations. Network administrators may try to reduce friction with users by over-granting access. Similarly, administrators might let employees use their own devices, especially as the pandemic caused many organizations to loosen their bring your own device (BYOD) policies. And users granted application administrator rights on personal devices may be less cautious about security measures than network administrators would be.
The danger with excessive access privilege is that every additional server, workstation, user account and application granted access expands an organization’s attack surface. It creates another opportunity for unauthorized intrusion at a time when infrastructure and remote access are ballooning faster than many organizations can keep up. An employee might download software that not only corrupts their device but spreads the corruption across the network, which can lead to a bigger problem if you don’t have asset management under control.
Keeping Devices in Check Through Asset Management
You can’t control who can do what on which systems unless you can identify all your assets and understand what they do, who has access to them and why. And it’s important to ensure that each asset has a specific, individual owner rather than a department or team as a whole. This way, when an alert arises about an anomalous situation, you will better be able to determine if it’s false or positive. It will give you the information you need to know whether to shut off that person’s or device’s access and keep them microsegmented until you can investigate.
Building out your asset management database and keeping it up to date can sound onerous, and for many large organizations built via acquisitions or fast-growing enterprises, it is. But it is absolutely necessary if you hope to protect your organization. And fortunately, there are data service providers with asset management expertise who can assist with this effort.
Every time someone attempts to access your network, you have two equal and opposite pressures: 1) to make it a frictionless experience for legitimate users and 2) to ensure that they are indeed legitimate and are entitled to access what they seek. Successful organizations are seeking the input of cybersecurity experts to help assess vulnerabilities and adopt processes to strike the right balance between admittance and denial.