Brad Puckett, Global Product Director – Cybersecurity, Global Knowledge
Identity and access management (IAM) and credentialing are not only fundamentals of cybersecurity design, but also long-held necessities of networks and services. For decades, our digital lives have been inundated by user names, passwords, domain accounts, synchronized RSA tokens, and other forms of verification and access control. As cyber criminals have become more adept and cyber attacks have grown in sophistication, the complexity and challenges of proper IAM have increased exponentially. Indeed, proper credentialing and verification are more imperative now than ever before.
The complexity of appropriate IAM measures is compounded by the shift of network resources from on-premises control to cloud-based architectures. With the migration to the cloud, several new IAM and credentialing challenges have emerged that require additional and immediate attention.
Certain cloud deployments, such as those not equipped with single sign-on (SSO), require users to manually maintain multiple account credentials and verifications. Combined with the local and peripheral accounts necessary to perform their job tasks, this type of deployment can cause frustrated legitimate users to reuse and abuse passwords across multiple accounts in multiple locations. Even with strong enforcement of password complexity and length, reusing the same credentials across accounts lets a single, isolated breach become a gateway for any bad actor holding the stolen information.
Legitimate users face a tremendous amount of “password fatigue” across all aspects of their digital life, having to navigate social media, banking and physician portals, and a host of other platforms that require passwords (and seemingly endless password resets). Nearly every online service used today requires identity vetting, and each one comes with its own requirements for password length, complexity, special characters, and expiration cycle. Factoring in the privileged accounts required for work, the potential complexity of a segmented cloud deployment can easily lead to laziness among users. This type of apathy is exactly what cyber attackers are looking to exploit. In a proper cloud deployment, there are steps and provisions that can be made to mitigate this risk and help alleviate the password and credential strain on legitimate users. This begins with proper IAM architecture and includes the integration of specialized tools designed to mitigate IAM headaches in the cloud transition.
Credentialed User Ease of Use
Security measures lock down potential points of vulnerability and decrease exposure to risk. While these are good things, and in fact, the essence of cybersecurity, each step in the security journey is also a potential step away from ease-of-use for the legitimate user.
Employees working from the corporate office in a recognized location on a recognized device might have little issue with the litany of layered security measures implemented. But things like SSO, two-factor authentication (2FA), device and location recognition, and encryption can cause undue stress and frustration in the workforce, potentially causing productivity issues. With the vast proliferation of remote working locations, IoT devices, bring your own device (BYOD) deployments, and partner and third-party access needs, issues in a cloud IAM deployment seem increasingly likely.
SSO and Active Directory (AD) are baseline solutions for credentialing and privileged access, but each comes with inherent challenges. A mix of devices running different operating systems in your workforce can cause problems with SSO and AD, depending on how SSO is set up for certain applications. For example, an employee group using a mix of Mac and Windows operating systems could be logged into AD locally, but SSO might fail at the cloud level due to application-specific provisioning. With IoT and employees taking advantage of BYOD privileges, the list of possible endpoints and locations requesting access to applications and services grows exponentially, and users aren’t immune to the resulting inconsistency in experience.
Provisioning and Deprovisioning
Credentials must be created and disabled, and privileges granted and denied, as the workforce and its needs evolve. Proper IAM deployment and architecture must account for a secure and complete mechanism to ensure proper handling with a limited amount of complications and manual intervention. However, layers of secure identification management and privilege accounting in multiple locations across multiple applications can be tedious to manage, and in the case of deprovisioning, can leave your data potentially unprotected.
Complex and multi-point deployments can create scenarios where the de-privileging of an employee, such as one who has left the organization or has been terminated, becomes tedious, unreliable and frustrating. Not knowing the credentials involved, the systems affected, the applications accessed, or where the accounts are located is a dangerous vulnerability. Proper IAM architecture and design in the cloud becomes paramount to mitigating the risks in the provisioning and deprovisioning of user access.
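The deprovisioning gap described above can be checked mechanically: reconcile the HR leaver feed against account exports from every identity store and flag whatever is still enabled. The following is an added example, not code from the article or from Global Knowledge; the system names, the `Account` fields and all sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    system: str      # identity store the account lives in (assumed names)
    identifier: str  # login as that system knows it
    email: str       # join key across systems; normalized on comparison
    enabled: bool
    privileged: bool  # admin or elevated role in that system

# Constructed HR leaver feed: corporate e-mail -> departure date.
LEAVERS = {
    "a.ruiz@example.com": date(2019, 3, 1),
    "j.chen@example.com": date(2019, 4, 15),
}
TODAY = date(2019, 5, 1)  # constructed reference date for the report

# Constructed inventories exported from each identity store.
INVENTORIES = [
    Account("ActiveDirectory", "aruiz", "A.Ruiz@example.com", enabled=False, privileged=False),
    Account("CloudSSO", "a.ruiz@example.com", "a.ruiz@example.com", enabled=True, privileged=False),
    Account("SaaS-CRM", "aruiz-crm", "a.ruiz@example.com", enabled=True, privileged=True),
    Account("ActiveDirectory", "jchen", "j.chen@example.com", enabled=False, privileged=False),
    Account("VPN", "jchen", "j.chen@example.com", enabled=False, privileged=False),
    Account("CloudSSO", "m.okafor@example.com", "m.okafor@example.com", enabled=True, privileged=True),
]

def find_orphaned_accounts(leavers, inventories):
    """Map each leaver's e-mail to accounts still enabled after departure,
    privileged ones first because they carry the most risk."""
    orphans = {}
    for acct in inventories:
        email = acct.email.strip().lower()  # AD export may differ in case
        if email in leavers and acct.enabled:
            orphans.setdefault(email, []).append(acct)
    for accts in orphans.values():
        accts.sort(key=lambda a: (not a.privileged, a.system))
    return orphans

def deprovisioning_report(leavers, inventories, today):
    """One line per leftover account, with days elapsed since the person left."""
    lines = []
    for email, accts in sorted(find_orphaned_accounts(leavers, inventories).items()):
        age = (today - leavers[email]).days
        for a in accts:
            flag = "PRIVILEGED " if a.privileged else ""
            lines.append(f"{flag}{a.system}:{a.identifier} still enabled {age} days after {email} left")
    return lines
```

In the constructed data, AD was disabled for a.ruiz but the cloud SSO and a privileged CRM account were missed, which is exactly the multi-point failure the text describes.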
How to Mitigate Your IAM Risks
There are several emerging technologies that can assist in alleviating the challenges presented by identity management in the cloud. A Cloud Access Security Broker (CASB) is a security policy enforcement point placed between cloud service providers and cloud service consumers. CASBs have become a significant product category; in fact, Gartner publishes a Magic Quadrant for CASB. A CASB can enforce fine-grained policy based on geographic location, time of day, and access to specific files, and it provides logs for forensics. Ultimately, it is up to the enterprise to work CASBs into its solutions, as it is the cloud service consumer that has the most at risk.
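To make the CASB policy types just listed concrete, here is an added example (not code from the article or from any CASB product) of a minimal policy check over an access request that returns an allow/deny decision and a JSON log line for later forensics. The policy values, the `AccessRequest` fields and the sample requests are constructed; geolocating the source IP to a country is assumed to happen upstream.

```python
from dataclasses import dataclass, asdict
from datetime import datetime
import json

@dataclass(frozen=True)
class AccessRequest:
    user: str
    country: str      # geolocated from the source IP (assumed upstream step)
    when: datetime    # request time in the tenant's local time zone
    file_label: str   # sensitivity label on the target file
    action: str       # "view" or "download"

# Constructed policy: who may reach what, from where and when.
POLICY = {
    "allowed_countries": {"US", "CA", "GB"},
    "business_hours": (7, 19),  # [start, end) hour of day for restricted labels
    "restricted_labels": {"confidential", "restricted"},
    "download_allowed_labels": {"public", "internal"},
}

def evaluate(req, policy=POLICY):
    """Return (allowed, reason); a deny names the first rule that tripped."""
    if req.country not in policy["allowed_countries"]:
        return False, f"geo:{req.country} not in allowed countries"
    start, end = policy["business_hours"]
    if req.file_label in policy["restricted_labels"] and not (start <= req.when.hour < end):
        return False, f"time:{req.file_label} file outside {start:02d}:00-{end:02d}:00"
    if req.action == "download" and req.file_label not in policy["download_allowed_labels"]:
        return False, f"file:download of {req.file_label} label blocked"
    return True, "allowed"

def log_decision(req, policy=POLICY):
    """Evaluate and emit one JSON line suitable for a forensics pipeline."""
    allowed, reason = evaluate(req, policy)
    record = {**asdict(req), "when": req.when.isoformat(),
              "decision": "allow" if allowed else "deny", "reason": reason}
    return json.dumps(record, sort_keys=True)

# Constructed sample requests covering each rule.
SAMPLES = [
    AccessRequest("a.ruiz", "US", datetime(2019, 6, 3, 10, 15), "internal", "download"),
    AccessRequest("a.ruiz", "BR", datetime(2019, 6, 3, 10, 15), "internal", "view"),
    AccessRequest("j.chen", "GB", datetime(2019, 6, 3, 23, 40), "confidential", "view"),
    AccessRequest("j.chen", "GB", datetime(2019, 6, 3, 14, 0), "confidential", "download"),
]
```

Calling `log_decision` on each entry of `SAMPLES` yields one allow and three denies, each record carrying the user, country, time, file label and the rule that fired.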
Additionally, there is an increased emphasis on privileged account management. As many companies realize that a handful of IT people possess the keys to the kingdom, privileged account security product providers like CyberArk are rapidly gaining in popularity. Privileged account security providers reduce the complexity of handling privileged users by managing their access and logging their actions. Recently, employees of a mobile provider were indicted for taking bribes to unlock phones and introduce malware into corporate networks, a case built on the results of an advanced privileged-access solution.
Ongoing Cyber Training is Your Secret Weapon
To understand the intricacies of identity, authorization and permissions across all systems in an organization, initial and ongoing training is necessary for an IAM team. According to the 2019 Global Knowledge IT Skills and Salary Report, the largest worldwide study of IT professionals, IT decision-makers are having the hardest time finding qualified cybersecurity talent. To make matters worse, only 58% of IT departments around the world have been given a training budget, so even keeping your existing workforce up-to-date is a challenge. Successful organizations prioritize skills development and develop a talent pipeline. Continuous skills development in cybersecurity is not a cost, it’s an investment.
Global Knowledge offers cybersecurity skills training to help you keep pace with emerging technologies and evolving cyber-attacks. Technology isn’t stopping, so neither can you. IAM and cyber specialists must have a plan for continual professional development to ensure networks, systems and individuals are protected. Cybersecurity technology is only as powerful and effective as the people trained to use it.