
Old-School IAM for New-School Security Risks: Attestation, Separation of Duties, Account Audits


“The thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access.” This attestation is found in The Insider Threat, a publication by the FBI’s Counter-Intelligence unit.

Consistent with everything I know about law enforcement's perspective on criminals, the FBI's publication provides an interesting and useful list of motivations, opportunities, and behaviors:

  • Motivations — factors that might drive a trusted insider to violate that trust
  • Opportunities — conditions or characteristics of the organization’s infrastructure that make it easier to commit insider abuse
  • Behaviors — observable actions that indicate that an insider may be “breaking bad”

Each one of these three categories could easily be the topic of its own blog series. Dealing with motivations proactively may include using best practices in screening, hiring, onboarding, career development, incentive systems, and so on. Monitoring behaviors is increasingly practical as the large volumes of data about our IT infrastructure and employee activity can be combined with analytics to detect and respond to potential indicators of compromise more quickly, as I wrote about in the blog Would You Rather: Authenticate the User, or Monitor the Transaction?

But let’s focus on the FBI’s observations about opportunities. The first observation relates to the category of Identity and Access Management (IAM): Access to classified, proprietary, or other sensitive information is available to end-users who do not need it.

We don’t have to accept this observation on faith in the FBI alone—there is plenty of additional evidence to support it. For example, Verizon Business and its global collaborators analyzed the top 10 cases of insider misuse and found that abuse of access privileges represented 88 percent of all incidents.

What can enterprises do to minimize this particular opportunity for insider abuse? In this case, the answer involves old-school security and governance—things like regular account reviews (“attestation”), and separation of duties:

  • Attestation — the periodic validation that enterprise end-users have appropriate access rights, to the right resources at the right time
  • Separation of duties — dividing tasks and associated privileges for certain business processes among more than one individual, to help prevent potential fraud, abuse, or error

In industry research on best practices in IAM, these capabilities are strongly correlated with leading performance:

Current capability                                              Leaders      Laggards
                                                                (top 20%)    (bottom 30%)

Auditing and reporting for who approved access privileges
and when they did so                                            67%          35%

Periodic validation that end-users have appropriate access
rights (attestation)                                            63%          24%

Enforcement for separation of duties                            57%          25%

Rapid suspension, revocation, or de-provisioning of end-user access (for example, after an employee changes roles or terminates employment) is also an important practice, because it minimizes the potential for downstream misuse and reduces the window of vulnerability from orphaned accounts. The leading performers do this faster than the laggards, but perhaps the more important finding was that they are significantly more likely to do it at all:

  • Leaders were four times more likely than laggards to find no dormant or orphaned accounts as the result of an audit
  • Leaders found fewer than half as many dormant/orphaned accounts, as a percentage of the total number of accounts, as the result of an audit
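The attestation and separation-of-duties checks defined earlier, and the dormant/orphaned-account audit just described, are straightforward to script once you have an HR roster and a directory export side by side. The following is an added example written for this page, not code from the original post or from any RSA product. The roster, the account export, the entitlement names, the single toxic-combination rule and the 90-day dormancy threshold are all constructed assumptions for illustration; a real audit would read these from the HR system and the directory.

```python
"""Account audit: orphaned accounts, dormant accounts, and separation-of-duties
conflicts. Added example with constructed data; not the original post's code."""
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2013, 6, 1)          # assumed date the audit is run
DORMANT_AFTER = timedelta(days=90)         # assumed policy: no login in 90 days = dormant

# Constructed HR roster. Only "active" people should have working accounts.
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "active", "department": "finance"},
    "carol": {"status": "terminated", "department": "engineering"},
    "dave":  {"status": "active", "department": "it"},
}

# Constructed directory export: one row per account, not per person.
ACCOUNTS = [
    {"account": "alice",      "owner": "alice", "entitlements": {"ap_create_vendor", "ap_approve_payment"}, "last_login": datetime(2013, 5, 30)},
    {"account": "bob",        "owner": "bob",   "entitlements": {"ap_approve_payment"},                     "last_login": datetime(2013, 5, 29)},
    {"account": "bob-admin",  "owner": "bob",   "entitlements": {"ap_create_vendor"},                       "last_login": datetime(2013, 5, 28)},
    {"account": "carol",      "owner": "carol", "entitlements": {"prod_db_admin"},                          "last_login": datetime(2013, 2, 1)},
    {"account": "svc_backup", "owner": "",      "entitlements": {"prod_db_admin"},                          "last_login": datetime(2012, 11, 15)},
    {"account": "dave",       "owner": "dave",  "entitlements": {"prod_db_admin"},                          "last_login": datetime(2013, 1, 15)},
]

# Assumed toxic combination: whoever can create a vendor must not also approve payments.
SOD_RULES = [("ap_create_vendor", "ap_approve_payment")]


def find_orphaned(accounts=ACCOUNTS, roster=HR_ROSTER):
    """Accounts with no active employee behind them: departed owner, or no owner at all."""
    orphaned = []
    for acct in accounts:
        person = roster.get(acct["owner"])
        if person is None or person["status"] != "active":
            orphaned.append(acct["account"])
    return sorted(orphaned)


def find_dormant(accounts=ACCOUNTS, audit_date=AUDIT_DATE, threshold=DORMANT_AFTER):
    """Accounts whose last login is older than the dormancy threshold."""
    return sorted(a["account"] for a in accounts if audit_date - a["last_login"] > threshold)


def entitlements_by_person(accounts=ACCOUNTS):
    """Merge every account a person owns into one entitlement set.
    Separation of duties is a property of the person, not of one login."""
    merged = {}
    for acct in accounts:
        if acct["owner"]:
            merged.setdefault(acct["owner"], set()).update(acct["entitlements"])
    return merged


def find_sod_conflicts(accounts=ACCOUNTS, rules=SOD_RULES):
    """People holding both halves of a toxic combination across any of their accounts."""
    conflicts = []
    for person, ents in entitlements_by_person(accounts).items():
        for left, right in rules:
            if left in ents and right in ents:
                conflicts.append((person, left, right))
    return sorted(conflicts)


def find_sod_conflicts_per_account(accounts=ACCOUNTS, rules=SOD_RULES):
    """The naive check, one account at a time. It misses a person who splits the
    toxic pair across two accounts (bob above), which is why the per-person check exists."""
    return sorted(a["account"] for a in accounts
                  for left, right in rules if {left, right} <= a["entitlements"])


def audit_summary(accounts=ACCOUNTS, roster=HR_ROSTER, audit_date=AUDIT_DATE):
    """The numbers an attestation report would carry: what to revoke, what to
    investigate, and dormant/orphaned accounts as a percentage of all accounts."""
    orphaned = set(find_orphaned(accounts, roster))
    dormant = set(find_dormant(accounts, audit_date))
    flagged = orphaned | dormant
    return {
        "total_accounts": len(accounts),
        "orphaned": sorted(orphaned),
        "dormant": sorted(dormant),
        "flagged_pct": round(100.0 * len(flagged) / len(accounts), 1),
        "sod_conflicts": find_sod_conflicts(accounts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_summary(), indent=2, default=list))
```

On this constructed data the audit flags carol (terminated but still provisioned) and svc_backup (no owner on record) as orphaned, and dave as dormant, so half of all accounts would appear in the attestation report. The per-account SoD check only catches alice; evaluating entitlements per person also catches bob, whose toxic pair is split across two logins.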

Over the last several years, as economic conditions have driven significant changes in the composition, roles, and responsibilities of the typical enterprise workforce, inattention to these matters has left organizations at significantly higher risk for insider abuse.

The conclusion is simple and straightforward: Traditional best practices in identity and access management provide organizations with important capabilities for protecting against today’s top-of-mind security risks.


The post Old-School IAM for New-School Security Risks: Attestation, Separation of Duties, Account Audits appeared first on Speaking of Security - The RSA Blog and Podcast.
