Identity in the modern Enterprise

By George Irungu, Former CISO, Summa Health

Identity has become the currency of trade in the digital world. It is what the bad actors are after, and the cause of major spending and investment for organizations as they try to protect it. Valid identity in the wrong hands defeats every Security control or technology put in place. Appropriately managing identities through their digital lifecycle is one of the major steps an organization can take in its maturity journey.

Identity and Access management relate to the processes and workflows in place to ensure users access data and information they are authorized to, and with the right level of permissions. Identity Governance, on the other hand, is a bit broader and relates to how an organization centrally manages its user and service accounts, including segregation of duties, role management, access reviews, provisioning and certification.

One of the common organizational scars is the proliferation of unmanaged identities. Typically, users are over-provisioned with access and permissions, or in the worst-case scenario, leavers maintain access (at times privileged) to organizations they are no longer part of. Overprovisioned users are not only a security threat; in some regulated industries, this could lead to being out of compliance, threatening accreditation and license to operate for the organization. In the same token, under-provisioning causes friction to end users, and lowers productivity as they cannot get to the necessary resources in a timely manner.

User awareness and training that leads to adaptive change is certainly the most effective tool against cyber-attacks. Having good processes and technology is essential, but people with the right training and awareness can be the strongest and most effective line of defense.

As such, effective management of identities requires close collaboration between cross-functional groups, mainly Human Resources (HR), Business units, specific departments within the Business units, provisioning team and Information Security. HR definition of the job title and role should be the same as that of the Business unit departments. This way, it becomes easy for the provisioning team to understand what access is required, which systems they need to access, and with what permissions, which can then be provisioned accordingly. If all the job roles and titles are clearly defined, the movers (transfers) process is seamless as old access/permissions are discarded and new ones are added based on the new job or title.

Automation can then be used effectively once job titles and roles are defined. Identity governance platforms can pull data from HR systems. Based on job and title, provision users with the right access, process transfers if needed, and terminate users without human intervention. They also provide additional functionalities such as analytics, automated access reviews and certifications. Most importantly, they can inventory active accounts and privileges in the organization. They log activity and enable tracking and auditing of account creation, editing and deletion. Integrating these platforms with a SIEM provides useful insight and can help identify and take action, especially regarding insider threats.

Privileged accounts should be managed in a Privileged Access Management (PAM) system. The thought behind this is to strip privileged pervasive access within the organization. This also extends to the often-overlooked service and machine accounts (where possible). If privileged service and machine accounts are to be pervasive, verifying whether they can run in a lower / deprecated mode (and not admin) is key, and if this is not an option, then limiting them to just those systems that need the account is a recommended best practice. Password rotations (where possible) should also be done. If privileged access is managed correctly, it becomes a powerful tool in limiting an attacker’s lateral movement, and by extension, some common types of attacks E.G Ransomware.

Default local passwords should be changed and vaulted in case off-line access is required. Similarly, password rotation is encouraged. Other considerations regarding identity management also include implementing Single Sign On. This allows a user to authenticate into multiple sessions with a single credential, improving the user experience due to ease and quick access to resources, and improving Security as there are less passwords to remember and manage. Multi-Factor Authentication (MFA), which requires something the user has, something they know, and something they are, is an effective means of identity protection if deployed and configured correctly. Otherwise, if not implemented the right way, it can easily be phished (Text messages and e-mail).

In Summary, inventorying digital identities in the organization, assigning the right privilege, centrally and automatically managing, tracking and periodically auditing activity, coupled with Single sign-on, and implementing an effective MFA design is key in mitigating and fending off attacks.

In closing, user awareness and training that leads to adaptive change is certainly the most effective tool against cyber-attacks. Having good processes and technology is essential, but people with the right training and awareness can be the strongest and most effective line of defense. As Cyber practitioners, we must explain the ‘why’ and be empathetic as we design and put processes in place to understand how this affects their workflows. At all times, where possible, they should be part of the planning and design discussions, and their input should be carefully considered as we develop and mature the Security program.