Endpoint

5/24/2016
11:50 AM
Sean Martin
Sean Martin
Slideshows
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

How To Manage And Control End User Access

A look at the perils of manual user-access provisioning and ways to streamline and better manage the process via automation.
Previous
1 of 9
Next

Image Source: imsmartin

Image Source: imsmartin

The information security team is often seen as the department of “No.” At best, it's viewed as the department that impacts productivity and drives down employee satisfaction. Take the simple task of an employee getting access to business resources to do his or her job.

One of a few scenarios takes place:

  • A request for access or a password change is made and takes ages to complete: A new employee joins the company and requests access to a business system. Three days later, complaints roll in: “I still don’t have the access I need to get my work done.”
  • A request for access or a password change is made without any formal process in place and the request gets lost in a black hole: 60 days have passed and the employee is required to change their passwords, for every system and application to which they’ve been granted access. (Keep in mind not all systems and applications were granted on the same day, 60 days ago).
  • A request for access or a password change is made directly and informally, and too much access is given to the user: A member of IT asks the SysAdmin of the routers to request an admin-level login to a router to change something so they can run a quick test on a new application. Rather than creating a new time-based credential, the busy SysAdmin sends an email that reads, “Here’s the admin username and password for router XYZ—please don’t share it or abuse it!”
  • No request for access is made. The user instead finds a different service or means to get their work done—thank you, Shadow IT: An employee needs to share large files with their new external business partner and therefore need access to the company’s cloud storage service. It took IT more than a couple hours to grant them access, so they signed up for their own personal cloud storage service and share the company’s financial data that way.

IT, the help desk, and InfoSec teams are overwhelmed with these types of requests and they have no easy way to collaborate with each other to make the process better. The challenge comes down to connecting IT, InfoSec, and HR operations together such that integrated, streamlined workflows can exist.

Organizations are hunting for such operational timesavers, many times starting with help desk systems (like ServiceNow) and HR employee management systems (like WorkDay). In fact, many organizations have already invested heavily in these types of systems. To this point, at the recent CentrifyConnect conference in New York, about a quarter (25%) of the audience said they use ServiceNow, and about 15% use Workday.

Just because things are manual and cumbersome doesn’t mean you can take credential management lightly, especially given that most of today’s attacks compromise the identity as the primary means for attack. According to the Verizon Data Breach Investigations Report, 63% of the confirmed data breaches involved weak, default or stolen passwords.

Conversely, you can’t focus solely on controlling access. 

Take a look at the options for end user provisioning, and how to maintain a proper level of access control while minimizing the operational impact on IT, InfoSec, and HR -- as well as improving the experience for end users:

 

 

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ... View Full Bio

Previous
1 of 9
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
SteveMorris
50%
50%
SteveMorris,
User Rank: Apprentice
9/26/2016 | 7:59:54 AM
password managers and acces
Best solution - password managers with an encryption feature like Lastpass and Passwork (https://passwork.me).Both are designed for a for companies and collaboration, and you can also track passwords access as administrator when using Passwork.
dieselnerd
50%
50%
dieselnerd,
User Rank: Strategist
5/26/2016 | 5:39:27 PM
Re: Printing Multi-Page Articles...
No dice, at least with Firefox 46.x (cookies, scripts, filters, etc. that matter permitted) under Win7 Pro. I'm thinking I probably won't have much better luck at home with FF and Linux.

For the record, this was the current piece I was trying to get out in one run:

<http://www.darkreading.com/endpoint/how-to-manage-and-control-end-user-access/d/d-id/1325635>

Seriously, no big deal. Thank you for giving it more than the attention it deserved.

Anon,

DN

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/26/2016 | 4:06:27 PM
One more thing
Out experience shows that the services mentioned in this article and may others are effective if and only if they cut the cost and provider a stable solution. Many promises it but never delivers, that is why due-diligence period of these system are critical for the companies point of views
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/26/2016 | 4:03:08 PM
Old IT vs. New IT
I understand the point the article makes but there is also an old vs. new IT we need to consider. In today's world, IT is actually in a best position to impact business in a positive way. May more than any other departments. Today business is the IT for most organizations.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/26/2016 | 4:00:03 PM
Re: Printing Multi-Page Articles...
"... you only have to hit 'Print' once .."

I think this helps a lot. Obviously your IT team is not the one described in this article. :--))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/26/2016 | 3:58:22 PM
Re: Printing Multi-Page Articles...
In addition to printing it may be a better way of showing this information. I normally do nor print but page loads slowly.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/26/2016 | 3:55:51 PM
ServiceNow?
I have not used it but it seems it tries to simply complex workflows and easy down the problems that business users face. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/26/2016 | 2:25:31 PM
Re: Printing Multi-Page Articles...
Our dev team kindly just tweaked the Print function so that you only have to hit 'Print' once, and it will do the full print job for a slide show. Give it a try and let us know what you think!
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/26/2016 | 12:58:31 PM
Re: Printing Multi-Page Articles...
I totally get your frustration here. Until we switch CMSes (which is on the books), I'm not sure if there is any way to make slide show printouts more elegant and headache-free. But let me check and see if there's some trick or option I am not aware of. 
dieselnerd
50%
50%
dieselnerd,
User Rank: Strategist
5/26/2016 | 12:53:50 PM
Re: Printing Multi-Page Articles...
Thanks for the quick reply, Kelly, to what was a rather bottom-of-the-triage, whiny user matter <g>.

I'm not so much interested in getting pretty enough for sharing (and non-free) reprints, just quick-and-dirty printouts for the DR personal reading pile - Friday afternoon, feet-on-the-desk while waiting for data download/import type stuff.

As you know, the print option works fine for the regular, continuous pieces, but all one can print of those that contain any "Back" and "Next" buttons is the first page. (Turns out, it takes additional hoop jumping to print even individual pages beyond page 1.)

Not the end of the world; I'll reset the rant and whine again in about six months.

Cheers,

DN
Page 1 / 2   >   >>
One in Three SOC Analysts Now Job-Hunting
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/12/2018
Encrypted Attacks Continue to Dog Perimeter Defenses
Ericka Chickowski, Contributing Writer, Dark Reading,  2/14/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: One agent too many was installed on Bob's desktop.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.