5/24/2016
11:50 AM
Sean Martin

How To Manage And Control End User Access

A look at the perils of manual user-access provisioning and ways to streamline and better manage the process via automation.

Image Source: imsmartin

The information security team is often seen as the department of “No.” At best, it's viewed as the department that impacts productivity and drives down employee satisfaction. Take the simple task of an employee getting access to business resources to do his or her job.

One of a few scenarios takes place:

  • A request for access or a password change is made and takes ages to complete: A new employee joins the company and requests access to a business system. Three days later, complaints roll in: “I still don’t have the access I need to get my work done.”
  • A request for access or a password change is made without any formal process in place and the request gets lost in a black hole: 60 days have passed and the employee is required to change their passwords for every system and application to which they’ve been granted access. (Keep in mind that not all systems and applications were granted on the same day, 60 days ago.)
  • A request for access or a password change is made directly and informally, and too much access is given to the user: A member of IT asks the routers' SysAdmin for an admin-level login to a router so they can change something and run a quick test on a new application. Rather than creating a new time-based credential, the busy SysAdmin sends an email that reads, “Here’s the admin username and password for router XYZ—please don’t share it or abuse it!”
  • No request for access is made. The user instead finds a different service or means to get their work done—thank you, Shadow IT: An employee needs to share large files with their new external business partner and therefore needs access to the company’s cloud storage service. It took IT more than a couple of hours to grant them access, so they signed up for their own personal cloud storage service and shared the company’s financial data that way.

IT, the help desk, and InfoSec teams are overwhelmed with these types of requests and they have no easy way to collaborate with each other to make the process better. The challenge comes down to connecting IT, InfoSec, and HR operations together such that integrated, streamlined workflows can exist.

Organizations are hunting for such operational timesavers, often starting with help desk systems (like ServiceNow) and HR employee management systems (like Workday). In fact, many organizations have already invested heavily in these types of systems. To this point, at the recent CentrifyConnect conference in New York, about a quarter (25%) of the audience said they use ServiceNow, and about 15% use Workday.

Just because things are manual and cumbersome doesn’t mean you can take credential management lightly, especially given that most of today’s attacks compromise identity as the primary means of attack. According to the Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords.

Conversely, you can’t focus solely on controlling access. 

Take a look at the options for end user provisioning, and how to maintain a proper level of access control while minimizing the operational impact on IT, InfoSec, and HR -- as well as improving the experience for end users:

 

 

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ...

Comments
SteveMorris
User Rank: Apprentice
9/26/2016 | 7:59:54 AM
password managers and acces
Best solution - password managers with an encryption feature like LastPass and Passwork (https://passwork.me). Both are designed for companies and collaboration, and you can also track password access as an administrator when using Passwork.
dieselnerd
User Rank: Strategist
5/26/2016 | 5:39:27 PM
Re: Printing Multi-Page Articles...
No dice, at least with Firefox 46.x (cookies, scripts, filters, etc. that matter permitted) under Win7 Pro. I'm thinking I probably won't have much better luck at home with FF and Linux.

For the record, this was the current piece I was trying to get out in one run:

<http://www.darkreading.com/endpoint/how-to-manage-and-control-end-user-access/d/d-id/1325635>

Seriously, no big deal. Thank you for giving it more than the attention it deserved.

Anon,

DN

 
Dr.T
User Rank: Ninja
5/26/2016 | 4:06:27 PM
One more thing
Our experience shows that the services mentioned in this article and many others are effective if and only if they cut the cost and provide a stable solution. Many promise it but never deliver; that is why the due-diligence period for these systems is critical from the company's point of view.
Dr.T
User Rank: Ninja
5/26/2016 | 4:03:08 PM
Old IT vs. New IT
I understand the point the article makes but there is also an old vs. new IT we need to consider. In today's world, IT is actually in the best position to impact business in a positive way. Maybe more than any other department. Today business is the IT for most organizations.
Dr.T
User Rank: Ninja
5/26/2016 | 4:00:03 PM
Re: Printing Multi-Page Articles...
"... you only have to hit 'Print' once .."

I think this helps a lot. Obviously your IT team is not the one described in this article. :--))
Dr.T
User Rank: Ninja
5/26/2016 | 3:58:22 PM
Re: Printing Multi-Page Articles...
In addition to printing, it may be a better way of showing this information. I normally do not print, but the page loads slowly.
Dr.T
User Rank: Ninja
5/26/2016 | 3:55:51 PM
ServiceNow?
I have not used it but it seems it tries to simplify complex workflows and ease the problems that business users face.
Kelly Jackson Higgins
User Rank: Strategist
5/26/2016 | 2:25:31 PM
Re: Printing Multi-Page Articles...
Our dev team kindly just tweaked the Print function so that you only have to hit 'Print' once, and it will do the full print job for a slide show. Give it a try and let us know what you think!
Kelly Jackson Higgins
User Rank: Strategist
5/26/2016 | 12:58:31 PM
Re: Printing Multi-Page Articles...
I totally get your frustration here. Until we switch CMSes (which is on the books), I'm not sure if there is any way to make slide show printouts more elegant and headache-free. But let me check and see if there's some trick or option I am not aware of. 
dieselnerd
User Rank: Strategist
5/26/2016 | 12:53:50 PM
Re: Printing Multi-Page Articles...
Thanks for the quick reply, Kelly, to what was a rather bottom-of-the-triage, whiny user matter <g>.

I'm not so much interested in getting pretty enough for sharing (and non-free) reprints, just quick-and-dirty printouts for the DR personal reading pile - Friday afternoon, feet-on-the-desk while waiting for data download/import type stuff.

As you know, the print option works fine for the regular, continuous pieces, but all one can print of those that contain any "Back" and "Next" buttons is the first page. (Turns out, it takes additional hoop jumping to print even individual pages beyond page 1.)

Not the end of the world; I'll reset the rant and whine again in about six months.

Cheers,

DN