Dark Reading is part of the Informa Tech Division of Informa PLC


2/23/2018
10:30 AM
Jackson Shaw
Commentary

Leveraging Security to Enable Your Business

When done right, security doesn't have to be the barrier to employee productivity that many have come to expect. Here's how.

Wouldn't it be great if everyone were trustworthy? No bad guys trying to break in and steal your cyber assets, and everyone is able to do their jobs unobstructed and without fear of negative consequences? That's when businesses succeed, costs go down, productivity skyrockets, and everyone is happy.

Unfortunately, this is not the world we live in. With both external cyberattacks and insider threats on the rise, companies must protect themselves from threats in their own backyard and the far-reaching corners of the cyber world. Because the risks are so high, many businesses have employed security processes and systems that encroach further and further into the business, hindering daily productivity and causing mass frustration among employees. In the most extreme cases, security has become employee enemy No. 1.

But security doesn't have to be the barrier many have come to expect and can actually help enable a business — when done right. Let's explore a few common instances of security getting in the way of productivity and possible solutions to turn security into an ally of business objectives.

Scenario 1: Access Control
Too often, organizations' knee-jerk reaction to bolstering security is to strengthen user authentication requirements. Often, this approach results in multiple passwords to remember (and forget), obstacles that get in the way of required access, and obstructive — but well-intentioned — technologies.

For example, I'm aware of a large company that required users to log in to two separate VPNs, both fronted by separate multifactor authentication solutions (MFAs), in order to remotely access basic systems. Understandably, most users end up avoiding the 10-minute login time and the unreliability of the VPN connections, and default to calling IT when they absolutely require access.

So, how can we turn that obstacle into a business enabler?

The first step is to look into more modern technologies, such as a reverse proxy, which can overcome the cumbersome nature of multiple VPNs and ensure quick, seamless, and secure access from anywhere, on any device. With this approach, there is no need to repeatedly require MFA once a user has "passed the test" of proving who they are.

Businesses can also leverage adaptive authentication technology, which automatically adjusts authentication requirements relative to the risk of the request. For example, an initial login may require MFA, but subsequent logins by the same user, from the same device, in the same day would not. If, however, the request suddenly comes from an unknown device, there could be something fishy going on. With adaptive authentication, the rules for an MFA requirement for specific risky login instances can be preset and automatically enforced.
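The rule in the paragraph above, written out as an added example (not code from the article or from any vendor product). The names `LoginRequest`, `AdaptivePolicy` and the device identifier are hypothetical, and the login events are constructed; a device only becomes trusted after MFA actually succeeds on it.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class LoginRequest:
    user: str
    device_id: str  # hypothetical stable device identifier
    when: datetime

@dataclass
class AdaptivePolicy:
    # (user, device_id) -> calendar day of the last successful MFA
    mfa_day: dict = field(default_factory=dict)

    def evaluate(self, req):
        """Return (decision, reason) for one login request."""
        known = {d for (u, d) in self.mfa_day if u == req.user}
        if req.device_id not in known:
            reason = "unknown device" if known else "initial login"
            return "REQUIRE_MFA", reason
        if self.mfa_day[(req.user, req.device_id)] != req.when.date():
            return "REQUIRE_MFA", "no MFA from this device today"
        return "ALLOW", "same user, same device, same day"

    def record_mfa_success(self, req):
        self.mfa_day[(req.user, req.device_id)] = req.when.date()

def replay(events):
    """Evaluate (request, mfa_succeeded) pairs in order against one policy."""
    policy, out = AdaptivePolicy(), []
    for req, mfa_ok in events:
        decision, reason = policy.evaluate(req)
        if decision == "REQUIRE_MFA" and mfa_ok:
            policy.record_mfa_success(req)  # failed MFA never builds trust
        out.append((req.device_id, decision, reason))
    return out

# Constructed sample events: (request, whether the MFA challenge succeeded)
SAMPLE_EVENTS = [
    (LoginRequest("alice", "laptop-1", datetime(2018, 2, 23, 8, 0)), True),
    (LoginRequest("alice", "laptop-1", datetime(2018, 2, 23, 13, 0)), True),
    (LoginRequest("alice", "phone-x", datetime(2018, 2, 23, 13, 5)), False),
    (LoginRequest("alice", "phone-x", datetime(2018, 2, 23, 13, 6)), False),
    (LoginRequest("alice", "laptop-1", datetime(2018, 2, 24, 8, 0)), True),
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```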

The result: the default stance of obstruction and denial is replaced with enablement and efficiency. The business is the beneficiary.

Scenario 2: Privileged Accounts
The prime targets for many bad actors are the privileged accounts that provide the "keys to the kingdom." With this super-user access, bad guys can get to virtually any data, files, and systems they want, cover their tracks, and act with anonymity. Businesses typically address this threat in one of two ways: they simply pretend there is no risk and continue sharing credentials, or they lock away all privileged credentials and issue them under the strictest controls. One is incredibly risky; the other is equally inefficient. Both prevent businesses from truly realizing their objectives.

A multifaceted approach to privileged access management (PAM) can provide proper security measures while also ensuring that permissions are available when needed, thus facilitating business agility. What this means is that privileged account rights are issued on a "least privilege" model, whereby each user is issued only the permissions necessary to do their job. "Full" administrative permissions are locked away in a digital vault complete with automated issuance workflows and approvals, audits of tasks performed, and automatic password change requirements. This practice eliminates the cumbersome manual processes often associated with PAM and assigns the individual accountability.

It is also important to find and remediate instances of users with permissions that exceed their role, their peer group, or industry norms. By ensuring that each user has the correct rights, everyone can do their jobs, and the chances of abuse and misuse are greatly reduced.

Scenario 3: Provisioning and Deprovisioning
How long does it take for your average new user to be fully provisioned? Research conducted by the Aberdeen Group in 2013, and still valid, found that it takes at least a day and a half. Many organizations lag far behind that, reporting days or weeks before full access is granted. Nothing stands in the way of achieving business objectives like provisioning delays. And, on the flip side, nothing causes more security concerns than delays in deprovisioning.

The same research indicated that it takes half a day on average to fully deprovision a user. But again, many organizations fall significantly behind the curve on that matter — and that doesn't even take into account instances of faulty provisioning in which rights are inappropriate due to IT copying ungoverned sets of permissions.

Delays and errors tend to be the result of a lack of communication between IT and line-of-business employees. IT knows how to provision and deprovision but lacks the context behind access requirements and what a user actually needs to perform his or her role. In addition, with the diversity of the modern enterprise, provisioning actions often require multiple IT teams, many disparate tools, and an abundance of manual processes that result only in inactive users.

The solution to this problem from both an efficiency and security standpoint is to unify provisioning across the entire enterprise, basing access on business roles that can be enforced enterprise-wide, and placing the power in the hands of the line-of-business rather than IT. For organizations that have taken this approach, full provisioning is close to instantaneous and incidents of misprovisioning are nearly nonexistent.

Business Roadblock or Business Driver?
We've hit a tipping point. We can either continue to obstruct business for the sake of security, or we can change the way we do things and shift security from business roadblock to business driver. The low-hanging fruit of business-enabling security include adaptive approaches to access control, a holistic strategy for privileged access management, and a unified and business-driven program of provisioning and deprovisioning.


Jackson Shaw is vice president of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ...