10:30 AM
Jackson Shaw

Leveraging Security to Enable Your Business

When done right, security doesn't have to be the barrier to employee productivity that many have come to expect. Here's how.

Wouldn't it be great if everyone were trustworthy? No bad guys trying to break in and steal your cyber assets, and everyone is able to do their jobs unobstructed and without fear of negative consequences? That's when businesses succeed, costs go down, productivity skyrockets, and everyone is happy.

Unfortunately, this is not the world we live in. With both external cyberattacks and insider threats on the rise, companies must protect themselves from threats in their own backyard and the far-reaching corners of the cyber world. Because the risks are so high, many businesses have employed security processes and systems that encroach further and further into the business, hindering daily productivity and causing mass frustration among employees. In the most extreme cases, security has become employee enemy No. 1.

But security doesn't have to be the barrier many have come to expect and can actually help enable a business — when done right. Let's explore a few common instances of security getting in the way of productivity and possible solutions to turn security into an ally of business objectives.

Scenario 1: Access Control
Too often, organizations' knee-jerk reaction to bolstering security is to strengthen user authentication requirements. Often, this approach results in multiple passwords to remember (and forget), obstacles that get in the way of required access, and obstructive — but well-intentioned — technologies.

For example, I'm aware of a large company that required users to log in to two separate VPNs, both fronted by separate multifactor authentication solutions (MFAs), in order to remotely access basic systems. Understandably, most users end up avoiding the 10-minute login time and the unreliability of the VPN connections, and default to calling IT when they absolutely require access.

So, how can we turn that obstacle into a business enabler?

The first step is to look into more modern technologies, such as a reverse proxy, which can overcome the cumbersome nature of multiple VPNs and ensure quick, seamless, and secure access from anywhere, on any device. With this approach, there is no need to repeatedly require MFA once a user has "passed the test" of proving who they are.

Businesses can also leverage adaptive authentication technology, which automatically adjusts authentication requirements relative to the risk of the request. For example, an initial login may require MFA, but subsequent logins by the same user, from the same device, in the same day would not. If, however, the request suddenly comes from an unknown device, there could be something fishy going on. With adaptive authentication, the rules for an MFA requirement for specific risky login instances can be preset and automatically enforced.
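The rule in this paragraph, written out as a small policy check. This is an added example, not code from the article or from any product; the class, function, user and device names are hypothetical, the login events are constructed, and "same day" is assumed to mean the same calendar date in the timestamps' own timezone.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AdaptiveAuthPolicy:
    # (user, device_id) -> calendar date of the last successful MFA
    mfa_passed: dict = field(default_factory=dict)

    def requires_mfa(self, user, device_id, when):
        """Return (mfa_required, reason) for one login request."""
        last = self.mfa_passed.get((user, device_id))
        if last is None:
            # Device never seen for this user: treat as the risky case.
            return True, "unknown device for this user"
        if last != when.date():
            return True, "no MFA from this device today"
        return False, "same user, same device, same day"

    def record_mfa_success(self, user, device_id, when):
        self.mfa_passed[(user, device_id)] = when.date()


def replay(events):
    """Run login events through the policy, assuming MFA succeeds when asked."""
    policy = AdaptiveAuthPolicy()
    decisions = []
    for user, device_id, timestamp in events:
        when = datetime.fromisoformat(timestamp)
        required, reason = policy.requires_mfa(user, device_id, when)
        if required:
            policy.record_mfa_success(user, device_id, when)
        decisions.append((user, device_id, timestamp, required, reason))
    return decisions


# Constructed sample events: (user, device, ISO timestamp)
SAMPLE_EVENTS = [
    ("alice", "laptop-01", "2018-03-19T08:55:00"),  # first login of the day
    ("alice", "laptop-01", "2018-03-19T13:10:00"),  # same device, same day
    ("alice", "phone-77", "2018-03-19T13:12:00"),   # device not seen before
    ("alice", "laptop-01", "2018-03-20T09:01:00"),  # next day
    ("bob", "laptop-01", "2018-03-20T09:05:00"),    # known device, other user
]

if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```

The trust record is keyed on the user and device together, so a device that one user has already verified does not exempt a different user from MFA.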

The result: the default stance of obstruction and denial is replaced with enablement and efficiency. The business is the beneficiary.

Scenario 2: Privileged Accounts
The prime targets for many bad actors are the privileged accounts that provide the "keys to the kingdom." With this super-user access, bad guys can get to virtually any data, files, and systems they want, cover their tracks, and act with anonymity. Businesses typically address this threat in one of two ways: they simply pretend there is no risk and continue sharing credentials, or they lock away all privileged credentials and issue them under the strictest controls. One is incredibly risky; the other is equally inefficient. Both prevent businesses from truly realizing their objectives.

A multifaceted approach to privileged access management (PAM) can provide proper security measures while also ensuring that permissions are available when needed, thus facilitating business agility. What this means is that privileged account rights are issued on a "least privilege" model, whereby each user is issued only the permissions necessary to do their job. "Full" administrative permissions are locked away in a digital vault complete with automated issuance workflows and approvals, audits of tasks performed, and automatic password change requirements. This practice eliminates the cumbersome manual processes often associated with PAM and assigns individual accountability.

It is also important to find and remediate instances of users with permissions that exceed their role, their peer group, or industry norms. By ensuring that each user has the correct rights, everyone can do their jobs, and the chances of abuse and misuse are greatly reduced.
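One way to find permissions that exceed a user's peer group, as an added example that is not from the article: flag any permission a user holds that fewer than half of the users in the same role also hold. The role names, permission names, the 50% threshold and the minimum group size are all assumptions chosen for illustration, and the entitlement data is constructed.

```python
from collections import Counter, defaultdict


def excess_permissions(assignments, roles, threshold=0.5, min_group=3):
    """Return {user: [permissions]} held by less than `threshold` of role peers."""
    peers = defaultdict(list)
    for user, role in roles.items():
        peers[role].append(user)

    findings = {}
    for role, members in peers.items():
        if len(members) < min_group:
            # Too few peers to form a meaningful baseline; review by hand.
            continue
        counts = Counter(
            perm for user in members for perm in assignments.get(user, set())
        )
        for user in members:
            rare = {
                perm
                for perm in assignments.get(user, set())
                if counts[perm] / len(members) < threshold
            }
            if rare:
                findings[user] = sorted(rare)
    return findings


# Constructed sample data (hypothetical users, roles and permissions)
SAMPLE_ROLES = {
    "ana": "ap-clerk", "ben": "ap-clerk", "cho": "ap-clerk", "dev": "ap-clerk",
    "eve": "sysadmin", "fay": "sysadmin",
}
SAMPLE_ASSIGNMENTS = {
    "ana": {"invoice.read", "invoice.create"},
    "ben": {"invoice.read", "invoice.create"},
    "cho": {"invoice.read", "invoice.create"},
    "dev": {"invoice.read", "invoice.create", "payment.approve", "db.admin"},
    "eve": {"db.admin", "server.restart"},
    "fay": {"db.admin"},
}

if __name__ == "__main__":
    for user, perms in excess_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES).items():
        print(user, perms)
```

A finding is a prompt for review with the line-of-business owner, not proof of misuse; a rare permission may be a legitimate exception that should be documented.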

Scenario 3: Provisioning and Deprovisioning
How long does it take for your average new user to be fully provisioned? Research conducted by the Aberdeen Group in 2013, and still valid, found that it takes at least a day and a half. Many organizations lag far behind that, reporting days or weeks before full access is granted. Nothing stands in the way of achieving business objectives like provisioning delays. And, on the flip side, nothing causes more security concerns than delays in deprovisioning.

The same research indicated that it takes half a day on average to fully deprovision a user. But again, many organizations fall significantly behind the curve on that matter — and that doesn't even take into account instances of faulty provisioning in which rights are inappropriate due to IT copying ungoverned sets of permissions.

Delays and errors tend to be the result of a lack of communication between IT and line-of-business employees. IT knows how to provision and deprovision but lacks the context behind access requirements and what a user actually needs to perform his or her role. In addition, with the diversity of the modern enterprise, provisioning actions often require multiple IT teams, many disparate tools, and an abundance of manual processes that result only in inactive users.

The solution to this problem from both an efficiency and security standpoint is to unify provisioning across the entire enterprise, basing access on business roles that can be enforced enterprise-wide, and placing the power in the hands of the line-of-business rather than IT. For organizations that have taken this approach, full provisioning is close to instantaneous and incidents of misprovisioning are nearly nonexistent.

Business Roadblock or Business Driver?
We've hit a tipping point. We can either continue to obstruct business for the sake of security, or we can change the way we do things and shift security from business roadblock to business driver. The low-hanging fruit of business-enabling security include adaptive approaches to access control, a holistic strategy for privileged access management, and a unified and business-driven program of provisioning and deprovisioning.


Jackson Shaw is vice president of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ...