Wouldn't it be great if everyone were trustworthy? No bad guys trying to break in and steal your cyber assets, and everyone is able to do their jobs unobstructed and without fear of negative consequences? That's when businesses succeed, costs go down, productivity skyrockets, and everyone is happy.
Unfortunately, this is not the world we live in. With both external cyberattacks and insider threats on the rise, companies must protect themselves from threats in their own backyard and the far-reaching corners of the cyber world. Because the risks are so high, many businesses have employed security processes and systems that encroach further and further into the business, hindering daily productivity and causing mass frustration among employees. In the most extreme cases, security has become employee enemy No. 1.
But security doesn't have to be the barrier many have come to expect and can actually help enable a business — when done right. Let's explore a few common instances of security getting in the way of productivity and possible solutions to turn security into an ally of business objectives.
Scenario 1: Access Control
Too often, organizations' knee-jerk reaction to bolstering security is to strengthen user authentication requirements. Often, this approach results in multiple passwords to remember (and forget), obstacles that get in the way of required access, and obstructive — but well-intentioned — technologies.
For example, I'm aware of a large company that required users to log in to two separate VPNs, both fronted by separate multifactor authentication solutions (MFAs), in order to remotely access basic systems. Understandably, most users end up avoiding the 10-minute login time and the unreliability of the VPN connections, and default to calling IT when they absolutely require access.
So, how can we turn that obstacle into a business enabler?
The first step is to look into more modern technologies, such as a reverse proxy, which can overcome the cumbersome nature of multiple VPNs and ensure quick, seamless, and secure access from anywhere, on any device. With this approach, there is no need to repeatedly require MFA once a user has "passed the test" of proving who they are.
Businesses can also leverage adaptive authentication technology, which automatically adjusts authentication requirements relative to the risk of the request. For example, an initial login may require MFA, but subsequent logins by the same user, from the same device, in the same day would not. If, however, the request suddenly comes from an unknown device, there could be something fishy going on. With adaptive authentication, the rules for an MFA requirement for specific risky login instances can be preset and automatically enforced.
The result: the default stance of obstruction and denial is replaced with enablement and efficiency. The business is the beneficiary.
Scenario 2: Privileged Accounts
The prime targets for many bad actors are the privileged accounts that provide the "keys to the kingdom." With this super-user access, bad guys can get to virtually any data, files, and systems they want, cover their tracks, and act with anonymity. Businesses typically address this threat in one of two ways: they simply pretend there is no risk and continue sharing credentials, or they can lock away all privileged credentials and issue them under the strictest controls. One is incredibly risky; the other is equally inefficient. Both prevent businesses from truly realizing their objectives.
A multifaceted approach to privileged access management (PAM) can provide proper security measures while also ensuring that permissions are available when needed, thus facilitating business agility. What this means is that privileged account rights are issued on a "least privilege" model, whereby each user is issued only the permissions necessary to do their job. "Full" administrative permissions are locked away in a digital vault complete with automated issuance workflows and approvals, audits of tasks performed, and automatic password change requirements. This practice eliminates the cumbersome manual processes often associated with PAM and assigns the individual accountability.
It is also important to find and remediate instances of users with permissions that exceed their role, their peer group, or industry norms. By ensuring that each user has the correct rights, everyone can do their jobs, and the chances of abuse and misuse are greatly reduced.
Scenario 3: Provisioning and Deprovisioning
How long does it take for your average new user to be fully provisioned? Research conducted by the Aberdeen Group in 2013 and still valid found that it takes at least a day and half. Many organizations lag far behind that, reporting days or weeks before full access is granted. Nothing stands in the way of achieving business objectives like provisioning delays. And, on the flip side, nothing causes more security concerns than delays in deprovisioning.
The same research indicated that it takes half a day on average to fully deprovision a user. But again, many organizations fall significantly behind the curve on that matter — and that doesn't even take into account instances of faulty provisioning in which rights are inappropriate due to IT copying ungoverned sets of permissions.
Delays and errors tend to be the result of a lack of communication between IT and line-of-business employees. IT knows how to provision and deprovision but lacks the context behind access requirements and what a user actually needs to perform his or her role. In addition, with the diversity of the modern enterprise, provisioning actions often require multiple IT teams, many disparate tools, and an abundance of manual processes that result only in inactive users.
The solution to this problem from both an efficiency and security standpoint is to unify provisioning across the entire enterprise, basing access on business roles that can be enforced enterprise-wide, and placing the power in the hands of the line-of-business rather than IT. For organizations that have taken this approach, full provisioning is close to instantaneous and incidents of misprovisioning are nearly nonexistent.
Business Roadblock or Business Driver?
We've hit a tipping point. We can either continue to obstruct business for the sake of security, or we can change the way we do things and shift security from business roadblock to business driver. The low-hanging fruit of business-enabling security include adaptive approaches to access control, a holistic strategy for privileged access management, and a unified and business-driven program of provisioning and deprovisioning.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.Jackson Shaw is vice president of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ... View Full Bio