So, to recap on last week's blog, we talked about how we as individuals have judiciously spread our identity information all over the internet in our private lives, which gives away how we manage passwords in our business lives and potentially threatens our employer's or organisation's security. The platforms we use, at home and at work, are designed to be friendly and frictionless, so out of the box they are not generally secured beyond requiring the simplest of credentials to authenticate and gain access to data.
You can tell how judiciously you have spread your identity information around by looking at how many third-party apps you have on your phone and by checking the application approvals in Facebook or Google, if you use them. (Facebook can be a neat identity manager for individuals, as it uses modern authentication methods for access rather than sharing your username or password with the target platform; the "cost" is that you might be sharing your friends' details to save your own credentials.)
Your junk email folder and the volume of marketing emails that you have subscribed to are also both great indicators of how far your email address has spread across cyberspace.
The ghosts of identities past
The implementation of the new fine structure for GDPR in May 2018 had unintended, but actually very valuable, effects for all of us.
In addition to the 30-40 applications that I actively use in my private and business life, I got a number of reminder emails from providers of apps or websites that I used maybe years ago and then moved on from, or perhaps tried once, didn’t like and then deleted, where I obviously hadn’t made my “intent to be forgotten” clear to the provider.
A lot of these providers wrote to me in early 2018 to ask for explicit permission to keep my data. In most cases I asked them to delete me and cleaned house. I honestly can’t remember what I used for any of those in terms of passwords (they aren’t in my new password structure, so it’s probably safe) but it got me thinking: what else is out there?
Tackling cyber crime is one of the key drivers for GDPR legislation. The EU knows that we as citizens have been launched into the world of online apps very quickly, without having time to comprehend the potential consequences of our actions. They understand the limitations that we have as human beings, and that leaving an unmanaged trail of personal and login credential data behind us presents a significant risk to society at large.
It's probably worth explaining why...
The Black Market
Research conducted earlier this year by Keeper, a leading password management provider, highlighted that there is a thriving marketplace on the dark web for a range of classes of personal data and published the going rates in 2017. Top of the list is a full medical record, which was worth £800 per person. This apparently can be sold on to insurance underwriters, or used to blackmail executives. If you sell active credit card details, that’s worth £17.60 per card. Driving licence details, to support identity theft, are worth £16.00 each. Credentials to access subscription streaming services are worth a few pounds per account. Email addresses are also paid out at £1.80 per email address.
Legitimate marketing teams buy email addresses from legitimate mailing lists for a few pence each. The premium paid on the Black Market is purely to capture one of the two likely factors needed to breach accounts that have a higher value. Once they have an email address, they can use this to marry up against any passwords they may have obtained that look like they belong to the same user, and can then easily start looking at the common platforms the vast majority of us use to see if we used those details there. If they are successful, they get a small payday for each user account they unlock.
This all helps to highlight the true economies of scale of the Black Market for personal data: no one is going to get rich focussing on stealing your, or my, personal details. If you want a good pay day, you are far better off compromising an institution's platform.
Think about the details you have in your work systems, on your employees and your customers. How many email addresses are in your CRM system? What information do you hold in your HR and payroll systems? If you provide company cars to your staff, you probably hold a copy of each driver’s licence for your fleet insurance. Many companies used to insist on significant hires having a medical, and a lot of insurance companies hold extensive medical histories on their policy holders. If you run any online retail business you probably hold the email addresses and credit card details of thousands of people, along with an example of their password type.
We as individuals are being targeted, but mainly because the data that cyber criminals can capture from us is the gateway to a much larger payday: the information, such as that highlighted above, which they might be able to access from your employer. Whatever they can get from you or me personally can be multiplied by a factor of 100, 1,000 or more depending on where we work and what we have access to in our business day. If they can gain access to a user’s device, or to your corporate network, through the use of these credentials, they can sit quietly observing internal communications to target more complex phishing attacks, or wait for an Administrator to enter their credentials on a compromised device, steal these and elevate their access.
While this is definitely not the ONLY reason to have an enterprise grade Identity and Access Management solution, it is the main reason why EVERY organisation should have one.
Goin' phishin'
There has been a significant uptick in the complexity and volume of phishing attacks, particularly on Enterprises.
In addition to all of the ways that your access credentials could be compromised through your digital footprint, there is a significant industry built around phishing attacks. There is a huge volume of research on these types of attacks and their effectiveness. The general consensus is that 50 per cent of your staff would fall for one of the main types of phishing attack and provide corporate login details (username and password) to someone over the phone in a couple of clever but heavily used scenarios. It would be slightly irresponsible to go into details here, but if you think about your business, there are areas of your organisation that individuals may not know very well but which would command the authority to obtain this information.
An employee, in the heat of their daily work, thinking about all of the things they need to accomplish in the business day, contemplating what to have for tea and what they want to do at the weekend, while also thinking about all of the other things they need to manage in their lives, is never 100 per cent focussed on what they are doing. A strange request coming out of left field, with a fairly convincing story, may not get the scrutiny we can apply objectively, and this is how these types of attacks find success.
Securing your corporate identity
By recognising all of the points above, hopefully you will accept that the relative security provided by simply using a username and a password of any description is just not enough to deliver a secure perimeter for your business's data.
Many people have written over the last few years about how passwords are insufficient in terms of security, but they often fail to explain the minutiae of the detail that we have covered over the last two weeks. Based on the information they provide, it’s easy to dismiss them as conspiracy theorists or crackpots, but the truth is they are right, and hopefully this two-part blog explains some of the reasons why.
A good Identity and Access Management (IDAM) solution can help you to significantly improve your security stance through the implementation of the following measures:
Make IDAM the gateway to everything – As part of your implementation, we recommend that the IDAM platform is the gateway to every platform and that users trying to access any platform directly are diverted back through the IDAM platform. There are a number of reasons for this, but they all centre around making sure that the right policies and controls are applied to all access attempts. As an example, we wouldn’t want an employee who was leaving your organisation to log in to your CRM system directly on a private device that you aren’t monitoring or managing, and download client data for their own use in future employment.
Conditional access – Set policies for the minimum criteria for users to access corporate services. This could be logging in using specific approved devices, within specific time periods, and/or from specific locations or IP addresses. This can expand out into ensuring that devices are patched to a certain level, or add risk-based actions, such as requiring 2FA for logins from unusual locations or devices or in specific time periods. Integrating IDAM with your Mobile Device Management (MDM) platform can be a powerful way of making sure that a device that may be compromised, due to a lack of security updates or because a suspect application is present, is barred from access to critical platforms until it is compliant.
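As an added illustration (example code written for this post, not from the original article or from any IDAM product), here is a small Python evaluator for the kind of conditional access policy described above: hard compliance gates fed by MDM (approved device, patch level, suspect application) block outright, while off-network, unusual-location and out-of-hours sign-ins are allowed but stepped up to MFA. The network ranges, device ids, patch level and working hours are constructed values.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions for this example, not from the page).
CORPORATE_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
APPROVED_DEVICE_IDS = {"dev-001", "dev-002"}   # devices enrolled in MDM
MIN_PATCH_LEVEL = 2024                         # MDM-reported patch level
WORK_HOURS = (time(7, 0), time(20, 0))
HOME_COUNTRY = "GB"

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    device_patch_level: int
    device_has_suspect_app: bool   # MDM flagged an application on the device
    source_ip: str
    local_time: str                # "HH:MM"
    country: str

@dataclass
class Decision:
    allow: bool
    require_mfa: bool
    reasons: list = field(default_factory=list)

def evaluate(attempt: LoginAttempt) -> Decision:
    """Apply hard compliance gates first, then risk signals that step up to MFA."""
    # Hard blocks: a non-compliant or unknown device gets no access until fixed.
    if attempt.device_id not in APPROVED_DEVICE_IDS:
        return Decision(False, False, ["device not approved"])
    if attempt.device_patch_level < MIN_PATCH_LEVEL:
        return Decision(False, False, ["device below minimum patch level"])
    if attempt.device_has_suspect_app:
        return Decision(False, False, ["MDM reports a suspect application"])
    # Risk-based signals: allow the login, but require a second factor.
    reasons = []
    if not any(ip_address(attempt.source_ip) in net for net in CORPORATE_NETWORKS):
        reasons.append("source IP outside corporate networks")
    if attempt.country != HOME_COUNTRY:
        reasons.append("unusual location")
    if not WORK_HOURS[0] <= time.fromisoformat(attempt.local_time) <= WORK_HOURS[1]:
        reasons.append("outside approved time period")
    return Decision(True, bool(reasons), reasons)
```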
Leverage Biometrics – Many current devices enable users to sign on to the device using biometric information, such as a fingerprint or a 3D facial scan. Very often, these will be used to trigger an existing password, but they do provide one very important security feature: they stop the user having to key in the password.
Why is this important? Well, one of the ways a password can be compromised is by someone watching, or videoing, a person entering their password. Most smartphones now have 4K video with slow-motion capability; if you were videoing someone entering a password in the office, or in a coffee shop, the quality would be good enough to map the key presses. That same principle can be applied to a password list that the user opens in a notebook, on a smartphone, or in a web browser.
Biometrics can also be triggered as part of the authentication process for a specific application, which again can save the user having to enter their credentials again.
Not only are you protecting the user’s credentials, but from a productivity standpoint, your user will be spending less time logging in. Let’s say this saves five seconds for every log in for every employee in your business; how much time does that save you across your organisation each day, week, month and year?
Single Sign On – Closely linked to the above is using Single Sign On for all corporate apps. Once the user has successfully authenticated on the IDAM platform, it then uses modern authentication, or a platform level script, to onward authenticate onto each of your users’ line of business applications.
Making corporate-approved apps quick and frictionless to access improves productivity, but it also removes some of the reasons why your employees may be using shadow IT solutions (e.g. Dropbox instead of OneDrive for Business). This makes sure that your users are not continuing to judiciously spread their identity across cyberspace, and also ensures your corporate data remains inside the platforms you manage.
Harden your identity vault and platforms – Your IDAM platform should contain or control your Gold Identity Vault. Best practice would be to only grant Administrative access to this vault to the IDAM platform itself. This way, you are ensuring that no infiltration to your line of business systems enables access to the central identity database. In our deployments, we also recommend that for platforms such as Office 365, Azure or Dynamics CRM we grant the only Global Administrator account to the IDAM platform itself for the same reasons. No user has the credentials; they will instead access them via your chosen authentication policy through the IDAM platform itself.
Provisioning and deprovisioning – we covered this in an earlier blog, but getting provisioning and deprovisioning right is critical to your cyber security, and a good IDAM platform will make this easy for you:
- Automation – Linking your HR system to the IDAM platform enables user accounts to be created consistently and automatically for each new hire, changes made in line with role changes, and restrictions and suspension of access when an employee enters a leaver’s process. If HR integration is not possible, building a workflow to do this with minimal IT staff input will improve productivity and ensure that policy is followed, and no one accidentally gives Global Admin access to the cleaner.
- Role based access – Use policies to make sure only the specific services required for the job role are made available to the user’s credentials. A Customer Service representative should never need access to HR, payroll or accounting systems.
- Least privilege – Where any access is granted to a user or administrator, use policies to ensure that only the specific level of privilege is granted to meet the user’s needs.
- Deprovisioning – As soon as a user doesn’t need access to a system or platform, best practice is to terminate their access immediately. Every user is a gateway into a system: the more gateways there are, the higher the risk of a breach. As soon as it’s not needed, that gateway should be closed.
- Licence management – A good IDAM system will also provision and deprovision the user licences for you as part of the automated process. This is great from a cost-management perspective, but it also enforces the lock down of accounts that are no longer required. Any subscription-based platform will deny access to a user, even if they have the right credentials, if the licence has been terminated.
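The joiner/mover/leaver logic behind the list above, written as an added Python example that is not code from the original post or from any IDAM product: the HR feed is treated as the source of truth, each role maps to exactly the services and licences it needs, leavers are suspended with everything revoked, and enabled accounts with no HR record are reported as missed deprovisioning. The role maps and the HR/account records are constructed sample data.

```python
# Constructed role maps (assumptions for this example): each role gets only the
# services and licences its job needs, which is the least-privilege baseline.
ROLE_ENTITLEMENTS = {"customer-service": {"crm", "email"},
                     "hr-advisor": {"hr", "payroll", "email"},
                     "finance": {"accounting", "email"}}
ROLE_LICENCES = {"customer-service": {"crm-user"}, "hr-advisor": {"hr-user"},
                 "finance": {"erp-user"}}

# Constructed sample data: the HR feed is the source of truth, SAMPLE_ACCOUNTS is
# what IDAM currently holds (e1 joiner, e2 mover, e3 leaver, e9 has no HR record).
SAMPLE_HR = [{"id": "e1", "role": "customer-service", "status": "active"},
             {"id": "e2", "role": "hr-advisor", "status": "active"},
             {"id": "e3", "role": "finance", "status": "leaver"}]
SAMPLE_ACCOUNTS = {
    "e2": {"enabled": True, "entitlements": {"crm", "email"}, "licences": {"crm-user"}},
    "e3": {"enabled": True, "entitlements": {"accounting", "email"}, "licences": {"erp-user"}},
    "e9": {"enabled": True, "entitlements": {"accounting", "email"}, "licences": {"erp-user"}},
}

def reconcile(hr_feed, accounts):
    """Return the joiner/mover/leaver actions needed to bring IDAM accounts in line with HR."""
    actions = []
    hr_by_id = {rec["id"]: rec for rec in hr_feed}
    for emp_id, rec in hr_by_id.items():
        acct = accounts.get(emp_id)
        if rec["status"] == "leaver":
            # Leaver: suspend immediately and release every entitlement and licence.
            if acct and acct["enabled"]:
                actions.append(("suspend", emp_id, {"revoke": sorted(acct["entitlements"]),
                                                    "revoke_licences": sorted(acct["licences"])}))
            continue
        wanted, wanted_lic = ROLE_ENTITLEMENTS[rec["role"]], ROLE_LICENCES[rec["role"]]
        if acct is None:
            # Joiner: create with exactly the role's entitlements and licences, nothing more.
            actions.append(("create", emp_id, {"grant": sorted(wanted), "licences": sorted(wanted_lic)}))
            continue
        # Mover: grant what the new role needs and revoke what only the old role had.
        change = {"grant": sorted(wanted - acct["entitlements"]),
                  "revoke": sorted(acct["entitlements"] - wanted),
                  "licences_grant": sorted(wanted_lic - acct["licences"]),
                  "licences_revoke": sorted(acct["licences"] - wanted_lic)}
        if any(change.values()):
            actions.append(("update", emp_id, change))
    # Enabled accounts with no HR record were missed by deprovisioning: report them.
    for emp_id, acct in accounts.items():
        if emp_id not in hr_by_id and acct["enabled"]:
            actions.append(("orphan", emp_id, {}))
    return actions
```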
Administrator password vault – Rather than giving static administrative credentials to your key IT Admins, use the IDAM platform to cycle passwords for each Admin login for a set period or for single-session access. If a device is compromised and a hacker is attempting to capture Administrator credentials to elevate their access, this is one way of protecting against that risk.
Enforce MFA for Administrator access – Your IDAM platform should enable you to require 2FA for either all Administrator Access attempts, or for specific types of Administrator Access requests to provide an additional level of protection to key systems and platforms.
Audit and reporting – A good IDAM platform will keep an audit trail of all main activities, specifically when users are provisioned, changed and deprovisioned, and admin and user activities including last access details. This information will be critical in the event of a breach to understand how it occurred and what impact it has had. In the world of GDPR this is a must-have feature. Reporting is also a good mechanism for making sure that any users that might have been missed in deprovisioning activities are highlighted and removed.
Automate user password resets – We mentioned in part 1 that people have a tendency to panic if they realise they may have compromised their credentials before reporting it to anyone. It’s also possible someone may realise they have had their credentials compromised outside of your Service Desk operating hours (if you aren’t running 24x7x365). Having a simple, always-on password reset portal for users ensures that they can quickly and effortlessly change their passwords, with no embarrassment factor. You can encourage staff to take a “change it if you aren’t sure” approach, with no operational impact or additional cost. This also helps to combat the productivity loss that can happen when a password list is lost.
Some of the platforms that you use will already enable some of these features within them, but a good IDAM solution will allow you to enable these features across your entire estate, consistently and without compromise. More importantly, for those systems that DON’T enable these services, a good IDAM solution can add this functionality for you by acting as the gateway to all corporate platforms.
Aurora, from Core, is our enterprise-grade Identity and Access Management platform. It is built using a range of best-of-breed technologies to deliver all of the key features we have highlighted above, as well as solving a number of other Enterprise challenges which we will cover over the next few weeks. Aurora is available in a range of configurations to allow customers to choose the right balance of features to meet their organisational requirements. It’s a cloud-based solution which means that there are no specialist requirements for onsite hardware or support, and it will move and grow with your organisation regardless of physical locations, number of employees or platform landscape.
If you would like to speak to our specialists in your vertical market about how Core can help you with your Identity and Access Management requirements, please get in touch with us.
Next week we will look at how IDAM can help organisations that have complicated AD structures and how it can solve the challenges this can cause in a number of scenarios.
Read 'How to stop your users taking you to the data apocalypse: part 1' here.