2020-08-11T07:24:00Z
Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees

What are some tips for effective identity and access management to prevent insider data breaches?

Insider data breaches can be a real problem in businesses. One way to address this issue is by implementing an identity and access management solution. 

What tips do you have for ensuring that one's identity and access management solution is effective?

6 Answers
CB
Deputy General Director at IS Decisions
Vendor
2020-09-08T07:37:10Z
Sep 8, 2020

The simplest and most common activity for every insider threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.

Remember also that almost every external attack eventually looks like an insider. The use of compromised internal credentials is the most common threat action in data breaches.

To ensure the best out of any access management solution, think around five primary functions – all working in concert to maintain a secure environment.

  • Two-Factor Authentication – Regulating user access involves authentication to verify the identity of a user. But authentication using only a strong user name and password doesn’t cut it anymore. Two-factor authentication combines something you know (your password) with something you have (a token or authenticator application).

  • Access Restrictions – Policies can be added on who can log on, when, from where, for how long, how often, and how frequently. They can also limit specific combinations of logon types (such as console- and RDP-based logons).

  • Access Monitoring – Awareness of every single logon as it occurs serves as the basis for enforcing policy, alerting, reporting, and more.

  • Access Alerting – Notifying IT - and users themselves - of inappropriate logon activity and failed attempts helps alert on suspicious events involving credentials.

  • Access Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.

The potential insider threat scenarios that are now thwarted include:

  • It protects exploited users (from phishing attacks or malicious colleagues) with controls that make genuine but compromised employee logins useless to attackers.

  • It outright restricts certain careless user behavior such as password sharing, shared workstations left unlocked, or logging into multiple computers.

  • Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously, ensures a quick response to suspicious activity, offers evidence to address violations that do occur, and makes all users more careful with their actions.
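As an added illustration of how the Access Restrictions, Monitoring, Alerting and Response functions described in this answer fit together (example code written for this page, not code from the answer's author or from IS Decisions), the following logon policy engine evaluates a stream of logon events against per-account policies. The policy fields, the account names, the workstation names and every event are constructed sample data; the decision strings (`allow`, `deny:hours`, `fail:burst` and so on) are this example's own convention.

```python
# Added example: a logon policy engine (constructed data, not a real product).
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    allowed_hours: tuple           # (start_hour, end_hour): start <= hour < end
    allowed_hosts: set             # workstations the account may log on from
    max_concurrent: int            # simultaneous sessions permitted
    forbid_console_and_rdp: bool   # no console and RDP session at the same time
    fail_threshold: int            # failed logons inside fail_window that trigger a block
    fail_window: timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    kind: str       # "console" or "rdp"
    success: bool   # False = the credential check failed


@dataclass
class Engine:
    policies: dict                                  # user -> Policy
    sessions: dict = field(default_factory=dict)    # user -> [(host, kind), ...]
    failures: dict = field(default_factory=dict)    # user -> timestamps of failed logons
    blocked: set = field(default_factory=set)       # accounts refused further logons
    alerts: list = field(default_factory=list)      # (ts, user, message) for IT and the user

    def alert(self, ev, msg):
        self.alerts.append((ev.ts, ev.user, msg))   # Access Alerting

    def block(self, ev, why):
        # Access Response: force off every session and refuse further logons.
        self.blocked.add(ev.user)
        self.sessions.pop(ev.user, None)
        self.alert(ev, f"account blocked: {why}")

    def logoff(self, user, host, kind):
        self.sessions.get(user, []).remove((host, kind))

    def evaluate(self, ev):
        """Access Monitoring: judge one logon event and return the decision."""
        if ev.user in self.blocked:
            return "deny:blocked"
        pol = self.policies.get(ev.user)
        if pol is None:
            self.alert(ev, "logon by an account with no policy")
            return "deny:no-policy"
        if not ev.success:
            recent = [t for t in self.failures.get(ev.user, []) if ev.ts - t <= pol.fail_window]
            recent.append(ev.ts)
            self.failures[ev.user] = recent
            if len(recent) >= pol.fail_threshold:
                self.block(ev, f"{len(recent)} failed logons within {pol.fail_window}")
                return "fail:burst"
            return "fail"
        start, end = pol.allowed_hours
        if not start <= ev.ts.hour < end:
            self.alert(ev, "logon outside permitted hours")
            return "deny:hours"
        if ev.host not in pol.allowed_hosts:
            self.alert(ev, f"logon from unapproved host {ev.host}")
            return "deny:host"
        current = self.sessions.setdefault(ev.user, [])
        if len(current) >= pol.max_concurrent:
            self.alert(ev, "concurrent session limit reached")
            return "deny:concurrent"
        if pol.forbid_console_and_rdp and any(k != ev.kind for _, k in current):
            self.alert(ev, "console and RDP sessions held at the same time")
            return "deny:console+rdp"
        current.append((ev.host, ev.kind))
        return "allow"


def run_sample():
    """Replay a constructed event stream; returns (decisions, engine)."""
    t0 = datetime(2020, 9, 8, 9, 0)
    pol = Policy((8, 18), {"WS-01", "WS-02"}, 2, True, 3, timedelta(minutes=5))
    eng = Engine(policies={"alice": pol, "bob": pol})
    m = timedelta(minutes=1)
    events = [
        Event(t0, "alice", "WS-01", "console", True),             # allow
        Event(t0 + 5 * m, "alice", "WS-02", "rdp", True),         # console + RDP combination
        Event(t0 + 10 * m, "alice", "WS-99", "console", True),    # unapproved workstation
        Event(t0 + 60 * m, "bob", "WS-01", "console", False),     # failed logon 1
        Event(t0 + 61 * m, "bob", "WS-01", "console", False),     # failed logon 2
        Event(t0 + 62 * m, "bob", "WS-01", "console", False),     # burst -> account blocked
        Event(t0 + 63 * m, "bob", "WS-01", "console", True),      # correct password, still blocked
        Event(t0 + 13 * 60 * m, "alice", "WS-01", "console", True),  # 22:00, outside hours
    ]
    return [eng.evaluate(e) for e in events], eng


if __name__ == "__main__":
    decisions, engine = run_sample()
    for d, a in zip(decisions, engine.alerts):
        print(d, a)
```

Note the ordering of the checks: a blocked account is refused before anything else, failed attempts are counted against the window even when the hour or host would have been acceptable, and a successful credential check alone never yields `allow` until every restriction has passed, which is what makes a stolen but genuine password much less useful.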

EL
Director, Cloud Services at American Sugar Refining Inc
Real User
2020-10-16T13:52:42Z
Oct 16, 2020

With experience in both IT and Audit, I can say the answer most often leads to a tried and true combination of preventative and detective mechanisms/controls. These two methods, though very different, help with achieving the goal of minimizing breaches and detecting them so the right action is triggered when a breach does occur. Since every business has to place cost vs. risk on a scale, unless the business has endless monies, there will be some risks too expensive to prevent, so you must have the means to detect and then react with the goal of minimizing the exposure and learning from it.

A ridiculous example, but it proves my point: every employee has a second or third employee watching and validating every action carried out by the first employee to ensure no data breaches. So the risk is minimized and maybe even eliminated, but the cost is more than most companies will ever contemplate. I will leave alone the topic of collusion since that is more than we can explain in this short answer. Now remove the 3rd watcher person and reduce the 2nd by 50% to save money, but scope the first person's actions. If the first employee's actions are limited by the roles assigned (in a system or manual), the activity carried out by the employee is controlled and scoped, which in turn limits risk. The remainder is added to detective mechanisms such as DLP in a system or even a human reviewing (maybe sampling) the first person's activities.

It is a roundabout way to say that you need a combination of both types of controls, where access is scoped and monitored: the availability of the data is limited to the degree that is cost-effective, and then the less costly but less reliable detective means are used.

Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees
Community Manager
Oct 18, 2020

@Enrique Leon, CISA Thanks for weighing in!

JV
Senior IT Risk Management and Compliance Assurance Specialist at an energy/utilities company with 10,001+ employees
Real User
2020-08-11T13:55:02Z
Aug 11, 2020

The premise of any effective Identity and Access Management solution is that 100% "Trust" exists. Unfortunately, trusting someone to the "keys of the kingdom" is best left to Hollywood, while ensuring the business stays afloat in the real world requires that a robust zero trust mechanism be implemented. New employees, whether experienced or fresh out of school, do not have the luxury of developing the level of trust that can be deemed "100%".

Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees
Community Manager
Aug 12, 2020

Thanks for your input @JoeValero. So bearing in mind that 100% "trust" is impossible, do you have some suggestions for how to increase protection against insider breaches?

EL
Director, Cloud Services at American Sugar Refining Inc
Real User
2020-10-25T00:16:19Z
Oct 25, 2020

There are easily a dozen low-hanging fruit, and I would start with the non-tech vector: data owners and stewards. Then comes the education and policy dissemination of the company’s stand on data loss. After that, move to the tech implementation to detect common signs, such as DLP identifying large and frequent data transfers via email or copying to external drives, which include cloud and thumb drives.
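The two DLP signals this answer names, large transfers and frequent transfers to external channels, can be expressed as a sliding-window detector over a transfer log. The following is an added example written for this page, not code from the answer's author or from any DLP product: the log format, the channel names (`email`, `usb`, `cloud`, `smb`), the thresholds and every log line are constructed assumptions.

```python
# Added example: sliding-window detection of large or frequent external
# data transfers (constructed log format and thresholds, not a real product).
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_BYTES_PER_WINDOW = 500 * 1024 * 1024   # 500 MiB to external channels per hour
MAX_EVENTS_PER_WINDOW = 10                 # 10 outbound transfers per hour
EXTERNAL = {"email", "usb", "cloud"}        # channels that leave the company's control


def parse(line):
    # Constructed line format: "<ISO time> <user> <channel> <bytes> <destination>"
    ts, user, channel, size, dest = line.split()
    return datetime.fromisoformat(ts), user, channel, int(size), dest


def detect(lines):
    """Return sorted (user, reason) findings; each user is reported once per reason."""
    by_user = defaultdict(list)
    for ts, user, channel, size, _dest in map(parse, lines):
        if channel in EXTERNAL:            # internal copies (e.g. SMB file shares) are ignored
            by_user[user].append((ts, size))
    findings = set()
    for user, events in by_user.items():
        events.sort()                       # log lines may arrive out of order
        window = []
        for ts, size in events:
            window.append((ts, size))
            # keep only transfers inside the trailing one-hour window
            window = [(t, s) for t, s in window if ts - t <= WINDOW]
            if sum(s for _, s in window) > MAX_BYTES_PER_WINDOW:
                findings.add((user, "large-volume"))
            if len(window) >= MAX_EVENTS_PER_WINDOW:
                findings.add((user, "high-frequency"))
    return sorted(findings)


# Constructed sample log: alice sends three 2 MiB attachments (normal), dave copies
# 5 GiB to an internal file server (ignored), bob copies five 200 MiB files to a
# thumb drive in ten minutes, carol sends twelve small emails in half an hour.
SAMPLE_LOG = [
    "2020-10-25T09:00:00 alice email 2097152 partner.example",
    "2020-10-25T09:20:00 alice email 2097152 partner.example",
    "2020-10-25T09:40:00 alice email 2097152 partner.example",
    "2020-10-25T10:00:00 dave smb 5368709120 fileserver01",
] + [
    f"2020-10-25T11:{2 * i:02d}:00 bob usb 209715200 thumbdrive" for i in range(5)
] + [
    f"2020-10-25T13:{3 * i:02d}:00 carol email 10240 mail.example" for i in range(12)
]

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

The volume and frequency checks are deliberately separate: a user exfiltrating one large archive and a user trickling out many small files trip different thresholds, and both are worth a data owner's attention.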

MA
Senior Manager, IT Security and Compliance / CISO at Superior Energy Services, Inc.
Real User
2020-08-12T13:44:02Z
Aug 12, 2020

Once you've selected the right solution for your business, you need to make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks. Identify all of your information assets, classify them based on sensitivity and criticality (e.g. Public, Internal Use Only, Confidential, and Restricted), then create rules for the granting, revocation and modification of access to those assets. Once that is done and everyone is aware of the policies and procedures governing access, you can implement the solution accordingly. Post-implementation you will want to have a process in place for periodic review of access based on applicable regulatory, audit and security requirements. You may have to create custom reports if the canned reports are not sufficient. Data owners should be involved in the review since they are usually in a better position to determine if an individual's access is still legitimate.
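The periodic access review this answer describes, driven by the Public / Internal Use Only / Confidential / Restricted classification and routed to data owners, can be produced from an entitlement inventory with a short script. What follows is an added example written for this page, not code from the answer's author or from any IAM product; the stale-access thresholds per classification, the user, asset and owner names, and the entitlement records are all constructed assumptions.

```python
# Added example: build a periodic access-review report grouped by data owner
# (constructed classification thresholds and inventory, not a real product).
from collections import defaultdict
from datetime import date

SENSITIVITY = {"Public": 0, "Internal Use Only": 1, "Confidential": 2, "Restricted": 3}
# Assumed policy: days of non-use after which access must be re-certified (None = never)
STALE_AFTER = {"Public": None, "Internal Use Only": 180, "Confidential": 90, "Restricted": 30}


def build_review(users, assets, entitlements, today):
    """users: {login: {"status": "active" | "terminated"}}
    assets: {name: {"class": classification, "owner": data-owner login}}
    entitlements: [(login, asset, last_used date or None), ...]
    Returns {owner: [(asset, login, action, reason), ...]}, most sensitive first."""
    review = defaultdict(list)
    for login, asset, last_used in entitlements:
        cls = assets[asset]["class"]
        status = users.get(login, {}).get("status", "unknown")
        if status != "active":
            # Leavers and orphaned accounts: the rule is revocation, not a judgement call
            action, reason = "revoke", f"account status {status}"
        else:
            limit = STALE_AFTER[cls]
            if limit is None:
                continue                               # Public data is never re-certified
            if last_used is None:
                idle = "never used"
            else:
                days = (today - last_used).days
                if days <= limit:
                    continue                           # recently used: nothing to review
                idle = f"unused for {days} days"
            action, reason = "recertify", f"{idle} (limit {limit} days)"
        review[assets[asset]["owner"]].append((asset, login, action, reason))
    for owner, items in review.items():
        items.sort(key=lambda i: (-SENSITIVITY[assets[i[0]]["class"]], i[0], i[1]))
    return dict(review)


# Constructed inventory for the sample run
USERS = {"mark": {"status": "active"}, "jane": {"status": "terminated"},
         "raj": {"status": "active"}, "lin": {"status": "active"}}
ASSETS = {"payroll-db": {"class": "Restricted", "owner": "finance.owner"},
          "hr-share": {"class": "Confidential", "owner": "hr.owner"},
          "intranet-wiki": {"class": "Internal Use Only", "owner": "comms.owner"},
          "public-site": {"class": "Public", "owner": "comms.owner"}}
ENTITLEMENTS = [
    ("mark", "payroll-db", date(2020, 8, 10)),   # used two days ago: fine
    ("jane", "payroll-db", date(2020, 6, 1)),    # terminated: revoke
    ("raj", "payroll-db", date(2020, 6, 30)),    # 43 days idle on Restricted data
    ("raj", "hr-share", date(2020, 4, 1)),       # 133 days idle on Confidential data
    ("lin", "hr-share", None),                   # granted but never used
    ("lin", "intranet-wiki", date(2020, 1, 1)),  # 224 days idle on internal data
    ("lin", "public-site", None),                # Public: never flagged
    ("ghost", "hr-share", date(2020, 8, 1)),     # no account record at all: revoke
]

if __name__ == "__main__":
    for owner, items in build_review(USERS, ASSETS, ENTITLEMENTS, date(2020, 8, 12)).items():
        print(f"== review items for {owner} ==")
        for asset, login, action, reason in items:
            print(f"  {action:10} {login:6} on {asset}: {reason}")
```

Grouping by owner is the point: each data owner receives only the entitlements to assets they are accountable for, ordered so that Restricted items are decided first, and the report doubles as the custom report an off-the-shelf tool may not provide.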

Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees
Community Manager
Aug 13, 2020

@Mark Adams this is really great advice - Thanks for sharing!

JV
Senior IT Risk Management and Compliance Assurance Specialist at an energy/utilities company with 10,001+ employees
Real User
2020-08-12T12:29:44Z
Aug 12, 2020

Bearing in mind that 100% trust is impossible, it is best to get to zero trust as soon as possible within the confines of your company's risk appetite and with the best tools your company can afford. There are many Identity and Access Management products and services out there - choose wisely and carefully.

Rony_Sklar - PeerSpot reviewer
Community Manager at a tech services company with 51-200 employees
Community Manager
Aug 13, 2020

@JoeValero Thanks! Any tips for making the selection process easier?
