The Breach Prevention
Simple ways to get IAM right and protect your organization
It seems like every day we hear of a new, high-profile breach. No longer are we shocked when some major brand is exposed as having lost data to outside bad actors or internal enemies. The question has switched from ‘will I be breached?’ to ’when will I be breached?’ This eBook provides tactics and easily implemented technologies that can bolster your chances of not only surviving the inevitable breach but enabling your organization to emerge with minimal damage.
In American football, there’s an adage that the best offense is a good defense – and its sister catchphrase – defense wins championships. In the battle against cyber-attacks, it’s all about choosing the right defense to combat the ever-changing tactics used by bad actors both outside and inside your organization. In order for an offense to succeed, it must find and exploit weakness in the opposition’s defense.
For those readers not familiar with American football: in its simplest form, a defense is primarily made up of two parts - a front line and the secondary. The front line’s job is to limit penetration by the other team’s players across the line of scrimmage. The secondary’s role is to track and guard the other team’s players that sprint and crisscross down the field and to prevent these sneaky and speedy players from successfully invading and gaining ground for their team.
Now if a defensive team has both a stout front line and superior secondary, that’s the type of team that can lock down an offense and win championships.
Cyber-security is no different. Eliminating weaknesses, closing holes and preparing for and anticipating how attackers might try to access your data is the surest path to victory. However, just as it is required for all eleven defensive players to do their job for the team to win, a comprehensive approach to security is the best hope for success in the battle against breaches. The broad topic of identity and access management (IAM) is key to installing an effective, lock-down defense.
A practical foundation
This eBook focuses on the IAM practices and technologies that provide the best path to cyber-security. However, there are a number of fundamental tactics that must be employed before the value of IAM can be fully achieved. These tactics will not be discussed in detail here, but to provide you an overview, the following elements are essential:
• An effective and modern firewall
• Antivirus protection • Data encryption
• Email protection and filtering
• A program of ongoing patching and updating of systems
• Continuing education of users and employees
A brief detour into human nature
If security measures are viewed by end users as a barrier, even the best intentions and most secure technology are not enough. If users cannot do their jobs, they will look for and find ways around your well-intentioned measures.
As an example, a large worldwide company that is very security conscious required all employees to use a virtual private network (VPN) to remotely access company systems. This particular VPN required a password that was different from the user’s normal network password and performance was sluggish at best (typically requiring a wait of several minutes to connect before a user could actually access what they needed). When this company acquired another company with its own VPN, the parent company required all newly acquired employees to access resources by logging onto their legacy VPN first and then to the parent company’s VPN. That’s two passwords and sometimes as much as 10 minutes before access was granted. To further complicate this log-in process, the company implemented multifactor authentication on top of the two VPNs.
At this company, users quickly found that the many hoops they were required to jump through for security’s sake were simply not worth it. They would avoid logging in, which resulted in a number of less secure practices that opened up the company risks that were much worse than they were originally addressing. With more passwords to remember, many users wrote them down. Lacking trust in the dual VPN performance, users copied critical data to their hard drive or removable storage to work on remotely. There was a high incidence of shadow IT. To make their work lives easier, users (and whole departments) resorted to unapproved technologies, which means there was no corporate oversight to ensure these technologies were secure.
Human nature says that everyone wants to do the right thing – in this case, employees attempting to their job done. But when one right thing is obstructed by another right thing – two VPNs and a heavy-handed security approach – the winner will always be the easier one.
Read on to see how the right thing and the easier thing can be the same thing.
Getting IAM Right for Cyber-security
Identity and access management (IAM) – which exists to ensure that the right people can get to the right resources and that you can prove they are doing it right – is the most effective, and proactive, tool in the fight against breaches. Once the basics discussed earlier are satisfied, IAM will provide the biggest security bang for the buck. After all, a breach is nothing more than the wrong person getting their hands on something they shouldn’t, and you don’t find out about it until it’s too late.
From this point on, this eBook will address various facets of IAM, how they play in breach prevention, and some detail on technology solutions from One Identity.
Authentication is the steps performed to prove to a system that the person logging on is actually who they say they are. Most breaches start with a failure in authentication. A bad actor will procure a legitimate login credential (a password) from an unsuspecting user. Often phishing, social engineering, or just plain theft is the tactic. However, the password is obtained, it allows the bad actor to logon to systems as someone they are not. The network doesn’t know that it’s the wrong person and will allow the hacker to access anything that the legitimate user has permissions to access.
Several IAM tactics and technologies can help address the authentication problem.
Password security – simple practices such as requiring frequent password changes, enforcing strict password policy, and making it easy and attractive for end users to do the right thing as far as password are concerned (i.e. they can reset them themselves and don’t have to write them down) can close many of the gaps that are so easily exploited.
Single sign-on – the big problem with passwords isn’t that they are hard to remember, it’s that there are often too many to remember. Single sign-on (SSO) technologies eliminate the problem of too many passwords. SSO enables a user to utilize a single, strong password across the entire range of systems they need to access. Another advantage of SSO is that it can apply stronger authentication methods to systems that don’t natively support them. For example, natively many UNIX and Linux systems transmit passwords in clear-text – an obvious risk; but an SSO solution that enables an Active Directory (AD) logon to work for Unix/Linux will automatically extend AD’s password encryption and stronger authorization to those non-Windows systems.
Multifactor authentication – another effective tool in the fight against stolen passwords in multifactor authentication (MFA). A password is a single factor (something you know) adding a second factor (something you have, such as a smart card or OTP token) gives an added and almost impenetrable level of Assurance of the accessing party’s identity. If a user’s password falls into the wrong hands, it is useless if multifactor authentication is also in play. Some systems are not built to support multifactor authentication; however most SSO solutions are. Therefore, placing an SSO solution between the target system and the MFA solution easily MFA-enables the target system.
Adaptive authentication – in our earlier example of the dual VPNs and heavy-handed MFA implementation, user avoided both because they got in the way of productivity. Implementing adaptive authentication (often available as part of an SSO solution) can overcome this challenge. With adaptive authentication, the relative risk of the access request is scored and MFA is only required when the risk deems it necessary. For example, if a user logs on to a typical system, during typical hours, from a known device, the risk is low and the simple username/password (single factor) authentication should suffice. However, if the risk rises because the user is attempting to log in from a previously unknown remote location, or from an unknown device, and at an atypical hour, you would require MFA. The user is only inconvenienced when the risk warrants it.
Secure remote access – in our digitally transformed world, users are accessing systems and data from everywhere and on a variety of devices. Often those devices are outside of the control of IT and therefore cannot (or will not) accept a VPN client. More modern secure remote access solutions eliminate the cumbersome and inconsistent nature of VPNs in favor of a reverse proxy access scenario that provides all the security of VPN access without any of the disadvantages.
One Identity offers the industry’s most complete set of IAM solution, including the full range of authentication options to combat breaches.
• Password Manager provides granular password policy, selfservice password resets, and innate integration to multifactor authentication and SSO solutions.
• Cloud Access Manager is a web-access management solution that includes SSO to any web-based application, adaptive authentication and secure remote access via a reverse proxy. In addition, it natively supports MFA.
• Privileged Access Suite for Unix provides AD-based SSO for UNIX/Linux/Mac systems and eliminates the password shortcomings of those platforms.
• Starling Two-factor Authentication is a cloudbased, software-as-a-service MFA solution, using the onetime password (OTP) tactic that is tightly integrated with the entire range of One Identity solutions.
Authorization is the concept controlling what a user is allowed (or not allowed) to do once they are authenticated. In IAM terms, authentication + authorization = access. Correct authorization is the key to breach prevention. Access to a typical user account (i.e. the passwords that are easier to pilfer) may not grant the access desired by the bad actor. Consequently, they will go through a series of lateral moves and rights-escalation activities to procure the access they want. Errors in authorization – often inadvertent – can open the gates to these bad actors.
Key IAM concepts can help effectively manage authorization.
Provisioning is the process of setting up user accounts and assigning the rights to individuals that allow them to do their job. As enterprises get more complex, the number of users increases and the amount of target systems grows, provisioning becomes unruly if not properly managed. Often, provisioning is a series of unrelated tasks performed by automatous IT teams. For example, the AD team will set up a user’s account and permissions in AD but an entirely different team will set up SAP permissions for the same user. It is not uncommon for full provisioning – across all systems, enterprise wide – to take days or weeks and involve significant IT intervention and tedious manual processes.
Additionally, provisioning is often performed without the insight necessary to ensure that there are no excessive authorizations. A typical provisioning action will request that Joe be given the same rights as Jane, since they have the same job. However, without significant the lineof-business (LOB) oversight there is no guarantee that Jane’s rights are actually appropriate. To do provisioning right, there should be LOB oversight and no guesswork.
But by operating with a single source of the truth (user profile data), unifying provisioning tasks for all systems and empowering the LOB to make decisions - rather than IT – you can dramatically improve the speed and accuracy of user provisioning.
De-provisioning is the process of turning off access once it is no longer needed. It is perhaps more critical to get de-provisioning right. As users change jobs internally, it is important to ensure that new rights they require set up appropriately but that old rights they no longer need are eliminated. Even more critical is removing the ability to access systems for terminated employees, contractors that have finished their tenure and any other instance of temporary access. A good portion of high-profile breaches are the direct result of bad actors finding orphaned accounts that retain the access rights they covet. And another portion of these breaches are disgruntled ex-employees who maintained access long after they should have been blocked.
You can ensure that your provisioning and de-provisioning is done right. It is possible to immediately remove or change access, or instantly initiate access upon a change in status when you manage it via an authoritative data source, such as an HR system.
Governance is the concept of periodically attesting to the appropriateness (or correctness) of user authorizations. Most regulations require periodic attestation/recertification (every six months is typical) of these rights. It is typical for provisioning and de-provisioning to be the fulcrum for true governance. If provisioning is manual, disjointed and inconsistent, it is extremely difficult to properly execute governance activities. However, if provisioning is done right, with LOB oversight and involvement, and based on the authoritative single source of the truth, effective governance is easily achievable.
Identity analytics is an emerging discipline of IAM that evaluates the permissions, rights and entitlements of individuals – and detects anomalies. Identity analytics is an effective way to uncover errors in provisioning (we’ll call it over-provisioning) and to discover purposeful rights escalation activities. It can prevent the activities of external bad actors and detect internal risks before they can become a threat.
One Identity solutions can help you get authorization right and thus, remove much of the danger of breaches.
• Identity Manager is a comprehensive provisioning and governance platform that enables the LOB to request, perform and attest to authorization in the form of provisioning and de-provisioning. Identity Manager unifies provisioning processes, streamlines operations and addresses the complexities of the modern enterprise. It also provides a business-driven approach to governance that overcomes the disjointed and incomplete nature of manual or IT-driven attestations.
• Identity Manager Data Governance Edition extends the provisioning and governance capabilities of Identity Manager to unstructured data (such as PDFs, files, videos, images and Word docs) housed in servers, NAS devices, cloud storage sites, SharePoint and others.
• Connect for Cloud is a connector framework for Identity Manager that allows organizations to quickly, easily, and completely extend their provisioning and governance to cloud-based systems.
• Active Roles delivers provisioning and de-provisioning performance that is optimized for the hybrid Active Directory environments including AD/AAD, Exchange/Exchange Online, Skype for Business and SharePoint/SharePoint Online, etc.
• Starling Identity Analytics & Risk Intelligence provides the insight into permissions, entitlements and rights required to find risk within authorizations – such as over-provisioned users or bad actors undergoing rights escalation. It compares permissions across peer groups to detect rights that are out of line with users in a similar role and will even compare entitlements across organizations to establish industry norms.
Privileged accounts and administrator access
While authentication and authorization cover the gamut of areas where IAM can effectively help protect against breaches, there is a special class of authentication and authorization that should receive special attention – privileged accounts. Every server, operating system, application and database has a system account that enables IT to perform necessary actions within that system. In UNIX and Linux systems, it is called root. In Active Directory, it is called the Active Directory Admin. And we’re all familiar with the database administrator (DBA).
Since these particular accounts are tied to the system and not an individual user, credentials are often (too often) shared among all those in IT that need to access these systems to perform their jobs. In addition, in order to perform those tasks (think of installing an update to an operating system or provisioning a user into a specific role), the credential has basically unlimited power. That is why these credentials are the ‘crown jewels’ that bad actors are after. If they can escalate to admin status, or get their hands on the admin password…they can wreak serious havoc.
In the most egregious cases (for example the Fannie Mae breach from a few years back), a disgruntled former IT employee is not deprovisioned quickly enough and uses his stillopen privileged access to inflict significant damage, including altering logs to cover his tracks. For this reason, effective privileged access management (PAM) is the highest priority in breach prevention.
A well-rounded PAM program will include a number of critical IAM tactics and associated technologies.
Password vaulting eliminates the sharing of administrative credentials, as well as leverages workflows and approval processes to ensure that when a credential is issued, it is necessary, deserved, logged and approved. A password vault stores all admin, root, system, service and other passwords, and automatically issues them when the conditions of the workflow and approval scheme have been met. It assigns individual accountability, which is key for tracking activities and for compliance audits. When the user is finished with the login, the vault automatically changes the password and stores it for the next need. Password vaults are a critical component of most secure companies’ “firecall” strategies.
A2A and A2DB are the password hard-coded into applications as they talk to other applications (A2A) and data sources (A2DB). These are a form of privileged credential that are often ignored and which may remain unchanged and widely known for a very long time. Some password vaulting technologies – like One Identity’s – are equipped to include these passwords in the PAM strategy.
Session audit is a companion to password vaulting that provides visibility into the activities actually performed with the checkedout credentials. A session-audit solution also includes command control features, such as time limitations and the ability to terminate a session if an unapproved action is detected.
Least-privilege access is the concept of granting a user (in this case an administrator) only enough permissions (authorization) to do their day-to-day job – nothing more, nothing less. For example, an Active Directory administrator that is on the help desk would only be delegated enough permission to reset passwords, unlock accounts and provision users but not enough to install an update, edit the logs or manipulate a domain controller. If more permissions are required for a one-off (or firecall) situation, the full AD Admin credential could be checked out from the password vault.
The popular UNIX/Linux open source tool sudo (it stands for “superuser do”) is an example of a least-privileged access solution. Through sudo, a Linux admin can perform certain tasks but not others as defined in a policy file.
Analytics is a critical piece of an effective approach to PAM. The previously mentioned identity analytics is particularly relevant for privileged accounts as they are the most dangerous and prime targets for rights escalation. In addition, privileged analytics enables organizations to discover unknown internal and external threats and risky activities by detecting unusual behavior and anomalies.
Multifactor authentication is not exclusively a PAM principle, but due to the sensitivity and power of privileged access, it’s the most likely and most efficacious target for privileged account MFA.
Governance is critical for privileged accounts and privileged access as well. Most governance solutions address end user access to applications, but attestation of privileged access is just as important. The best PAM programs will extend traditional governance to cover privileged users and the technologies in place to grant them appropriate access.
Comprehensive PAM offering
One Identity offers the industry’s most complete and mature collection of PAM solutions. When combined with One Identity’s authentication and authorization offerings, the combined approach is the best defense against breaches.
• Safeguard is a modular and integrated PAM solution that include modules for password vaulting (including A2A and A2DB passwords), session audit and privileged analytics. Safeguard is delivered as an ultra-secure, hardened appliance that provide enhanced protection, rapid deployment and easy operations. It is also pre-integrated with Identity Manager for privileged access governance.
• Privileged Access Suite for Unix is an AD bridge (enabling UNIX/Linux authentication via AD) with leastprivilege access control for the root account either as an augment to sudo or replacement of sudo. It gives granular control over what admins can and cannot do with the allpowerful root credential.
• Active Roles augments its powerful hybrid AD provisioning capabilities with least-privilege access delegation for the AD and AAD Admin accounts. It enables organizations to control what actions AD admins can perform through the tool.
• Starling Identity Analytics & Risk Intelligence is particularly relevant in PAM programs. It provides the insight into privileged permissions, entitlements and rights, and finds risk within those authorizations, including detecting rights escalation activities.
• Identity Manager integrates tightly with Safeguard to provide a governance framework that extends to privileged accounts and administrator activities.
• Starling Two-factor Authentication is a cloud-based, software-as-a-service MFA solution, using the one-time password (OTP) tactic that is tightly integrated with the entire range of One Identity PAM solutions.
Winning the game
When all players on the field are on the same page; when each player performs his job with precision; and when the combined efforts of a team unified in purpose and tactics dominate the opposition winning is easy. Preventing breaches is not a game, but the concepts of unity, purpose, and effort translate to success here as well.
Only with a comprehensive approach emphasizing the IAM concepts of strong authentication, proper and controlled authorization, and powerful privileged access management can we hold the bad guys at bay.