The answer depends on the era in which you ask the question. From the 90s through the noughties the answer was "Network", since every critical asset (servers, applications, users and devices) sat safely inside the perimeter defense. With the advent of mobility and BYOD over the past decade, endpoints moved outside the perimeter and could no longer rely on the umbrella of network security, so the endpoint itself became the new perimeter.
By Pankit Desai, Co-founder and CEO, Sequretek
Two trends in the 2020s are creating a new security challenge:
- The first is the powerful movement to the cloud, spearheaded by the new AMIGOS (Amazon, Microsoft, IBM, Google, Oracle and SAP), which has produced a compound annual growth rate in cloud consumption of over 150%. While the benefits of moving to the cloud are obvious, securing the last mile, in this case the identity, remains largely outside the core services the cloud providers offer; under the shared responsibility model it is the customer's job.
- The second is the diversity of technology privileges, and the commensurate access rights, that enterprise end-users hold today. Traditionally, enterprises worried about user privileges tied to applications, since most users, and the data they generated, were governed through those applications. More recently this has widened to a diverse set of privileges covering shared services, endpoint-related controls, and infrastructure and network access.
In the past, organizations would have turned to traditional identity and access management (IAM) solutions to address these challenges, but those have mostly flattered to deceive. Their architecture, built around a centralized identity profile tightly integrated with the target systems, primarily on-premise applications, has meant inordinately long and expensive implementation cycles.
The impact of these trends, together with the inability of the traditional approach to address identity-related challenges, has exposed an underbelly that demands a complete rethink of this new perimeter, which is identity.
The industry is abuzz with the next set of terms, such as Zero Trust, user behavior analytics (UBA) and multi-factor authentication (MFA), as ways to address the challenges of the identity perimeter. Identifying and authenticating the right user to the right system is absolutely important, but one area goes relatively unaddressed: access governance. Given the heterogeneity of access privileges and user types, compounded by the constant churn in user roles, one really needs to get one's arms around what these identities are supposed to be able to do in the first place.
A few aspects of access governance for identity need to be understood well enough to be defended:
- Stale access: First, the organization needs a complete picture of the privileges granted to all user types, employees and contractors alike. Stale and inappropriate access rights account for a large share of insider-related threats. Disabling access for users on extended leave (sabbatical, parental leave, long vacation) is also good practice, since nobody is around to notice misuse of an idle account.
- Beyond application access: While application privileges are important to control, there is an equally important underbelly of privileges that also needs to be controlled: endpoint controls (removable media/USB blocking, local admin rights), network access (Internet, Wi-Fi, VPN), shared services (folders, files, printers) and cloud services.
- Privilege harvesting: Access rights often end up being equated with the power one enjoys in the company, resulting in an uncontrolled access footprint at the highest echelons. These are the same people most likely to be targeted by social engineering. Understanding usage patterns and harvesting (revoking) access rights that go unused is one way to limit the damage should the credentials be compromised.
- Financial impact: Most applications, on-premise or cloud, are licensed per user. Privilege harvesting ensures you pay only for seats that are actually used and needed, rather than for every seat ever granted.
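The four points above translate directly into an access-review job. The following Python script is an added example written for this page; it is not code from the article or from Sequretek. It joins a constructed HR/directory feed with a constructed entitlement export, applies the rules in the order a reviewer would (terminated user, user on leave, dormant account, individual privilege never or long unused), covers the non-application privilege kinds the article lists (endpoint, network, shared services, cloud), and counts the per-user licenses that would be freed. Field names such as `status`, `leave`, `last_login`, `last_used` and `kind` are assumptions about what such feeds would export.

```python
"""Access-review helper: flag stale accounts and unused privileges.

Added example for this page, not the article's or Sequretek's code.
All records below are constructed sample data; field names are assumed.
"""
from collections import Counter
from datetime import date

# Constructed HR/directory feed (hypothetical users).
USERS = [
    {"user": "alice", "status": "active",     "leave": None,       "last_login": "2020-06-20"},
    {"user": "bob",   "status": "terminated", "leave": None,       "last_login": "2020-05-01"},
    {"user": "carol", "status": "active",     "leave": "parental", "last_login": "2020-03-15"},
    {"user": "dave",  "status": "active",     "leave": None,       "last_login": "2020-01-10"},
]

# Constructed entitlement export. `kind` covers application *and* non-application
# privileges; `last_used` is the last time the access log saw the privilege
# exercised (None = never). Note bob's mailbox is still in use after termination.
ENTITLEMENTS = [
    {"user": "alice", "resource": "erp",           "kind": "application", "last_used": "2020-06-19"},
    {"user": "alice", "resource": "local-admin",   "kind": "endpoint",    "last_used": None},
    {"user": "alice", "resource": "vpn",           "kind": "network",     "last_used": "2020-02-01"},
    {"user": "bob",   "resource": "email",         "kind": "application", "last_used": "2020-06-25"},
    {"user": "bob",   "resource": "finance-share", "kind": "shared",      "last_used": "2020-04-30"},
    {"user": "carol", "resource": "erp",           "kind": "application", "last_used": "2020-03-14"},
    {"user": "dave",  "resource": "aws-console",   "kind": "cloud",       "last_used": "2020-01-09"},
    {"user": "dave",  "resource": "usb-write",     "kind": "endpoint",    "last_used": "2019-12-01"},
]

LICENSED_KINDS = ("application", "cloud")   # assumed: only these are seat-licensed


def _parse(d):
    """ISO date string -> date, passing through None and date objects."""
    if d is None or isinstance(d, date):
        return d
    return date.fromisoformat(d)


def review_access(users, entitlements, as_of, inactive_days=90, unused_days=90):
    """Return one finding per entitlement that should be revoked, suspended or harvested.

    Precedence per user: no HR record > terminated > on leave > dormant account
    (no login for `inactive_days`) > privilege unused for `unused_days` (or never).
    Entitlements that pass every check produce no finding.
    """
    as_of = _parse(as_of)
    by_user = {u["user"]: u for u in users}
    findings = []
    for e in entitlements:
        u = by_user.get(e["user"])
        last_login = _parse(u["last_login"]) if u else None
        last_used = _parse(e["last_used"])
        if u is None:
            reason, action = "orphaned entitlement (no HR record)", "revoke"
        elif u["status"] == "terminated":
            reason, action = "user terminated", "revoke"
        elif u["leave"]:
            reason, action = "user on %s leave" % u["leave"], "suspend"
        elif last_login is None or (as_of - last_login).days > inactive_days:
            reason, action = "no login in %d days" % inactive_days, "suspend"
        elif last_used is None or (as_of - last_used).days > unused_days:
            reason, action = "privilege unused for %d days" % unused_days, "harvest"
        else:
            continue
        findings.append(dict(e, reason=reason, action=action))
    return findings


def seats_reclaimable(findings, licensed_kinds=LICENSED_KINDS):
    """Per-resource count of user-based licenses freed if the findings are actioned."""
    return dict(Counter(f["resource"] for f in findings if f["kind"] in licensed_kinds))


if __name__ == "__main__":
    results = review_access(USERS, ENTITLEMENTS, "2020-07-01")
    for f in results:
        print("%-6s %-14s %-12s %-8s %s" % (f["user"], f["resource"], f["kind"], f["action"], f["reason"]))
    print("seats reclaimable:", seats_reclaimable(results))
```

Running it as of 2020-07-01 with the 90-day windows yields seven findings: both of bob's entitlements are revoked outright, carol's ERP seat is suspended for the duration of her leave, dave's two privileges are suspended because the account itself is dormant, and alice keeps ERP but has local admin (never used) and VPN (unused since February) harvested. Widening both windows to a year removes the usage-based findings but not the termination, leave or never-used ones, which is the point: stale access is a lifecycle problem first and a usage problem second.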
Access governance is a reasonably well-understood concept in regulated industries. Periodic access compliance audits carried out by regulators at least ensure that any mismatch between role and access rights gets trued up over time, though in most cases this ends up being done manually.
In industries without compliance requirements, access governance is treated as a nice-to-have capability. That thinking needs to change once one looks at the security risk it leaves exposed. If you are not convinced, consider recent reports:
- Some Deutsche Bank Employees Kept Email Access After Being Fired (Bloomberg, 2019).
- An average of 22 percent of a company’s folders are accessible to every employee (Varonis, 2019).
- 71% of organizations have over 1,000 inactive users, and the remaining 29% could have nearly as many (Lepide, 2020).
It is time for enterprises, regulated or otherwise, to move beyond paying lip service and seriously consider the risk an ungoverned identity poses to the organization.
About the author
Pankit Desai is Co-founder & CEO of Sequretek, a Mumbai based cybersecurity company. Sequretek is focused on the Cybersecurity space and was launched in 2013 with an aim to provide enterprise clients with an end-to-end cybersecurity platform. Pankit, a veteran in the IT industry, brings 20+ years of hardcore technology and leadership experience from the information technology industry to lead Sequretek. Prior to Sequretek, he was with Rolta as the President of Business Operations. He has also served in a senior leadership capacity with NTT Data Inc, Intelligroup, Wipro and IBM India. His vast experience has given him the ability to manage and scale global business units and service lines rapidly and efficiently. Pankit has diversified business operations and created an organization that has a multidimensional growth, understanding of business support functions, Financial Planning and Analysis, Recruitment and Operations, Internal IT, Quality, Marketing and Alliance.
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.