Recent headline Cyber Crimes at major retailers, health insurers, and even US Government agencies suggest that those involved were not necessarily performed by criminal masterminds, but rather by individuals that at one time had been properly credentialed to access systems or by individuals that were simply exploring open doors to identify vulnerabilities,. As information technology moves further toward the cloud to provide services, we will start to see more security breaches on a greater scale than ever before.
The hack at Ashley Madison has captured the attention of the media on several continents. And it is of no surprise that the former CEO suggested that the hacking incident may have started with someone who at least at one time had legitimate, inside access to the company’s networks — such as a former employee or contractor. In another instance of data theft from a health insurer, it was determined that critical data and records were not properly encrypted leading to the theft of millions of records of personally identifiable information.
As per “The Federal Trade Commission”, Identity theft was once again the number one complaint from Americans this year.
Oracle’s Defense-in-Depth strategy and solutions offered as part of the Oracle Identity Management suite of products can prevent the cyber breaches that we are becoming so accustomed to see on the nightly news.
Today’s blog will focus on a few specific capabilities of Oracle Identity Governance (OIG) and show how they can be used to protect against certain types of common exploits.
1. Privileged/Shared Accounts – Keys to the Kingdom.
Privileged and shared accounts unfortunately exist within every organization – designed at a time when security was an afterthought if even thought of at all. How does one prevent or limit privileged accounts like DB Admins from performing malicious actions when compromised? OIG provides session management and auditing capabilities which become the single point to control and monitor activities within privileged sessions. OIG will provide notification alerts on account checkout. You can also define the life of a session and limit the usage of commands.
2. User life cycle management – Role Appropriate Access and Removal of Orphaned Accounts
OIG allows for attribute based role management for application and administrator roles. One can define custom, fine-grained Admin roles. For new user on-boarding, privileges are based on roles, business rules and requests. We can also define sunrise and sunset of application and entitlements which limits the access of users such as contractors or temporary employees for defined time periods. Normal termination based on end date and immediate termination helps to remove privileges and accesses across all target systems. Simply, an individual should only have access and entitlements within and across applications to be effective at their job, and should lose access when they no longer have a business need.
3. Enforceable Password Policies – Start with the basics
Hard-coded passwords, weak/common passwords, and infrequently rotated passwords are at the center of some of the most commonly exploited attacks on organizations. OIG protects privileged/shared accounts with passwords that are mathematically infeasible to ever guess or break and can rotate them on a regular basis. Likewise, password policies can be set for all protected resources requiring individuals to use complex passwords and require regular password changing – making it impossible for an attacker to simply guess the right key to get them through the front door.
4. Protect and Audit
OIG provides the tools to protect privileged accounts. Checking credentials in and out, also allows us to keep track of who has been using these shared accounts. OIG goes one step further, and allows us to monitor specific session activities – capturing and recording user activities as an MPEG video.
Beyond privileged and shared accounts, OIG has powerful certification capabilities – whereby users, managers, and respective application owners can validate and check the accesses of individuals and their specific entitlements. Segregation of Duties (SOD) analysis is efficient and preventative, warning users about potential violations before even the submission of a request.
5. Encrypt the Data – If it cannot be read, it is useless.
There are many rules and regulations mandating encryption and it makes for sound advice regardless. For example, if you have to comply with the PCI-DSS standard, then credit card numbers need to be stored encrypted. OIG allows for encryption of critical attributes of applications – whether that might be credit card information, social security numbers, or other HR data. Additionally, while outside the core scope of this blog series, tools such as Oracle Advanced Security carries out strong encryption of databases to fully protect sensitive information whether at rest or in transit.
Cyber crime has a devastating economic impact on society and at the individual company level can cause reputation and punitive damage from which an organization might never recover. OIG is a vital information safeguard. It exists to protect sensitive data and information from the ever-evolving landscape of security threats. Regardless of the position that a company takes on the extent or viability of such threats, a strong OIG implementation helps to mitigate the risks of cyber crimes.
What’s coming next?
Future blogs in this series will discuss in greater depth how the Oracle Identity Management solutions can prevent your organization from being the next front-page exploit.
Abhinav Raina, Amit Kumar and Shashank Kulshreshtha