In my previous post, I discussed the third of four steps for limiting Vendor Risk. In this, the last of my five-part series, we’ll dive deeper into the fourth and final step: Ensure Access to Your IT Environment is Protected Using All Means Necessary.
We all know that organizations are being attacked on a daily basis. Because of this persistent threat, precautions must be taken to protect the perimeter using all tools available in order to create multiple layers of protection. The number of layers can vary, but several of them are must-haves:
- Intrusion Prevention Systems
- Firewalls and Virtual Private Networks
- Web & Email Filtering
- Antivirus Protection
- Event Management
- Vulnerability Scanning
These six layers of protection allow organizations to stop most outside attacks at the network perimeter. But you can’t stop there. No matter how well you’ve implemented these layers or how robust they are, there are still two threats that you must consider: a sophisticated hacker who exploits a zero-day vulnerability or who obtains someone’s legitimate credentials to penetrate the perimeter, and the “internal threat” — often a disgruntled or malicious employee, vendor or business partner who has been given access inside the perimeter.
What additional measures are you taking to prevent these sophisticated external hackers and/or malicious internal users from stealing or destroying your core infrastructure and critical data?
This is where a mature Identity and Access Management (IAM) program will assist you in reducing your risk of a breach. A mature IAM program adds four additional layers of protection:
- Multi-Factor Authentication — a method of controlling access to critical assets in which a user is granted access only after successfully presenting multiple, separate pieces of evidence to an authentication mechanism, typically from at least two of the following categories: something they know (e.g. a password), something they have (e.g. an RSA token), and something they are (such as a fingerprint).
- Privileged Account Management System — a system for managing and controlling Privileged Account credentials, which are those used by system administrators to access and manage your infrastructure, including your most sensitive assets. These systems typically employ methods such as one-time-use credentials that are issued only when approved by a second administrator.
- Access Governance System — a system designed to detect users who have improper access to applications. These systems typically allow you to review all accounts from a single vantage point, to help you easily identify instances where someone has access beyond what they minimally need to do their job.
- Identity and Access Management System — a system that allows for user lifecycle management and simplification of access request processes. This helps guard against provisioning or deprovisioning errors — for example, forgetting to disable access for an employee who has resigned.
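To make the last two layers concrete, here is an added example (not Simeio's code or any vendor's product) of the kind of review an Access Governance system runs behind the scenes: it compares every enabled account against a role baseline to flag access beyond what the job minimally needs, and reconciles accounts against the HR roster to catch the deprovisioning error described above (an enabled account for someone who has left). The role names, users, entitlements and HR statuses are constructed sample data, and the `ROLE_BASELINE` mapping is an assumption standing in for whatever source of truth your organization uses.

```python
"""Minimal access-review job: excess entitlements and orphaned accounts.

Added illustration only; the baseline, users and entitlements below are
constructed sample data, not from any real system.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed role baseline (assumption): the entitlements each role minimally needs.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "accountant": frozenset({"erp:read", "erp:post_journal"}),
    "helpdesk": frozenset({"ad:reset_password", "ticketing:write"}),
    "dba": frozenset({"db:admin", "vault:checkout"}),
}


@dataclass
class HrRecord:
    """One row from the HR roster, the authoritative source for who still works here."""
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    """One account as exported from a directory or application."""
    user: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # "excess_entitlement" or "orphaned_account"
    detail: str


def review_access(hr: List[HrRecord], accounts: List[Account]) -> List[Finding]:
    """Flag enabled accounts that either have no active HR record (orphaned,
    i.e. a missed deprovisioning) or hold entitlements outside their role baseline."""
    hr_by_user = {rec.user: rec for rec in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this review
        rec = hr_by_user.get(acct.user)
        if rec is None or rec.status != "active":
            findings.append(Finding(acct.user, "orphaned_account",
                                    "enabled account with no active HR record"))
            continue
        allowed = ROLE_BASELINE.get(rec.role, frozenset())
        for ent in sorted(acct.entitlements - allowed):
            findings.append(Finding(acct.user, "excess_entitlement",
                                    f"{ent} is not in the baseline for role {rec.role!r}"))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    """Summarize findings for a dashboard or ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample roster and account export.
SAMPLE_HR = [
    HrRecord("alice", "accountant", "active"),
    HrRecord("bob", "helpdesk", "active"),
    HrRecord("carol", "dba", "terminated"),   # resigned, but see her account below
    HrRecord("erin", "helpdesk", "terminated"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"erp:read", "erp:post_journal"}),          # matches baseline
    Account("bob", True, {"ad:reset_password", "ticketing:write", "db:admin"}),  # db:admin is excess
    Account("carol", True, {"db:admin", "vault:checkout"}),             # deprovisioning missed
    Account("dave", True, {"erp:read"}),                                # no HR record at all
    Account("erin", False, {"ticketing:write"}),                        # correctly disabled
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"{f.kind:20} {f.user:8} {f.detail}")
    print(count_by_kind(review_access(SAMPLE_HR, SAMPLE_ACCOUNTS)))
```

Run against the sample data, the review produces one excess-entitlement finding (bob's `db:admin`) and two orphaned accounts (carol, whose HR status is terminated, and dave, who has no HR record). In practice the roster and account export would come from your HR system and directory, and the role baseline from a role-mining or certification process; the comparison logic is the same.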
If you are taking these extra precautions, you can significantly reduce your risk of being breached and protect your core infrastructure and critical data.
Simeio Solutions is passionate about building mature Identity and Access Management programs. We can assist you with any questions you may have, and we can recommend and build solutions that take your security model beyond the basic layers of protection.
Thank you so much for taking the time to read and follow my blog over the past few months — I have enjoyed sharing my ideas. Please feel free to reach out to me directly with any questions; I can be reached at email@example.com.
Robert Streets, CBCP, CISA
Senior Advisor / Program Manager