This is our third in a series of commentaries on minimizing the risk of becoming the next front page news story on data breaches.
Identity lifecycle management is one of the most critical parts of a security and identity and access management (IAM) program. Identifying the assets and setting a baseline for acceptable risk must be considered before starting any security lifecycle project, and it must involve the proper stakeholders. Let’s refer back to our original blog post, where we discussed the Ashley Madison breach. When the company began, it advertised its service with a commitment to delete customer information upon request, but as the headline breach revealed, that was not the case. The hackers were able to expose data related to tens of millions of accounts, which suggests that some part of the identity lifecycle management process was not properly followed. The fact that so much data was compromised from the database could imply that the attack originated there. Soon after the attack, it was reported that a former contractor for the company may have been one of the responsible parties.
To some degree, a perfect storm was brewing. We had a company offering a service that some felt was morally unethical. We had large amounts of sensitive data stored unencrypted in a database. And we appear to have had privileged account access given to a contractor that may not have been revoked upon separation from the organization. There have also been additional discoveries about the end-user accounts, such as the fact that many customer accounts used very basic passwords; one password-cracking group has claimed that it was able to crack 11 million users’ passwords. This latter topic is beyond the scope of this blog, but suffice it to say that it is important for organizations to enforce strong password policies.
It is easy to look at the Ashley Madison situation through the tinted lenses of morality and assume that nobody should care, that it doesn’t apply to me, or that they had it coming. The reality is that the scenarios at Ashley Madison should keep every security officer awake at night. Regardless of whether the attack, theft and ransom revolve around the morally questionable content of users or the confidential financial records of customers, the same steps must be taken to prevent the same outcome.
In our last blog we talked about privileged account access and how OPAM protects the keys to the kingdom. But what about the everyday lifecycle of an employee or a contractor? How do they request and receive access to the assets they need to do their job, and nothing more? How do we take away access rights as their relationship with the company changes (promotions, reassignments, terminations)?
The Oracle Identity Governance Suite (OIG) enables us to manage entities across different targets/applications in a centralized manner. The solution can address the most complex business and security requirements without changing existing policies, procedures or target sources.
Self-service enables users to raise requests on their own behalf for access to particular resources or entitlements. It allows for fine-grained configuration, such as restricting a user’s self-service capabilities by defining policies and rules based on user attributes. For example, where the user is a contractor, certain attributes can be denied for that user type. This reduces the time spent on UI customization and prevents users from modifying user data they are not expected to change.
OIG has built-in Admin roles that can be used for carrying out Admin-specific tasks. New customized Admin roles can be defined by adding capabilities within a particular organization scope. It allows attribute-based assignment of Admin roles, so we can define our own membership rules.
Request-based approvals enable the respective stakeholders, such as the role owner or entitlement owner, to be involved in the approval process. This is an important capability for scenarios where a user needs access to a particular account or entitlement. In the latest OIG PS3 release, workflows were introduced as a replacement for approval policies and can provide more logical responses to end-user requests.
Role lifecycle management provides an efficient mechanism to automate and scale the provisioning and logical grouping of accesses and controls, and it also helps detect violations, which we will cover in more detail in our next blog.
OIG ensures that on-boarding and off-boarding actions are carried out based on the start and end dates respectively. It provides a set of access policies that are role-based (and roles in turn can be attribute-based), which ensures that uniformity is maintained across the various target systems. Roles are mapped to access policies during role configuration. If this association is done with lifecycle management enabled, it goes through a role owner approval process, ensuring that role owners are aware of provisioning actions. The task-based provisioning process ensures that the proper workflow is followed. Administrators can terminate access immediately from the Identity console for users who are found to violate policies, whether accidentally or maliciously.
Proper sunrise and sunset of account access and entitlements is critical for contractors, or in scenarios where access to privileged accounts and entitlements needs to be granted to users. In such cases we can define start and end dates for a particular entitlement and thus control access for a particular period, providing another layer of protection against misused access rights. OIG can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly exploited security gap and opportunity for policy violations after the dismissal of an employee or contractor, which is the exact scenario assumed to have been exploited at Ashley Madison.
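As an added illustration (not part of the original post, and not Oracle Identity Governance code), the Python below models the controls described in this and the preceding sections in one place: attribute-based role membership rules, the mapping of roles to access policies, start and end dates on identities and on individual entitlements, immediate revocation on termination, and a reconciliation pass that flags target-system accounts whose owner is no longer entitled to them, such as a contractor whose engagement has ended. The identities, roles, entitlement names and the target-system snapshot are all constructed sample data.

```python
"""Identity lifecycle controls as data plus decisions. Added illustration only:
not OIG code; all identities, roles and the target snapshot are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Identity:
    user_id: str
    user_type: str              # "employee" or "contractor"
    department: str
    status: str                 # "active", "suspended" or "terminated"
    start_date: date
    end_date: Optional[date] = None   # None = open-ended (typical employee)
    # direct grants: entitlement -> (valid_from, valid_to); valid_to None = no sunset
    grants: Dict[str, Tuple[date, Optional[date]]] = field(default_factory=dict)


# Membership rules are attribute predicates evaluated at decision time, so a
# department change or a conversion to contractor changes access by itself.
ROLE_RULES = {
    "hr-analyst": lambda u: u.department == "HR" and u.user_type == "employee",
    "db-ops": lambda u: u.department == "DBA",
}
# Role -> entitlements that the access policy provisions on target systems.
ACCESS_POLICIES = {
    "hr-analyst": {"hris:read"},
    "db-ops": {"customerdb:read", "customerdb:write"},
}


def is_enabled(identity: Identity, today: date) -> bool:
    """Lifecycle gate: active status and today inside [start_date, end_date]."""
    if identity.status != "active":
        return False
    if today < identity.start_date:          # sunrise not reached yet
        return False
    if identity.end_date is not None and today > identity.end_date:
        return False                         # sunset passed (e.g. contract over)
    return True


def effective_entitlements(identity: Identity, today: date) -> Set[str]:
    """Role-derived entitlements plus direct grants whose window contains today.
    Empty whenever the lifecycle gate is closed, regardless of roles or grants."""
    if not is_enabled(identity, today):
        return set()
    ents: Set[str] = set()
    for role, rule in ROLE_RULES.items():
        if rule(identity):
            ents |= ACCESS_POLICIES[role]
    for ent, (valid_from, valid_to) in identity.grants.items():
        if valid_from <= today and (valid_to is None or today <= valid_to):
            ents.add(ent)
    return ents


def terminate(identity: Identity, today: date) -> Set[str]:
    """Immediate off-boarding: close the gate and return what to de-provision now."""
    to_revoke = effective_entitlements(identity, today)
    identity.status = "terminated"
    identity.end_date = today
    return to_revoke


def find_lingering_access(identities: List[Identity],
                          target_accounts: List[Tuple[str, str]],
                          today: date) -> List[Tuple[str, str]]:
    """Reconcile what a target system actually holds against what governance
    says should exist. Accounts with an unknown owner are lingering as well."""
    by_id = {i.user_id: i for i in identities}
    lingering = []
    for user_id, ent in target_accounts:
        owner = by_id.get(user_id)
        allowed = effective_entitlements(owner, today) if owner else set()
        if ent not in allowed:
            lingering.append((user_id, ent))
    return sorted(lingering)


def lifecycle_scenario() -> dict:
    """Constructed walk-through: an employee, a contractor with a six-month
    engagement plus a one-month export grant, and a target snapshot in which
    the contractor's database accounts were never removed."""
    alice = Identity("alice", "employee", "HR", "active", date(2014, 3, 1))
    bob = Identity("bob", "contractor", "DBA", "active", date(2015, 1, 5),
                   end_date=date(2015, 6, 30),
                   grants={"customerdb:export": (date(2015, 2, 1), date(2015, 2, 28))})
    snapshot = [("alice", "hris:read"), ("bob", "customerdb:read"),
                ("bob", "customerdb:write"), ("ghost", "hris:read")]
    results = {
        "bob_mid_contract": effective_entitlements(bob, date(2015, 2, 15)),
        "bob_after_contract": effective_entitlements(bob, date(2015, 7, 1)),
        "lingering_before_termination":
            find_lingering_access([alice, bob], snapshot, date(2015, 7, 15)),
    }
    results["alice_revoked_on_termination"] = terminate(alice, date(2015, 7, 15))
    results["lingering_after_termination"] = \
        find_lingering_access([alice, bob], snapshot, date(2015, 7, 15))
    return results


if __name__ == "__main__":
    for name, value in lifecycle_scenario().items():
        print(f"{name}: {value}")
```

The important design choice is that every access decision passes through the lifecycle gate first: a contractor's role memberships and grants can all still be on file, but the moment the end date passes or the status changes to suspended or terminated, the effective set is empty, and the reconciliation pass then reports any target-system account that still exists as access to revoke.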
The Oracle Identity Governance Suite can be used to establish a lifecycle management process that gives organizations comprehensive governance of identities. It allows organizations to identify risks and make sure they address the organization’s defined policies. In the next blog in this series we will discuss certifications, audit, compliance and reporting, and how they tie together with lifecycle management as part of a holistic security solution to enhance compliance.
Abhinav Raina, Amit Kumar and Shashank Kulshreshtha