The recent public dispute between Apple and the U.S. Department of Justice (DOJ) over the encrypted “San Bernardino” iPhone has served as a powerful reminder of the challenges every enterprise faces when it comes to identity and data security.
No matter what side of the issue you come down on, it’s clear that there’s a real tension between keeping data secure and providing access to that data to those who need it.
The DOJ and its allies have envisioned a very broad solution to their problem in which all encryption technologies would be required to have “back doors” that would allow law enforcement to legitimately access information when necessary. The counter argument put forth by Apple and its allies is that any such back door would inevitably be discovered by rogue individuals or organizations, and then exploited for nefarious purposes.
Indeed, it seems that Apple was proven right since it was a “gray hat” hacker who discovered how to circumvent Apple’s protections – in essence, discovering an inadvertent back door that even Apple was unaware of, which ultimately gave the DOJ the access it wanted.
The frightening reality is that in today’s enterprise, such inadvertent back doors not only exist, they are more common than you might think. Even without the “official” backdoors envisioned by the DOJ, it’s remarkably difficult to keep malicious actors out.
In today’s interconnected world, no business can simply firewall off its sensitive data to keep it safe – too many people need access in order to do business. The challenge is that you have to allow certain people in (your employees, business partners, suppliers and customers) while at the same time keeping others out – the very same tension at the heart of the Apple-DOJ case.
This, of course, is the job of Identity and Access Management (IAM). The very premise of IAM is to allow you to specify who should be able to access what, and to provide a way to identify an individual and ensure that they are who they say they are (and not an imposter) in order to grant them the appropriate access. In theory, it’s a sound solution; in practice, however, companies all too often fail to properly manage and monitor their IAM infrastructures or to follow the necessary best practices. As a result, they create what are essentially inadvertent back doors into their networks, or fail to detect when such back doors are being used.
Today almost all data breaches involve stolen or otherwise misused credentials. Rogue actors obtain or guess at the usernames and passwords of legitimate users, and suddenly they’re inside your network. There are a number of ways to obtain such credentials, including “phishing” or social engineering (fooling people into giving you their credentials), obtaining shared credentials (where an individual uses the same credentials they use to access your network for other less secure services), using default accounts (accounts that come pre-built into software systems that administrators fail to disable), or even accounts of terminated employees or partners that you’ve failed to properly de-provision.
Privileged accounts — the ones that grant administrators unfettered access to your systems — represent the greatest vulnerability. Although Privileged Access Management (PAM) solutions exist to help mitigate this risk, many of them fail to provide proactive controls for detecting and blocking privileged access misuse. Often, organizations lack sufficient notice to respond fast enough to prevent damage from happening. Many learn only after the fact that privileged accounts have been used inappropriately.
We’ve covered many of these issues in recent blogs and newsletters, including “How to Avoid IAM Risks and Pitfalls”, “Ensuring you don’t become the Next Data Breach Story”, “Limiting Vendor Risk”, and “Of Sticky Notes, Shared Credentials and Hard Coded Passwords” — so I won’t go into greater depth again here.
The key takeaway from all of this is that security tied to identity is both absolutely essential and remarkably difficult to get right.
Because security tied to identity is our entire business, I can tell you that it’s more than a full-time job just keeping up with the constantly evolving threats and best-practices for responding to them – let alone implementing such practices.
Consider our industry-leading Identity as a Service (IDaaS) platform, which enables us to deliver a comprehensive suite of managed identity and security services. Because we’re vendor and technology agnostic, we’re free to select the most advanced and up-to-date identity and security software from leading vendors, and combine them as necessary to form complete solutions. But this also means that there are lots of moving parts required to deliver a complete solution – a level of complexity that can easily overwhelm organizations for which identity and security isn’t their primary business.
We have teams of experts dedicated to regularly conducting vulnerability/security testing, and patching vendor software when potential vulnerabilities are discovered. Simeio itself is also monitored – we have SOC certification demonstrating security and control principles that we follow for our clients and ourselves.
And while we’re justifiably proud of our IDaaS platform, the real crown jewel in our portfolio is our Simeio Identity Intelligence Center™ (IIC), our center of excellence for identity and security.
Simeio IIC™ brings together our highly skilled professionals with deep expertise in identity management and security, proven processes and methodologies, and proprietary and cutting-edge technologies to deliver Identity as a Service (IDaaS) far more efficiently and effectively than any other provider.
So for example – as in the Apple story – repeated attempts to access a system using invalid passwords would trigger a security action in Simeio IIC. It might be a complete shutdown of an account or some other security challenge such as multi-factor authentication (MFA) to distinguish a legitimate access attempt from an attack. Monitoring goes further than this as well. If someone successfully authenticates but then accesses data in a way that is atypical of their normal pattern (lots of data at odd hours of the day, data they don’t normally access, etc.), then that access can be shut down, too.
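To make the two monitoring rules above concrete, here is an added example (my own illustration, not Simeio IIC code or any vendor’s product logic) of the kind of detection a monitoring platform performs: a sliding-window count of failed logins that escalates to an MFA challenge and then an account lock, and a post-authentication check that compares each access against a per-user baseline of usual hours, usual resources and usual data volume. The log lines, the baseline profiles and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not real data): "timestamp user event resource bytes"
SAMPLE_LOG = """\
2016-04-01T09:02:00 alice auth_fail - 0
2016-04-01T09:02:10 alice auth_fail - 0
2016-04-01T09:02:25 alice auth_fail - 0
2016-04-01T09:02:40 alice auth_fail - 0
2016-04-01T09:03:05 alice auth_fail - 0
2016-04-01T09:03:30 alice auth_fail - 0
2016-04-01T10:15:00 bob auth_fail - 0
2016-04-01T10:15:20 bob auth_ok - 0
2016-04-01T10:20:00 bob access crm 120000
2016-04-02T03:14:00 bob auth_ok - 0
2016-04-02T03:16:00 bob access payroll_export 850000000
2016-04-01T14:00:00 carol auth_ok - 0
2016-04-01T14:05:00 carol access wiki 4000
"""

# Hypothetical per-user baseline, as it might be learned from prior activity
# (constructed values): typical working hours, normally used resources, and
# the largest transfer seen in the learning period.
BASELINE = {
    "bob":   {"hours": range(8, 19), "resources": {"crm", "wiki"}, "max_bytes": 50_000_000},
    "carol": {"hours": range(8, 19), "resources": {"wiki"},        "max_bytes": 5_000_000},
}

MFA_THRESHOLD = 3           # failures within the window -> step up to MFA
LOCK_THRESHOLD = 6          # failures within the window -> lock the account
FAIL_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the space-separated log lines into dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        ts, user, event, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "resource": resource, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_actions(events):
    """Sliding window of auth failures per user; returns the strongest action
    reached for each user ("require_mfa" or "lock")."""
    window = defaultdict(deque)
    actions = {}
    for e in events:
        if e["event"] != "auth_fail":
            continue
        q = window[e["user"]]
        q.append(e["ts"])
        # Drop failures that fell out of the time window.
        while q and e["ts"] - q[0] > FAIL_WINDOW:
            q.popleft()
        if len(q) >= LOCK_THRESHOLD:
            actions[e["user"]] = "lock"
        elif len(q) >= MFA_THRESHOLD and actions.get(e["user"]) != "lock":
            actions[e["user"]] = "require_mfa"
    return actions


def post_auth_anomalies(events, baseline=BASELINE):
    """Flag access by already-authenticated users that departs from their
    baseline: odd hour, resource they never touch, or unusually large volume."""
    findings = []
    for e in events:
        if e["event"] != "access" or e["user"] not in baseline:
            continue
        b = baseline[e["user"]]
        reasons = []
        if e["ts"].hour not in b["hours"]:
            reasons.append("odd_hour")
        if e["resource"] not in b["resources"]:
            reasons.append("unusual_resource")
        if e["bytes"] > b["max_bytes"]:
            reasons.append("volume")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("auth actions:", failed_login_actions(evs))
    print("anomalies:", post_auth_anomalies(evs))
```

On the constructed log, alice crosses the MFA threshold on her third failure and the lock threshold on her sixth, while bob’s single failure followed by a successful login triggers nothing at the authentication stage; it is his 3 a.m. pull of a resource he has never used, at a volume far above his baseline, that the second rule catches. Two design points worth noting: the failure counter is keyed per account rather than per source address, so a distributed guessing attempt still accumulates, and the anomaly check reports every reason it found rather than stopping at the first, which gives the responder the full picture in one alert.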
The reality is that this level of sophistication is no longer just “nice to have” – it’s essential if you are to keep your network and your data safe. As the Apple-DOJ case has shown, inadvertent back doors can exist even in systems thought to be impenetrable. The real measure of success may not be how well you believe you’ve buttoned up your network, but how well you can detect and respond when someone manages to get through nonetheless.
Executive Vice President,