“I think therefore I am.” – René Descartes
This isn’t just a pompous philosophical proposition of autonomy, instead it is a timely piece of advice for ensuring corporate cybersecurity. Descartes really was ahead of his time! Identity and access management (IAM) plays an important part in securing your IT infrastructure by mitigating risk from both external cyberattack, and internal threat. Any company that thinks seriously about protecting sensitive information about their employees or customers should implement adequate IAM.
That’s Privileged Information:
The basics of IAM can be defined simply through the word: privilege. Users should only have access to one account with a predetermined set of privileges. You wouldn’t give your dog walker access to your phonebook, so why give the sales team access to HR data? By providing specific privileges to individuals based on what they need to do their job, companies could significantly reduce the potential risk of data falling into the wrong hands.
Todd Peterson, IAM evangelist at One Identity, has outlined what he calls a “golden rule” of privileged IAM. IT security teams should provide the “least access and privileges” possible. “Even without embracing a full ‘zero-trust’ approach, you should restrict access only to a need to have basis. If you can, keep the data on your local network only. If possible, provide third-party access only through a secure connection such as a VPN.” By ensuring that users don’t have free reign to access sensitive data, you take the first steps to provide a secure environment for data protection.
“Your Password is too Weak”:
Once privileged access has been established, the next phase is to make sure that these accounts are secure. The first step to do this is to address password security. Weak passwords are surprisingly common, particularly as individuals have an increasing Internet presence. It can be annoying or inconvenient to use multiple, complex passwords across a range of social networking sites, online banking accounts and corporate portals. This leads to apathy in the workplace as employees aim to increase convenience by using simple passwords. However, while being easy to remember, short passwords are easy to crack. It doesn’t matter how few people have access to sensitive data, if they use weak passwords like pet names, favourite sports teams or birthdays then these accounts are easily breached.
“As most enterprises have an administrative account with nigh unlimited power, it is wise to keep account of who has access to this. It would be wise to introduce a companywide policy to prevent the practice of password sharing, especially when it comes to administrative accounts that have high levels of access,” explains Peterson. “Companies should look to change passwords regularly and only share them with the privileged few that regularly require access.”
In general passwords should be longer than 10 characters including a combination of capitals, numbers and special characters that don’t spell commonly used words. For companies, the best security practices should be to make sure that passwords are secured with cryptographic protection, and not scrawled out on a post-it note.
Multifactor Authentication is Key
An additional step to ensure security is through multifactor authentication (MFA). This means that even if a password and username is compromised, then sensitive data remains protected. There are several layers of MFA available, each offering varying ranges of security possibilities. One of the simplest options is used daily on our computers. By pressing alt, control and delete before logging onto our work PCs, we prove that we are in the physical location, and not a bot or external hacker. Alternatively, enterprises can link work phones or tablets to accounts, ensuring that the person attempting to access information in is in possession of a specific device, with the ability to log in.
Although it may seem like something from a Sci-Fi film, the introduction of biometric identifies such as a fingerprint, typing pattern and voice recognition are becoming increasingly affordable and applicable methods of MFA. Indeed, most of us have biometric identifiers in our pockets as mobile phones are beginning to utilise IT forensics. Using geolocation is another helpful MFA as it can raise immediate red flags if there is an attempted login from another country our location.
In conclusion, implementing IAM is simple. All corporations should take an active, holistic approach to protecting data. It is important to ponder policy, especially when it comes to protecting PII. If in doubt remember, what would Descartes do? Think: IAM.