IAM expert Mark Gleeson spoke to FourthLine about the challenges businesses face when looking to implement a strong IAM strategy.
Identity and Access management is near the forefront of many industry leaders’ minds within the security space; a recent study has found that by 2024 the market is expected to soar to a value of £12 billion. Whilst the growth in the area is not surprising, the magnitude of the growth just shows its growing importance to the cyber community.
Good identity and access management means seamless control of privileged, access and rights for every user in an organisation; all for the purpose of ensuring that user’s data is kept secure and protected. However, the continued growth has highlighted universal areas of difficulty that face businesses wanting to achieve good identity and access management.
That’s why we’ve spoken to Mark Gleeson, an industry expert with vast experience, to see what he believes to be the biggest difficulties when it comes to IAM and how he has overcome these problems.
1. A strategy for protecting your privileged accounts
Problem - Setting up basic controls such as classification of accounts is fundamental. However, could your organisation supply a comprehensive list of all privileged accounts if required to do so?
Solution – Active Directory always comes to mind; however privileged accounts exist in literally every infrastructure platform/database technology in any organisation. In a previous engagement the number of privileged accounts quoted by the business at the start of the project was less than 30% of the volume we eventually uncovered. Identifying the privileged accounts evolved into a voyage of discovery. Everywhere we looked, we found more, particularly local admin accounts on servers, often unused but still enabled. However, if an organisation can identify their privileged accounts they are in a good position, and ready to put the right controls in place.
My first recommendation to any organisation is to identify the privileged accounts in the environment and ensure the process of creating privileged user or system accounts is controlled. Secondly, protect the emergency/built-in accounts which typically have the highest level of access and for this reason, is highly valuable to the attacker. Additionally, a firm needs to define a risk-based approach towards protecting the remaining privileged accounts. This could be AD admin support accounts, database support accounts, application accounts with access to highly sensitive data etc. Work with the organisation to understand their priorities around the residual risk and build a pragmatic, risk-based strategy to address these remaining attack vectors.
2. Choosing the correct toolset for your company, and justifying it to stakeholders
Problem - Often a stumbling block for businesses; there are many toolsets available on the market, and as always you get what you pay for. How do you decide on which to pick?
Solution - The solution is to select a vendor that meets the requirements. If you are simply looking for an electronic vault to store privileged user credentials, there are basic tools available. If you’re wishing to protect credentials and make life difficult to the attacker such as automatic password rotation/policy management, there’s solutions for that also. If you want full protection around the complete removal of personal privileged access, auto password/policy management, session recording/monitoring, threat alerting/SIEM integration etc, there are market leading solutions available, albeit at higher cost.
Let’s also address the elephant in the board room. The cost of implementing the right tooling, processes, change team to protect privileged accounts for a large global organisation can often run into the millions. However, the cost of data breach is often far greater in terms of GDPR fines and reputational damage, than the project costs ever were.
Large organisations must always be mindful of the significant risk posed by doing nothing. Privileged accounts are a common path used by attackers. The vast majority of data breaches involve the elevation of rights and abuse of privileged accounts. When a breach occurs, one of the first actions to take is to shut down and control all privileged accounts. Proactively addressing this in advance reduces the risk to the organisation and provides a defensible position should a breach occur.
3. Creating a better cyber-secure culture
Problem - Depending on the organisation, putting in a privileged account management solution can be complex, costly, and time consuming. Putting the technical complexities to one side, in my experience if you fail to consider the change management aspects of the programme, be well prepared for the project to shift to a radiant shade of Red.
Solution – Put great emphasis on the change management aspects of the project and be sure to engage with the privileged users (and of course their management) at least 6 months in advance to make them aware of the plans. Why? Because depending on the solution and functionality implemented, you are often directly impacting users in their day to day activities. Not in a negative way, but there is change, and the immediate reaction to change is often resistance.
When deploying a market leading privileged access security solution into one of the largest insurance companies in the world, change management was often the main focus of the board, and rightly so. Spending millions deploying a solution that people refuse to use, or simply find every trick in the book not to is not a good look at the end of a project. Ensure that users understand why this change has to take place, how this will affect them in the future, and ultimately work in partnership to ensure the operational impact to their daily activities is minimal.
4. End to end JML process – the operational space
Problem - Moving more towards the operational activities of IAM, namely JML, the actual creation, modification, and deletion of accounts plays only a small part of the overall process. The strength of controls only come once the end to end process is defined and followed for every request. Accepting account requests via email, cloning accounts, access management administrators spending most of their time seeking approvals rather than executing requests, all of which for various often justifiable reasons internally are still a reality. Inaccurate or unstructured leavers data; sound familiar? We’ve all seen and continue to see these challenges in the operational space.
Solution - The introduction of a standardised request system for users/IAM team, with approvals built into the workflow engine makes a huge difference to the operational efficiency of the process. Introducing role-based access control (RBAC) is of course a huge leap forward in terms of reducing excessive access rights. If RBAC tools are not available, or funding for the work stream is not a priority, creating role template accounts (non-personal, permanently disabled, very strong password etc) can often be an interim measure. However, with the sheer amount of IAM tooling now available on the market, the majority of these problems are solved out of the box. Most vendors are happy to provide free demonstrations of their solution on-site and assist with the business case if required. Some free pre-sales work is often to the benefit of both parties, you only have to ask (nicely!).
If you’re looking to review your IAM processes, implement a new IAM system or remediate problems within your current framework, then FourthLine can help through our consulting, talent or learning solutions. Please get in touch here.
Mark is an IAM programme/project manager and has worked in a leadership role within the identity and access management space for the past 15 years within financial services. He has held the position of ‘Global Head of Systems Access Management’ at a global industry leading bank, and was most recently global lead for the Privileged Access Management programme for one of the world’s largest insurance companies, responsible for delivering the new PAM Service (CyberArk PAS solution) into the organisation.