Why Identity is the Foundation of Digital Security
With cybercrime on the rise, security is a major concern at Australian organisations. That’s understandable: as bad actors find new ways to attack organisations, the attack surface gets bigger and bigger—and the mitigation strategies that companies need to implement to stay safe evolve every day.
And yet, in many instances, the way companies address their digital security misses a key factor. Proper digital security is about more than secure passwords and up-to-date antivirus protection. Without also addressing identity, organisations risk leaving vulnerabilities in place that could lead to the financial consequences and reputation penalties associated with cybersecurity incidents.
Let’s take a closer look at what identity and access management (IAM) is, why it’s so important, and some of the steps you can take today to ensure you’re protected.
The Critical Importance of Identity and Access Management
At a basic level, IAM encompasses the use of both policies and technology to control who has access to specific resources within a technology environment.
But this definition alone doesn’t capture the critical importance of IAM. In fact, identity is foundational to all the other security pieces that sit on top of it. If you can’t appropriately authenticate someone’s identity—and you let the wrong person into your systems—then the rest of the security you’ve built becomes somewhat useless.
As an example, when Seasons Living—a provider of senior living communities across Queensland—engaged Mangano IT to support their legacy applications and end-of-life infrastructure, our customised Security Assessment process quickly identified a number of IAM concerns.
One, in particular, was the use of shared accounts across staff members. Because multiple team members accessed systems using the same login credentials, access to data and resources couldn’t be controlled on a granular level. This left Seasons Living vulnerable—if one of its shared passwords was stolen or compromised, cybercriminals could have gained access to several people’s accounts, exponentially increasing the size and scope of the breach.
How to Build a Solid Identity Foundation
Although proper identity and access management is a multifaceted, ongoing undertaking for most organisations, the following are a few best practices to help get you started on a solid IAM foundation:
- Codify your IAM processes and procedures in a single document (or set of documents) and update them on a regular basis. Involve any appropriate stakeholders within your organisation to create the policies, and take the appropriate steps to make sure they’re enforced. Having centralised documentation sends a powerful signal to staff regarding your security expectations—but only if team members know they’ll be held accountable to them.
- Make sure your IAM policy addresses the risks associated with remote work. As we expect remote and hybrid work to be the norm for the near future, make sure employees know how to connect securely from home or public networks and how to properly protect any sensitive data they print out.
- Employ multi-factor authentication (MFA) and single sign-on (SSO). A service like Azure AD makes this easy and prevents user frustration that could otherwise limit adoption.
- Use a ‘zero-trust’ approach when managing device access and usage. This way, you’ll avoid inadvertently granting employees more access to your systems and data than they need to do their jobs.
- Regularly update the security software on your devices. Also ensure employees do the same on any personal devices they use to access company resources.
- Take steps to protect sensitive data in the event of device loss or theft. The ability to wipe devices remotely, for example, can limit access to business information if they fall into the wrong hands (whether accidentally or not).
- Follow a ‘least-privileged’ approach when provisioning accounts for new or existing employees. When it comes to IAM, it’s better to put workers in the position of having to ask for additional access as needed than to grant more than is required.
- Use a ‘Segregation of Duties’ (SoD) approach for sharing control over core systems and processes. This is especially important in the case of critical functions.
- If you use generic accounts for training and testing purposes, limit their access to the lowest level required. Furthermore, make sure you have plans in place to lock down access to the accounts—or to delete them entirely—when the training or testing is complete.
- Develop defined procedures for removing or changing user access and privileges when employees leave the company or change roles within it. Proper termination workflows are especially important in the case of firings or reductions in headcount that could trigger malicious activity by disgruntled outgoing employees.
While implementing the best practices above will put your organisation ahead of others that haven’t invested in IAM, they’re only the tip of the identity iceberg.
To properly secure your devices and data, enlist the support of a partner like Mangano IT. Not only can our customised Security Assessments help reveal identity risks you may not know about, our Connect + Protect solution builds proper IAM into the foundation of your IT infrastructure.
Reach out to our team of security specialists for more information or to get started.