reducing insider threat risk

Reducing Insider Threat Risk Through IAM

In Cyber Security Strategyby Michael Jansen

Insider threats have been around since the dawn of time, and they’ve always been a challenge to prevent and detect. That’s what makes reducing insider threat risk so difficult. The digital age, which has given much of the world’s population fast and easy access to information from practically anywhere, has only compounded the issue. In today’s post, we’ll discuss how you can reduce insider threat risk using identity and access management (IAM).

Regardless of where resources are located or the size of the business, insiders consistently prove to be one of the biggest threats to organizational security. The larger an organization is, the higher the risk, due to the sheer number of entry points there are to networks and their associated accounts and data, as well as the number of people who may potentially have legitimate access.

Even though we know insider threats are a problem, preventing and detecting them remains a large, and often complex, challenge.

Do you need help reducing insider threat risk? Get in touch with Delta Risk to learn more about our solutions.

Defining Insider Threats

The Computer Emergency Response Team (CERT) for the Software Engineering Institute recently redefined an insider threat as the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.

For the purposes of this blog, we’re not going to focus on the motives and behaviors of an insider, but on them having and using their privileges to get access to an organization’s assets.

What is Identity and Access Management?

Now let’s talk a little bit about identity and access management (IAM). IAM is a security framework that controls digital identities and account access. The framework, when paired with your organization’s policies and the right technology, can provide centralized and automated control of user access to information and resources.

With the IAM framework implemented, you can use granular role-based access controls to enforce enhanced privilege and authentication policies.

Why Are Insider Threats Difficult to Detect?

Since insiders are typically employees or business partners who have or have had, trusted access to your network(s) or information resources, it makes them very hard to spot. Consider the following scenarios:

  • Inactive Accounts: What if an employee left the company and because of broken processes and lack of governance, the employee’s account was never deactivated or removed?
  • Privilege Creep: How do you identify and manage accounts of employees who have worked in many different departments of the organization over the years and whose previous privileges were never updated or removed to reflect role changes?
  • Multiple or Parallel Accounts: Although there may be a legitimate need for multiple accounts for an individual or process, how does the governance process enforce periodic reviews to validate sustained access to these accounts so they can do their job?
  • Separation of Duties: Does the governance process also account for internal controls to prevent fraud and error by requiring more than one individual to complete key processes or tasks?
  • Multifactor Authentication: Are you using an additional form of authentication that requires something you have, are, or your location, in addition to the traditional something you know (e.g., password)?
  • Irregular Access: Does the system automatically alert your security team if someone accesses their account during non-routine hours?
  • Privileged Account Access: Do you have additional security measures and audits in place for privileged users who have access to the admin accounts, or as they say, “the keys to the kingdom?”

All of these questions are only scratching the surface of the areas you should be considering.

What are the Fundamentals of IAM?

When we look at IAM concepts, we can boil it down to three fundamental principles:

  1. There needs to be a high-level of confidence that the person logging in to an account is the person they say they are;
  2. Access should only be granted to individuals with a current need to accomplish their assigned job tasks and;
  3. Account access and activity logs need to capture what accounts are or were accessed and by whom and when.

Once you’ve applied these principals, be sure to baseline your normal operational activities. This allows you to sift through the noise to locate what could be abnormal activity to help it stick out like a sore thumb and better your chances of preventing and detecting insider threats.

How Can You Reduce Insider Threat Risks?

Many businesses or organizations use multiple systems and processes to handle various pieces of their network and security capabilities to include access to accounts. When it comes to network security, there are many methodologies and technologies out there to choose from but as we know, piecemealing security together generally isn’t as effective as when it’s designed and viewed from a holistic approach.

Summary

Reducing insider threat risk is the name of the game for security-minded folks and insider threats are a risk all organizations, big and small, must consider. However, the bottom line is that if you architect and implement an IAM security framework and technology that ties in your governance and subsequent policy rules into a centrally managed identity and access system, your ability to prevent and detect insider threats will be greatly enhanced.

There’s not, nor will there ever be, a system or process available that will guarantee 100 percent prevention and detection rates. However, IAM can certainly help you more effectively and efficiently secure and control access to your resources and can ultimately help you reduce the risk of insider threats.

Download our white paper on “10 Steps for Establishing an Insider Threat Program” to learn more.