Understanding, using IAM tools can help keep intruders out of company networks

Educate employees, update technology, and enforce identity and access policies to improve security posture


Savvy companies are fighting back against cyber criminals by improving their identity and access management programs.

Taking stock of and instituting best practices policies for IAM, as it’s referred to in security circles, can lead to major improvements of network security.

So says Citrix, the software giant that provides server, application and desktop virtualization systems used widely in commerce.

IAM refers to the policies and technologies that ensure the proper people have access to an organization’s technology resources. It “should be viewed as a business enabler that increases both productivity and user experience,” says Mike Orosz, Citrix’s director of Threat & Investigative Services.

Malicious attackers, though, know astute companies are improving their IAM programs, “so targeted phishing attacks are becoming the norm,” he says. “Joe Schmo in the mail room isn’t being frequently targeted—the CFO is.”

CFOs or other top executives, Orosz says, may have elevated privileges or access to a company’s most sensitive data.

Mike Orosz, Citrix director of Threat & Investigative Services

“Phishing attacks are geared at stealing credentials,” he says. “Once credentials are in hand, the thief acts like a legitimate user. Any organization that doesn’t proactively implement the latest technology, policies and procedures to limit access creates the perfect opportunity for an intruder.”

Research company Gartner—which defines IAM as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons”—says IAM is “a crucial undertaking for any enterprise.”

IAM gives companies an advantage

Enterprises that develop mature IAM capabilities, Gartner says, can reduce their identity management costs and become “significantly more agile” supporting new business initiatives.

IAM improves security “by centrally managing user rights management.” This significantly reduces the risks posed by people accessing applications and sensitive data, Orosz says.

Better IAM and single sign-on (SSO) lessen the risk of shadow IT, he says, because they require all users to go to one team for the provisioning of accounts and access.

A recent Citrix/Ponemon survey of 4,268 IT and IT security practitioners in numerous countries found that baby boomers are more susceptible to phishing and social engineering scams or tend not to know how to protect sensitive and confidential information.

“A very real problem is most baby boomers can’t discern between phishing, social engineering scams and legitimate email information requests,” Orosz says. “This is due to a lack of security awareness.”

Employees must be part of solution

The survey also found that 59 percent of employees and third parties bypass security policies and technologies because they are too complex.

“A lot of people also don’t feel a sense of ownership of the security problem,” Orosz says. “Unless they’re informed and required, many people have bad habits and don’t adhere to security policies.”

Fewer than half of survey respondents say their organization has security policies to ensure employees and third parties only have the appropriate access to sensitive business information.

Security is a team effort

“In most cases, the root cause of poor security practices can be attributed to weak security policies, employee bad habits and out-of-date technology,” Orosz says. “Organizations should work feverishly to assess their risk, fix outdated policies, and come up with a blended solution. Since security is a team effort, effective communication to explain why everyone is responsible and how they can help should be a No. 1 priority.”

The survey showed that many businesses believe their security is outdated, inadequate or too complex, Orosz says.

“Any one of those factors can have a significant negative impact on how secure an organization’s apps and data are,” he says. “If you think about how people work today, they’re on different devices, networks and clouds and need to be able to access their work from anywhere, anytime. But it has to be securely delivered. All these themes directly correlate to IAM and organizational maturity.”
