
Cloud IAM Challenges that Demand Your Immediate Attention

By Brad Puckett, Global Product Director - Cybersecurity, Global Knowledge


Identity and access management (IAM) and credentialing are not only fundamentals of cybersecurity design, but also long-held necessities of networks and services. For decades, our digital lives have been inundated by usernames, passwords, domain accounts, synchronized RSA tokens, and other forms of verification and access control. As cyber criminals have become more adept and cyber attacks have grown in sophistication, the complexity and challenges of proper IAM have increased exponentially. Indeed, proper credentialing and verification are more imperative now than ever before.


The complexity of appropriate IAM measures is compounded by the shift of network resources from on-premises control to cloud-based architectures. With the migration to cloud, several new challenges have emerged regarding IAM and credentialing that require additional and immediate attention.

Multi-Application Credentials

Certain cloud deployments, such as those not equipped with single sign-on (SSO), require users to manually maintain multiple account credentials and verifications. Combined with the local and peripheral accounts necessary to perform their job tasks, this type of deployment can cause frustrated legitimate users to reuse and abuse passwords across multiple accounts in multiple locations. Even with strong password enforcement guidelines for complexity and length, credential reuse can turn a single, isolated breach into a gateway for any bad actor holding the information.

Legitimate users are faced with a tremendous amount of “password fatigue” across all aspects of their digital life, having to navigate social media, banking and physician portals, and a host of other platforms that require passwords (and seemingly endless password resets). Nearly every online presence you enjoy today requires identity vetting, and each one comes with its own requirements for password length, complexity, control characters, and expiration cycle. Factor in the work-related use of privileged accounts, and the potential complexity of a segmented cloud deployment can easily lead to laziness among users. This type of apathy is exactly what cyber attackers are looking to exploit.

In proper cloud deployment, there are steps and provisions that can be made to mitigate this risk and help alleviate the password and credential strain on legitimate users. This begins with proper IAM architecture and includes the integration of specialized tools designed to mitigate IAM headaches in the cloud transition.

Credentialed User Ease of Use

Security measures lock down potential points of vulnerability and decrease exposure to risk. While these are good things, and in fact the essence of cybersecurity, each step in the security journey is also a potential step away from ease of use for the legitimate user. Employees working from the corporate office in a recognized location on a recognized device might have little issue with the litany of layered security measures implemented. But things like SSO, two-factor authentication (2FA), device and location recognition, and encryption can cause undue stress and frustration in the workforce, potentially causing productivity issues. With the vast proliferation of remote working locations, IoT devices, bring your own device (BYOD) deployments, and partner and third-party access needs, issues in a cloud IAM deployment seem increasingly likely.

SSO and Active Directory (AD) are baseline solutions to credentialing and privileged access, but each comes with inherent challenges. A mix of devices running different operating systems in your workforce can cause problems with SSO and AD, due to how SSO can be set up for certain applications. For example, an employee group using a mix of Mac and Windows operating systems could be logged into AD locally, but SSO might fail at the cloud level due to specific provisioning. With IoT and employees taking advantage of BYOD privileges, the list of possible endpoints and locations requesting access to applications and services grows exponentially, and users aren’t immune to the inconsistency in experience.

Provisioning and Deprovisioning

Credentials must be created and disabled, and privileges granted and denied, as the workforce and its needs evolve. Proper IAM deployment and architecture must provide a secure and complete mechanism that ensures proper handling with a minimum of complications and manual intervention. However, layers of secure identification management and privilege accounting in multiple locations across multiple applications can be tedious to manage and, in the case of deprovisioning, can leave your data potentially unprotected.

Complex and multi-point deployments can create scenarios where the de-privileging of an employee, such as one who has left the organization or has been terminated, becomes tedious, unreliable and frustrating. Not knowing the credentials involved, the systems affected, the applications accessed, or where the accounts are located can be a dangerous vulnerability. Proper IAM architecture and design in the cloud becomes paramount to the mitigation of risks in the provisioning and deprovisioning of user access.
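The gap described above, accounts that remain enabled because nobody knows where they live, can be found by reconciling the HR roster against account exports from every system. The following sketch is an added example, not part of the original article; the roster fields, system names and account records are constructed sample data.

```python
from datetime import date

# Constructed sample data: an HR roster and per-system account exports.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2024, 3, 1)},
    "carol": {"status": "terminated", "end_date": date(2024, 5, 15)},
}
ACCOUNT_EXPORTS = {
    "directory": [
        {"login": "alice", "owner": "alice", "enabled": True},
        {"login": "bob", "owner": "bob", "enabled": False},
        {"login": "carol", "owner": "carol", "enabled": False},
    ],
    "crm_saas": [
        {"login": "bob@example.com", "owner": "bob", "enabled": True},
        {"login": "carol@example.com", "owner": "carol", "enabled": False},
    ],
    "cloud_console": [
        {"login": "carol-admin", "owner": "carol", "enabled": True},
        {"login": "svc-backup", "owner": None, "enabled": True},
    ],
}

def find_deprovisioning_gaps(roster, exports, today):
    """Return enabled accounts that belong to leavers or to nobody."""
    findings = []
    for system, accounts in sorted(exports.items()):
        for acct in accounts:
            if not acct["enabled"]:
                continue
            person = roster.get(acct["owner"])
            if person is None:
                # No accountable owner: nobody will ask for its removal.
                findings.append((system, acct["login"], "no owner on roster", None))
            elif person["status"] == "terminated":
                days = (today - person["end_date"]).days
                findings.append((system, acct["login"], "owner terminated", days))
    # Longest-exposed leaver accounts first, unowned accounts last.
    return sorted(findings, key=lambda f: (f[3] is None, -(f[3] or 0)))

if __name__ == "__main__":
    for finding in find_deprovisioning_gaps(HR_ROSTER, ACCOUNT_EXPORTS, date(2024, 6, 1)):
        print(finding)
```

In this sample the central directory was cleaned up for both leavers, yet their accounts in the other two systems are still enabled, which is the multi-point failure the section describes.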

How to Mitigate Your IAM Risks

There are several emerging technologies that can assist in alleviating the challenges presented by identity management in the cloud. A Cloud Access Security Broker (CASB) is a midpoint security policy enforcement solution placed between cloud service providers and cloud service consumers. CASBs have become a significant product category. In fact, Gartner has a Magic Quadrant for CASB. A CASB can enforce complex policy based on conditions like geographic location, time of day, and specific files. It also provides logs for forensics. Ultimately, it is up to the enterprise to work CASBs into their solutions, as it is the cloud service consumer that has the most at risk.
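To make the policy dimensions concrete, the sketch below evaluates requests against geographic location, time of day and file patterns, and writes an audit record for every decision. It is an added example, not from the original article and not any vendor's schema; the policy fields, the rule that restricted files are blocked outside business hours, and the sample requests are assumptions.

```python
import fnmatch
import json
from datetime import datetime, time

# Hypothetical policy; field names are illustrative, not a vendor schema.
POLICY = {
    "allowed_countries": {"US", "CA"},
    "business_hours": (time(7, 0), time(19, 0)),  # organisation-local time
    "restricted_files": ["finance/*.xlsx", "hr/*"],
}

# Constructed sample requests as a broker might see them.
REQUESTS = [
    {"user": "alice", "country": "US", "file": "finance/q3.xlsx",
     "when": datetime(2024, 6, 3, 10, 30)},
    {"user": "alice", "country": "US", "file": "finance/q3.xlsx",
     "when": datetime(2024, 6, 3, 23, 5)},
    {"user": "bob", "country": "RO", "file": "marketing/deck.pptx",
     "when": datetime(2024, 6, 3, 11, 0)},
]

def evaluate(request, policy, audit_log):
    """Return (decision, reasons) and append one JSON audit record."""
    reasons = []
    if request["country"] not in policy["allowed_countries"]:
        reasons.append("geo_not_allowed")
    start, end = policy["business_hours"]
    restricted = any(fnmatch.fnmatchcase(request["file"], pattern)
                     for pattern in policy["restricted_files"])
    if restricted and not start <= request["when"].time() <= end:
        reasons.append("restricted_file_outside_hours")
    decision = "block" if reasons else "allow"
    # Every decision is logged, allowed ones included, for later forensics.
    audit_log.append(json.dumps({
        "when": request["when"].isoformat(), "user": request["user"],
        "country": request["country"], "file": request["file"],
        "decision": decision, "reasons": reasons,
    }))
    return decision, reasons

def run(requests=REQUESTS, policy=POLICY):
    """Evaluate all requests; return the decisions and the audit log."""
    log = []
    decisions = [evaluate(r, policy, log)[0] for r in requests]
    return decisions, log

if __name__ == "__main__":
    decisions, log = run()
    print(decisions)
    print("\n".join(log))
```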

Additionally, there is an increased emphasis on privileged account management. As many companies realize that a handful of IT people possess the keys to the kingdom, privileged account security product providers like CyberArk are rapidly gaining in popularity. Privileged account security providers solve complexity in handling of privileged users by managing their access and logging their actions. Recently, a mobile provider had some employees indicted for taking bribes to unlock phones and introduce malware into corporate networks based on advanced privilege solution results.

Ongoing Cyber Training is Your Secret Weapon

To understand the intricacies of identity, authorization and permissions across all systems in an organization, initial and ongoing training is necessary for an IAM team. According to the 2019 Global Knowledge IT Skills and Salary Report, the largest worldwide study of IT professionals, IT decision-makers are having the hardest time finding qualified cybersecurity talent. To make matters worse, only 58% of IT departments around the world have been given a training budget, so even keeping your existing workforce up-to-date is a challenge. Successful organizations prioritize skills development and develop a talent pipeline. Continuous skills development in cybersecurity is not a cost, it’s an investment.

Global Knowledge offers cybersecurity skills training to help you keep pace with emerging technologies and evolving cyber-attacks. Technology isn’t stopping, so neither can you. IAM and cyber specialists must have a plan for continual professional development to ensure networks, systems and individuals are protected. Cybersecurity technology is only as powerful and effective as the people trained to use it.
