The state of security in 2014 can be summed up in four words: We are falling behind. External breaches are occurring more frequently and becoming more complex, and internal threats have extended beyond malicious employees (past and present) and current employee mistakes to include vendors, who were at the heart of the Target attack.
According to Verizon’s most recent Data Breach Investigations Report, from 2004 to 2013, “insider misuse” ranked second (tied with “crime-ware”) as the most significant of all the attacks your industry is likely to face—making up close to 20 percent of all security problems. One of the most noticeable shifts in 2013 was an increase in insider espionage targeting internal data and trade secrets, or intellectual property. Not unexpectedly, privilege abuse—taking advantage of the system-access privileges granted by an employer—led all other forms of insider threats (an astonishing 88%). Insider threats encompass a very broad range of activities, most of which are perpetrated for personal or financial gain, but the overall themes and lessons are the same: most insider misuse occurs within the boundaries of trust necessary to perform normal duties.
That’s what makes it so difficult to prevent. Fortunately, this problem is right in my wheelhouse. Here are five trends and developments I see on the identity access management (IAM) industry’s horizon:
Highly-public security breaches in 2014 will put the focus on privileged users. Edward Snowden brought attention to insider threats, reminding us of the vulnerability of privileged, administrative accounts. In the near future, we’ll see external attackers target privileged users and their accounts to gain unlimited access to critical systems, cause significant damage, and steal information. More sophisticated malware, coupled with social engineering to exploit the growing desire to share more via social media, will lead to these accounts being compromised. Identity managers should ensure users are automatically assigned roles containing appropriate entitlements as part of the onboarding process. This will provide an auditable record and enable the enforcement of access management policies across the enterprise. An effective user provisioning/deprovisioning solution can also automatically guarantee a user’s access is removed in a timely manner (e.g., immediately upon termination)
IGA software will provide aggregated risk scoring. Risk scores will be based on assigning automated risk values to systems, access privileges, and user accounts, providing a holistic view of an enterprise user’s risk. Built into IAM processes, aggregated risk scores will show an individual user’s overall risk relative to the organization’s environment, and advanced warning will support decisions made during the approval process for access and service requests.
Companies will continue to experience lower-than-anticipated information security from outsourced IT operations. Outsourcing relationships will continue to be focused on IT operations, and as a result, there will be more opportunities to negatively impact security, as outsourcers must make decisions based on cost savings versus security. Target is now looking at the very real possibility that their attackers hacked their way in using access credentials stolen from an environmental systems contractor. Theoretically, those access credentials allowed attackers to gain a beachhead inside Target’s network, allowing them to infect other Target systems, such as payment processing and point-of-sale checkout systems.
Today, multiple vendors often have access to corporate credentials, and it’s possible for just one of those firms to have hundreds of technicians who require access on a revolving basis. In other words, login credentials issued to an administrator on Monday may be used by someone else on Friday. No one can manage privileges in this manner and secure access to their systems.
In today’s world of enterprise applications, cloud subscriptions, and federated access, more automated IAM systems will be put in place to provide the thorough detection capabilities required to prevent similar IT security breaches.
Passwords will be simplified. The problem with passwords in a large enterprise is that people generally require many different accounts and corresponding passwords to access the expansive list of both cloud and on-premises systems and applications—so many that sometimes it feels impossible to remember them all. And then, just about the time you feel you’ve got them all memorized, they need to be changed! So what’s the natural reaction of a worker who needs to efficiently accomplish all their tasks across a number of different systems? They develop a host of insecure behaviors around password management, and these behaviors creep into the workplace.
Solutions to password management will incorporate three critical components: an easy self-service password reset capability that allows users to reset their passwords from any device; a synchronization solution that changes passwords across all of a user’s systems; and a single sign-on solution across on-premises and cloud applications to limit the number of sign-ons required.
Single Sign-On (SSO) products will be built around directory-driven authentication. These products will control cloud application sign-on without replicating enterprise identities. As a result, they’ll eliminate dual administration, redundant processes, and new costs. Using directory authentication will mean that existing enterprise directories will control cloud application access. No additional synchronization will be required; instead, they’ll leverage existing enterprise user passwords, which will eliminate the need to sync enterprise accounts with a cloud solution. A significant side benefit will be a reduction in corporate SaaS licensing costs and security exposure, since application licenses often remain active even after employees have left the corporation.
When looking at the security landscape from both inside and outside organizations, one thing is clear: we will never be completely safe. As new methods of bypassing security measures proliferate, the security industry will need to make innovation a priority. If we’re to keep up, IAM solutions must be revolutionary, not just evolutionary.
Nelson Cicchitto is chairman and CEO of Avatier Corporation, a company he founded in 1997. Today, Avatier is one of the leading identity access management companies in the world. Prior to founding Avatier, Nelson founded Master Design & Development, Inc., and held senior and lead architect positions at Chevron and Pacific Bell. He’s active in a number of groups and associations, he holds four patents, and he’s a Certified Novell Instructor and a Certified Novell Engineer. Nelson received his BA in computer science from the University of North Texas.