By Michael Byrnes, Director – Solutions Engineering, iMEA, BeyondTrust
Identity security has become a key focus for a variety of stakeholders in the United Arab Emirates (UAE). From the government on down, we have received alerts of rising numbers of incidents. Key organizations in the national ICT infrastructure, such as incumbent telecoms operator Etisalat, have warned consumers of the dangers and advised them on how to protect their environments.
The one-to-one relationship between people and their digital identities used to be little cause for concern. But then consumption of online services mushroomed, and people started to have multiple accounts, credentials, and permissions across their professional and private digital lives.
In the corporate world, things become more complicated. Best practice demands, for example, that well-known accounts such as “administrator” be scrapped in favor of group privileges that map to individual named accounts. Best practice also calls for these accounts to have non-obvious labels, rather than first initial and family name. But just how widespread are these tactics? Here, we explore the six most important challenges of identity management that CISOs must overcome to deliver safe, productive work environments.
Since most corporate email addresses still favor the “first name, last name” labelling convention, organizations will eventually encounter duplicates for employees with common names, and this becomes more likely as the workforce grows. The standard solution is to add a middle initial or a numerical suffix, but this complicates global address lists and makes it harder to find the right person. It becomes a security issue when a communication containing sensitive information reaches the wrong person. To get around this problem, IT teams can use full names for corporate accounts, and security teams can use identity-obfuscation techniques to make users invisible and their data unusable.
Many organizations employ people in multiple roles. But since permission sets tend to be defined per business unit, classification problems arise for staff who work across units. Best practice calls for a floating worker’s permission set to be changed every time they move to another department, but this is often not observed, leaving employees with broad entitlements and unnecessary access to resources, some of which may be sensitive. This is one form of over-provisioning (covered below) and can be avoided by attaching the individual to a predefined set of group permissions, maintained either through diligent manual amendment of privileges as needed or by automation.
One of the main best practices in identity management is the principle of least privilege, where people are granted only those permissions needed to do their job, and no more. Over-provisioning breaks this rule, and the prime example is the admin account. Sometimes named “root”, sometimes “administrator”, these superuser privilege sets present too high a risk, and are often unnecessary. Making these accounts into identities provides any threat actor in control of them with sweeping access to a range of digital assets.
Careful consideration must be given to each user’s requirements. Any user that is in possession of administrator credentials but is not part of an administrator’s group must have their privileges amended. Superuser credentials should never be shared. Putting individuals who require admin access into privilege groups is also better for reporting purposes and allows for easier integration of privileged access management (PAM) solutions.
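The two checks just described, removing group memberships left over from a previous role and finding accounts that hold administrator rights without being in an administrator group, can be run over a directory export. The script below is an added example, not BeyondTrust's code or any product's API; it assumes an export in which each account record carries its role, its actual group memberships and any privileges granted directly to it, plus a role-to-group map that the security team maintains. All names, roles and group labels are constructed.

```python
"""Entitlement reconciliation over a constructed directory export.

Added example (not BeyondTrust's code or any product's API). It assumes a
directory export in which each account record carries its role, the groups
it is actually a member of, and any privileges granted directly to the
account, plus a role-to-group map the security team maintains.
"""
from dataclasses import dataclass, field

# Hypothetical role-to-group map: the predefined group set each role should hold.
ROLE_GROUPS = {
    "finance-analyst": {"finance-readers", "erp-users"},
    "hr-generalist": {"hr-readers", "hris-users"},
    "platform-admin": {"domain-admins", "server-operators"},
}
# Groups through which administrative access is supposed to be granted.
ADMIN_GROUPS = {"domain-admins", "server-operators"}
# Well-known superuser names that should not exist as enabled named accounts.
WELL_KNOWN_NAMES = {"administrator", "admin", "root"}


@dataclass
class Account:
    name: str
    role: str
    groups: set
    direct_privileges: set = field(default_factory=set)  # rights granted outside any group
    enabled: bool = True


@dataclass
class Finding:
    account: str
    kind: str
    detail: str


def reconcile(accounts, role_groups=ROLE_GROUPS):
    """Compare each account's actual entitlements with its role's predefined group set."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are reviewed separately
        expected = role_groups.get(acct.role, set())
        # Memberships left over from a previous role: one form of over-provisioning.
        excess = acct.groups - expected
        if excess:
            findings.append(Finding(acct.name, "excess-group", ", ".join(sorted(excess))))
        # Admin rights held directly rather than through an admin group.
        if acct.direct_privileges and not (acct.groups & ADMIN_GROUPS):
            findings.append(Finding(acct.name, "direct-admin",
                                    ", ".join(sorted(acct.direct_privileges))))
        # Generic superuser names should be replaced by individual named accounts.
        if acct.name.lower() in WELL_KNOWN_NAMES:
            findings.append(Finding(acct.name, "well-known-name",
                                    "replace with a named account in an admin group"))
    return findings


# Constructed sample export (not real data).
SAMPLE_ACCOUNTS = [
    # Moved from HR to finance but kept the HR readers group.
    Account("alice.nasser", "finance-analyst", {"finance-readers", "erp-users", "hr-readers"}),
    # Local admin on a workstation granted directly, outside any admin group.
    Account("bilal.haddad", "hr-generalist", {"hr-readers", "hris-users"}, {"local-admin:ws-hr-03"}),
    # Correctly provisioned administrator: direct sudo, but also in the admin groups.
    Account("carla.mendes", "platform-admin", {"domain-admins", "server-operators"}, {"sudo-root:srv-01"}),
    # Shared well-known account that should not exist as an identity.
    Account("administrator", "platform-admin", {"domain-admins", "server-operators"}),
]


def findings_by_account(accounts=SAMPLE_ACCOUNTS):
    """Group the finding kinds by account name for a short report."""
    report = {}
    for f in reconcile(accounts):
        report.setdefault(f.account, []).append(f.kind)
    return report


if __name__ == "__main__":
    for f in reconcile(SAMPLE_ACCOUNTS):
        print(f"{f.account:16} {f.kind:16} {f.detail}")
```

Run against the sample export, the script flags the stale HR group on the finance analyst, the direct local-admin grant on the HR account and the shared “administrator” account, and reports nothing for the correctly provisioned administrator. The same reconciliation can be scheduled after every role change so that entitlements drift is caught rather than discovered during an incident.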
Mergers and acquisitions routinely lead to an amalgamation of domains, identities, applications, and policies. To accelerate transitions, best practices can be suspended, but this leads to identity issues such as over-provisioning and non-standardized accounts. Best practice here is to merge standard operating procedures and technology baselines before trying to handle identity management. Security, identity policies, and provisioning standards should also be established prior to Day One of the new enterprise’s operations, so the identity-management project has a clear roadmap.
The rise of the Internet of Things has led to an explosion in machine accounts. And the Arab Gulf’s pioneering adoption of 5G suggests that IoT use cases will soon increase in number. This leads regional organizations into a new hornet’s nest of identity problems. The accounts for things like services and application pools are not identities, as they are only used to authenticate applications or transactions. By contrast, non-human identities have real-world agency, and so security teams must allow for their functions and how they interact with humans. Best practice is to ensure that the identity of any machine or automated process that falls into the non-human category is formally recorded as such and managed with the requisite diligence.
Vendors, consultants, auditors, and even temporary employees can constitute a risk if their access is not properly managed. Controls are needed that will monitor and rein in such third-party identities above and beyond traditional directory services. Again, the common-names trap (“Supplier1”, for example) should be avoided. All users should ideally authenticate with their individual full name, and their access should reflect the least-privilege principle and follow just-in-time (JIT) provisioning — where a user is granted access when they need it for as long as they need it, but not longer.
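The just-in-time model described above, together with the rejection of generic third-party labels such as “Supplier1”, is shown below as an added example; it is not BeyondTrust's code or any PAM product's API. It assumes a small in-memory grant store keyed by principal and resource, a policy cap on grant duration, and a clock passed in explicitly so that expiry is deterministic; the vendor identity, resource names and change references are constructed.

```python
"""Just-in-time (JIT) access grants for third-party identities.

Added example, not BeyondTrust's code or any PAM product's API. It assumes a
small in-memory grant store, a policy cap on grant duration, and a clock
passed in explicitly so that expiry is deterministic. Generic labels such as
"Supplier1" are refused so that each third party authenticates individually.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Generic third-party labels to refuse; the word list is illustrative.
GENERIC_NAME = re.compile(r"^(supplier|vendor|contractor|consultant|auditor|temp)\d*$",
                          re.IGNORECASE)


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    granted_at: datetime
    expires_at: datetime
    ticket: str  # approval or change reference (hypothetical field)


class JitAccess:
    """Grants are keyed by (principal, resource) and stop working at expiry."""

    def __init__(self, max_duration=timedelta(hours=4)):
        self.max_duration = max_duration
        self._grants = {}

    def request(self, principal, resource, duration, ticket, now):
        """Issue a time-boxed grant, refusing generic names and over-long windows."""
        if GENERIC_NAME.match(principal):
            raise ValueError(f"generic account label rejected: {principal}")
        if not timedelta(0) < duration <= self.max_duration:
            raise ValueError("requested duration is outside policy")
        grant = Grant(principal, resource, now, now + duration, ticket)
        self._grants[(principal, resource)] = grant
        return grant

    def has_access(self, principal, resource, now):
        """Authorisation decision: true only inside the grant window."""
        grant = self._grants.get((principal, resource))
        return grant is not None and grant.granted_at <= now < grant.expires_at

    def sweep(self, now):
        """Remove grants whose window has closed; returns what was revoked."""
        expired = [k for k, g in self._grants.items() if now >= g.expires_at]
        return [self._grants.pop(k) for k in expired]


def demo():
    """Walk one constructed vendor engagement through the grant lifecycle."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock
    jit = JitAccess()
    vendor = "maria.lopez@vendor.example"  # constructed third-party identity
    jit.request(vendor, "erp-prod-db", timedelta(hours=2), "CHG-0001", t0)
    result = {
        "active_after_1h": jit.has_access(vendor, "erp-prod-db", t0 + timedelta(hours=1)),
        "active_at_expiry": jit.has_access(vendor, "erp-prod-db", t0 + timedelta(hours=2)),
        "other_resource": jit.has_access(vendor, "hr-share", t0),
        "revoked_by_sweep": len(jit.sweep(t0 + timedelta(hours=3))),
        "second_sweep": len(jit.sweep(t0 + timedelta(hours=3))),
    }
    # Policy refusals: a generic label, and a window longer than the cap.
    attempts = (
        ("generic_name_rejected", ("Supplier1", "erp-prod-db", timedelta(hours=1))),
        ("over_long_rejected", (vendor, "erp-prod-db", timedelta(hours=5))),
    )
    for label, args in attempts:
        try:
            jit.request(*args, "CHG-0002", t0)
            result[label] = False
        except ValueError:
            result[label] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The decision function takes the current time as an argument rather than reading the system clock, so the same grant can be evaluated at the moment of request, one hour in, and at expiry; in a real deployment the PAM broker or directory would be the component making that decision, and the sweep would run on a schedule so that nothing outlives its approved window.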
As we can see, not all identity issues have easy fixes. Organizations must determine a middle ground between living with a vulnerability and upending operational practices for the sake of security. With this guide, it is hoped that regional CISOs can approach today’s identity issues with open eyes and blend what is possible with what is necessary to deliver safer environments.