Every day we hear of a “major” security breach at another big company. Inevitably, the victim organization goes on a spin campaign to shift blame away from itself, never simply saying, “We could have prevented this if we had had our act together.”
Security breaches can’t happen unless someone gets access they shouldn’t have. Access is totally within the organization’s control (or should be), and while there’s no list you can follow to guarantee you’ll never be the victim of a breach, there are some simple best practices you should observe that will make you a harder target and, in the worst case, minimize the damage if someone does get in.
1. It starts with authentication and authorization. Identity and access management 101 explains that access is the combination of authentication (proving you are who you claim you are) and authorization (limiting what you can do based on who you are). Too often access is executed haphazardly, taking a path-of-least-resistance approach that secures things appropriately as long as it’s not too difficult. It’s well worth the investment, however, to establish rights correctly, ensuring that every user has access to everything they need to do their job and nothing else.
2. Treat data security as a single issue, not several separate issues. The knee-jerk reaction to regulations and security is to search for the most likely target and find a way to secure it. The result is a siloed approach that’s neither efficient nor consistently secure. A better approach is to unify the things that control access (policy, identity, authentication, provisioning, role, etc.) and get it right once. If a single role definition includes all the appropriate access rights for a group of employees, the risk of someone going rogue or someone doing something bad with stolen credentials goes way down. If they can’t get it, how can they abuse it?
3. Put the right people in control. The vast majority of access controls are set up by people who know how to manage the system rather than those with the most at stake. IT usually is at the front line of implementing access controls because they have the rights, tools, and knowledge necessary to set up access for individuals and groups. But IT typically lacks the context to know what access individuals should have; that knowledge belongs to line-of-business personnel. Find a way to put the line-of-business in control of access rights and as much of the management process as possible.
4. Don’t forget about your administrators. Finally, the “superuser” credentials associated with every system are the crown jewels of access. Someone logging in with these shared, anonymous, and all-powerful sets of rights can do anything and everything they want, from planting malware to stealing data. Technologies exist that remove the shared nature and anonymity of administrative credentials and audit all activities performed with them. This one practice alone could prevent the majority of high-profile breaches permeating the news.
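The four practices above (separating authentication from authorization, defining access once per role, and refusing shared anonymous superuser logins while auditing privileged decisions against a named person) can be shown in a few dozen lines. The following is an added example written for this page, not code from the author or from Dell Software; the role names, permission strings, the PBKDF2 password hashing, and the in-memory audit log are all constructed assumptions chosen to illustrate the points, not a description of any product.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed role definitions (assumption for this example): each role carries
# every permission one job function needs and nothing else, so access is
# defined once per group of employees rather than once per system.
ROLES = {
    "accounts_payable": frozenset({"invoices:read", "invoices:approve"}),
    "sales": frozenset({"customers:read", "customers:update"}),
    "db_admin": frozenset({"db:backup", "db:restore"}),
}

# Shared, anonymous superuser names that are never provisioned as logins:
# privileged work is done by a named individual who holds an admin role.
SHARED_SUPERUSERS = frozenset({"root", "admin", "sa", "administrator"})

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, so a stolen credential store does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccessControl:
    """Keeps authentication (who you are) separate from authorization (what you
    may do) and records every decision against a named individual."""

    def __init__(self):
        self._users = {}      # username -> (salt, password hash, frozenset of roles)
        self.audit_log = []   # one dict per authentication or authorization decision

    def add_user(self, username, password, roles):
        if username.lower() in SHARED_SUPERUSERS:
            raise ValueError(f"shared superuser login '{username}' is not allowed")
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt), frozenset(roles))

    def authenticate(self, username, password):
        """Proves identity only; a successful login grants no rights by itself."""
        record = self._users.get(username)
        # Hash even for unknown users so a missing account is not revealed by timing.
        salt, stored, _ = record if record else (b"\x00" * 16, b"\x00" * 32, frozenset())
        presented = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(presented, stored)
        self._record("authenticate", username, None, ok)
        return ok

    def permissions(self, username):
        """Effective rights are the union of the user's role definitions."""
        roles = self._users[username][2] if username in self._users else frozenset()
        return frozenset().union(*(ROLES[r] for r in roles))

    def authorize(self, username, permission):
        """Default deny: allowed only if some assigned role grants the permission."""
        allowed = permission in self.permissions(username)
        self._record("authorize", username, permission, allowed)
        return allowed

    def _record(self, event, actor, permission, allowed):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "actor": actor,            # always a named person, never "root"
            "permission": permission,
            "allowed": allowed,
        })


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse", ["accounts_payable"])   # constructed sample user
    ac.add_user("dana", "battery staple", ["db_admin"])           # constructed sample admin
    print(ac.authenticate("alice", "correct horse"))   # True: identity proven
    print(ac.authorize("alice", "invoices:approve"))   # True: her role grants it
    print(ac.authorize("alice", "db:restore"))         # False: even a stolen "alice" login cannot
    for entry in ac.audit_log:
        print(entry)
```

The point of the `db:restore` check is the one the article makes about stolen credentials: an attacker who authenticates as a finance clerk still gets only that clerk's role, and the attempt is logged under that clerk's name so the anomaly can be spotted. Refusing to provision `root`-style logins forces privileged actions through named accounts, which is what makes the audit trail attributable.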
Ultimately, just because you trust your employees doesn’t mean you shouldn’t implement access control on them – all of them.
By Todd Peterson, Product Marketing Manager, Dell Software
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.