Here’s one of the most challenging questions any CISO, CIO, or enterprise decision-maker will have to face: what is the top priority for your enterprise’s cybersecurity team?
After all, your IT security team is most likely spread thin already. They need to handle secure onboarding, provisioning, and offboarding, monitor the IT perimeter, correlate possible threat events, threat hunt, handle access requests and permissions changes…
To put it simply, they are swamped.
Ping Identity CEO Andre Durand said at Identiverse 2018 that identity is undergoing its own Cambrian moment: soon it will absorb and subsume the entirety of cybersecurity. Yet with everything else your IT security team has to handle, it may be difficult for them to focus on identity security. Further, without the support of the rest of your employees, identity security might prove an unreachable goal.
Your enterprise needs to enforce policies to protect identities in your digital workplaces. Only by doing so can you relieve the burden on your IT security team and more reliably enforce your perimeter. Doing so is also essential to getting your employees to work with your identity and access management solution rather than against it. But how?
Here are our recommendations for the top policies to protect identities in your digital workplaces:
Ban Password Reuse and Initiate Single Sign-On
Here are two policies to protect identities in your digital workplaces for the price of one. You’ll find that the two are actually interrelated.
We’ve written at length about the inherent weaknesses of passwords despite their ubiquity in single-factor and multifactor authentication. Indeed, because of their prevalence and familiarity, enterprises and IAM solutions may never fully escape the shadow of passwords. Yet employees may be exacerbating the problem by reusing passwords.
Employees frequently have to memorize dozens if not hundreds of individual passwords for dozens if not hundreds of different digital accounts. It’s more than understandable that employees would reuse passwords to avoid the tedium and the frustration of forgetting and resetting their passwords. However, in your enterprise, this is more than a small annoyance.
Every reused password makes that employee’s credential more and more of a liability. If one account connected with that credential falls prey to a data breach—or is stolen outright—then every other account that uses it is at risk.
Rather than let this happen, your enterprise must enforce policies to protect identities in your digital workplaces. Specifically, you can ban employees from reusing passwords; using a centralized password vault as a point of comparison, you can identify when users’ passwords are too similar to one another and mandate changes. However, this can be a tedious process to set up, may leave you vulnerable to insider threats, and can cause privacy violations.
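As an added example (not code from the original article or from any vendor named in it), the following password-change policy shows how a reuse ban can be enforced without the privacy cost of a plaintext vault: the only plaintext the check ever sees is the old and new password the user types at change time, everything retained is a salted PBKDF2 hash, and the similarity and "seen before" checks run against that. The breach corpus, user names and passwords are constructed for the example; the history depth and similarity threshold are assumed policy values.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Constructed stand-in for a breached-password feed: SHA-1 digests of a few weak
# passwords (assumption, not a real feed).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Winter2023!", "letmein")
}

HISTORY_DEPTH = 5        # assumed policy: may not return to any of the last 5 passwords
MAX_SIMILARITY = 0.8     # assumed policy: ratio above which old/new are "too similar"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


class PasswordStore:
    """Per-user current (salt, digest) plus a bounded history of previous ones."""

    def __init__(self):
        self.current = {}
        self.history = {}

    def set_initial(self, user: str, password: str) -> None:
        self.current[user] = hash_password(password)
        self.history[user] = []

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.current[user]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(digest, candidate)

    def seen_before(self, user: str, password: str) -> bool:
        """True if the candidate equals the current password or any retained previous one."""
        if self.verify(user, password):
            return True
        for salt, digest in self.history[user][-HISTORY_DEPTH:]:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(digest, candidate):
                return True
        return False


def evaluate_change(store: PasswordStore, user: str, old_password: str, new_password: str) -> list:
    """Return the list of policy violations; an empty list means the change was accepted and applied."""
    if not store.verify(user, old_password):
        return ["current password incorrect"]
    violations = []
    if is_breached(new_password):
        violations.append("new password appears in breach corpus")
    # Similarity is only computable here, at change time, because the user has just
    # supplied the old password; nothing in plaintext is ever stored.
    if SequenceMatcher(None, old_password.lower(), new_password.lower()).ratio() > MAX_SIMILARITY:
        violations.append("new password too similar to current password")
    if store.seen_before(user, new_password):
        violations.append("new password was used before")
    if not violations:
        store.history[user].append(store.current[user])
        store.current[user] = hash_password(new_password)
    return violations


if __name__ == "__main__":
    store = PasswordStore()
    store.set_initial("alice", "Correct-Horse-Battery-1")
    print(evaluate_change(store, "alice", "Correct-Horse-Battery-1", "Correct-Horse-Battery-2"))
    print(evaluate_change(store, "alice", "Correct-Horse-Battery-1", "Tulip-Lantern-Harbor-9"))
```

The per-user design deliberately cannot tell whether two different employees share a password; that cross-account comparison is exactly what requires the centralized vault the text warns about, so the breach-corpus check is the privacy-preserving substitute for most of its value.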
The simpler policy is to mandate single sign-on in your enterprise’s network. In this scheme, employees log in once through a single authentication portal to access their role-related assets. Extra logins would only be necessary if employees need to log into assets normally outside their purview or to work with sensitive data. In the set-up for this scheme, your IT security team could mandate distinctly individual passwords from employees, ensuring no repeated passwords. Effectively, you can kill two birds with one stone.
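The "log in once, extra login only for sensitive assets" scheme above is step-up authentication on top of a single session. As an added example that is not part of the original article, the block below models it: the portal issues one signed session token carrying the user's roles, the assurance level of the login (password only, or password plus second factor) and the authentication time, and each asset's policy decides between allow, deny, and step-up. The signing key, resources, roles and the 300-second freshness window are constructed assumptions; a production deployment would use SAML or OpenID Connect rather than this hand-rolled token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical symmetric signing key held only by the SSO portal (constructed for the example).
SSO_KEY = b"example-only-sso-signing-key"

AAL_PASSWORD = 1   # assurance level: password only
AAL_MFA = 2        # assurance level: password + second factor


def _sign(payload: bytes) -> str:
    return hmac.new(SSO_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user: str, roles: list, aal: int, now: Optional[float] = None) -> str:
    """One login at the portal yields one token: who, which roles, how strongly, and when."""
    body = {"sub": user, "roles": roles, "aal": aal, "auth_time": now if now is not None else time.time()}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)


def parse_session(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None."""
    payload_b64, _, sig = token.rpartition(".")
    payload = payload_b64.encode()
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


# Assumed per-asset policy: roles allowed, assurance level required, and how recently the
# user must have authenticated (None = any time within the session).
RESOURCES = {
    "wiki":           {"roles": {"staff"},   "aal": AAL_PASSWORD, "max_auth_age": None},
    "payroll-export": {"roles": {"finance"}, "aal": AAL_MFA,      "max_auth_age": 300},
}


def authorize(token: str, resource: str, now: float) -> str:
    """'allow', 'deny', or 'step-up' (the user must re-authenticate, more strongly or more recently)."""
    claims = parse_session(token)
    if claims is None:
        return "deny"
    policy = RESOURCES[resource]
    if not policy["roles"] & set(claims["roles"]):
        return "deny"                      # role never permits this asset; no login would help
    if claims["aal"] < policy["aal"]:
        return "step-up"                   # sensitive asset: demand the second factor
    max_age = policy["max_auth_age"]
    if max_age is not None and now - claims["auth_time"] > max_age:
        return "step-up"                   # strong enough, but too long ago
    return "allow"


if __name__ == "__main__":
    tok = issue_session("bob", ["staff", "finance"], AAL_PASSWORD, now=1000.0)
    print(authorize(tok, "wiki", 1100.0), authorize(tok, "payroll-export", 1100.0))
```

Separating "deny" from "step-up" matters operationally: the portal should only prompt for another login when a stronger or fresher one could actually succeed, otherwise employees learn to treat every prompt as noise.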
Clarify When Credentials Can Be Given Out
In order to fight against phishing attacks, you need to set up policies to protect identities in your digital workplaces relating to when identity credential information can be given out.
Something about the internet makes users inherently trust what they are told. Phishing attacks and social engineering take advantage of this trust. They pose as your banks, partners, vendors, or even as other departments trying to obtain precious login information. Phishing attacks are popular for a reason—they are overwhelmingly successful and employees are largely ignorant of cybersecurity best practices to recognize them.
Therefore, make the policies to protect identities in your digital workplaces clear from the start. Write out and communicate when employees can give out their credentials, to whom, in what circumstances, and by what means. Teach them how to recognize suspicious credential requests via email, who to communicate a possible phishing attack to, and what to do if they believe their credentials might be in danger.
Update Your Network Components
Updating your applications, devices, and identity and access management solutions must be among your regular policies to protect identities in your digital workplaces. Allowing security updates to stagnate will create security holes through which hackers can enter your network and steal credentials easily.
If you allow your systems and tools to become legacies, you allow your enterprise to become vulnerable.
Therefore, for all of your work-related applications and devices (including BYOD devices that connect to your network) mandate regular updates. Have your IT security team make a calendar of upcoming updates so it can schedule exclusive update days (or nights). These short-term and controlled delays in productivity can be vital to preventing identities from slipping through the cracks…and preventing unintentional downtime.
Mandate Access Evaluations
This is the most technical of our recommended policies to protect identities in your digital workplaces, but perhaps the most vital.
Via onboarding, employees are given their own set of entitlements to perform their role. As they move through special projects, role changes and promotions, those permissions might grow or change. However, without adequate identity governance and administration, employees will experience access creep: their digital permissions will grow disproportionately to their role. This absence of proper provisioning will make your employees’ credentials highly lucrative targets that could cause massive damage in the wrong hands.
Your IT security team needs to regularly conduct access evaluations on each of your employees to make sure they only have as many permissions and entitlements as they need to conduct their business (following the principle of least privilege). Furthermore, it should be a set internal policy that employees have their permissions changed permanently upon a role change or promotion. Additionally, permissions given for special projects should be removed within a few hours of being assigned.
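As an added example that is not part of the original article, the block below turns the three rules just stated into an access evaluation: every live grant is compared with the role's baseline, anything left over from a previous role is flagged as access creep, project grants carry an expiry and are flagged once it passes, and a role change replaces the role grants wholesale instead of adding to them. The role baselines, entitlement names, employee and the four-hour project window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed role baselines: the entitlements each role legitimately needs.
ROLE_BASELINES = {
    "analyst":  {"crm:read", "reports:read"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
}

PROJECT_GRANT_TTL = timedelta(hours=4)   # assumed value for "within a few hours"


@dataclass
class Grant:
    entitlement: str
    reason: str                             # "role" or "project"
    granted_at: datetime
    expires_at: Optional[datetime] = None   # only project grants carry an expiry


@dataclass
class Employee:
    name: str
    role: str
    grants: list = field(default_factory=list)


def review_access(emp: Employee, now: datetime) -> dict:
    """Compare live grants with the role baseline.

    Returns the entitlements to keep, the ones to revoke (expired project access or
    role access that no longer matches the role) and any baseline entitlement missing."""
    baseline = ROLE_BASELINES[emp.role]
    keep, revoke = set(), set()
    for g in emp.grants:
        if g.expires_at is not None and now >= g.expires_at:
            revoke.add(g.entitlement)       # project access that outlived its window
        elif g.reason == "role" and g.entitlement not in baseline:
            revoke.add(g.entitlement)       # left over from an earlier role: access creep
        else:
            keep.add(g.entitlement)
    return {"keep": keep, "revoke": revoke, "missing": baseline - keep}


def grant_project_access(emp: Employee, entitlement: str, now: datetime) -> None:
    """Special-project access is always time-bound; there is no open-ended form of it."""
    emp.grants.append(Grant(entitlement, "project", now, now + PROJECT_GRANT_TTL))


def change_role(emp: Employee, new_role: str, now: datetime) -> None:
    """On promotion or role change, drop the old role grants and issue the new baseline."""
    emp.grants = [g for g in emp.grants if g.reason != "role"]
    for entitlement in ROLE_BASELINES[new_role]:
        emp.grants.append(Grant(entitlement, "role", now))
    emp.role = new_role


def apply_review(emp: Employee, now: datetime) -> set:
    """Remove everything the review flagged; return what was revoked."""
    result = review_access(emp, now)
    emp.grants = [g for g in emp.grants if g.entitlement not in result["revoke"]]
    return result["revoke"]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0)
    # Constructed case: promoted analyst -> engineer, old analyst grants never removed.
    dana = Employee("dana", "engineer", [
        Grant("crm:read", "role", now - timedelta(days=400)),
        Grant("reports:read", "role", now - timedelta(days=400)),
        Grant("repo:read", "role", now - timedelta(days=30)),
        Grant("repo:write", "role", now - timedelta(days=30)),
        Grant("ci:run", "role", now - timedelta(days=30)),
    ])
    print(review_access(dana, now))
```

Keeping the reason and expiry on each grant is what makes the review mechanical: without them the reviewer has to ask every manager why every entitlement exists, which is how these evaluations end up rubber-stamped.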
Identity governance and administration has to be among your policies to protect identities in your digital workplaces. The alternative is quite bleak.