Web
Analytics Made Easy - StatCounter

By Corien Vermaak – Cyber Security Specialist, Cisco

Recent research shows that some of the traditional threats and concerns such as denial of service and Cloud Service Providers data loss have over the last few years been addressed by industry and were now rated so low they have been excluded from the top ten threats to your Cloud dream. In the 22nd Annual Global CEO Survey published by PWC, released early 2019, cyber threats were identified as the fifth largest threat to global growth.

When we look at the threats on Cloud more specifically the Cloud Security Alliance has played a crucial role in researching this topic. Based on their research one of the top 5 security issues that I would like to discuss in this article is that of Insufficient Identity, Credential, Access and Key Management. This certainly is a wider topic than just identity and access management however for my purpose I would like to focus on that portion of this problem statement.

If we look at Identity Access Management (IAM) we could start as early as 1960s, when Fernando Corbato invented the first computer password. However, in the modern era of identity and access management that we know was a creation by Lightweight Directory Access Protocol (LDAP) in the early 1990 thus this is not nearly a new concept in IT. However it seems that this is the heat within your control causing evaporation of the Cloud dream. This insufficient IAM is listed as the 4th largest threat to Cloud and the only threat in the top 5 that is within the customers (your) control versus the Cloud Service Provider. The Verizon Data Breach report of 2017 found that 81% of breaches leverage weak or stolen passwords thus again this issue is not new if we look at the date of this report.

Based on the above it goes without saying security incidents and data breaches can occur due to inadequate protection of credentials; a lack of scalable and Cloud-friendly identity, credential, and access management systems and/or access brokers; a failure to use multifactor authentication; and failure to use strong passwords. So the above in itself becomes the advice on addressing this evaporation threat.

I would like to focus on the 3 main areas to resolve the issue at hand – but where does one start? I want to address the process and or policy portion of the age-old security triad of people, process and technology. I think it generally is accepted that a password should be in excess of 8 characters including both lower and upper case alphabets, a numerical value and a character. In recent years, there is a growing trend towards more secure password policies which state that there be more characters and be non-sequential. The password conundrum however is that length trumps complexity and passphrases are becoming a recognizable term in the industry.

Most formalised policies also address user behaviour, rotation intervals and consequences of reckless behaviour with regards to passwords. Another important fact to keep in mind when considering passwords is the responsible use of password vaults, as well as the futuristic approach of single use passwords. We are however still bound by our user base and system limitations and mandated to ensure user frustration is kept to a minimum, meaning that there needs to be a balance in place when policing passwords.

The second focus area is one that goes hand in hand with password management, and that being Multi Factor Authentication (MFA/2FA). Multi factor authentication has come a long way since they were first introduced, people today have the ability to use biometric identification from mobile operating interfaces, generate OTP’s in a matter of seconds, etc.

Finally, we look at the principal of logical identity management, this one probably is the most concerning as most IT departments cannot definitively identify all the employees on their network. For more than 10 years the industry has agreed that there are certain critical controls that need to lie within IT security. These controls allowed access based on the processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications.

Yet, over time these controls are now no longer solely in the hands of the IT department, and that practices like Shadow IT and BYOD (Bring your own device) have led to an increasing number of data breaches. The only way around it is that most organisations should now be moving towards a Zero trust architecture where employees have limited of no access to critical systems, applications and information unless they meet the trust requirement.

If an organisation focus on the three mentioned areas, and implements practices that helps them understand their risks and they adopt remediation plans for such risks, most risks become improbable.