Perspectives on Securing Enterprise Identities

February 24, 2016 by Dan Ritari, Principal Cybersecurity Architect

There are many different opinions regarding the right level of credential security for an organization. Depending on someone’s role, they might view security as anywhere from the most important to the least important aspect of their environment. Their perception of the importance of security can also be influenced by whether or not they have experienced a breach.

Securing an organization’s access to data and applications can be compared to home security. Suppose a family had an intruder kick in the front door and steal their belongings. Their solution might be to go out and purchase a bulletproof steel door with locking pins on all four corners. While this will surely prevent the front door from being kicked in again, it doesn’t necessarily secure the house.

The door they purchased is so complex and tedious to lock that, over time, people tend to leave it unlocked. Everyone assumes it is secure, so no one checks to see whether it is still locked. At this point the bad guys can simply walk in without any resistance, and the family is oblivious to the intrusion because the door sustained no damage. Another scenario is that the front door is left securely locked, but the family starts using the back door, with a simple key that they leave hidden in a flowerpot on the porch. Even though this family invested a great deal in protecting their home, it is more vulnerable than ever. This happens in businesses and other organizations as well. Sometimes solutions are implemented to address a specific problem and then never looked at again, and the overall security is not addressed.

Any security spend should be weighed against how it will affect your overall security maturity and risk tolerance. A good security program has to be built on a solid foundation not only of technology, but also of policies and procedures that are implemented, monitored, and enforced. Like the bulletproof front door, if it is not locked, all it does is give the appearance of security.

The elements of a solid security plan are based on what you are trying to protect and the level of acceptable risk. If it is a commodity type item that has a low market value, then the appropriate level of security is low. You might not need a lock on your garden hose or outdoor faucet. If you are protecting the keys to your entire infrastructure, then a much higher level of security should be implemented, just as you would protect your life savings and valuable jewelry.

One of the leading vulnerabilities of high-value targets is credential misuse and/or theft. This is not a new issue; credential misuse has been around since long before computers were invented. Credential theft/misuse is an ongoing problem in most of the world today. In the technology arena we have seen everything from ransomware to data theft attributed to credential theft or misuse. Almost all technology stacks are vulnerable to it in some form or fashion, whether it’s through social navigation (e.g., blackmail) or through administrator privilege escalation. There is not a single, simple solution to prevent credential theft or misuse in an enterprise today. As in the house example, as soon as you secure one door, an alternative route is found.

However, a lot of these vulnerabilities could be mitigated with strong administrator hygiene, multifactor authentication for anyone above end-user privileges, and dedicated machines for administrators with critical access requirements that are used only for administration and no other duties. Sometimes it is appropriate to implement technology that will automatically lock a door every time someone goes through it, so it is impossible to leave it unlocked. Another possibility is to secure the highest administrator access with one-time-use passwords for critical situations that automatically raise a flag with upper management if they are used. This eliminates the temptation for the administrator to justify use of the highest-level password for non-critical issues, and provides instant visibility if the credentials are stolen or compromised.
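A sketch of the one-time-use, flag-on-use administrator password described above, as an added example rather than code from the original post. The `BreakGlassVault` class, its `notify` hook and the sample names are hypothetical; the alert channel is assumed to be supplied by the caller.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class BreakGlassVault:
    """One-time-use credential for the highest-privilege account."""

    def __init__(self, notify):
        self._notify = notify   # assumed hook: delivers the alert to management
        self._digest = None     # only a hash of the sealed password is kept
        self.audit = []         # record of every attempt, granted or denied

    def seal(self):
        """Generate a fresh password; the caller stores it offline."""
        password = secrets.token_urlsafe(24)
        # High-entropy random value, so a plain SHA-256 digest is sufficient.
        self._digest = hashlib.sha256(password.encode()).digest()
        return password

    def use(self, who, reason, password):
        """Validate one use. Every attempt raises the flag, success or not."""
        presented = hashlib.sha256(password.encode()).digest()
        ok = self._digest is not None and hmac.compare_digest(presented, self._digest)
        if ok:
            self._digest = None  # burn it: replaying the same value now fails
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "who": who,
            "reason": reason,
            "result": "granted" if ok else "denied",
        }
        self.audit.append(event)
        self._notify(event)
        return ok


def demo():
    """Constructed scenario: one legitimate use, then a replay of the same value."""
    alerts = []
    vault = BreakGlassVault(notify=alerts.append)
    pw = vault.seal()
    first = vault.use("admin-a", "domain controller outage", pw)
    replay = vault.use("unknown", "", pw)
    return first, replay, [a["result"] for a in alerts]


if __name__ == "__main__":
    print(demo())
```

Because the alert fires on denied attempts as well, a stolen or guessed value is visible to management even when it no longer works.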

There are no one-size-fits-all solutions in the world of technology security today, but a strong basic foundation of policies and procedures that are appropriate to the level of risk is a good basis for them all. The bottom line is, even the strongest security solutions can be compromised by simple mistakes that will happen if training is lacking or policies and procedures are not firmly and consistently enforced. Management both inside and outside the security unit needs to regularly monitor and enforce the usage of all security practices that have been implemented.

The 2016 RSA Conference is quickly approaching, where most of the current and cutting-edge security tools will be examined and discussed. But no matter how sophisticated or advanced, tools are just tools unless they are implemented in a secure environment along with a repeatable process to monitor and ensure that they are being used as designed. Check back in early March for takeaways from the conference.