A Contributed Article by Jamie Manuel, Identity and Access Management analyst for Quest Software (now part of Dell)
There are many theories on the origin of "Halloween", tracing it back to various religions and folklore from centuries ago. Many of them evolved into today's fun practice of putting on a disguise and going from door to door. Unfortunately, in the world of IT, putting on a disguise in order to gain access to information is no laughing matter. And because we live in a cloud and virtualized world, this is more important now than ever: breaches of sensitive information are no longer limited to traditional methods such as physical social-engineering tactics; the advent of cloud services and managed cloud applications brings additional concerns. Today being Halloween, I thought I'd have a little fun with the theme of the day to explore the horrors that may be skulking in the IT shadows and how to trick them, so they don't get your treats.
For our first analogy of how fright and tech overlap, let's have a look at Dracula, the blood-sucking vampire. Dracula is often portrayed as the romantic who can charm the ladies like no other (he's had centuries to perfect his craft). Once their guard is lowered, he moves in for the kill. IT security professionals must always be on the lookout for such behavior. That free pumpkin spice latte from an end user might easily be followed by the phrase, "Hey, can you do me a favor?" Before we know it, Dracula is requesting access to a file share, application or service, a request that should go through a proper access request system instead of off the record. But hey, he was so nice and charming. Sadly, in this case the blood is the life force of your organization, and it can be anything from private customer information to intellectual property or inside information.
The lesson here: tell Dracula thanks for the latte, but stick with the access request portal, because there his request will go to the appropriate approver and be logged for future audits. It's also a good, and often mandatory, practice to perform certification checks on a regular basis to verify that only those who need the access have it, and no one else.
Ghosts are one of the most common ghouls to watch out for on Halloween, and in the world of IT they are around all year. They lurk quietly, watching your end users while patiently waiting for them to slip up and leave an opening for access. It's often an easy mistake to make: something as simple as clicking a link in an innocent-looking email, or leaving a password written on a post-it note stuck to the wall next to the monitor. In the case of managed cloud apps that can be accessed from outside your environment, proper password practice becomes very important. Once the ghosts are in, they are in, and they can do a lot of damage because they look just like your end user.
The lesson we can take away from this is, first, to ensure that our end users only have the access they need to do their jobs and nothing more, making them less of a target. More importantly, a two-factor authentication system can help ensure that no ghosts are pretending to be someone they are not.
Zombies are 'all the rage' these days, and I suspect we will see loads of kids dressed up as Zombies at your front door this evening. 'The Walking Dead', as they are often called (intentional props to one of my favorite shows on TV), are just that: dead. In the world of IT, these could just as easily refer to those employees who have left the company, or possibly even just the department, yet still have an active identity in the system. This is especially scary when you have teams leveraging external cloud apps to share files outside of your network. When someone leaves who was accessing files on a cloud collaboration service, deprovisioning them from the network likely won't cover the cloud app if its access is managed separately from the network.
You wouldn't let a bunch of Zombies walk around your workplace, so why let a bunch of terminated employees continue to walk around behind the scenes of your network? The lesson here: perform regular attestation checks to ensure that the "dead" are in fact dead and have been deprovisioned from your network.
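The certification checks from the Dracula lesson and the attestation checks from the Zombie lesson both boil down to the same reconciliation: compare the HR roster (who still works here) against every system that holds an account, including cloud apps provisioned separately from the directory. The Python below is an added example for this article, not Quest or Dell code; the roster, account lists, review date and people are all constructed sample data. It flags enabled accounts whose owner HR marks as terminated (zombies), enabled accounts with no HR record at all (orphans that nobody can attest to), and builds a per-department worklist so each owner can certify who still needs what.

```python
"""Reconcile HR status with directory and cloud-app accounts.

Flags "zombies" (enabled accounts whose owner has left) and "orphans"
(enabled accounts with no HR record), and builds a per-department
certification worklist. All identities, systems and dates below are
constructed sample data for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: the authoritative source for who still works here.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "terminated", "dept": "finance", "term_date": date(2012, 9, 30)},
    "carol": {"status": "active", "dept": "engineering"},
    "dave": {"status": "terminated", "dept": "engineering", "term_date": date(2012, 10, 15)},
}

# Constructed account lists: username -> account enabled?
DIRECTORY_ACCOUNTS = {
    "alice": True,
    "bob": False,   # correctly disabled when bob left
    "carol": True,
    "dave": True,   # never disabled: a zombie in the directory
}

# A cloud collaboration app provisioned separately from the directory,
# so disabling the directory account did not touch it.
CLOUD_APP_ACCOUNTS = {
    "alice": True,
    "bob": True,    # zombie: disabled in the directory, still active here
    "carol": True,
    "eve": True,    # orphan: no HR record, so nobody can attest to it
}

# Constructed date of this attestation run.
REVIEW_DATE = date(2012, 10, 31)


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str


def find_zombies(hr, systems, today=REVIEW_DATE):
    """Return a Finding for every enabled account that HR says should not exist.

    `systems` maps a system name to its {username: enabled} account list.
    """
    findings = []
    for system_name, accounts in systems.items():
        for user, enabled in accounts.items():
            if not enabled:
                continue  # already deprovisioned in this system
            record = hr.get(user)
            if record is None:
                findings.append(Finding(user, system_name, "no HR record (orphan account)"))
            elif record["status"] == "terminated":
                days = (today - record["term_date"]).days
                findings.append(Finding(user, system_name,
                                        f"terminated {days} days ago, account still enabled"))
    return findings


def certification_worklist(hr, systems):
    """Group every active employee's enabled accounts by department.

    Each department owner receives their people and the systems they hold
    access to, and certifies (or revokes) each entry.
    """
    worklist = {}
    for user, record in hr.items():
        if record["status"] != "active":
            continue
        held = [name for name, accounts in systems.items() if accounts.get(user)]
        worklist.setdefault(record["dept"], {})[user] = held
    return worklist


if __name__ == "__main__":
    systems = {"directory": DIRECTORY_ACCOUNTS, "cloud_app": CLOUD_APP_ACCOUNTS}
    for finding in find_zombies(HR_ROSTER, systems):
        print(f"[{finding.system}] {finding.user}: {finding.reason}")
    for dept, people in certification_worklist(HR_ROSTER, systems).items():
        print(f"certify {dept}: {people}")
```

On the constructed data the run reports dave still enabled in the directory, bob still enabled in the cloud app even though his directory account was disabled, and eve as an orphan in the cloud app. The point of keying everything on the HR roster is that a directory-only deprovisioning step never sees the cloud app; the reconciliation has to iterate over every system that holds accounts.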
So if you are dealing with any of the above ghouls, or perhaps making do with an old Frankenstein framework to address your identity and access management challenges, you need to research the options out there. The first step is to identify which ghouls you are dealing with, identify your top risks and priorities, and then make a plan from there. So today, on Halloween, have some candy and laughs, but I strongly suggest you start with something like reviewing your network identities to make certain you don't have any Zombies lurking around your office!
About Jamie Manuel
As an Identity and Access Management analyst for Quest Software (now part of Dell), Jamie is responsible for identifying market trends and research to drive the go-to-market plans in the identity and access management portfolio. Prior to joining Quest, he worked on product support and management teams for a leading consumer-based software manufacturer. Jamie has over eight years of experience in the software industry and is based in Ottawa, Canada.