Identity and access management is a key security measure businesses simply have to take, particularly in the digital era, where cloud identities create new security risks for the organisation.
The key to successfully securing your organisation lies in implementing practical tools and processes that keep the business safe and prevent problems from occurring, rather than having to deal with difficult situations, such as breaches, after the fact.
According to Patrick Assheton-Smith, CEO at Symbiosys IT, a critical first step in such an approach is securing the identities of employees, contractors and even customers who consume services on your systems. There are, he adds, two aspects to achieving this.
“The first lies with Microsoft Active Directory, a solution that most organisations – even those that are not Microsoft-focused – rely on to one extent or another. After all, most companies utilise at least some Microsoft services, and most of these require Active Directory,” he explains.
He points out, however, that most people are unaware that Active Directory deployed straight from the box is not always as secure as a business might need it to be.
“That is not to say it can’t be made secure, generally through the Enterprise Access Model that Microsoft recommends and that supersedes the Tiered Administration model. This creates zones within Active Directory, making it tougher for criminals to steal corporate credentials and commit other nefarious acts. Additional security around this is vital, as credential theft is becoming increasingly prevalent, often as a first step towards introducing ransomware into the organisation.”
“Following on from this, it bears remembering that the more identity repositories you have, the more authentication challenges may arise. Therefore, federating access via a single username and password, with the correct management and governance around it, can help eliminate the ‘silo effect’ created by multiple repositories.”
A final challenge with Active Directory, he notes, is insecure protocols, since the system and the protocols underpinning it have been around for a long time. If a company fails to switch off the older protocols and implement the newer ones, it can create significant security issues.
The second security aspect Assheton-Smith highlights is that it is critical to have an effective identity and access management (IDAM) solution.
“Your IDAM strategy needs to focus beyond merely the joiner/mover/leaver process, and standard object lifecycle management on-premise within the network and Active Directory. Instead, it needs to take into account how to manage cloud identities – the last thing you want is old identities lying around in a SaaS system in some corner of the Net, which may be logged into remotely by an old employee intent on causing mischief.”
“In the IDAM space, Symbiosys makes use of One Identity, an IDAM provider that has interesting solutions in its portfolio. These include a product that has data governance bundled with it, enabling online attestation as part of the solution.”
Attestation, he continues, was always a manual process in the past, but as part of the digital IDAM solution, tends to be far more accurate and effective than the manual option. The process governing it ensures that the attestation is done properly, as opposed to simply being a document signed off quickly with little oversight, because the business was under pressure to get it back to the auditors. In the past, states Assheton-Smith, the manual approach probably led to many instances where the job was not done as well as it should have been. The One Identity solution eliminates this challenge.
“Another key offering from One Identity is Active Roles, which enables businesses to take out-of-band management and wrap a layer of governance around this, thereby ensuring that data that does go into the IDAM system is clean and consistent,” he says, adding that there is nothing else quite like it available today.
Assheton-Smith takes as an example a situation where a user or service account must be created. In such an instance, he says, Symbiosys can specify various rules around how this can be done, such as creating a user only on the basis of a ticket, or requiring that the telephone number be filled in and be exactly 10 digits long.
“With such rules in place, you are able to rest assured that you are implementing good data hygiene.”
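The kind of pre-provisioning rule check described above, written as an added Python example rather than Symbiosys's or One Identity's own code: the field names, the ticket format and the svc- prefix rule for service accounts are assumptions made for the illustration, and the sample requests are constructed.

```python
import re

# Rules modelled on the article: create only against a ticket, telephone must be present
# and exactly 10 digits. Field names, ticket format and the svc- prefix rule are
# assumptions for this example, not One Identity's or Symbiosys's schema.
REQUIRED_FIELDS = ("account_name", "account_type", "ticket", "telephone", "owner")
TICKET_RE = re.compile(r"^[A-Z]{2,8}-\d{1,8}$")   # e.g. ITSM-1234 (assumed format)
PHONE_RE = re.compile(r"^\d{10}$")

def normalise_phone(raw):
    """Drop spaces, dots, dashes and brackets so equivalent numbers are stored consistently."""
    return re.sub(r"[\s().-]", "", raw or "")

def validate_request(req):
    """Return a list of rule violations; an empty list means the request may be provisioned."""
    violations = []
    for f in REQUIRED_FIELDS:
        if not str(req.get(f, "")).strip():
            violations.append(f"{f}: must be filled in")
    ticket = req.get("ticket", "")
    if ticket and not TICKET_RE.match(ticket):
        violations.append("ticket: must reference a ticket such as ITSM-1234")
    phone = normalise_phone(req.get("telephone", ""))
    if phone and not PHONE_RE.match(phone):
        violations.append("telephone: must be exactly 10 digits")
    acct_type = req.get("account_type")
    if acct_type not in ("user", "service"):
        violations.append("account_type: must be 'user' or 'service'")
    if acct_type == "service" and not str(req.get("account_name", "")).startswith("svc-"):
        violations.append("account_name: service accounts must use the svc- prefix")
    return violations

def clean_record(req):
    """Return the normalised record to hand to the IDAM system, or None if any rule fails."""
    if validate_request(req):
        return None
    record = dict(req)
    record["telephone"] = normalise_phone(req["telephone"])
    return record

# Constructed sample requests (not real accounts or numbers).
GOOD_REQUEST = {"account_name": "jdoe", "account_type": "user", "ticket": "ITSM-1234",
                "telephone": "021 555 0100", "owner": "hr.manager"}
BAD_REQUEST = {"account_name": "svc_backup", "account_type": "service",
               "ticket": "asked by Bob", "telephone": "555 0100"}   # owner missing

if __name__ == "__main__":
    print(validate_request(GOOD_REQUEST))   # []
    for v in validate_request(BAD_REQUEST):
        print("REJECT:", v)
```

Because the gate runs before anything is written, a malformed request is rejected whole rather than landing in the directory as a half-populated object that attestation later has to explain.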
“Ultimately, security around IDAM, infrastructure and the network begins with a solid foundational design for the systems you are building and protecting. You can put as much protection around the system as you like, but if there is a fundamental design flaw in the system – from a security point of view – it will be the equivalent of putting a plaster on a wound that won’t heal.
“What you really need is to heal the problem in the heart of the system. This is a process of building out the layers, starting with a solid foundational design, and this is where experts like ourselves come to the fore,” he concludes.
Symbiosys IT is a technology solutions provider with its head office located in the Western Cape in South Africa, and its European office in London in the United Kingdom.
Call +27 (0) 83 262 0819 or visit www.symbiosys.it
Contact information
CEO of Symbiosys IT, Patrick Assheton-Smith