Identity and Access Management Solutions: Automating Cybersecurity While Embedding Pervasive and Ubiquitous Cyber-Hygiene-by-Design
December 2016
Authors
James Scott (Senior Fellow, Institute for Critical Infrastructure Technology)
Drew Spaniel (Researcher, Institute for Critical Infrastructure Technology)
Copyright © 2016 Institute for Critical Infrastructure Technology – All Rights Reserved
Upcoming Event
Learn More about Identity & Access Management at the 2017 ICIT Winter
Summit.
Registration is Now Open – www.ICITWinterSummit.org
Introduction
Cyber-hygiene is the collection of behaviors and best practices that ensure responsible decision-making,
accountable actions, and continuous security (in terms of confidentiality, availability, and integrity),
throughout the daily routine of personnel and in the daily operation of systems and assets.
Unlike cybersecurity, which is predominantly a cooperative effort between individual personnel, the
organization, stakeholders, and associated third parties, cyber-hygiene is a measure of each distinct
individual.
Aspects of cyber-hygiene include, but are not limited to:
• minimization of online data leakage;
• curation of digital profiles;
• adherence to policies, procedures and guidelines;
• informed and intelligent decision making;
• avoidance of social engineering lures;
• reliance on complex and secure user credentials;
and many other sub-routines and behaviors that supersede any one daily activity.
Comprehensive cyber-hygiene requires every stakeholder to consider the implications of their every
action and to always act so as to optimize the cybersecurity posture of the organization
and to minimize the risk that an adversary will be able to harm the organization as a
result of the stakeholder's action.
Effective cyber-hygiene depends on every employee always acting intelligently and in response to the
hyper-evolving threat landscape. In short, comprehensive and effective cyber-hygiene can be daunting,
exhausting, and distracting, to personnel and stakeholders whose cybersecurity awareness and training
may already be limited and whose responsibilities within the organization may already demand their
entire attention.
As a result, many organizations either fail to implement cyber-hygiene programs or rely on undertrained
and underqualified personnel to bear the burden of cyber-hygiene.
In both cases, adversarial compromise and exploitation of the organization's critical assets is an
inevitable reality and is as easy as launching a social engineering attack which targets staff email lists.
An attacker needs only to compromise a single employee account or system in order to establish a
persistent presence on the network.
Employees ignore, or fail to adhere to, cyber-hygiene initiatives that impede productivity or that frustrate
the user due to over-complication, due to an over-abundance of steps or checks, or due to over-utilization
of attention, time, or other resources.
Cyberattacks depend on the pervasive negligence that results from failed cyber-hygiene policies, procedures,
and controls, which overwhelm personnel until they ignore or disregard the intelligent and informed actions and
behaviors that protect the employee and the organization from compromise.
Responsible organizations recognize the need to train personnel in cybersecurity best practices and in
cyber-hygienic behavior; however, not every organization recognizes its responsibility to streamline and
optimize cyber-hygiene efforts.
Cyber-hygiene and cybersecurity practices best protect the organization and its interests when they are
ubiquitous throughout the workforce, when they permeate the organizational culture, and when they
seamlessly integrate into systems to alleviate a portion of the burden on the workforce.
Identity and Access Management (IAM) solutions are fundamentally ubiquitous, culturally permeable,
and integrate into existing systems by necessity.
Identity and Access Management (IAM) solutions are an essential cornerstone of any cyber-hygiene
initiative because IAM solutions unburden personnel of a portion of cyber-hygiene responsibility by
automating digital identity verification, credential distributions, privilege management, authentication
mechanisms, authorization and access controls, cryptographic controls, auditing and reporting
mechanisms, and other services.
By securely automating these processes with an IAM solution, organizations gain holistic access controls,
user accountability, system auditability, and threat detection, and they weaken adversarial attack chains
that rely on compromising personnel whose cyber-hygiene is poor.
Access Controls
An incident occurs when an adversary or malware gains unauthorized access to a system.
Adversaries follow the path of least resistance into the system. In order to obfuscate malicious activity,
threat actors often employ social engineering and other attack vectors to compromise legitimate employee
system credentials, to obtain legitimate remote access credentials, or to leverage unmanaged third-party
access.
In 2015, 1 in 3 organizations was not cognizant of their current third-party access policies or contracts and
77% of information security professionals did not update third-party agreements or address third-party
cyber-hygiene and system access in response to the hyper-evolving cyber-threat landscape [1].
Users who fail to adhere to cyber-hygiene best practices are the weak link in enterprise cybersecurity.
Password-based security is an antiquated and inadequate defense against modern cyberattacks, data
breaches, and fraud. As of 2015, 77% of organizations had a password policy or standard and 59% of
organizations had a user/privilege access policy [1].
Nevertheless, obtaining privileged credentials remains a fundamental and often trivial step in the
typical attack cycle. Threat actors can even obtain compromised credentials on Deep Web markets and
forums. In a 2016 study, Forrester estimated that 80% of security breaches involved the use of
privileged credentials [2].
Identity and Access Management (IAM) solutions mitigate the risk of obsolete password-based access.
For instance, multi-factor authentication (MFA), an IAM subcomponent, adds a layer of security and of
access- and privilege-based control by requiring users to provide additional factors in order to
access corporate applications, networks, or servers.
MFA validates the user's identity through a combination of something the user knows (such as a username,
password, PIN, security question response, etc.); something the user possesses (such as a smartphone,
smart card, token, one-time passcode, etc.); and something the user is (biometrics such as
retina scans, voice recognition, gait analysis, etc.).
After OPM and other high-profile breaches, MFA adoption is rapidly advancing; however, many
organizations fail to realize that decisions to apply MFA only to certain applications, systems, or resources,
or only for certain users, leave the organization exposed.
Consistent and comprehensive authentication policies and applied technologies can eliminate the security
gaps that result from asymmetric user privileges and cyber-hygiene levels.
Organizations best mitigate cyberattacks at multiple points in the attack chain by requiring
MFA for every end-user, every privileged user, and every tertiary user (third parties, contractors,
etc.) and for every IT resource (applications, VPNs, endpoints, servers, cloud systems, etc.) [3].
Similarly, IAM solutions from trusted and reliable vendors can be integrated into existing systems to
improve employee productivity and to make cyber-hygiene seamless and ubiquitous, through services that
consolidate identities across applications and platforms, or that manage user authentication after a single
sign-on (SSO).
These services mitigate the risk of password reuse and user cyber-hygiene fatigue.
Adaptive authentication services enable organizations to adapt their security posture to the hyper-
evolving threat landscape through flexible, context-based policies that incorporate location, device
details, network characteristics, time of day, user attributes, and other deterministic factors.
Scalable IAM solutions from trusted vendors further protect organizations by securing cloud and on-site
applications, as well as mobile, BYOD, and remote-access devices [3].
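The three factor classes and the context signals listed above (location, device, network, time of day, user attributes) can be combined into one policy decision per access attempt. The following Python is an added example written for this page; it is not code from ICIT or from any IAM vendor the paper cites. The roles, resource sensitivity labels, risk weights and thresholds are assumptions chosen to illustrate the technique. It enforces the paper's point that MFA is the baseline for every user (employees, privileged users and third parties alike) and every resource, and layers adaptive step-up and outright denial on top of that baseline.

```python
"""Context-based (adaptive) authentication policy: MFA is mandatory for every
principal and every resource; context signals decide whether to step up or deny.
Constructed example; roles, resources, weights and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import time
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"     # password, PIN, security question
    POSSESSION = "something the user has"      # smart card, hardware token, phone OTP
    INHERENCE = "something the user is"        # fingerprint, retina, voice, gait


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                      # "employee", "privileged" or "third_party"
    known_devices: frozenset       # device ids enrolled in the (hypothetical) IAM directory
    home_countries: frozenset      # countries this principal normally works from


@dataclass(frozen=True)
class Context:
    device_id: str
    country: str
    network: str                   # "corp", "vpn" or "public"
    local_time: time


@dataclass(frozen=True)
class Decision:
    allow: bool                    # False means deny regardless of factors presented
    required_factors: frozenset    # factors the user must present for this attempt
    risk: int
    reasons: tuple


# Hypothetical resource catalogue: sensitivity label per resource (unknown = high).
RESOURCES = {"intranet-wiki": "low", "payroll-db": "high", "vpn-gateway": "high"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))
STEP_UP_AT, DENY_AT = 3, 7         # assumed thresholds for step-up and denial


def score_context(principal, resource, ctx):
    """Accumulate a risk score from the signals the policy inspects."""
    checks = [
        (ctx.device_id not in principal.known_devices, 2, "unknown device"),
        (ctx.country not in principal.home_countries, 3, "unusual country"),
        (ctx.network == "public", 1, "public network"),
        (not BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1], 1, "outside business hours"),
        (principal.role == "third_party", 2, "third-party principal"),
        (RESOURCES.get(resource, "high") == "high", 2, "high-sensitivity resource"),
    ]
    risk = sum(weight for hit, weight, _ in checks if hit)
    reasons = tuple(reason for hit, _, reason in checks if hit)
    return risk, reasons


def evaluate(principal, resource, ctx):
    """Baseline is two factors for everyone; risk adds a third factor or denies."""
    risk, reasons = score_context(principal, resource, ctx)
    required = {Factor.KNOWLEDGE, Factor.POSSESSION}
    if risk >= STEP_UP_AT:
        required.add(Factor.INHERENCE)
    return Decision(allow=risk < DENY_AT, required_factors=frozenset(required),
                    risk=risk, reasons=reasons)


def authenticate(principal, resource, ctx, presented):
    """Return (granted, decision): granted only if the policy allows the attempt
    and every required factor was actually presented."""
    decision = evaluate(principal, resource, ctx)
    granted = decision.allow and decision.required_factors <= frozenset(presented)
    return granted, decision


def context(device_id, country, network, hour):
    """Convenience constructor for a Context at the top of the given hour."""
    return Context(device_id, country, network, time(hour, 0))


if __name__ == "__main__":
    alice = Principal("alice", "employee", frozenset({"lt-0142"}), frozenset({"US"}))
    granted, d = authenticate(alice, "payroll-db", context("lt-0142", "US", "corp", 10),
                              {Factor.KNOWLEDGE, Factor.POSSESSION})
    print(granted, d.risk, sorted(f.name for f in d.required_factors), d.reasons)
```

The design point is that a password alone never satisfies the policy for any principal or resource, which is the asymmetry the paper warns about; the context score only ever raises the bar. The `reasons` tuple is returned so that the same decision can be written to the audit trail rather than discarded.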
User Accountability
IAM solutions validate a user's identity and thereby, establish an accountability chain that can be used to
track suspicious activity and preempt the evolution of incident to breach.
If an information security professional monitors for suspicious activity through analysis tools or
through access control rules (e.g. time-of-day restrictions), then a user account that violates them can be
flagged, monitored, and treated as either compromised or malicious.
With MFA, it is significantly more difficult, though not impossible, for threat actors to leverage
legitimate user accounts and credentials in an attack. In other cases, malicious insider threats can pose a
serious threat to organizations by compromising internal defenses, by compromising fellow personnel,
by exfiltrating data, by intentionally installing malware, by orchestrating cyber-kinetic lone-wolf attacks,
or by providing information to external threat actors, such as nation-state APTs.
For instance, in 2015, 72% of financial sector incidents could be traced to a current or former employee
[4]. IAM solutions, such as MFA, provide a mechanism to hold users legally responsible and to detect and
monitor active malicious activity.
System Auditability
IAM solutions can be used to establish context-based rules, to generate log information, and to enable the
organization to forensically trace an incident.
Information security professionals can use the information to improve incident response plans, to mitigate
system vulnerabilities, to monitor the cyber-hygiene of the personnel base, and to improve cybersecurity
awareness and training in response to the hyper-evolving threat landscape.
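As an added example for the User Accountability and System Auditability sections (not part of the original paper), the following Python runs detection rules over a small, constructed IAM audit log: a time-of-day rule for sensitive resources, a new-device rule, and a burst-of-failed-logins rule. It then labels flagged accounts for follow-up and produces the per-account timeline an incident responder would trace. The log lines, device registry, resource labels and thresholds are all constructed for the example and do not describe any real environment.

```python
"""Detection and forensic tracing over IAM audit events (constructed example)."""
import json
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample of IAM audit events as JSON lines (not real data).
AUDIT_LOG = """\
{"ts": "2016-12-05T09:12:03Z", "user": "alice", "event": "login", "result": "success", "mfa": true, "device": "lt-0142", "resource": "intranet-wiki"}
{"ts": "2016-12-05T23:41:10Z", "user": "bob", "event": "login", "result": "success", "mfa": true, "device": "lt-0077", "resource": "payroll-db"}
{"ts": "2016-12-05T23:43:55Z", "user": "bob", "event": "export", "result": "success", "mfa": true, "device": "lt-0077", "resource": "payroll-db"}
{"ts": "2016-12-06T03:02:11Z", "user": "carol", "event": "login", "result": "failure", "mfa": false, "device": "unk-9f", "resource": "vpn-gateway"}
{"ts": "2016-12-06T03:02:48Z", "user": "carol", "event": "login", "result": "failure", "mfa": false, "device": "unk-9f", "resource": "vpn-gateway"}
{"ts": "2016-12-06T03:03:30Z", "user": "carol", "event": "login", "result": "failure", "mfa": false, "device": "unk-9f", "resource": "vpn-gateway"}
{"ts": "2016-12-06T03:04:40Z", "user": "carol", "event": "login", "result": "success", "mfa": true, "device": "unk-9f", "resource": "vpn-gateway"}
"""

# Hypothetical device registry and resource sensitivity, as an IAM directory would hold them.
KNOWN_DEVICES = {"alice": {"lt-0142"}, "bob": {"lt-0077"}, "carol": {"lt-0311"}}
HIGH_SENSITIVITY = {"payroll-db", "vpn-gateway"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))          # assumed, in the log's timezone (UTC)
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)  # assumed thresholds


def parse_log(text):
    """Parse JSON-lines audit events and return them in chronological order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Map each user to the sorted list of rule names that fired on their events."""
    findings = defaultdict(set)
    failures = defaultdict(list)        # user -> timestamps of recent failed logins
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "success":
            if e["device"] not in KNOWN_DEVICES.get(user, set()):
                findings[user].add("NEW_DEVICE")
            if e["resource"] in HIGH_SENSITIVITY and not (
                    BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
                findings[user].add("OFF_HOURS_SENSITIVE_ACCESS")
        elif e["event"] == "login":
            # Sliding window: keep only failures within BURST_WINDOW of this one.
            window = [t for t in failures[user] if ts - t <= BURST_WINDOW] + [ts]
            failures[user] = window
            if len(window) >= BURST_COUNT:
                findings[user].add("LOGIN_FAILURE_BURST")
    return {u: sorted(r) for u, r in findings.items()}


def triage(findings):
    """Label each flagged account so the analyst knows which hypothesis to test first."""
    labels = {}
    for user, rules in findings.items():
        if "NEW_DEVICE" in rules and "LOGIN_FAILURE_BURST" in rules:
            labels[user] = "suspected credential compromise"
        elif "OFF_HOURS_SENSITIVE_ACCESS" in rules:
            labels[user] = "insider-activity review"
        else:
            labels[user] = "monitor"
    return labels


def trace(events, user):
    """Forensic timeline for one account: chronological (time, event, result, resource)."""
    return [(e["ts"].isoformat(), e["event"], e["result"], e["resource"])
            for e in events if e["user"] == user]


if __name__ == "__main__":
    evts = parse_log(AUDIT_LOG)
    found = detect(evts)
    for user, label in triage(found).items():
        print(user, found[user], "->", label)
        for row in trace(evts, user):
            print("   ", *row)
```

Because every event carries the authenticated identity, the same records serve both purposes the paper names: the rule output establishes accountability (which account, which device, when) and the `trace` timeline lets a responder reconstruct the incident after the fact. Bob's case shows why MFA alone does not settle the question: the factors were satisfied, so the finding is routed to insider review rather than treated as a stolen credential.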
Conclusion
Identity and Access Management solutions are a critical component of organizational cyber-hygiene and
cybersecurity initiatives because IAM solutions automate cyber-hygiene best practices, reduce user
fatigue, provide access controls, establish user accountability, institute system auditability, and enable
users to mitigate cyberattacks from unsophisticated actors (script kiddies, hacktivists, etc.) and to disrupt
and detect attacks from sophisticated attackers (informed malicious insiders, nation-state APTs, etc.).
Through the implementation of robust IAM solutions for all users, systems and networks, organizations
can realize virtually immediate improvements to their cybersecurity posture while reinforcing cyber-
hygiene best practices among personnel.
Sources
[1] "Bridging the Data Security Chasm: Assessing the Results of Protiviti's 2014 IT Security and Privacy Survey," Protiviti, 2015. [Online]. Available: http://resources.idgenterprise.com/original/AST-0135695_2014-IT-Security-Privacy-Survey-Protiviti.pdf. Accessed: Nov. 30, 2016.
[2] A. Cser, S. Balaouras, L. Koetzle, M. Maxim, S. Schiano, and P. Dostie, "Forrester Wave™: Privileged Identity Management, Q3 2016," Forrester, Jul. 2016. [Online]. Available: https://www.centrify.com/resources/centrify-leader-in-forrester-wave-pim-2016/. Accessed: Dec. 1, 2016.
[3] Centrify Corporation, Centrify, 2016. [Online]. Available: https://www.centrify.com/. Accessed: Dec. 3, 2016.
[4] "Global State of Information Security® Survey 2015," PwC, 2016. [Online]. Available: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html. Accessed: Dec. 3, 2016.

Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingGiuseppe De Simone
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentCIToolkit
 

Dernier (16)

Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
 
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic TraitsDigital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
Digital PR Summit - Leadership Lessons: Myths, Mistakes, & Toxic Traits
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
 
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem Resolution
 
The Final Activity in Project Management
The Final Activity in Project ManagementThe Final Activity in Project Management
The Final Activity in Project Management
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful Thinking
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light AssessmentFrom Red to Green: Enhancing Decision-Making with Traffic Light Assessment
From Red to Green: Enhancing Decision-Making with Traffic Light Assessment
 

Icit analysis-identity-access-management

Identity and Access Management Solutions: Automating Cybersecurity While Embedding Pervasive and Ubiquitous Cyber-Hygiene-by-Design

December 2016

Authors
James Scott, Senior Fellow, Institute for Critical Infrastructure Technology (ICIT)
Drew Spaniel, Researcher, Institute for Critical Infrastructure Technology (ICIT)

Copyright © 2016 Institute for Critical Infrastructure Technology – All Rights Reserved

Upcoming Event
Learn more about Identity & Access Management at the 2017 ICIT Winter Summit. Registration is now open – www.ICITWinterSummit.org
Introduction

Cyber-hygiene is the collection of behaviors and best practices that ensure responsible decision-making, accountable actions, and continuous security (in terms of confidentiality, availability, and integrity) throughout the daily routine of personnel and in the daily operation of systems and assets. Unlike cybersecurity, which is predominantly a cooperative effort between individual personnel, the organization, stakeholders, and associated third parties, cyber-hygiene is a metric of each distinct individual.

Aspects of cyber-hygiene include, but are not limited to:
• minimization of online data leakage;
• curation of digital profiles;
• adherence to policies, procedures and guidelines;
• informed and intelligent decision making;
• avoidance of social engineering lures;
• reliance on complex and secure user credentials;
and many other sub-routines and behaviors that supersede any one daily activity.

Comprehensive cyber-hygiene requires every stakeholder to consider the implications of their every action and to always act so as to optimize the cybersecurity posture of the organization and to minimize the risk that an adversary will be able to harm the organization as a result of the stakeholder's action. Effective cyber-hygiene depends on every employee always acting intelligently and in response to the hyper-evolving threat landscape. In short, comprehensive and effective cyber-hygiene can be daunting, exhausting, and distracting to personnel and stakeholders whose cybersecurity awareness and training may already be limited and whose responsibilities within the organization may already demand their entire attention. As a result, many organizations either fail to implement cyber-hygiene programs or rely on undertrained and underqualified personnel to bear the burden of cyber-hygiene.

In both cases, adversarial compromise and exploitation of the organization's critical assets is an inevitable reality and is as easy as launching a social engineering attack which targets staff email lists. An attacker needs only to compromise a single employee account or system in order to establish a persistent presence on the network. Employees ignore, or fail to adhere to, cyber-hygiene initiatives that impede productivity or that frustrate the user through over-complication, an over-abundance of steps or checks, or over-utilization of attention, time, or other resources. Cyberattacks depend on the prevalent negligence that results from failed cyber-hygiene policies, procedures, and controls: controls that overwhelm personnel until they ignore or disregard the intelligent and informed actions and behaviors that would protect the employee and the organization from compromise.
Responsible organizations recognize the need to train personnel in cybersecurity best practices and in cyber-hygienic behavior; however, not every organization recognizes its responsibility to streamline and optimize cyber-hygiene efforts. Cyber-hygiene and cybersecurity practices best protect the organization and its interests when they are ubiquitous throughout the workforce, when they permeate the organizational culture, and when they seamlessly integrate into systems to alleviate a portion of the burden on the workforce. Identity and Access Management (IAM) solutions are fundamentally ubiquitous, culturally permeable, and integrate into existing systems by necessity. IAM solutions are an essential cornerstone of any cyber-hygiene initiative because they unburden personnel of a portion of cyber-hygiene responsibility by automating digital identity verification, credential distribution, privilege management, authentication mechanisms, authorization and access controls, cryptographic controls, auditing and reporting mechanisms, and other services. By securely automating these processes with an IAM solution, organizations gain holistic access controls, user accountability, system auditability, and threat detection, and they weaken adversarial attack chains that rely on compromising personnel with poor cyber-hygiene.

Access Controls

An incident occurs when an adversary or malware gains unauthorized access to a system. Adversaries follow the path of least resistance into the system. In order to obfuscate malicious activity, threat actors often employ social engineering and other attack vectors to compromise legitimate employee system credentials, to obtain legitimate remote access credentials, or to leverage unmanaged third-party access. In 2015, 1 in 3 organizations was not cognizant of its current third-party access policies or contracts, and 77% of information security professionals did not update third-party agreements or address third-party cyber-hygiene and system access in response to the hyper-evolving cyber-threat landscape [1].

Users who fail to adhere to cyber-hygiene best practices are the weak link in enterprise cybersecurity. Password-based security is an antiquated and inadequate defense against modern cyberattacks, data breaches, and fraud. As of 2015, 77% of organizations had a password policy or standard and 59% of organizations had a user/privilege access policy [1]. Nevertheless, obtaining privileged credentials remains a fundamental and often trivial step in the typical attack cycle. Threat actors can even obtain compromised credentials on Deep Web markets and forums. In a 2016 study, Forrester estimated that 80% of security breaches involved the use of privileged credentials [2].

IAM solutions mitigate the risk of obsolete password-based access. For instance, multi-factor authentication (MFA), an IAM subcomponent, adds a layer of security and of access- and privilege-based control by requiring users to provide extra information or factors in order to access corporate applications, networks, or servers.
MFA validates the user identity through a combination of something the user knows (such as a username, password, PIN, security question response, etc.); something the user possesses (such as a smartphone, smart card, token, one-time passcode, etc.); and something characteristic of the user (biometrics, retina scans, voice recognition, gait analysis, etc.). After OPM and other high-profile breaches, MFA adoption is rapidly advancing; however, many organizations fail to realize that a decision to apply MFA only to certain applications, systems, or resources, or only for certain users, leaves the organization exposed. Instead, organizations can best mitigate cyberattacks at multiple points in the attack chain by requiring MFA for every end-user, every privileged user, and every tertiary user (such as third parties, contractors, etc.) and for every IT resource (applications, VPNs, endpoints, servers, cloud systems, etc.) [3]. Consistent and comprehensive authentication policies and applied technologies can eliminate the security gaps that result from asymmetric user privileges and cyber-hygiene levels.

Similarly, IAM solutions from trusted and reliable vendors can be integrated into existing systems to improve employee productivity and to make cyber-hygiene seamless and ubiquitous, through services that consolidate identities across applications and platforms, or that manage user authentication after a single sign-on (SSO). These services mitigate the risk of password reuse and of user cyber-hygiene fatigue. Adaptive authentication services enable organizations to adapt their security posture to the hyper-evolving threat landscape through flexible, context-based policies that incorporate location, device details, network characteristics, time of day, user attributes, and other deterministic factors. Scalable IAM solutions from trusted vendors further protect organizations by securing cloud and on-site applications, as well as mobile, BYOD, and remote-access devices [3].

User Accountability

IAM solutions validate a user's identity and thereby establish an accountability chain that can be used to track suspicious activity and to preempt an incident's escalation into a breach. If an information security professional monitors for suspicious activity through analysis tools or through access-control rules (e.g., time-of-day restrictions), then a user account that triggers them can be monitored and treated as either compromised or malicious. With MFA, it is significantly more difficult, though not impossible, for threat actors to leverage legitimate user accounts and credentials in an attack. In other cases, malicious insiders can pose a serious threat to organizations by compromising internal defenses, by compromising fellow personnel, by exfiltrating data, by intentionally installing malware, by orchestrating cyber-kinetic lone-wolf attacks, or by providing information to external threat actors, such as nation-state APTs. For instance, in 2015, 72% of financial-sector incidents could be traced to a current or former employee [4]. IAM solutions such as MFA provide a mechanism to hold users legally responsible or to detect and monitor active malicious activity.
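The adaptive-authentication policy described above (context-based rules over device, network, location, time of day and resource, with MFA required for every user and every resource) and the account monitoring it feeds, as an added example that is not ICIT's or any IAM vendor's code; the factor names, risk signals, resource classes and thresholds are assumptions made for illustration:

```python
# Added example (not ICIT's or any vendor's code); factor names, signals,
# resource classes and thresholds below are assumptions for illustration.
from collections import Counter
from dataclasses import dataclass

# The paper's three factor classes: knows / has / is.
FACTOR_CLASS = {"password": "knows", "pin": "knows", "otp": "has",
                "smartcard": "has", "fingerprint": "is", "voice": "is"}
PRIVILEGED = {"hr-db", "admin-console"}        # assumed resource classes
HOME_COUNTRY, WORK_HOURS = "US", range(7, 20)  # assumed baseline context

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    factors: tuple          # factors already verified, e.g. ("password", "otp")
    known_device: bool      # device previously enrolled for this user
    corporate_network: bool
    country: str
    hour: int               # local hour of day, 0-23

def risk_signals(req):
    """Context-based signals: device, network, location, time, resource."""
    checks = {"unknown_device": not req.known_device,
              "off_network": not req.corporate_network,
              "foreign_geo": req.country != HOME_COUNTRY,
              "off_hours": req.hour not in WORK_HOURS,
              "privileged_resource": req.resource in PRIVILEGED}
    return [name for name, hit in checks.items() if hit]

def decide(req):
    """Evaluate one request and return a structured audit record. MFA means
    two distinct factor classes and is required for every user and resource."""
    classes = {FACTOR_CLASS[f] for f in req.factors if f in FACTOR_CLASS}
    signals = risk_signals(req)
    if len(classes) < 2:
        decision = "step_up"    # ask for a factor from another class
    elif len(signals) >= 3:
        decision = "deny"       # too anomalous even with MFA
    else:
        decision = "allow"
    return {"user": req.user, "resource": req.resource, "hour": req.hour,
            "factors": list(req.factors), "signals": signals, "decision": decision}

def flag_accounts(records):
    """Accounts to treat as compromised or malicious: any denial, or
    repeated off-hours access to a privileged resource."""
    denied = {r["user"] for r in records if r["decision"] == "deny"}
    late = Counter(r["user"] for r in records if r["decision"] == "allow"
                   and {"off_hours", "privileged_resource"} <= set(r["signals"]))
    return denied | {u for u, n in late.items() if n >= 2}

# Constructed sample requests (not real events).
SAMPLE = [
    AccessRequest("alice", "vpn", ("password",), True, False, "US", 9),
    AccessRequest("alice", "vpn", ("password", "otp"), True, False, "US", 9),
    AccessRequest("bob", "hr-db", ("password", "otp"), False, False, "RO", 3),
    AccessRequest("carol", "admin-console", ("password", "smartcard"), True, True, "US", 23),
    AccessRequest("carol", "admin-console", ("password", "smartcard"), True, True, "US", 2),
]

def run(requests=SAMPLE):
    """Evaluate a batch, keep the audit trail, return accounts to review."""
    records = [decide(r) for r in requests]
    return records, flag_accounts(records)
```

Running `run()` on the constructed batch yields one audit record per request (alice is stepped up until she presents a second factor class, bob is denied on five simultaneous signals) and flags bob and carol for review; carol's two off-hours admin-console logins are the insider pattern the accountability section describes.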
System Auditability

IAM solutions can be used to establish context-based rules, to generate log information, and to enable the organization to forensically trace an incident. Information security professionals can use that information to improve incident response plans, to mitigate system vulnerabilities, to monitor the cyber-hygiene of the personnel base, and to improve cybersecurity awareness and training in response to the hyper-evolving threat landscape.

Conclusion

Identity and Access Management solutions are a critical component of organizational cyber-hygiene and cybersecurity initiatives because IAM solutions automate cyber-hygiene best practices, reduce user fatigue, provide access controls, establish user accountability, institute system auditability, and enable users to mitigate cyberattacks from unsophisticated actors (script kiddies, hacktivists, etc.) and to disrupt and detect attacks from sophisticated attackers (informed malicious insiders, nation-state APTs, etc.). Through the implementation of robust IAM solutions for all users, systems and networks, organizations can realize virtually immediate improvements to their cybersecurity posture while reinforcing cyber-hygiene best practices among personnel.

Sources

[1] "Bridging the Data Security Chasm: Assessing the Results of Protiviti's 2014 IT Security and Privacy Survey," Protiviti, 2015. [Online]. Available: http://resources.idgenterprise.com/original/AST-0135695_2014-IT-Security-Privacy-Survey-Protiviti.pdf. Accessed: Nov. 30, 2016.
[2] A. Cser, S. Balaouras, L. Koetzle, M. Maxim, S. Schiano, and P. Dostie, "Forrester Wave™: Privileged Identity Management, Q3 2016," Forrester, Jul. 2016. [Online]. Available: https://www.centrify.com/resources/centrify-leader-in-forrester-wave-pim-2016/. Accessed: Dec. 1, 2016.
[3] Centrify Corporation, Centrify, 2016. [Online]. Available: https://www.centrify.com/. Accessed: Dec. 3, 2016.
[4] "Global State of Information Security® Survey 2015," PwC, 2016. [Online]. Available: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html. Accessed: Dec. 3, 2016.