Identity and access management can be a tricky field to navigate, thanks to the complexity of the technologies and standards for IAM as well as the many different acronyms for IAM-related terms. But the biggest challenge is figuring out how to handle unstructured content in the enterprise within an IAM strategy.
Solving the acronym challenge -- see sidebar -- and understanding the capabilities that different products provide is important because of the proliferation of data locations and the myriad of ways that data can move. There are currently many vendors providing services to address this challenge, and the field is rapidly growing in this relatively new and evolving area -- with new vendors as well as established vendors expanding their depth of IAM scope.
Without a clear and consistent unstructured data IAM designation, enterprises need to thoroughly vet their prospective providers to assure that pervasive unstructured content is addressed. Add the complication of organizational change, and security professionals face a rapidly growing, moving target: uncertainty about where the data is, about its value and sensitivity, and about whether they control access to and sharing of it. Unlike application-oriented data, which is usually well-documented with protections applied, unstructured content is undocumented and not controlled.
Unstructured data inherently hides and sprawls. This makes it especially vulnerable to threats, because it escapes classification and management and legacy security solutions cannot mark it as sensitive. Numerous research studies show that nearly 80% of enterprise content is unstructured and included in most mission-critical business processes. Potential data threats are exacerbated further by the fact that insider threats, malicious or inadvertent, are the No. 1 cause of data breaches.
"All data monitored will likely contain an identity," said Ken Allan, global information security leader at Ernst & Young, during RSA Conference USA 2016. "Even most harmful data such as malware carries a 'signature' which can be linked to its creator."
Attackers are more frequently using compromised credentials in order to access an enterprise's data. Most malware will execute with the same privileges as its victim, so a victim with global administrative privileges gives the malicious code the mother lode of data access.
"Managed security services are mechanisms to help analyze your information and provide detection of any unwanted and harmful data and malware, and subsequently contain the source information, preventing unwanted perpetration and data breach or business disruption," Allan added.
A back-to-basics approach
Knowing where enterprise data is and controlling its access through concise reports and analytics will mitigate attacks and accelerate forensic investigations in the event of an incident. This also helps achieve compliance. Hopefully the search for the proper tools to accomplish this level of cybersecurity can be made more straightforward with uniform, distinct terminology used by the vendor ecosystem -- rather than hard-to-understand acronyms.
Privacy laws are forcing companies to look at where all their different types of data reside. They also need to develop a definition of what their sensitive data is. This begins by finding and categorizing sensitive data amid the unstructured content. As companies start to add more applications, more servers, more devices and more vendors, the potential for problems can start to scale quickly.
Enterprises can't just rush toward implementing controls without knowing where their data is or what they need to classify and for which data they need to provide reasonable security. Organizations also need to find that data, determine who is touching it and discover how it moves across the organization. This requires using a risk framework with automated tools.
It's time to get back to basics with unstructured data management by building an asset inventory. Enterprises should look at where their sensitive data resides, which systems and devices the data connects to and which protective audit controls are already in place.
Is 'Acronym-phobia' hindering IAM efforts?
Acronym-phobia is a favorite word among tech professionals for the fear of the overuse and abuse of acronyms. Do we really need new acronyms for every nuance of a category? For example, when looking at the term identity access management, or IAM, it's easy to uncover additional acronyms in similar categories, such as privileged identity management (PIM), privileged access management (PAM), user access management (UAM), identity access governance (IAG), identity governance and administration (IGA) and so on.
The list is also growing. Gartner recently coined the term bimodal IAM, but there are also privileged IAM, unstructured data IAM and other similar terms. And it can be challenging to figure out what some of these terms even mean; for example, when "IGA security" is searched for, the only pertinent results are from IBM and Gartner. Other vendors and organizations, therefore, may use IAG instead of IGA.
Here's a quick rundown of several of the many terms within just the IT industry that use the acronym IAM:
There are likely a few more that can be added to this list. To exemplify just how overwhelming the number of meanings that exist for an acronym is, here is a list of PxM products, with "x" standing in for multiple possible words:
- Privileged Access Management
- Privileged User Management
- Privileged Account Management
- Privileged Identity Management
- Privileged Password Management
With all these choices for "IAM" and other related terms, it's no wonder that confusion can take hold of enterprises as they try to find the right language and terms to apply to their cybersecurity problems, needs and strategies.
Leveraging identity and access management
With the addition of cloud services and employees using their personal devices or remotely accessing enterprise data, basic user names and passwords are no longer sufficient or secure. There's also inconsistency in the implementation of IAM systems. Often, peripheral systems contain an organization's most critical data, yet they are protected with far fewer security controls.
In an IBM X-Force Threat Intelligence Quarterly report last year, 17.2% of security professionals responded that distributed denial-of-service attacks are the most common attack type they can identify. However, more than 40% of these same security experts said the most common types of attacks are undisclosed ones. And when most attacks against enterprises are essentially unknown, it's even more important to have a strong IAM system as well as an unstructured data management strategy in place.
Most mission-critical business processes rely on unstructured content in some form or another, and that content typically contains sensitive information, intellectual property, financial details and other data that should be protected from theft and inappropriate access.
"Many large businesses within the financial industry have formalized identity as a role by appointing an internal leader to provide policy, process and oversight of identity and the responsibility to maintain the relationships between identity and data," Allan said. "It's important to remember, identity may be linked to many 'things' -- for example, self-driving cars may generate information and thus establish themselves with an identity."
Unstructured data management approaches
Business leaders are beginning to realize the exposed and out-of-control nature of unstructured content. The challenges that organizations are facing, as noted in Whitebox Security's Unstructured Data Governance white paper, are:
- Mapping existing stores of unstructured data;
- Finding data (e.g., folders, files, sites) owners and mapping key user groups;
- Classifying sensitive data; and
- Defining and enforcing authorization policies on data stores.
The immediate actions Whitebox Security recommends to be taken include the following:
- Audit actual data access;
- Map data owners, user groups and usage patterns;
- Analyze the permissions of users and groups to data;
- Recommend entitlement changes to meet business and regulatory policies; and
- Support user-permission review and permission granting processes.
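The following is an added illustration of the steps just listed (and of the asset inventory called for earlier in the article), not code from the article, from Whitebox Security or from any vendor it names. It runs over a constructed inventory of file shares with hypothetical owners, classifications, ACLs, group memberships and an access log, expands group entries to the users that can actually reach each store, compares entitlements against observed usage, and emits a recommended entitlement change for each finding.

```python
"""Permission analysis for unstructured data stores (added example).

All names, paths, groups and log entries below are constructed for the
illustration; the tiering of findings and recommendations is this
example's own, not a vendor's product behaviour.
"""
from collections import defaultdict

# Constructed group membership: group -> members.
GROUPS = {
    "Everyone": ["alice", "bob", "carol", "dave", "eve"],
    "Finance": ["alice", "bob"],
    "HR": ["carol"],
    "Domain Admins": ["dave"],
}

# Constructed inventory: path, mapped owner (None = unknown),
# classification (None = never classified) and ACL (principal -> rights).
STORES = [
    {"path": r"\\fs01\finance\q3-forecast.xlsx", "owner": "alice",
     "classification": "confidential",
     "acl": {"Finance": "modify", "Everyone": "read"}},
    {"path": r"\\fs01\hr\salaries.csv", "owner": None,
     "classification": "restricted",
     "acl": {"HR": "modify", "Domain Admins": "full"}},
    {"path": r"\\fs01\public\lunch-menu.docx", "owner": "carol",
     "classification": "public", "acl": {"Everyone": "read"}},
    {"path": r"\\fs01\finance\unclassified-dump", "owner": None,
     "classification": None, "acl": {"Everyone": "modify"}},
]

# Constructed access audit: (user, path) pairs observed on the file server.
ACCESS_LOG = [
    ("alice", r"\\fs01\finance\q3-forecast.xlsx"),
    ("bob", r"\\fs01\finance\q3-forecast.xlsx"),
    ("eve", r"\\fs01\finance\q3-forecast.xlsx"),
    ("carol", r"\\fs01\hr\salaries.csv"),
]

# Groups whose presence on a sensitive store means "effectively everyone".
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
SENSITIVE = {"confidential", "restricted"}


def effective_users(acl):
    """Expand group ACL entries into the set of users who can reach the store."""
    users = set()
    for principal in acl:
        users.update(GROUPS.get(principal, [principal]))
    return users


def usage_by_store(log):
    """Audit step: map each store to the users that actually touched it."""
    used = defaultdict(set)
    for user, path in log:
        used[path].add(user)
    return used


def analyze(stores, log):
    """Return (path, issue, recommendation) findings for the permission review."""
    used = usage_by_store(log)
    findings = []
    for s in stores:
        path, cls, acl = s["path"], s["classification"], s["acl"]
        if s["owner"] is None:
            findings.append((path, "no data owner mapped",
                             "assign an owner before the permission review"))
        if cls is None:
            findings.append((path, "unclassified store",
                             "classify before granting or reviewing access"))
        broad = [g for g in acl if g in BROAD_GROUPS]
        if broad and (cls in SENSITIVE or cls is None):
            findings.append((path, "broad access via " + ", ".join(broad),
                             "replace the broad group with a scoped data-access group"))
        # Users entitled to a sensitive store who never used it are
        # candidates for revocation in the review.
        stale = effective_users(acl) - used.get(path, set())
        if cls in SENSITIVE and stale:
            findings.append((path, f"{len(stale)} entitled users never accessed it",
                             "review and revoke unused entitlements: "
                             + ", ".join(sorted(stale))))
    return findings


if __name__ == "__main__":
    for path, issue, rec in analyze(STORES, ACCESS_LOG):
        print(f"{path}\n  issue: {issue}\n  recommend: {rec}")
```

Against the sample inventory the analysis yields seven findings: the confidential forecast is readable by Everyone and two entitled users never opened it, the salary file has no owner and one unused entitlement, the unclassified dump has no owner, no classification and broad modify rights, and the public menu produces nothing. In practice the inventory and access log would come from the file servers' own auditing rather than literals.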
Locking down employee access and privileges
In 2012, Microsoft said research of the previous five years showed that almost 80% of all enterprise content was unstructured. Access does not have to be granted through a formal process for this type of data. According to Microsoft, many organizations at that time estimated that they face data growth of 30% to 40% across their file systems each year; with that in mind, managing unstructured content today is not only an ongoing issue but a likely growing issue as well.
Once enterprises have identified, mapped and classified the unstructured content, they must review their IAM policies and systems. The final piece of advice to protect this data against malware and other threats is to ensure employee privileges are locked down. When speaking to Computer Weekly, Jens Monrad, systems engineer at FireEye, said most malicious code will be able to access data with the same administrative privileges that a compromised individual has.
During an interview conducted at RSA Conference USA 2016, Adam Laub, senior vice president of product marketing at STEALTHbits Technologies, said, "If I have domain administrative credentials and use them to log in to a public-facing system, a successful phishing attack can then use the domain admin credentials to get right to the domain controller. This can compromise the full domain almost immediately."
Enterprises also need to look at behaviors and at how authorization underpins the environment.
"As a hacker captures more and more credentials, we see lateral movement," Laub added. "If you are able to capture authentication information, you can see patterns and anomalies so that you can identify this type of activity more quickly."
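The two scenarios Laub describes, a domain administrator's credentials used on a public-facing system and a single credential reaching many hosts in quick succession, can both be surfaced from authentication records. The following is an added example of that detection logic, not code from the article or from STEALTHbits Technologies; it assumes a simplified constructed log format (timestamp, user, source host, destination host, result) and a hypothetical host-tier map in which tier 0 is the domain controllers and tier 2 is user-facing or public systems.

```python
"""Flag privileged-credential use on low-tier hosts and lateral-movement
patterns in authentication logs (added example; all data constructed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical host tiering: 0 = domain controllers, 1 = servers,
# 2 = workstations and public-facing systems.
HOST_TIER = {
    "dc01": 0,
    "fs01": 1,
    "web01": 2,      # public-facing web server
    "ws-alice": 2,
    "ws-bob": 2,
}

# Constructed: accounts that hold domain administrative privileges.
PRIVILEGED = {"dave"}

# Constructed log lines: "timestamp user source destination result".
LOG = """\
2016-03-01T09:00:00 alice ws-alice fs01 success
2016-03-01T09:05:00 dave ws-alice web01 success
2016-03-01T09:06:00 dave web01 fs01 success
2016-03-01T09:06:30 dave web01 ws-bob success
2016-03-01T09:07:00 dave web01 dc01 success
2016-03-01T09:08:00 bob ws-bob fs01 failure
2016-03-01T09:10:00 bob ws-bob fs01 success
"""


def parse(log):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    return events


def privileged_on_low_tier(events, max_tier=0):
    """Privileged accounts should only log on to hosts at or below max_tier;
    every successful logon above that tier is a finding."""
    return [e for e in events
            if e["user"] in PRIVILEGED and e["result"] == "success"
            and HOST_TIER.get(e["dst"], 99) > max_tier]


def lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """One account successfully reaching min_hosts or more distinct
    destinations inside a sliding window is the pattern Laub describes.
    Returns (user, window start, sorted hosts) for the first such window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:]
                     if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, start["ts"], sorted(hosts)))
                break
    return alerts


if __name__ == "__main__":
    evs = parse(LOG)
    for e in privileged_on_low_tier(evs):
        print(f"privileged logon outside tier 0: {e['user']} -> {e['dst']} at {e['ts']}")
    for user, ts, hosts in lateral_movement(evs):
        print(f"lateral movement: {user} reached {hosts} within 10 min of {ts}")
```

On the sample log the tier check flags dave's three successful logons to web01, fs01 and ws-bob (the logon to dc01 is within tier 0 and is not flagged), and the window check raises one lateral-movement alert for dave across four hosts. The thresholds and the tier map are the tunable part; the pattern itself, privileged credentials appearing where they should never be used and one identity fanning out across hosts, is what the authentication data makes visible.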
Although there's a lot of information to work through when it comes to determining how to improve security and risk management posture, enterprises should start working to develop a clear picture of just how much unstructured content they have and how the proper identity and access controls can protect that content.