WHITE PAPER BEST PRACTICES GUIDE TO STRONG IDENTITY ACCESS MANAGEMENT

Transcription

1 WHITE PAPER BEST PRACTICES GUIDE TO STRONG IDENTITY ACCESS MANAGEMENT Prevent and Contain Breaches Without Impacting Users

2 TABLE OF CONTENTS Executive Summary... 3 The Evolving Face of Cybersecurity... 4 Risk Mitigation and Heightened Security... 5 Cost Reduction and Faster Time to Value... 8 Consolidation and Centralization User Acceptance and Adoption Strong Security. Cost Savings. Seamless Access

3 Executive Summary Across every industry, cyber criminals are attacking businesses large and small. As technologies evolve, so do the possibilities for finding new ways to infiltrate organizational defenses and steal data. These breaches are more than a brand embarrassment; they can drive customers into withdrawing their business and launching civil lawsuits, result in regulatory fines, and leave staff with a massive cleanup effort for months to come. One of the most common and effective criminal methods targets stolen credentials. From cracking passwords to malware that captures keystrokes from an infected device, to buying them on the dark web, obtaining credentials is in every criminal toolbox, from lone wolf hackers to government funded overseas groups. It s no mystery why. One set of valid credentials can open the door to personal data like Social Security numbers, birthdates, and payment card numbers, help infiltrate other accounts or give malicious actors free reign to explore a company database with an insider s privilege. Given the valuable payoff possible, it s no surprise that Verizon s 2017 Data Breach Investigations Report¹ says that 81 percent of confirmed data breaches involved leveraging weak, default or stolen passwords: Static credentials continue to be targeted by several of the top hacking action varieties and malware functionalities. How prevalent are these threats? Consider a finding that 94 percent of Tor requests² are malicious requests designed to harm customers. Project Honey Pot³ found that 18 percent of global spam approximately 6.5 trillion unwanted messages a year start with a bot from the Tor network. These strikes are not just effective, but swift too. According to the Verizon report, attackers were able to compromise systems in minutes or less 93 percent of the time. The infiltrated organizations, on the other hand, typically took weeks or more to discover the breach and usually they were tipped off by customers or law enforcement, rather than their own security teams

4 The Evolving Face of Cybersecurity While every IT team is aware of potential breaches, what s less understood are the most effective defenses. It s clear that the standard username and password combination is not offering sufficient protection. Yet teams trying to address these challenges often do so in check-the-box fashion. That just isn t effective against criminal attacks that are creative, sophisticated and skilled. For instance, a company will typically require its employees to create passwords featuring special characters, upper/ lower case numbers and minimum lengths to stop attackers. Yet password complexity is irrelevant for criminals using keystroke capturing or social phishing. One solution businesses turn to again and again is two-factor authentication. Yet this hasn t provided the right security solution either. Many users resent having to take a burdensome extra step and will try to create a workaround. Hard tokens can present an IT burden, from distribution to replacing lost tokens. Users can still fall prey to social engineering, forget their passwords or create security question answers that can be easily found through social media accounts and public records. If you re looking to read about what other two-factor authentication methods attackers have defeated, we recommend Identity 101: Why two-factor authentication is not enough - These vulnerabilities can surprise teams who believe that meeting compliance regulations equals security. But compliance is only a baseline, rather than a complete blueprint for an adequate security program. Teams must move beyond check-the-box data protection and implement a fresh security approach that s as innovative and modern as the threats they re facing. That approach is exactly what we practice at SecureAuth. As an innovator in this space, we offer advancement in identity access management that is unique in the market. By layering two-factor and adaptive authentication, SecureAuth IdP eliminates cumbersome extra steps to provide smooth and convenient access for users and a multi-layered defense for the organization. Just one set of credentials opens the door to all applications and all on-premise, mobile, cloud, and VPN resources via a secure and burden-less user experience. There s a reason companies have hired us to strengthen security in the aftermath of some of the biggest breaches in history. We know how to implement strong defenses that stop and contain attacks while protecting IT budgets and delivering a first-class user experience. Here are our recommendations for security best practices, as well as tips on how we build the most advanced security programs on the market. 4

5 Recommendation 1: Risk Mitigation and Heightened Security Even as you read this, your risk is growing. From managing inside risk to stopping attackers across the ocean, your team must control access to your applications and data from a rising number of threats. It only takes one staff member to fall for a phishing scam or open a malware-infected attachment to allow malicious actors into your network. Then there s the reality of managing your partners/suppliers and customers, most of whom likely involve different access requirements and different levels of trust. Balancing smooth access with strong security has always required expertise. But the explosion of trends like Shadow IT, BYOD and cloud computing have made the task even more complex. IT teams need to protect a growing matrix of access points and vulnerabilities. Yet instead of adapting to this complexity through innovation, many companies simply hire more people to manage their risk, driving up costs without any real guarantee of protection. What s needed: security controls that offer the same complexity and sophistication as the attacks they stop while minimizing the disruption to daily routines of authenticating users. 5

6 Statistics Don't Lie: The Facts on Risk $7.9M1 Each Breaches cost the average U.S. enterprise 66% of Executives are not confident they re protected² 80% of breaches come from outside the organization³ Best Practices Implement at least 3 pre-authentication or adaptive authentication techniques Two-factor authentication can play a valued role on the perimeter, but it must be partnered with additional layers of adaptive authentication security. Adaptive authentication can check the risk of a user s IP address, device, geo-location and other factors, to verify users; only if risks are present are users burdened with an additional authentication step. This validates authentic users, like doctors, while blocking attackers with compromised, yet legitimate, credentials. Develop, analyze and score risk profiles for user groups Risk is contextual. Not all user groups are created equal; an IT administrator will need different privileges and greater scrutiny than the emergency room staff or consulting physicians. By creating different authentication processes for different user types, your security program can analyze diverse threats and workflows and apply appropriate levels of security to step up or step down protective measures as necessary. You ll ensure adequate protection for your highest vulnerabilities while avoiding squandering resources on areas with negligible risk. 94% of TOR network requests are per se malicious⁴ 81% of confirmed data breaches involved leveraging weak/ default/stolen passwords⁵ 97% of breaches featuring stolen credentials leverage legitimate partner access⁶ 92.9% of 2015 breaches happened in less than hour⁷ 101 Automate actions based on risk By understanding those specific risk levels, your system can take automated actions such as allow access with username and password, deny access outright, send requestor to a safe zone/honeypot or ask for additional authentication steps. Your system can also send notifications to users or administrators. Valid users, such as providers who work out of multiple facilities, can resolve minor issues with selfservice tools that reduce Help Desk costs and enhance staff productivity. Use multi-factor authentication controls that are difficult to socially engineer The human element never disappears from the challenge of cybersecurity. If a lab tech, patient or nurse does fall for a social engineering scam, your security program should use controls that block the possibility of success. Instead of implementing security questions that someone could guess from reading a Facebook or provider review page, utilize multiple layers of controls that will thwart a criminal who obtained a valid password by impersonating an IT administrator or hospital authority figure. Examine failed, denied, and other authentication events in concert with additional Security Operations Center (SOC) data. Successful security is built on the analysis of successful and attempted attacks. Take a good look at failed authentications, instances when authentication demanded additional actions and other security-related events. By closely inspecting your aggregated access data, you ll have a better idea of where your risk is and the controls you need to implement. SIEM integration is key to building an accurate holistic view. days before they re discovered⁸ 6

7 The SecureAuth Way: Advanced Risk Management SecureAuth IdP offers risk-based analysis for unrivaled protection that goes beyond compliance standards. By providing 25+ multi-factor authentication methods with adaptive authentication, we offer more layers of risk analysis than any other access control vendor coupled with more choice and flexibility for multi-factor authentication. Global threat intelligence, via a network of millions of advanced threat sensors, is combined with contextual factors such as IP address reputation, geo-location or geo-velocity to match security controls to risk. Device recognition further distinguishes between devices that match a stored footprint and are assigned to a specific user and devices that don t. Teams enjoy extensive visibility into login activity (including failures), application and realm usage, password strength, and compliance thanks to a record documenting access and usage by every user across every connected system. When correlated with other SIEM data, the result: reduced time to detect malicious actors or compromised credentials and start breach remediation. SecureAuth s flexible identity access management options are especially useful for mitigating risk and security gaps with partners and customers in addition to employees. Customizable workflows for various users and groups can be harnessed to adaptive security controls, with convenient multifactor authentication based on identified risks. Because SecureAuth IdP adapts to what organizations are already utilizing, third parties and customers can be on-boarded quickly and confidently with minimal learning curve. As a result, organizations experience consistent identity and access protection without a negative impact or even awareness of higher security steps among their user communities (employees, partners, and customers). 1 IBM Security (Must register to use tool) A 2015 Survey Cybersecurity in the Boardroom. tok=3rkmmjwwff9wsrogs6tbzkxonjhpfsx87uslwag1lmi/0er3fovrpufgji4atmjipa+tfawtg5toziv8r7fmlm160ciqwrjj 3 Verizon Data Breach Report The Trouble with Tor. 5 Verizon Data Breach Report Verizon Data Breach Report. 7 Verizon Data Breach Report Mandiant M-Trends Report

8 Recommendation 2: Cost Reduction and Faster Time to Value In our mobile world, businesses face an increasing loss of control over their data, devices and applications. The fear of a breach can be so intense that many IT leaders will evaluate solutions in terms of technical effectiveness, rather than cost savings and business efficiency. Yet for many, the decision to direct more budget toward security has not reduced their challenges, only reduced their ability to invest in new innovations. Consider the unpredictability of anticipating implementation costs. Many teams struggle to accurately understand the resources required, or how to control budget spending. According to Gartner¹, Integration typically consumes 35 percent of the cost and effort of an application solution. Businesses that spend a significant portion of their security budget on integration or developer labor may not have the additional budget required to protect their resources in a sustainable, flexible security program. With millions of dollars on the line in many cases, teams need a solution that delivers adequate security while integrating with existing solutions. Businesses must prioritize cost effective technologies that offer rapid time to value. 1 ftp://public.dhe.ibm.com/software/websphere/pdf/gartnerroireport.pdf 8

9 Best Practices 30+% of Helpdesk calls are for password resets, account unlocking calls Average helpdesk wage and productivity loss for user = $35 per call Phase out hard tokens Hard tokens involve replacement costs and an administrative burden in managing and deploying them. A smarter choice is evolving to more modern authentication techniques that identify users through elements such as device recognition, location, and multi-factor authentication methods that utilize mechanisms users already use daily (smartphone, , land-line phones). Not only does this eliminate the burden of an extra step for staff and doctors, they can access their data wherever they are without carrying a hard token around. Utilize self-service tools whenever possible Every day Help Desk teams and hospital staff lose hours of productivity tackling password resets, locked user accounts, enrollment, and provisioning requests. Selfservice tools are more secure and can get users back to work instead of spending long periods of time on calls and checking the status of their latest ticket. The IT team can address higher-value tasks and save budget for important projects instead of support overhead. If users call the helpdesk once a month in just a 5000 person organization the cost for password reset and account unlocking calls = $630,000 per year Consider the Total Cost of Ownership When it comes to pricing security solutions, the Total Cost of Ownership is the metric that matters in assessing value. A new platform that takes months to deploy out of the box must be evaluated in terms of the productivity lost. If it fails to integrate with custom built applications, if developers must spend weeks on coding new workflows and building integrations, those costs must be factored in as well. By prioritizing solutions that minimize labor and maintenance costs, teams can save millions of dollars. The SecureAuth Way: Savings and Speed SecureAuth IdP offers a number of features that save budget while accelerating time to value. Self-Service tools can reset passwords, unlock accounts, handle autoenrollment/ provisioning and speed overall resolution, while reducing support costs. Thanks to standards-based development, SecureAuth IdP can integrate into custom built applications and nearly every device, VPN, identity store, application and more, saving thousands of hours in labor. A GUI-based configuration wizard accelerates deployment by allowing teams to point and click their way through deployment. SecureAuth solutions deploy in days, rather than months or years, to deliver immediate impact. We invite you to review our pricing and deployment times vs other alternative solutions. 9

10 Recommendation 3: Consolidation and Centralization 13% of people tested click on a phishing attachment.1 A typical organization today deals with an array of VPN, cloud, on-premise, mobile, and homegrown resources. This kind of complexity requires an advanced, consolidated access control approach that centralizes security while offering the agility to address future needs. Yet many organizations selectively deploy security and access controls in some areas or departments while leaving other parts of the enterprise open. Often this is because the team lacks centralized management. Instead they deal with multiple authentication systems, various solution limitations, and conflicting policies that were created anew for each application, group of applications, and/or groups of users. Users often have multiple logins across different silos. The overall result is a tangle of technologies and rules that alienate and confuse users. Specialized administrators with expertise in specific platforms must be hired to tackle multiple integrations and manage disparate systems. All of this adds up to rising administrative costs. Users encounter rigid authentication workflows, inconsistent policies and burdensome requirements. The disorganization burns up staff hours and resources while obstructing the team s ability to detect anomalies and respond to threats across the organization. 1 Verizon Data Breach Report. 10

11 Best Practices Drop the idea of the quick fix for an enterprise solution When a problem arises, many teams turn to quick fix solutions that later become more complicated and demanding than anticipated. With point solutions everywhere, the team finds itself supporting and maintaining an ever-growing number of technologies, which then breeds multiple multi-factor authentication controls and policies simply to let users perform their jobs. Users also suffer from even more passwords, policies, and disruptions. Prioritize the most flexible solution with the most future potential Many teams believe that only cloud solutions can protect cloud resources, but this isn t true. On-premise tools can manage cloud identities, while cloud solutions can manage on-premise identities. What matters is selecting a solution that provides the greatest flexibility now and in the foreseeable future. Choose integration-friendly solutions that maximize existing security investments When a new security solution requires abandoning existing tools, that s a sign to look elsewhere and find a solution that lets your team utilize what you already have. All too often teams find themselves asked to deploy a new datastore or directory when they already have what they need. Or they have a mixed bag of client devices to support - ios, Android, Windows, Mac, Java - but the new vendor only supports a few of them. Finding a solution that can work with existing tools, saves time and money. Look for a vendor who can be a partner in both security and compliance Auditing and reporting might not seem like the most urgent aspect of security when you are worrying about a breach. But they are key to fulfilling compliance regulations, which means you want to choose a vendor that can share useful information with your existing SIEM or UBA, such as adding failed authentications to your SOC dashboard. Only then will you achieve an accurate holistic view of all security threats, and save considerable effort in compliance audits with a centralized repository of data. The SecureAuth Way: Centralized Security SecureAuth IdP works with your existing security ecosystem and technologies to reveal meaningful trends, patterns and anomalies for more accurate interpretation. With more support for devices, identity types, VPNs, identity stores, MFA methods, and applications, SecureAuth IdP requires minimal coding and supports more integrations than any other identity security vendor, so that it easily fits in with other investments. Centralized contemporary and advanced access control options leverage adaptive authentication, customizable workflows and progressive multifactor authentication that can utilize the same day-to-day mechanisms already in use. Standards-based technology creates a single over-arching layer for managing identities with reduced administration, while employees, contractors, partners, and customers enjoy familiar and consistent access. 11

12 Recommendation 4: User Acceptance and Adoption Technology is as good as the people behind it, but that doesn t mean only the IT experts who design and implement systems. The habits and preferences of users must be factored into the security program too. People often choose processes that are easy and convenient, as opposed to what adheres to security policy. There s also the matter of simple fallibility. Users forget their passwords, write them on visible sticky notes or use the same credentials across multiple applications. They can also grow resentful when forced to comply with old-fashioned security practices. Few users like creating complex passwords every few months for multiple applications, then recreating them when a breach is reported, worrying about losing a hardware token and waiting on hold with Help Desk calls. Instead, many develop workarounds and poor security practices that put data at risk, such as keeping a paper list of passwords at a busy nurses station. Only a multi-layered security approach with consideration for user experience can offer true protection. 12

13 Best Practices Provide the best possible user experience Today s security innovations allow users to enjoy a smooth authentication experience while unknowingly complying with more controls. By only requiring action when risk factors are high, organizations balance security needs with user preferences. Build in safeguards against human fallibility Users are susceptible to phishing attacks. They create guessable passwords, lose laptops, FOBs, phones and share credentials even when instructed not to. By adopting controls such as device recognition, geo-location, IP address interrogation, and more (Adaptive Authentication), organizations can protect themselves from the inevitable human element. Use other identity signifiers instead of passwords Device recognition, unique keystroke identifiers, geo-location and valid IP addresses are harder for criminals to obtain, duplicate or steal. Instead of relying only on passwords and multi-factor authentication, IT teams should implement controls that cannot be compromised as easily so that even if credentials are compromised, the risk is still severely reduced. Empower staff with self-service tools Features like self-service password reset and account unlocking aren t just about reducing overhead they empower users with the ability to get back to work and access data without having to call the Help Desk or initiate an online support ticket. This is especially critical in instances such as healthcare IT, where physicians may need to access test results or medications in a life or death situation. The SecureAuth Way: Seamless Security SecureAuth IdP ensures users enjoy the best customer experience possible even as the organization experiences uncompromising security. Once a user has successfully authenticated their identity through elements such device recognition, threat services, IP interrogation, geographic location, and more, they can easily access data wherever they are without the burden of an extra authentication step. Instead of carrying hard tokens and extra tools, they can use the smartphone and they re already using if an additional multi-factor authentication step is even warranted. Self-service tools help users sidestep lengthy Help Desk calls and address their own administrative tasks like enrollment and updating personal information. By accessing their own data on the go, instead of being tied to hard tokens and other two-factor requirements, users enjoy greater freedom, enhanced productivity and more independence. While organizations gain the assurance of multi-layered identity security checks for greater protection. We ve reduced the number of passwords, made it easier for our users to log into applications and our network, and improved security. Chris Joerg, Director, Global Information Security - Unisys 13

14 The SecureAuth Way: Strong Security. Cost Savings. Seamless Access. SecureAuth IdP Delivers Identity Access Management that Protects Your Budget and Your Organization. Operating at the intersection of cybersecurity and health information security, SecureAuth IdP delivers strength and simplicity for advanced identity access control. By partnering adaptive and two-factor authentication alongside Single Sign-On and self-service tools, SecureAuth IdP helps IT teams achieve powerful security and convenient access, while saving huge in implementation costs. Ready to find out how SecureAuth can protect your organization? Visit secureauth.com to get started. 14

15 2018 SecureAuth Corporation. All Rights Reserved. SecureAuth IdP is a trademark of SecureAuth Corporation in the United States and/or other countries. 15