Identity security in organizations | Kaspersky official blog
Credit to Author: Stan Kaminsky | Date: Thu, 08 Jun 2023 13:14:22 +0000
The benefits of digital business transformation are well documented: processes become streamlined, business scaling is easier, and the process of creating products and services is greatly accelerated. But security risks are increasingly becoming a major obstacle to such transformation, as the number of cyberattacks and the damage they cause grow year by year. Statistics show that more than 60% of attacks on companies begin with the theft of accounts or access tokens. Moreover, most companies’ approach to account management and security is hopelessly outdated — still relying on 30-year-old technologies. Meanwhile, infrastructure has moved on in leaps and bounds — we now have public clouds, remote work stations, and other convenient but often insecure technologies.
Modernizing account security is one of the most important and strategically valuable steps you can take to sow long-term growth potential in your company’s IT systems. If basic digital hygiene measures — such as endpoint and server protection and unified IT and IS policies — are already in place, the next logical step is to implement “identity security”.
The basic principles of identity security
Managing all kinds of accounts and identities. It’s important to understand that the concept of identity applies not only to employee accounts, but also to servers and applications. In modern companies, the number of non-human accounts often greatly outweighs the employee headcount. A comprehensive identity security approach means managing access tokens, secret keys stored in applications, and so on.
Trustworthy authentication. This is the cornerstone of account protection. The company must implement up-to-date multifactor authentication standards that take into account the level of access and risk for each employee, service or server.
Proportionate, structured authorization. An authenticated account must be granted the access and permissions necessary and sufficient for the job at hand, and no more. Access and permissions are defined according to a centralized policy and are identical for employees or services performing the same task. In the ideal scenario, besides the principle of least privilege, you also need to implement the principle of timeliness; that is, permissions should be granted for the exact period of time they’re needed. For example, administrators are given high-level access to a server only when performing necessary maintenance on the server, after which their privileges are automatically downgraded to basic.
Centralization and auditability. The goal should be to centralize the database of accounts and unify the authentication process using SSO (single sign-on). All stages of both authentication and authorization must be carefully logged, and any adding, changing or deleting of accounts should be carefully regulated and documented. This greatly reduces the risk of violating other identity security principles. Moreover, with a controlled and centralized authentication portal, the company can detect cyberattacks earlier and more effectively by identifying anomalies typical of hacker activity.
Implementing account security and privileged access management is a vital step in building a zero trust information security architecture.
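As an added illustration (not Kaspersky’s code or product), the following Python sketch models the principles above in one place: role-based least privilege, time-bounded elevation that lapses automatically, a risk-based step-up check for unfamiliar devices or sensitive actions, and a centralized audit trail that can be scanned for anomalies. The role names, permission strings, device names and reference timestamp are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Baseline permissions per role (assumed role names); identical for every holder of the role.
ROLE_PERMS = {"employee": {"read:fileshare"}, "admin": {"read:fileshare", "ssh:server"}}
SENSITIVE = {"ssh:server"}  # actions that always require an additional check
NOW = datetime(2023, 6, 8, 9, 0)  # constructed reference time for the scenario

def minutes_later(m):
    return NOW + timedelta(minutes=m)

@dataclass
class Grant:
    perm: str
    expires: datetime  # just-in-time elevation is valid only until this moment

@dataclass
class Identity:
    name: str
    role: str
    usual_device: str
    grants: list = field(default_factory=list)

class IdentityService:
    def __init__(self):
        self.audit = []  # append-only record of every elevation and decision

    def elevate(self, ident, perm, minutes, now):
        # Time-bounded privilege: granted for the maintenance window only.
        ident.grants.append(Grant(perm, now + timedelta(minutes=minutes)))
        self.audit.append({"actor": ident.name, "event": "elevate", "perm": perm})

    def authorize(self, ident, perm, device, now, mfa_passed=False):
        # Expired grants are dropped first, so privileges downgrade automatically.
        ident.grants = [g for g in ident.grants if g.expires > now]
        held = perm in ROLE_PERMS[ident.role] or any(g.perm == perm for g in ident.grants)
        if not held:
            decision = "deny"
        elif (device != ident.usual_device or perm in SENSITIVE) and not mfa_passed:
            decision = "step_up"  # risk-based: unfamiliar device or sensitive action
        else:
            decision = "allow"
        self.audit.append({"actor": ident.name, "event": decision, "perm": perm, "device": device})
        return decision

    def anomalies(self, threshold=3):
        # Repeated denials for one identity are a typical sign of account misuse.
        denials = Counter(e["actor"] for e in self.audit if e["event"] == "deny")
        return sorted(a for a, n in denials.items() if n >= threshold)
```

Because every decision passes through one service, the same audit list serves both compliance reporting and early detection of anomalous activity.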
Account security from the employees’ standpoint
Well-designed account protection doesn’t complicate matters; on the contrary, it simplifies the life of employees. First, they use the same login mechanics for most corporate services — be they internal file portals, cloud-based business travel reporting software, or any other IT systems. There’s no need to remember multiple passwords or start the morning by signing in to a dozen different accounts. Moreover, forgetting credentials becomes much less of an issue. This increases all-round team productivity.
Second, an authentication system based on risk profiles inconveniences the user no more than necessary. In practice, this means that, having logged in to the corporate system from their usual workstation, employees can use a token once at the beginning of the working day to unlock the computer and then spend no more time on security at all. At the same time, attempts to perform uncharacteristic actions or requests for access to important information may result in several additional checks.
Third, identity security simplifies remote working and collaboration with external contractors. When out of office, perhaps using a personal device, employees can still access corporate services in line with company policy. True, the list of checks and level of access can vary.
Benefits of identity security
Secure migration to the cloud. A great many corporate IT services are provided through public cloud services (Microsoft 365, Salesforce) or hybrid clouds, while access to them is often less regulated and secure than traditional resources on the company’s servers. A unified approach to account protection across all IT services reduces the risk of hacking and speeds up the adoption of digital services that benefit the company.
Increased employee productivity. There’s no need for employees to create accounts in all systems and spend time logging in every day and changing passwords every quarter. On a company-wide scale, this translates into tangible time-saving — time that will instead be spent on productive work.
Reduced workload and associated costs. Worth a separate note is the significant reduction in the workload on IT and cybersecurity departments, which will be able to manage all accounts centrally and stop worrying about tens of thousands of passwords. In some companies, password-related requests to the help-desk account for up to 40% of all requests to IT specialists. Switching to centralized account protection significantly lowers this figure. What’s more, having a standardized account lifecycle makes it much easier to hire, fire or transfer employees — the required permissions are assigned and withdrawn automatically.
Reduced regulatory risks. In many countries, information security regulators are beginning to impose strict requirements on corporate security systems — partly out of concern for the personal data of employees and customers. A centralized identity security system not only reduces the risk of a successful cyberattack, but ensures that everyone in the company adheres to approved secure practices in respect of passwords, remote working, and other areas. That way, you can be sure that a sudden audit by the regulator won’t result in a hefty fine.