Secure access to resources
How to control administrators’ access to resources?
Challenge
Regulating the rights of administrators and those with privileged access to corporate resources is an important part of building an organization’s security. One manufacturing company found this out, where resource permissions were granted based on descriptive requests. The review of privileges took place once a year and was kept in an excel sheet.
Shortly after the production director left for another organization, it became apparent that the design and offerings used by the competition were very similar to those used by the described company. Following this event, the organization took a hard look at the procedure for granting privileged access.
Was the organization able to reduce the risk of this situation and protect itself from leaking production-sensitive data? What was missing to properly manage data access?
- Lack of a solution for multi-factor authentication.
- Lack of solutions to manage identity and privileged access.
- Lack of security between data accessed in the cloud and the end device.
Solution
The basic principle of risk reduction in the context of granting access is the principle of minimum access, also known as the principle of “least privilege.” According to it, access to resources, even by people high up in the organization, should be limited to the minimum necessary to enable them to work. Such precise management of the granting of privileges and access is possible thanks to, among other things, IAM/AM (Identity Access Management/Access Management) class tools. These types of solutions allow to supervise such aspects as: who logs into the system, for what purpose they do it, from where the logging takes place, to what resources they have permissions, who granted them and when they did it. The tool used to accomplish these tasks is NetIQ Identity and Access Management from Microfocus.
To avoid visits from “unwanted guests”, in the case of people with privileged access, it is also necessary to take care of full user verification during login. At the first stage, it is worth using multi-factor authentication implemented by MFA-class tools – Multi-Factor Authentication. Thanks to them, a user logging into the company’s resources not only has to confirm his identity by entering a login and password, but should also have, for example, a physical device to which a verification code is sent. An example of an MFA-class solution is SecurID SSO from RSA.
Protection of sensitive data stored in the cloud is also ensured by a tool such as CASB (Cloud Access Security Broker). It bridges the gap between the cloud and the end device and provides insight into how cloud resources are processed on users’ devices. It encrypts data so that it cannot be used on external systems in a way that does not comply with security policies. It also allows them to be classified so that attempts to take sensitive information to destinations undefined by policies end up blocking the connection. CASB allows you to control how individual users process data in the cloud and whether they do so in an authorized manner, even when they use mobile devices not secured by the company. A CASB-class tool that accomplishes this task is CloudSOC CASB from Broadcom.
An important component that is used to build full security in access to resources for administrators and privileged persons is a Privileged Access Management (PAM)-class – tool for managing such access. Tools of this type are used for so-called intelligent control of privileges. Access to administrators’ resources is granted only for a certain period of time with a detailed definition of the range of possible activities. Issues related to managing privileged access do not apply only to individuals, but also to systems and applications. A PAM-class tool worth keeping in mind is CyberArk PAM, a module within the comprehensive CyberArk identity management platform.
