By: Dan Conrad, Federal CTO at One Identity
The Government can no longer think of itself as an entity that is just physically protecting private individuals and nation state interests. With the advent of cyberattacks, which are continuously increasing in sophistication, digital borders have become an attack vector just as much as physical ones.
Should a military ship’s network be hijacked, for instance, an intruder could potentially gain control of its data and command-and-control systems. If said ship’s authentication measures were to be based on static elements such as passwords, logins or IDs, then an attacker could be able to gain access undetected and compromise the safety of troops and national security.
Typically, government agencies would use more layered forms of authentication, which require users to provide a knowledge-based key (a password) and something the user has (an ID badge or token). Two-factor authentication is a crucial starting point for security. It is, however, also an insufficient protection for systems and databases of such cruciality as governmental ones.
This article will explore the ways in which governmental institutions – but, more broadly, all organisations with critical operational technology, sensitive data and critical systems – can ensure that their digital assets are protected, and that they are safe as well as secure.
Build behavioural profiles for users
Insider threats are among the hardest attacks to detect. If a user with the right keys to critical systems and sensitive databases – intentionally or accidentally – causes a data breach, his/her actions can often go unnoticed by threat intelligence models, which are programmed to detect malicious signatures rather than a login with the correct password.
To prevent a breach from the inside, organisations have the option of building a profile for each user to determine what normal behaviour looks like. For instance, let’s say that a user typically runs an application between 9am and 5pm. If the same user logs in at 2am, the system will compare that behaviour to that user’s baseline and will flag the activity as atypical, alerting system administrators.
With time, the accuracy of users’ individual baseline increases, and trust scores can be assigned to verify identity and determine the level of user access. When the behavioural score reaches something considered malicious, the session can be automatically terminated, and all anomalies flagged.
Automate privileged access
Large organisations such as governmental bodies have the challenge of keeping track of who has access to what, and when. It is paramount for them to limit access to the network based on user roles, as well as to track sessions on particularly sensitive areas of the network itself.
Administrators used to be given access to everything, but this is no longer the case. Agencies such as the Ministry of Defence, but any large enterprise, too, should be aware how data is accessed and who can access it at all times.
From there, they should choose which users should have what level of access, and limit the number of privileged users. This can be done by automation engines, that can audit administrators and hold them accountable for what tasks they perform in sensitive areas of the network, without disrupting their ability to get their work done efficiently.
Adopt a zero trust model
The Government is a good example of an entity that stores data of the utmost sensitivity. For this reason, its authentication methods should be the benchmark for all other organisations who wish to be not only compliant, but also to secure their data at the best of their abilities. To do so, it is necessary to adopt a zero trust model, in that every user and every device is considered guilty until proven innocent.
According to this principle, devices that are connected to the network are only the ones that have been vetted and ascertained to be free of malicious software or vulnerabilities that could serve as an entry point. This also applies to individuals: as many as 77% of IT security professionals admit that they could steal data from their organisations if they wanted to. As threats continue to increase, and as breaches keep happening at an alarming rate, a zero trust architecture can significantly reduce the risk surface of an organisation.
All organisations hold sensitive data to varying degrees and the stakes if that data is put at risk have never been higher. To build barriers is no longer enough to protect this information. By using advancements in AI through behavioural biometrics, paying closer attention and holding individuals accountable for accessing information and trusting no one, organisations of all types can ultimately make themselves more secure.
About the author
Dan Conrad is Federal CTO for Quest Software/One Identity. He has been with One Identity/Quest Software since 2007 where his roles have included Systems Consultant and a Solutions Architect for Compliance Solutions as well as Identity and Access Management Specialist.
He retired from the USAF in 2004 and returned to government IT as a contractor where his primary focus was Active Directory design, migration, and sustainment. He holds many certifications, the highlights include CISSP, MCITP, and MCSE/MCSA.
About One Identity
One Identity, a Quest Software business, lets organizations achieve an identity-centric security strategy with a uniquely broad and integrated portfolio of identity management offerings including account management, identity governance and administration and privileged access management. One Identity empowers organizations to reach their full potential, unimpeded by security, yet safeguarded against threats.
One Identity and its approach is trusted by customers worldwide, where more than 7,500 organizations worldwide depend on One Identity solutions to manage more than 125 million identities, enhancing their agility and efficiency while securing access to their systems and data – on-prem, cloud or hybrid. For more information, visit http://www.oneidentity.com.
The post #Privacy: What can the government teach us about Identity Access Management? appeared first on PrivSec Report.