A recipe to avoid becoming the next headline

Tue, Aug 18 2015 | Author: PT. Central Data Technology

Every day we hear of a “major” security breach at another big company. Inevitably, the organization breached goes on a spin campaign to shift blame away from itself, but never simply says, “We could have prevented this if we had our act together.”

Security breaches can’t happen unless someone gets access they shouldn’t have. Access is totally within the organization’s control (or should be), and, while there’s no list that guarantees you’ll never be the victim of a breach, there are some simple best practices that make you a harder target and minimize the damage if someone does get in.

  1. It starts with authentication and authorization. Identity and access management 101 explains that access is the combination of authentication (proving you are who you claim you are) and authorization (limiting what you can do based on who you are). Too often, access is executed haphazardly, taking a path-of-least-resistance approach that secures things appropriately as long as it’s not too difficult. It’s well worth the investment, however, to establish rights correctly, ensuring that every user has access to everything they need to do their job, and nothing else. Here are some tips to make this elusive goal more achievable.
  2. Treat data security as a single issue, not several separate issues. The knee-jerk reaction to regulations and security is to search for the most likely target and find a way to secure it. The result is a siloed approach that’s neither efficient nor consistently secure. A better approach is to unify the things that control access (policy, identity, authentication, provisioning, role, etc.) and get it right once. If a single role definition includes all the appropriate access rights for a group of employees, the risk of someone going rogue, or someone doing something bad with stolen credentials, goes way down. If they can’t get it, how can they abuse it?
  3. Put the right people in control. The vast majority of access controls are set up by people who know how to manage the system, rather than those with the most at stake. IT usually is at the front line of implementing access controls, because they have the rights, tools, and knowledge necessary to set up access for individuals and groups. But IT typically lacks the context to know what access individuals should have. That context belongs to line-of-business personnel. Find a way to put the line-of-business in control of access rights and as much of the management process as possible.
  4. Don’t forget about your administrators. Finally, the “super user” credentials associated with every system are the crown jewels of access. Someone logging in with these shared, anonymous, and all-powerful sets of rights can do anything and everything they want, from planting malware to stealing data. Technologies exist that remove the shared nature and anonymity of administrative credentials and audit all activities performed with them. This one practice alone could prevent the majority of high-profile breaches permeating the news. Just because you trust your employees doesn’t mean you shouldn’t implement access control on them – all of them.

Source: NetworkAsia