The answer is easy: don't correctly manage the people you let into your business!
I have been working in Identity and Access Management for over 10 years, both as the leader of the Identity Services team at JP Morgan Chase and as an Identity Management Architect at RSA.
I've had countless discussions with customers about their processes for assigning and revoking user access and reviewing the areas that introduce the greatest amount of access risk. In 2015, a large financial services firm in London experienced a bad access incident. One day, every single meeting room in all their facilities was booked for the full day by a contractor named 'Mike J.', causing huge disruption to their business and creating some long-term negative effects on projects and activities. It would seem that 'Mike J.' had successfully executed the first Denial of Meeting attack in history!
After the incident, everybody at the firm was asking, "Who is Mike J.?" The answer is that nobody knew! They could tell that he was a contractor and that he had an AD account that had been deleted, but they could not find the request to create the account or any other information about him.
While Mike's actions caused a major business disruption, there is no telling what greater damage he could have done if he had wanted to.
People are coming into and leaving your organization all the time, and many of them don't enter or exit through your Human Resources process. Even when they do, HR doesn't want to be the gatekeeper of who should be accessing which sets of information and systems, and why should they?
For Information Security teams to be successful, you need to know 4 key pieces of information about every person with access to a system, application or database:
1.) Who are they?
Who is the physical person you are just about to give access to your systems and data? This is more than just a name. Can you trust they are who they say they are? Have you been given their information from a trusted source?
The context of who they are is vital to managing their identity lifecycle within your business, and if you don't have a process to get this information, you have failed before you start.
Many organizations grant access to people they don't know purely on the basis of an account creation request, and then treat that account as if it were the person's identity. Accounts like these are often left active after the user leaves, opening up security vulnerabilities.
2.) Why are they here?
Understanding the justification of 'why' people are working in your environment gives you a huge amount of context to manage their access throughout their lifecycle and understand where issues could, have, or are occurring.
For example, a contractor comes to work in your business on a project to create a new finance application for you. If that contractor is given access to existing core finance applications, or privileged access to infrastructure systems, that would be suspicious, but you can only see it as suspicious with the true business context of why the contractor is here.
3.) When should they leave?
It is reasonable to know how long a person is expected to be working for you so that you can ensure their access is removed in a timely manner. It would be great if the Line of Business people responsible for them always notified you when the user separates from the business, but that is not realistic. Unfortunately, in many organizations, waiting for that notification is the standard.
Whether you have a rigid process that removes access on the user's last day unless an extension is requested, or you simply note the date down and ask whether they are staying longer when it comes around, a recorded end date gives you insight you would not have had otherwise.
4.) Who is responsible for them?
Anybody coming into your business must have a sponsor, a person responsible for assuring that the user needs to be there and that they should have access to your systems and data.
Sponsors in the HR context would be managers or supervisors, but in the broader sense they only really have to be responsible company citizens. Sponsors can provide all of this information and more, but only if one has been assigned.
Understanding these 4 key points about ALL the people you legitimately let into your business, and keeping an identity record of these details, is the only way to manage them correctly. This significantly reduces the risk of letting the wrong people in, or worse, not knowing who they are when they do something wrong, like denying meeting room availability!
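To make the four points concrete, here is an added example of the kind of reconciliation an identity team runs against such records. It is not code from the original post or from RSA: it models an identity record carrying who vouched for the person, why they are here, when they should leave, and who sponsors them, then compares those records with the accounts that actually exist in a directory. The accounts, names, groups, dates and the table of which groups each justification permits are all constructed for the example; a real deployment would pull them from HR, the sponsor workflow and the directory.

```python
"""Reconcile directory accounts against identity records that carry the four
pieces of context from the post: who they are, why they are here, when they
should leave, and who is responsible for them.

Every account, person, group, date and policy entry below is constructed for
this example; none of it comes from the original post.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Which directory groups each stated business reason justifies. This is a
# constructed policy table standing in for a real access model.
ALLOWED_GROUPS_BY_REASON = {
    "build-new-finance-app": {"finance-app-dev", "vpn-users"},
    "service-desk": {"helpdesk-tools", "vpn-users"},
}


@dataclass(frozen=True)
class IdentityRecord:
    account: str
    full_name: str            # 1. who they are
    source: str               #    who vouched for them (e.g. "hr-feed", "sponsor-form")
    reason: str               # 2. why they are here, keyed into ALLOWED_GROUPS_BY_REASON
    end_date: Optional[date]  # 3. when they should leave (None for permanent staff)
    sponsor: Optional[str]    # 4. account of the person responsible for them


@dataclass(frozen=True)
class DirectoryAccount:
    account: str
    enabled: bool
    groups: FrozenSet[str]


def review_access(accounts: Iterable[DirectoryAccount],
                  records: Iterable[IdentityRecord],
                  today: date) -> List[Tuple[str, str]]:
    """Return sorted (account, finding) pairs for every lifecycle gap found."""
    by_account = {r.account: r for r in records}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = by_account.get(acct.account)
        if rec is None:
            # An account exists but nobody can say who the person is: the "Mike J." case.
            findings.append((acct.account, "no identity record"))
            continue
        if rec.sponsor is None:
            findings.append((acct.account, "no sponsor"))
        if rec.end_date is not None and rec.end_date < today and acct.enabled:
            findings.append((acct.account, "enabled past end date"))
        # Any group the stated reason does not justify is out-of-scope access.
        allowed = ALLOWED_GROUPS_BY_REASON.get(rec.reason, set())
        for group in sorted(acct.groups - allowed):
            findings.append((acct.account, f"group '{group}' not justified by '{rec.reason}'"))
    return sorted(findings)


# Constructed sample data: two sponsored contractors plus one account that was
# created by request only and has no identity record behind it.
TODAY = date(2015, 6, 1)

RECORDS = [
    IdentityRecord("asmith", "Anna Smith", "sponsor-form", "build-new-finance-app",
                   date(2015, 12, 31), "jdoe"),
    IdentityRecord("bjones", "Ben Jones", "sponsor-form", "service-desk",
                   date(2015, 3, 31), None),
]

ACCOUNTS = [
    DirectoryAccount("asmith", True,
                     frozenset({"finance-app-dev", "vpn-users", "core-finance-prod"})),
    DirectoryAccount("bjones", True, frozenset({"helpdesk-tools"})),
    DirectoryAccount("mikej", True, frozenset({"room-booking-admins"})),
]

if __name__ == "__main__":
    for account, finding in review_access(ACCOUNTS, RECORDS, TODAY):
        print(f"{account}: {finding}")
```

Run on the sample data, the review flags the unknown account with no record, the contractor whose end date has passed and who has no sponsor, and the finance-app developer holding a production finance group that the stated project does not justify. The point of the design is that each check maps to one of the four questions: an account with no record fails "who", an unjustified group fails "why", a stale enabled account fails "when", and a missing sponsor fails "who is responsible".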
If you would like more information, download our Joiner, Mover, Leaver (JML) Playbook from the RSA Community to learn more.
Author: Stephen Mowll
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: 0-Day, Zero Day, Zero Day Vulnerability