DevOps in Identity And Access Management

5 tips to get started with DevOps in IAM projects

DevOps in Identity & Access Management

When you think of DevOps, you usually think of developing applications and services, but DevOps strategies can offer much more. Applying DevOps strategies to Identity & Access Management (IAM) implementations is not a bad idea at all. Areas where IAM projects benefit most from DevOps are adjusting configuration items, automating object creation and performing tests.

Some of the advantages of DevOps that apply to software development can also be used in IAM projects:
• Automation makes the environment more stable; configurations are stored in code repositories, which has several advantages:
o the change or setting is documented
o the chance of typos or incorrect input is minimized
o versioning makes it easy to roll back a change

Various strategies are possible to reduce risks. Consider, for example, automating backups of necessary settings before a change is made or automatically performing regression tests after an adjustment.

As changes happen more often and automation becomes routine, the initial apprehension about making changes disappears, especially when a change is demonstrably easy to reverse. To give you some idea of where to start with DevOps in IAM projects, we have listed five tips.

5 Tips to get started with DevOps for Identity & Access Management projects

  1. Start ‘small’

Try not to aim for the sky by demanding too much in one go. Automating tasks sometimes requires a slightly different mindset, and it also takes time to get used to the tools. Use these first steps to discover, for example, which naming conventions work best, how large the projects within a source repository can be while remaining manageable, and how to report on the status of changes.

  2. Think big

Don’t conclude too quickly that a specific action cannot be automated because it is too complicated. Often a challenge only needs to be solved once. Solving it may take extra time, but the investment is quickly recouped by reusing the solution.

  3. Invest in knowledge building

It pays to build knowledge of a few tools, such as GitLab, Ansible and Python. In this example, GitLab takes care of versioning and deployment via pipelines to the different environments; Ansible orchestrates processes and clusters, and Python is used as a glue tool to execute API calls. The choice of platform or language does not matter, as long as they offer enough flexibility and possibilities, and above all are widely supported.

  4. Build security in from the start

Do not compromise on security, for example by applying weaker standards to dev/test environments than to production. By building in security right from the start, both for ‘data at rest’ and ‘data in transit’ (and also for application passwords or secrets in installation files), the chance of security issues at a later stage is much smaller. Many solutions exist for this, as long as security is part of the solution from the beginning rather than bolted on afterwards.

For DevOps teams to adopt such solutions, they must be “consumable”: secure and easy to use, but also matching the team’s way of working. For DevOps and Continuous Integration / Continuous Delivery (CI/CD), solutions that are invoked by calling a piece of standardized code are a good example of this.
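One concrete form of the “secrets in installation files” point above is a pipeline check that refuses to deploy a configuration file containing a literal credential. The following is an added example, not code from the original article; it assumes the team’s convention is that sensitive values are supplied as an environment-variable reference, a secret-manager reference (spelled `vault:<path>` here, a hypothetical convention), or a placeholder, and it scans a constructed sample file.

```python
"""CI check for credentials committed in installation/config files.

Added example (not from the original article). Assumption: sensitive
settings must reference an environment variable (${NAME} or $NAME), a
secret-manager path written as "vault:<path>" (hypothetical convention),
or a <placeholder>; any other literal fails the pipeline.
"""
import re

# Keys whose values must never be literals (key=value and key: value styles).
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*(password|passwd|secret|token|api[_-]?key|private[_-]?key)[\w.-]*)"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Value shapes that are acceptable because the real secret lives elsewhere.
ALLOWED_VALUE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|vault:\S+|<[^>]+>)$")


def scan_config(text):
    """Return (line_no, key) for every sensitive key bound to a literal value."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no value
        m = SENSITIVE_KEY.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if not value or ALLOWED_VALUE.match(value):
            continue  # empty, or delegated to env/secret manager/placeholder
        findings.append((n, m.group("key")))
    return findings


def check(text):
    """Pipeline entry point: (passed, findings)."""
    findings = scan_config(text)
    return (len(findings) == 0, findings)


# Constructed sample installer file mixing acceptable and unacceptable practice.
SAMPLE = """\
# ldap connector settings
ldap.url = ldaps://idm.example.internal
ldap.bind_password = "Summer2020!"
db_password=${DB_PASSWORD}
api_token: vault:secret/iam/connector#token
service.secret=
smtp.password = <replace-me>
"""

if __name__ == "__main__":
    passed, findings = check(SAMPLE)
    for line_no, key in findings:
        print(f"line {line_no}: literal value for sensitive key '{key}'")
    print("PASS" if passed else "FAIL")
```

Run as a pre-commit hook or an early pipeline stage, the check fails only on line 3 of the sample; the other sensitive keys are either delegated to an environment variable or secret store, left empty, or clearly marked as placeholders.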

  5. Automate testing

Automated testing gives confidence in the proper functioning of the environment and also serves as an early warning system for changes. By covering as much functionality as possible in tests, and running these tests daily, it quickly becomes apparent when a change has unwanted effects, and the change is easy to reverse.
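The two ideas from this article that lend themselves best to code are the risk-reduction strategies named earlier (snapshot the relevant settings before a change, run regression tests after it) and this tip on daily automated tests. The following is an added example, not code from the original article: it treats role definitions kept in a repository as the desired state, compares them with a live state that an adapter would normally fetch (here a constructed sample containing drift), and takes a JSON snapshot of the live state first so a rollback has something to restore. The role format is an assumption.

```python
"""Daily regression check for IAM roles kept as code.

Added example (not from the original article). Assumptions: roles are
described as {role: {"members": [...], "permissions": [...]}}, the desired
state is committed to the repository, and the live state is returned by an
adapter (replaced here by a constructed sample).
"""
import json
from datetime import datetime, timezone

# Desired state as committed to the repository (constructed).
DESIRED = {
    "hr-readers": {"members": ["alice", "bob"], "permissions": ["hr:read"]},
    "payroll-admins": {"members": ["carol"],
                       "permissions": ["payroll:read", "payroll:write"]},
}

# Live state with drift (constructed): an extra permission, an extra member,
# and a role that nobody put under version control.
LIVE = {
    "hr-readers": {"members": ["alice", "bob"],
                   "permissions": ["hr:read", "payroll:write"]},
    "payroll-admins": {"members": ["carol", "dave"],
                       "permissions": ["payroll:read", "payroll:write"]},
    "tmp-debug": {"members": ["dave"], "permissions": ["*"]},
}


def snapshot(state, label="pre-change"):
    """Serialize the live state before acting on it, so a rollback can restore it."""
    return json.dumps({"label": label,
                       "taken_at": datetime.now(timezone.utc).isoformat(),
                       "state": state}, sort_keys=True, indent=2)


def diff_roles(desired, live):
    """Return (severity, role, message) for every difference between live and desired.

    Anything that widens access (extra roles, members or permissions) is 'high';
    anything missing is 'medium' because it breaks function, not confidentiality.
    """
    findings = []
    for role in sorted(set(desired) | set(live)):
        if role not in desired:
            findings.append(("high", role, "role exists but is not in desired state"))
            continue
        if role not in live:
            findings.append(("medium", role, "role missing from live state"))
            continue
        want, have = desired[role], live[role]
        for kind in ("permissions", "members"):
            extra = sorted(set(have[kind]) - set(want[kind]))
            missing = sorted(set(want[kind]) - set(have[kind]))
            if extra:
                findings.append(("high", role, f"extra {kind}: {extra}"))
            if missing:
                findings.append(("medium", role, f"missing {kind}: {missing}"))
    return findings


def regression_check(desired, live):
    """What the scheduled pipeline job runs: returns (ok, findings, snapshot_json)."""
    backup = snapshot(live)
    findings = diff_roles(desired, live)
    ok = not any(sev == "high" for sev, _, _ in findings)
    return ok, findings, backup


if __name__ == "__main__":
    ok, findings, backup = regression_check(DESIRED, LIVE)
    for sev, role, msg in findings:
        print(f"[{sev}] {role}: {msg}")
    print("PASS" if ok else "FAIL: high-severity drift, snapshot taken for rollback")
```

Scheduled daily, the job fails on any finding that widens access and leaves the pre-change snapshot as the artifact to restore from; wiring the real adapter and the rollback step into the pipeline is the part that is specific to the IAM product in use.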

The Egregious 11: Examining the Top Cloud Computing Threats

Each year, the Cloud Security Alliance (CSA) releases its “Top Threats to Cloud Computing” study to raise awareness of key risks and vulnerabilities in the cloud and promote strong security practices.

The latest edition, The Egregious 11, ranks the top eleven cloud threats and provides recommendations for security, compliance, risk and technology practitioners. This installment reflects the widespread surge in cloud use and overall maturation in organizations’ understanding of cloud environments. However, it hints at continued over-reliance on cloud vendors to protect workloads, a troublesome trend we also observed in the CyberArk Global Advanced Threat Landscape 2019 report.

The CSA recorded a drop in rankings of traditional cloud security issues under the responsibility of cloud service providers – such as denial of service, shared technology vulnerabilities and CSP data loss – suggesting these issues are less of a concern for organizations than in years past. The biggest threats now come from issues like misconfigurations and insufficient identity access management where the customer is solely responsible for security.

As organizations utilize the cloud to enable remote work and accelerate digital transformation, there is a need to understand where potential security risks exist and address them head on. Here’s a look at five of the “Egregious 11,” along with steps organizations can take to strengthen their security posture. To explore all 11 cloud security challenges, along with CSA recommendations, check out the full study.

Data Breach

With the average total cost of a data breach now at $3.92 million, it’s unsurprising this is ranked as the number one cloud threat. Cyber attackers are after data – particularly personal information – and data accessible via the Internet is the most vulnerable asset to misconfiguration or exploitation. As more data shifts to the cloud, effectively protecting it begins with the question, “Who has access to this?”

Misconfiguration and Inadequate Change Control

Misconfigurations – including granting excessive permissions or unchanged default credentials – occur when computing assets and access are set up incorrectly. Misconfiguration of cloud resources is a leading cause of data breaches and can result in deleted or modified resources and service interruptions. The dynamic nature of the cloud makes traditional change control approaches for proper configuration extremely difficult.

To overcome cloud misconfiguration maladies, the CSA urges organizations to embrace automation tools that can continuously discover issues like unmanaged privileged accounts and instances to prevent misuse.

Insufficient Identity, Credential, Access and Key Management

The cloud introduces a host of changes and challenges related to identity and access management (IAM) and particularly to privileged access management (PAM), since privileged credentials associated with human users as well as applications and machine identities are exceptionally powerful and highly susceptible to compromise in cloud environments.

Once an attacker obtains privileged credentials, they can gain full access to sensitive databases, or even to an organization’s entire cloud environment. Attackers know this. Many recent attacks targeting IaaS and PaaS environments have exploited unsecured credentials, resulting in cryptojacking, data breaches and destruction of intellectual property and other sensitive data.

The CSA stresses the need for strict IAM controls for cloud users and identities including following the principle of least privilege to protect privileged access to high-value data and assets. It also notes that cloud access keys (e.g., AWS access keys, Google Cloud keys and Azure keys) must be rotated and centrally managed, while unused credentials or access privileges are removed.
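A central inventory makes the rotation and clean-up the CSA asks for testable. The following is an added example, not code from the CSA study or from CyberArk: it takes one record per access key as a central inventory might export it (constructed sample, placeholder key ids), applies rotation and idle thresholds that are policy assumptions here, and groups keys into those to remove, those to rotate, and those within policy. A fixed "now" keeps the sample reproducible.

```python
"""Access-key hygiene report over a central key inventory.

Added example (not from the CSA study or CyberArk). Assumptions: each
inventory record carries ISO-8601 timestamps; MAX_KEY_AGE and MAX_IDLE are
policy choices; key ids are placeholders.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotate keys older than this
MAX_IDLE = timedelta(days=30)      # remove keys unused for this long
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible sample

# Constructed inventory export.
INVENTORY = [
    {"key_id": "KEY-0001", "owner": "ci-deployer", "active": True,
     "created": "2020-05-20T00:00:00+00:00", "last_used": "2020-05-31T12:00:00+00:00"},
    {"key_id": "KEY-0002", "owner": "alice", "active": True,
     "created": "2020-01-15T00:00:00+00:00", "last_used": "2020-05-30T08:00:00+00:00"},
    {"key_id": "KEY-0003", "owner": "legacy-backup", "active": True,
     "created": "2019-11-01T00:00:00+00:00", "last_used": "2020-02-01T00:00:00+00:00"},
    {"key_id": "KEY-0004", "owner": "bob", "active": True,
     "created": "2020-05-01T00:00:00+00:00", "last_used": None},   # never used
    {"key_id": "KEY-0005", "owner": "carol", "active": False,
     "created": "2020-05-01T00:00:00+00:00", "last_used": None},   # deactivated, not deleted
]


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def classify(record, now=NOW):
    """Return (action, reason) with action in {'remove', 'rotate', 'ok'}.

    Removal takes precedence over rotation: a key nobody uses should go,
    not be rotated into a fresh unused key.
    """
    if not record["active"]:
        return ("remove", "inactive key still present in inventory")
    created = _parse(record["created"])
    last_used = _parse(record["last_used"])
    idle_since = last_used or created      # never-used keys idle from creation
    if now - idle_since > MAX_IDLE:
        return ("remove", f"unused for {(now - idle_since).days} days")
    if now - created > MAX_KEY_AGE:
        return ("rotate", f"key age {(now - created).days} days exceeds {MAX_KEY_AGE.days}")
    return ("ok", "within policy")


def report(inventory, now=NOW):
    """Group (key_id, owner, reason) by required action."""
    out = {"remove": [], "rotate": [], "ok": []}
    for rec in inventory:
        action, reason = classify(rec, now)
        out[action].append((rec["key_id"], rec["owner"], reason))
    return out


if __name__ == "__main__":
    for action, rows in report(INVENTORY).items():
        for key_id, owner, reason in rows:
            print(f"{action:6} {key_id} ({owner}): {reason}")
```

Run from the same pipeline that owns the inventory, the "remove" and "rotate" lists become tickets or automated actions, and the thresholds are the two numbers to agree on with the policy owners.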

Account Hijacking

Using phishing methods, vulnerability exploitation or stolen credentials, malicious attackers look for ways to access highly privileged accounts in the cloud, like cloud service accounts or subscriptions. Account and service hijacking means full compromise: control of the account, its services and the data within. The fallout from such compromises can be severe – from significant operational and business disruptions to complete elimination of organization assets, data and capabilities.

To protect against account hijacking, the CSA recommends defense-in-depth and strong IAM and PAM controls, such as credential lifecycle and provisioning management and segregation of duties.

Insider Threats

Malicious insiders can be current or former employees, contractors or other trusted third parties who use their access to act in a way that could negatively affect the organization. Since insiders have legitimate access, pinpointing potential security issues can be extremely difficult and remediating incidents can be costly. According to the Ponemon Institute’s 2020 Cost of Insider Threats Study, the average global cost of insider threats rose by 31% in two years to $11.45 million and the frequency of incidents spiked by 47% in the same time period.

Whether it’s a privileged user abusing their level of access or inadvertently misconfiguring a cloud resource, having a PAM program in place to protect from these insider abuses is paramount.

Don’t Be An Egregious Offender. Secure Your Cloud with PAM

The cloud has fundamentally changed the notion of privilege. Now, even ordinary user credentials in the cloud and DevOps environments can hold as much power as administrator-level credentials do for other types of systems. Add in a complex and highly dynamic mix of machines and applications and the privilege-related attack surface grows dramatically.

Poor cloud security practices will inevitably lead to a breach or failed audit and force organizations to slow down – something that simply isn’t an option in the always-on, ultra-competitive digital era.

Strong privileged access controls help ensure that humans, applications and machines have only the necessary levels of access to sensitive applications and infrastructure to do their jobs and that activities occurring within the cloud environment aren’t risky (or if they are, privileged access controls enable SecOps teams to take swift action).

If you’re looking for more in-depth guidance beyond the CSA’s initial recommendations, tap into these actionable steps for protecting privileged access in cloud environments.

Original written by: Justyna Kucharczak

Decentralized Identity (virtual panel discussion)

Over the past 12-18 months, there has been a mounting interest in the next generation of IAM systems. The promises of decentralized and self-sovereign identity promote a frictionless user experience, improved privacy controls, and appeal to organizations looking to reduce both costs and risks. How do you get started? Many organizations are just starting their journey to cloud, so the idea of a decentralized identity may seem too futuristic. In this session, experts from IBM, Pontis Research, PathMaker-Group & SecurIT discuss the value of such a transition and how clients are progressively moving towards it. Learn how use cases like passwordless authentication for law enforcement personnel and digital job credentials are becoming a reality. With the right strategy, the next-generation IAM is closer than you think.

Shift Your Cybersecurity Mindset to Maintain Cyber Resilience

As the business world navigates the ups and downs of today’s economy, a mindset shift is required to maintain cyber resilience. Cybersecurity, often an afterthought in a strong economy, must not be neglected in responding to shifts in the business landscape.

As more companies expand their remote workforce, the number of endpoints with access to corporate resources is proliferating. Hackers are seizing the opportunities this presents: Phishing email click rates have risen from around 5 percent to over 40 percent in recent months, according to Forbes.

With a strong cybersecurity mindset and some strategic planning, your company can position itself to survive these new working conditions and build up even more cyber resilience as you adapt. Because cybersecurity professionals are facing formidable adversaries, understanding how hackers think can go a long way in mitigating the threat they pose.

An Unfair Advantage

Security expert Frank Abagnale is one of the foremost experts on the thought processes of threat actors, and he was kind enough to lend his expertise to this piece.

Since the number of successful phishing attacks has skyrocketed, I asked him if this is more a function of hackers stepping up their game, or employees not possessing the right cybersecurity mindset to pay attention.

“It’s both,” he explained. “Any crisis is a perfect backdrop to phishing attacks. At the same time, employees are in a new environment, working from home with more distractions than ever. Add to this stress, cabin fever and anxiety, and you have the perfect phishing storm.”

What makes bad actors so successful, according to experts, is that they take advantage of the human condition. And the human condition is less guarded by security layers today than it has been in quite some time.

“Any fear and anxiety gets people to do things they normally would not do,” said Abagnale.

Take It From the Top

So what can an enterprise do to swim against this foreboding tide? Abagnale insists that vigilance is the key.

“It’s the way to go in normal times and especially now,” he said. “If a link or email sounds too good to be true, it probably is. Don’t rush to fill forms and provide your information to anyone who claims to be the IRS” — or someone who can accelerate your tax return.

But employees can’t be expected to bear the full responsibility of security, or even to recognize established best practices in every scenario. If something is too confusing or complicated and employees don’t know much about it, failure can seem inevitable. Good cybersecurity must be taught in ways that are easy to understand and that include actionable takeaways.

“We must use this time to educate and keep employees alert,” Abagnale asserted. And today, the cybersecurity responsibility elevator operates with only one button and one destination: the C-suite. It therefore falls to chief information security officers (CISOs) and security practitioners to connect the dots and ensure their colleagues understand what they can do to help.

Modern Problems, Modern Solutions

As we continue working, could the altered landscape change Abagnale’s mindset around cybersecurity? Would most of his convictions hold?

“I have been talking and warning executives and companies for over four decades about what criminals do to exploit unsuspecting humans,” he explained. “I now live to see the full effect of it, in a time that is ripe for fraud and deceit. My convictions are more reinforced today than ever. I am more energized to help educate the public about cybercrime and how we move forward to a better and more secure internet.”

Abagnale firmly believes that we must elevate our systems to prepare for the future, and the first piece of advice he would give to any company and security practitioner is to stop using passwords.

“Once you take the secret away from the human user, they cannot give it to the crooks,” he said. “They will not fall prey to keyloggers. It’s time we move forward from a 1960s technology to the 21st century.” Now may just be the time to put into action what Abagnale has been suggesting for years, and the path to a passwordless world may be simpler than you think.

Of course, moving away from passwords is just one aspect of the mindset shift security experts must embrace to bolster their cyber resilience. Don’t just keep cybersecurity and cyber hygiene front of mind; take the opportunity to reevaluate the true efficacy of our fundamental assumptions about security. Drastic changes in the threat landscape will continue to develop as working norms are overhauled, and security measures devised for outdated threats likely won’t serve us in the future — or even the present.
