6 Often Overlooked Identity Security Issues
In a typical computing environment, an identity establishes the relationship between a physical person and their digital alter ego. Backed by several accounts, several identifiers and a seemingly unlimited number of electronic rights, it can quickly become a headache for CISOs.
With the proliferation of digital environments, those responsible for the security of information systems must not overlook certain points related to identity management. Here are six identity security issues that deserve attention.
1. Employees with the same or similar names
Most business email addresses are formed from the first name and last name in one form or another. As the business grows, it is likely that there will be multiple accounts with the same name. Generally, an intermediate initial or a numeric suffix is added. However, the coexistence of several comparable entries in the address list complicates the identification of a person: the sender must verify a user's function and geographic location to be sure it is the right person. Truncating a person's name when assigning an account or email address can therefore be problematic, and the more you abbreviate, the more problematic it becomes. It is recommended to adopt an account creation nomenclature based on full names, with a middle initial if necessary or a series of letters and numbers to avoid conflicts. In this way, we avoid sending e-mails to the wrong person, with the attendant risk of disclosing sensitive information and creating confidentiality problems. This practice also avoids confusion when carrying out identity-by-identity access attestation (the periodic review of who holds which rights).
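The nomenclature described above can be made deterministic so that every new joiner gets a collision-free account name without manual judgement. The following is an added example, not code from the original article: it normalises names to plain ASCII, tries `first.last`, then `first.m.last` with the middle initial, and only then appends a numeric suffix. The `Person` and `AccountNamer` names are this example's own assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    first: str
    last: str
    middle: str = ""  # middle name, may be empty


def _normalize(part: str) -> str:
    """Lowercase ASCII letters only: strips accents, spaces, apostrophes and hyphens
    so that 'Anne-Marie' and 'Annemarie' cannot silently become two different people."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


class AccountNamer:
    """Hands out unique account names; `existing` seeds the set of names already in the directory."""

    def __init__(self, existing=()):
        self.taken = set(existing)

    def assign(self, person: Person) -> str:
        first, last = _normalize(person.first), _normalize(person.last)
        middle = _normalize(person.middle)[:1]

        # Preference order: full first.last, then first.m.last if a middle initial exists.
        candidates = [f"{first}.{last}"]
        if middle:
            candidates.append(f"{first}.{middle}.{last}")
        for cand in candidates:
            if cand not in self.taken:
                self.taken.add(cand)
                return cand

        # Both readable forms are taken: fall back to the most specific form plus a counter.
        base = candidates[-1]
        n = 2
        while f"{base}{n}" in self.taken:
            n += 1
        name = f"{base}{n}"
        self.taken.add(name)
        return name


if __name__ == "__main__":
    namer = AccountNamer(existing={"jane.roe"})  # constructed: one name already in use
    for p in (Person("John", "Smith"), Person("John", "Smith", "Anthony"),
              Person("John", "Smith"), Person("Jane", "Roe"), Person("Anne-Marie", "O'Neil")):
        print(f"{p.first} {p.middle} {p.last}".replace("  ", " "), "->", namer.assign(p))
```

Seeding the namer with the directory's existing names is what makes the scheme safe to run incrementally; the counter is only reached when both the plain and middle-initial forms are already taken, which keeps suffixed names rare and therefore noticeable in an address list.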
2. Mobile employees
If some employees in the organization change departments frequently, such as nurses or consultants, there will likely be identity classification issues. How should they be registered in the identity governance solution and in the directories? Are their permissions, privileges and role changed with each new assignment? The access rights granted should be adapted to each change of role. However, mobile employees often hold quite broad rights, and it is difficult, at any given moment, to determine what the appropriate access rights should be. Often they are granted excessive rights so that they can perform their various roles, which brings us to problem #3.
3. Excessive Privileges
An administrator or superuser account often carries excessive rights and is not always managed according to best practices. Combined with an identity, an admin account can confer full control over an environment. An admin should always be a member of the admin groups so that reporting can show who has access to what. A single user who knows the admin credentials without being referenced in an admin group is enough to create a serious problem: the access is real but invisible to that reporting. Privileged access with excessive rights is a common problem. It happens frequently because accounts are shared without being associated with identities.
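The gap described above (someone using admin credentials without being in an admin group, or a privileged account shared with no identity behind it) is detectable from ordinary login records if the directory data is joined to them. The following is an added example, not code from the original article: it parses a few constructed login lines, keeps only successful logins to privileged accounts, and flags those whose account is unlinked to any identity or whose owning identity is not in the admin group. A second function surfaces the sharing symptom itself, a privileged account used from several sources. The log format, account names and group data are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample directory data: privileged accounts, the identity each is linked to
# (dbadmin deliberately has none, it is a shared account), and the admin group membership.
PRIVILEGED_ACCOUNTS = {"dbadmin", "svc_backup", "j.doe-adm"}
ACCOUNT_OWNER = {"j.doe-adm": "Jane Doe", "svc_backup": "Ops Team"}
ADMIN_GROUP = {"Jane Doe"}

# Constructed log lines in a simple key=value format assumed for this example.
SAMPLE_LOG = """\
2024-05-02T08:01:12Z login account=j.doe-adm src=10.0.4.7 result=success
2024-05-02T08:05:40Z login account=dbadmin src=10.0.4.7 result=success
2024-05-02T08:07:03Z login account=dbadmin src=10.0.9.21 result=success
2024-05-02T08:10:55Z login account=svc_backup src=10.0.2.2 result=success
2024-05-02T08:12:00Z login account=guest src=10.0.4.7 result=failure
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) login account=(?P<account>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def _privileged_logins(log_text, privileged):
    """Yield parsed records for successful logins to privileged accounts only."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["result"] == "success" and m["account"] in privileged:
            yield m


def audit_privileged_logins(log_text, privileged, owners, admin_group):
    """Return (timestamp, account, reason) for privileged logins that reporting cannot attribute."""
    findings = []
    for m in _privileged_logins(log_text, privileged):
        owner = owners.get(m["account"])
        if owner is None:
            findings.append((m["ts"], m["account"], "privileged account not linked to an identity"))
        elif owner not in admin_group:
            findings.append((m["ts"], m["account"], f"owner '{owner}' is not in the admin group"))
    return findings


def shared_use(log_text, privileged):
    """Map each privileged account to its source addresses when it was used from more than one."""
    sources = defaultdict(set)
    for m in _privileged_logins(log_text, privileged):
        sources[m["account"]].add(m["src"])
    return {acct: srcs for acct, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    for ts, acct, reason in audit_privileged_logins(SAMPLE_LOG, PRIVILEGED_ACCOUNTS, ACCOUNT_OWNER, ADMIN_GROUP):
        print(f"{ts} {acct}: {reason}")
    for acct, srcs in shared_use(SAMPLE_LOG, PRIVILEGED_ACCOUNTS).items():
        print(f"{acct} used from {len(srcs)} sources: {sorted(srcs)}")
```

Both checks depend on the same join between login events and the identity store; without an owner mapping for every privileged account, the first check degrades to listing unknown accounts, which is still the list that needs fixing first.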
4. Mergers and Acquisitions
Even the most experienced professionals fear mergers and acquisitions. When consolidating IT, such as domains, identities, applications, and policies, it can be tempting to overlook best practices in order to reach the goal faster. Identity problems arise from this: excessive rights, coexistence of several accounts for one person, and non-compliant domain names. This in turn leads to a cascade of other identity-related issues: applications that only work in certain domains, and inconsistencies between pre-existing and new deployments. If the companies do not merge their standard operating procedures and establish an IT baseline, every subsequent project and identity management initiative risks suffering.
5. Non-human identities
With modern computing environments, many types of non-human identities (also known as machine identities) have proliferated. According to Forrester Research, “machine identities multiply twice as much as human identities”. Their management therefore becomes a serious problem. They should be treated according to the functions they perform and their interactions with human beings. However, companies do not always know how to correctly classify identities reserved for robotics, automation, industrial control systems, etc. to the point of exposing these machine identities to the whims of cybercriminals. Attestation reporting of machine identities is often inaccurate because their ownership and access rights are poorly documented. To address this, all machine identities should have an ownership assignment, similar to account-identity relationships.
6. Identities of Third Parties/Suppliers
Almost all companies use service providers, auditors, subcontractors and temporary workers to perform various functions. Whenever third parties need access to a company's environment, specific controls must be applied to manage the identities of these providers and validate the legitimacy of their activity. However, if these service providers change often, the burden of managing their identities can weigh heavily on the company. When managing third-party and vendor identities, companies should consider creating controls outside the usual directory services and avoid generic "Contractor1" or "Vendor_XYZ" type accounts. The ideal is to assign these users valid, individual account names for the duration of their engagement and to favor a management paradigm that reflects the simplicity and the temporary nature of the authorized access. In practice, whether the identities of third parties are recorded in a directory service or in a solution dedicated to remote access for service providers depends on the level of rights they need to accomplish their engagement. Either way, the group or solution should follow the least privilege model, come with robust monitoring tools, and be much easier to administer than employee identities. This means managing the entire lifecycle, from onboarding to departure, including internal transfers, and ensuring that no orphaned account persists once the identity has expired.
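Points 5 and 6 both come down to the same inventory question: does every identity have a documented owner and, for temporary ones, an end date, and does every enabled account still map to a living, unexpired identity? The following is an added example, not code from the original article, that runs those checks over a small constructed inventory. It flags machine identities without an owner, third-party identities without an end date, accounts linked to no identity or to an identity that no longer exists or has expired (the orphaned accounts the text warns about), and generic shared-style names such as "Contractor1". The `Identity`/`Account` records and the name pattern are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Identity:
    name: str
    kind: str                      # "human", "machine" or "third_party"
    owner: Optional[str] = None    # accountable person or team
    valid_until: Optional[date] = None  # end of engagement for temporary identities


@dataclass
class Account:
    username: str
    identity: Optional[str]        # name of the linked Identity, None if unlinked
    enabled: bool = True


# Generic account names that hide who is actually behind them (assumed pattern for this example).
GENERIC_NAME = re.compile(r"^(contractor|vendor|temp|guest)[_-]?\w*$", re.IGNORECASE)


def audit_inventory(identities, accounts, today):
    """Return (subject, reason) pairs for ownership and lifecycle gaps in the inventory."""
    by_name = {i.name: i for i in identities}
    findings = []

    for ident in identities:
        if ident.kind == "machine" and not ident.owner:
            findings.append((ident.name, "machine identity without an owner"))
        if ident.kind == "third_party" and ident.valid_until is None:
            findings.append((ident.name, "third-party identity without an end date"))

    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts cannot be used; they are not orphaned access
        if acct.identity is None:
            findings.append((acct.username, "account not linked to any identity"))
        else:
            ident = by_name.get(acct.identity)
            if ident is None:
                findings.append((acct.username, "orphaned: linked identity no longer exists"))
            elif ident.valid_until is not None and ident.valid_until < today:
                findings.append((acct.username, f"orphaned: identity expired {ident.valid_until}"))
        if GENERIC_NAME.match(acct.username):
            findings.append((acct.username, "generic shared-style account name"))
    return findings


# Constructed sample inventory.
IDENTITIES = [
    Identity("Jane Doe", "human"),
    Identity("svc-backup", "machine", owner="Ops Team"),
    Identity("ics-plc-01", "machine"),                                   # no owner
    Identity("Acme Audit", "third_party", owner="CFO", valid_until=date(2024, 3, 31)),
    Identity("Beta Consult", "third_party", owner="CIO"),               # no end date
]
ACCOUNTS = [
    Account("jane.doe", "Jane Doe"),
    Account("svc_backup", "svc-backup"),
    Account("plc01", "ics-plc-01"),
    Account("acme.audit", "Acme Audit"),          # engagement ended, account still enabled
    Account("Contractor1", "Beta Consult"),       # generic name
    Account("old.vendor", "Gamma Corp"),          # identity was deleted, account remains
    Account("tmp_share", None, enabled=False),    # unlinked but disabled: ignored
]

if __name__ == "__main__":
    for subject, reason in audit_inventory(IDENTITIES, ACCOUNTS, today=date(2024, 5, 2)):
        print(f"{subject}: {reason}")
```

Running the audit on a schedule, with `today` taken from the clock, turns the "no orphaned account persists" requirement into a daily report rather than a one-off cleanup; the expired-identity check is what catches the third-party account that outlives its engagement.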