Don’t forget about the I in IAM

Location: Acme Revenues, Inc., executive conference room

Time/Date: 5:30 pm on a Summer Friday

Participants: CEO, CISO, CSO, Head of PR

CEO: “What’s up? I’ve already missed my tee time, I can’t miss dinner.”

CISO: “We got hacked.”

CEO: {long pause, deep breath} “Again? The Russians?”

CISO: {clearing throat} “No, ma’am, a contractor from IT Markup dot com.”

CEO: “How? I keep approving security measures; didn’t I sign off on $20 million for EAM a year ago?”

CISO: {clearing throat again} “That was IAM – Identity Access Management – and we don’t know how.”

CEO: “What does IAM do? Isn’t that supposed to keep bad actors out of our systems?”

{CISO and CSO look at each other panic-stricken and then look down at the floor}

CEO: “Guys, what am I missing?”

CSO: “We rely on the contractors to vet their own people.”

CEO: “So we manage identities about which we know nothing – other than that they cost us a fortune?”

{CISO and CSO look at each other panic-stricken and then look down at the floor}

CEO: “Guys, I assume you’ve revoked access to all systems for all contractors and that you’ll have a plan to fix this on my desk on Monday?”

{CISO and CSO nod gingerly}

CEO: {quietly} “Please get to work – RIGHT NOW.”

{CISO and CSO slink away}

CEO: {to head of PR} “Erin, I don’t know what you’re going to tell the Street, but this is why you get paid the big bucks.”

Head of PR: “I rarely say this, but I’m speechless. I’ll try to keep it short and sweet. Hope is not a strategy but that’s about all we have right now.”

CEO: “Do the best you can – text me in an hour when you’ve got a draft ready.”

Most security resources today are devoted to stopping unauthorized intruders from accessing facilities or systems. This is understandable given how difficult it can be to lock down large, far-flung facilities or defend systems from hackers. However, it is not sufficient.

Corporate growth today is inextricably linked to the use of contractors and vendors; there are too many complex tasks to completely to avoid outsourcing. Delivery and maintenance personnel, and professional services and IT experts, and everyone in between is allowed into a company’s most security-sensitive locations and systems.

Scenarios like the one described above happen far too often. Furthermore, according to a survey assessing data risks associated with third parties, 37 percent of companies said they doubted contractors would self-report an incident perpetrated by one of their own; that number jumps to 73 percent when the offending party is under contract to the contractor. Of even greater concern, 75 percent of respondents think vendor-involved security incidents will continue to grow.

Before and after breaches occur, systems must be established to detect, minimize, and mitigate potential threats. Many existing physical and cyber security resources and processes can be brought to bear, but not all.

The moral of the story is to spend as much time on the I in IAM as you do on the M. Fortunately, it won’t cost as much.

The rapid growth in the identity and access management (IAM) market, which industry analysts estimate will increase to $14.8 billion by 2021, reflects increasing concern about hacks. Growth is being driven by security and regulatory compliance, rising cloud and software as a service (SaaS) adoption, as well as increasing demand for mobility solutions – and the new security concerns that accompany them.

IAM consists of business processes and security measures to ensure that access to sensitive IT systems is granted only to authorized individuals, and it allows organizations to automate how user identities, and their associated permissions, are managed. The North American IAM market accounts for one-third of demand, with many governmental agencies requiring employees to use authentication measures like hardware-based identification cards to access IT systems.

Today’s security leaders, however, are largely focused on managing what happens once a user is granted access to a system. In doing so, they are overlooking a critical element: the I in IAM.

Who is cleared is much more important than how access is managed once an individual is in the system. Fundamentally, you need to verify identity to ensure that people who present a potential threat are not given access in the first place.

Digital advances fueling growth in use of vendors and contractors

Not all hackers are remote, perpetrating attacks from across town or across the ocean. Some seek and gain access to vendors or contractors and walk in the front door every morning. Of course, these individuals have several key advantages over remote hackers: they don’t need to breach firewalls, break passwords, reverse-engineer data schemas, or guess at which systems present the most attractive targets.

We have found that many companies do not screen or vet vendors and contractors nearly as rigorously as they do their own employees, creating an extensive vulnerability.

Consider the case of Fannie Mae: An IT contractor who was fired installed a “logic bomb” on the financial firm’s UNIX servers in the hours after he was terminated and before his access was revoked. The malicious script was discovered by accident, avoiding a potential loss of millions of dollars and a week-long shutdown. More recently, WikiLeaks attributed leaks of Central Intelligence Agency’s cyber attack strategies in February to outside contractors. Unless your core business is security, it’s highly unlikely that you have put in place effective measures to address this threat. Although a PwC survey found that nearly one-third of executives said that insider crimes were costlier or more damaging than those committed by external hackers, less than half (49%) said they had put a plan in place to deal with them.

“In a digital world, organizations must allow insiders out and outsiders in,” Gartner research VP Lori Robinson says. “To do so in a secure manner, organizations must establish an IAM program for third-party access.”

What is identity?

Simply put, your identity is your persona: a combination of biographical and biometric data, as well as employment status or access permissions. Unfortunately, people aren’t always who they say they are. Hiding behind a screen or faking identity – in the digital or physical worlds, or both – is becoming more common as tools get more capable and easier to use.

A “high-assurance” identity certifies that a person is who they say they are. It consists of a universal identity subject to proofing, a thorough background screen, adjudication of the results, and issuance of a credential. Optimally, it can be accepted by organizations of all shapes and sizes.

“Identity has been at the heart of most every breach in the past two years,” Richard Kneeley wrote in PwC’s Global State of Information Security Survey 2017 report. “Many of these breaches have involved someone gaining access by using compromised identity, then changing their identity once inside the network to ratchet up access to data and systems by taking over a privileged account and in the process gaining unlimited access to the network, to systems and to data.”

What does it take to gain access?

Clearly, the future lies in outsourcing. By 2020, 40 percent of identity and access management (IAM) purchases will use the IDaaS delivery model — up from less than 20 percent in 2016. Of those IDaaS implementations, Gartner believes that 40 percent will replace on-premises IAM implementations, rather than simply augment those implementations — up from 10 percent in 2016.

It just takes one person to put your business and reputation at risk. A comprehensive approach to system-wide identity assurance must encompass three key areas:

1. Vendors and contractors: You need to certify that all individuals, not just your employees, to whom you are giving access are who they say they are.
2. Recurring monitoring: An end-to-end identity assurance solution doesn’t stop when individuals are given access; it continues to monitor public and proprietary information sources for disqualifying activities, so access can be revoked if necessary.
3. Security for physical and technological access: Contractors and vendors are rarely vetted as thoroughly as employees, but they often work across departments, can enter multiple buildings and have access to most systems.

A strong model is emerging to counter the risks posed by vendors and contractors: identity and access management as a service (IDaaS). For most organizations, an outsourced comprehensive approach can represent a significant upgrade to its capabilities.

To safely outsource critically important vendor and contractor vetting and credentialing, look for a solution with eight key components:

• Flexibility: The system must be able to be tailored to customer threat profiles and risk parameters. This allows you to fine-tune the dials to meet requirements that differ between business units.
• Unified credential: High-security IDs can be recognized by multiple departments, companies, and locations.
• Pre-clearance: The system needs to include strict checks before credentials are issued and access is granted.
• Ongoing screening: Automated notifications for revocation allow you to remove access when required.
• Unbiased vetting: Outsourced background screens prevent unfair results.
• Managed service: All operations are handled by identity management provider, and vendors and contractors can be charged to participate.
• Scale: All companies, regardless of size, get access to industrial-grade security.
• Collaboration: Encourages engagement and participation by both cyber and physical security executives.

Conduct a self-assessment: Six questions you need to ask

Do you know how well your organization vets and verifies identity? To gain a better understanding of how well your company is managing the “I” in IAM, start with this list of questions:

1. Do the legal agreements I have with my vendors require a background screen?
2. Does my organization have a system in place to properly vet contractors and vendors before they are granted access?
3. If contractors and vendors vet their own employees, is my organization performing audits to ensure my standards are adhered to?
4. Are these populations subject to ongoing vetting by the contractors themselves or by my organization?
5. Are contractors accepting our requirements, even if they cause duplication of effort for other companies they serve?
6. Am I able to stay current with advances in security, or are software and hardware patches taking an inordinate amount of time and attention?

Act now to protect your business and reputation

It’s a universal truth: There will always be people willing to go to great lengths to breach your company’s systems. Today’s increasingly complex business environment, with multiple interconnected systems and a proliferation of data, has made it more important than ever to ensure that new approaches for vetting contractor and vendor employees be adopted.

It’s time to stop overlooking the I in IAM, or assuming that somebody else is handling the “I.”   This is the best way to stay out of the boss’s office late on a Friday. 

About the Author: Justin P. Oberman, vice president of identity strategy at SureID, Inc., brings decades of experience in identity security. At SureID, he focuses on leading industry discourse on identity assurance with a focus on enterprise accounts, the digital economy and other emerging markets. As one of the first employees and earliest leaders at the Transportation Security Administration (TSA) following 9/11, Oberman served as the first assistant administrator for Transportation Threat Assessment and Credentialing.