SEO Blogspot,SEO Freelancer,Website Design and development Blogspot,SEO Blogger,Digital Marketing Blogspot,SEO Bloggers Bangalore India.
alt =""
Showing posts with label Identity Management. Show all posts
Showing posts with label Identity Management. Show all posts

Wednesday, 30 September 2015

How to Protect Your Data from Third-Party Breaches

 How to Protect Your Data from Third-Party Breaches

The December 2013 Target data breach that compromised the credit card information of 40 million customers was the first of many wake-up calls to organizations, bringing home the damage a company can sustain when a partner’s systems are hacked. As the whole world now knows, the HVAC supplier had access to more of Target’s systems than was needed or intended, and hackers infiltrated Target’s network through the partner’s own vulnerable solution.

Sadly, Target is not the lone case. More recently, 15,000 Boston Medical Center patients’ personal information and the payment card details of 868,000 Good will customers were compromised through data breaches at vendor companies with access to the organizations’ systems. In fact, a recent PwC study found the biggest challenge to security today is from internal sources – employees and partners – not external threats.

Vendors often need remote access to maintain your internal systems, but they may not be as stringent about security processes as your chief security officer, CIO, or IT team. For example, partners’ systems may use software that a developer no longer supports, and is hence, vulnerable. Even worse, they may use the same administrative passwords across every customers’ systems.

All this translates into the need for a far more comprehensive information security risk management strategy — one that not only oversees your data, but also third-party access rights, the robustness of network defenses, and more.

Here are some best practices to help protect your network from third-party data breaches:

Be aware of what your vendors can remotely access. Understand what kind of data and which systems your vendors can access, and the levels of access they enjoy. Can they retrieve any critical data they do not need for their work? Or do they have access only to the resources necessary to perform their jobs? This is of particular importance when you work with infrastructure management partners, for instance, because these have privileged access that could pose a significant threat if not properly secured. Provide access to data and systems only on a need to know basis.

How to Protect Your Data from Third-Party Breaches

Standardize remote access methodologies. The proliferation of available remote access methodologies (WebEx, web conferencing tools, and virtual private networks, for example) makes it difficult to monitor and manage access controls. Simplify this and better manage connections made to your network by defining the specific methodologies you will allow.

Use stronger authentication. Insist that vendors who must access your environment use two-factor authentication and institute well-defined access control processes.

Segment your network behind firewalls. It is advisable to allow vendors access only to a specific segment of the network, with this segment being firewalled from others. Network segmentation can limit the damage from a third-party data breach. To make this even more effective, provide dedicated systems for vendors, so they do not use their systems to connect to your network.

Monitor network defenses frequently. Frequently audit access controls and security policies to identify potential security gaps that can be plugged before a breach occurs. Real-time analyses allow your IT department to see what is being accessed by whom and why, as your vendors connect to your network. This helps proactively identify any problematic activity.

Hold vendors to the same security standards you hold yourself. However stringent your organization’s security system, all is nullified if your vendors are not equally particular. Define your security requirements upfront when signing on a new vendor. Review their security processes and access control policies, and check if they conduct regular penetration testing on their systems and network. Insist they adhere to the same standards as your organization in the areas of data protection, identity management, authentication, and other security measures.

Proactively plan for third-party breaches. You will (or should) already have a robust incident response and disaster recovery plan for attacks on your own systems. Take this a step further by planning a defense against third-party attacks as well. Ask your vendors to demonstrate how they protect your data, their incident response plan, and how they will deal with breaches that can affect your data.  

Periodically verify your vendor’s security posture. Security assurance is not a one-time task but a continuous process. Conduct periodic audits of your vendors to make sure that they follow best practices and have the necessary technical controls in place. The aim should not be to review every vendor you engage, but to conduct a thorough audit with greater frequency for targeted, high-risk vendors.

In this, as in other aspects of your relationship with your vendors, work with partners to identify security gaps and protect against breaches before they occur. Industry standards are gradually evolving to this end as well. The latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) mandates that organizations pay closer attention to partners’ security practices. This will probably provide the much-needed nudge to get businesses to think beyond only their own security posture.

Monday, 21 September 2015

Identity and Access Management

With organizations increasingly focusing on access governance (as they should!), it would be foolish to underestimate the importance of Identity Management. Data on the what, why and when of information access must be complemented by the knowledge of who accesses datain other words, the identity of the person accessing data. Identity management refers to the process of creating and implementing policies that define roles for every member of the organization (employees and vendors), and their associated privileges and access rights. The level of access that a user enjoys to applications, data, and different parts of the network,are defined by his role and responsibilities, and what he needs to perform his job.
 Identity and Access Management
An identity management system helps to automate provisioning, re-provisioning and de-provisioning of users as well, reducing time and effort spent, as well as human error.
Identity management is more than simply governing user access rights. It includes: a) defining enterprise-wide access policies; b) designing reporting mechanisms; c) defining rules-based alerts for when there is an unusual request or when a user tries to access information outside the scope of his role; and d)the regular monitoring of role assignments and changes (when employees move out of the organization, a particular role, or to a different function, and their identity within the organization changes accordingly).

Best practices in implementing an identity management system that can enhance security and compliance

  • Establish a single virtual directory of identities that consolidates the multiple directories spread across the enterprise. This is essential to facilitate both the standardization of authentication systems as well as access management and governance.
  • Assign access permissions to job roles rather than to the people in those roles.Linking permissions to people who may change their job roles (and thus, responsibilities) or quit the organization could result in privilege creep or orphan accounts if access governance is tardy. Linking permissions to job roles allows for easier long-term identity management.
  • Establish a workflow that automates the processes of requesting for and approving access rights. This can make the identity management more efficient. Such a workflow should be complemented by a self-service user interface that offers employees, data owners and business decision-makers a detailed view of identities and associated access rights.
  • Since identity management is so closely linked to compliance initiatives, it is imperative to consider the impact of regulatory compliance requirements on identity management systems during the planning stage. Essentially, these requirements will inform the scope of the system.
  • It is not advisable for IT to be overly involved in identity management; instead limit their role to developing and implementing the appropriate tools and infrastructure. Essentially, when IT is enabled to grant access based on requests, without the benefit of business context, it will be unable to take an informed call on whether that level of access is appropriate for that particular role.
  • Have a strong review process in place. Identities are dynamic, and it is imperative that the organization engage in frequent recertification to ensure that the right people have access to the right data. Continual reviews of identities and their assigned permissions reduce the enterprise’s exposure to risk.
Finally, remember that just like any other aspect of security, identity management too is an on-going, iterative process that does not end with the implementation of a solution.