From the recent cybersecurity executive order to updates to the NIST Cybersecurity Framework, there’s no question that improving security is a government-wide priority. In theory, these efforts and programs like the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) are key steps in keeping government ahead of the bad guys.
CDM, described as a dynamic approach to fortifying the cybersecurity of government networks and systems, is meant to provide accessible solutions for agencies. Though DHS’s work is a move in the right direction, CDM alone leaves room for risk. What areas must be addressed to keep government’s mission critical data safe?
Active Directory (AD) is a largely overlooked piece of the cybersecurity puzzle. Every federal civilian and defense agency relies on access granted or denied by AD, and unfortunately, AD accounts are popular targets for bad actors. While CDM addresses areas of authentication, such as PIV login, it only touches the surface of a consideration that could be the difference between safeguarded government data and a hack the magnitude of OPM or greater.
This is where identity and access management (IAM) can go beyond the basics to fill existing gaps and meet security challenges government agencies are facing. There are three key areas of IAM CDM is missing that can help create a safe environment in government and transition security into a mission enabler:
Eliminate excessive access
Employees regularly move from one role to the next within a government agency. Though this is common practice, agencies miss an important step in this process and leave employees with access to the systems and information they needed in their prior roles on top of their newly granted rights. This creates vulnerability, especially in AD environments.
When regular users have more access than necessary, bad actors don’t need to target a top-level administrator to view sensitive information. These accounts typically receive less security scrutiny and monitoring, giving a bad actor a quieter route to obtain data unnoticed. The resolution to this challenge doesn’t need to be complicated. Agencies need a streamlined approach to remove unnecessary privileges from users whose needs have changed.
In AD, a least-privilege model can be implemented: individuals can reach the resources they need to do their job and nothing more. At the same time, security needs to be much more than the practice of denial and restriction. Temporary rights can be granted when users need sensitive data. To maintain security, both the duration of that access and the actions it permits can be controlled, which limits what a bad actor, or even an authorized user, can do with it.
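One way to grant the temporary, time-limited rights described above is Active Directory's own time-bound group membership (the Privileged Access Management optional feature, which requires a Windows Server 2016 forest functional level). The script below is an added example, not code from the article or from One Identity; the user, group, duration and ticket values are assumptions, and the CSV log path is arbitrary.

```powershell
# Added example (not from the article): grant a self-expiring membership in a
# sensitive-resource group so the right disappears without a revocation step.
# $User, $Group, $Hours and $Ticket are assumed inputs supplied by the caller.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $User,    # assumed sAMAccountName, e.g. 'jdoe'
    [Parameter(Mandatory)] [string] $Group,   # assumed group, e.g. 'Finance-Sensitive-Read'
    [int]    $Hours  = 4,                     # how long the access lives
    [string] $Ticket = 'CHANGE-0000'          # assumed change/ticket reference for the audit trail
)

Import-Module ActiveDirectory

# Time-bound membership must be enabled once per forest; verify rather than assume.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    throw 'Time-bound membership is not enabled in this forest; enable the PAM optional feature (irreversible) before issuing expiring grants.'
}

$ttl = New-TimeSpan -Hours $Hours

# -MemberTimeToLive makes AD itself drop the membership when the TTL expires,
# so nobody has to remember to revoke the right later.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

# Show the remaining TTL on the membership as confirmation.
Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# Record who received what, for how long, and why, so the grant is reviewable.
$entry = [pscustomobject]@{
    Time    = (Get-Date).ToString('o')
    User    = $User
    Group   = $Group
    Expires = (Get-Date).Add($ttl).ToString('o')
    Ticket  = $Ticket
    Actor   = $env:USERNAME
}
$entry | Export-Csv -Path .\temporary-access-log.csv -Append -NoTypeInformation
$entry
```

Run as `.\Grant-TemporaryAccess.ps1 -User jdoe -Group Finance-Sensitive-Read -Hours 2 -Ticket CHANGE-1234`. The Kerberos ticket issued to the user also carries a lifetime no longer than the remaining TTL, so the access genuinely stops when the membership does rather than lingering until the next logon.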
Remove unnecessary accounts
While some current users may have more access than is necessary, in some cases entire unused accounts exist within federal agencies. These may belong to employees who have left the agency, and as a result are not regularly monitored. This makes them easy targets for those with malicious intent, who can break in and do undetected damage.
From a security perspective, it is important that agencies consider solutions that automatically disable inactive accounts after a set number of days. Flexible solutions will allow agencies to tailor policies to their organization’s requirements. This doesn’t mean the user information will disappear. Records remain available, allowing agencies to meet forensics or compliance needs.
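The policy described above, disabling (not deleting) accounts with no logon in a set number of days while keeping the record for forensics, can be automated in AD as follows. This is an added example, not code from the article or from One Identity, and it is also the kind of automated deprovisioning the closing section of the article calls for. The search base, exemption group, threshold and report path are assumptions.

```powershell
# Added example (not from the article): disable enabled AD user accounts with no
# logon in the last N days, keeping the object and its history for audit.
# $SearchBase, $ExclusionGroup and $InactiveDays are assumed values.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]    $InactiveDays   = 45,
    [string] $SearchBase     = 'OU=Users,DC=example,DC=gov',   # assumed
    [string] $ExclusionGroup = 'IAM-Stale-Exempt',             # assumed: break-glass and service accounts
    [string] $ReportPath     = '.\stale-accounts.csv'
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Accounts that must never be auto-disabled (service accounts, break-glass admins).
$exempt = @{}
Get-ADGroupMember -Identity $ExclusionGroup -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $exempt[$_.distinguishedName] = $true }

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a
# 14-day lag, so keep the threshold well above 14 days. Accounts that have never
# logged on are judged by their creation date instead.
$stale = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
            -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        -not $exempt.ContainsKey($_.DistinguishedName) -and
        ( ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
          (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff) )
    }

foreach ($u in $stale) {
    $last = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
    $note = "Auto-disabled $(Get-Date -Format yyyy-MM-dd); last logon $last"
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon $last)")) {
        # Disable rather than delete: the object, its memberships and SID stay
        # available for forensic review and compliance reporting.
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description $note
    }
}

# Write the review report even under -WhatIf so the threshold can be tuned first.
$stale | Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
'{0} stale account(s) found (threshold {1} days)' -f @($stale).Count, $InactiveDays
```

Run it first as `.\Disable-StaleAccounts.ps1 -WhatIf` and review the CSV; only once the exemption group and threshold produce no surprises should it run for real on a schedule. The exemption group is what keeps the automation from disabling a service or emergency account whose "inactivity" is expected.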
Automate, automate, automate
Often agencies believe they can address authentication manually, but in reality are not prepared for the demands of manual implementation. These complex processes lead administrators to take the easy route: granting too much access rather than reviewing accounts case by case, or allowing the accounts of departed employees to remain active for longer than necessary.
Automated provisioning and deprovisioning can eliminate opportunities for mistakes, redundancies, inefficiencies and other occasions of human error that unintentionally put sensitive data at risk. At the same time, greater accuracy and efficiency in provisioning gives users reliable access to the information necessary to perform their jobs and meet agency missions.
Government’s security needs are quickly changing and agencies need to adjust accordingly. Through addressing excessive access, necessary provisioning and automation, especially in AD environments, agencies can achieve holistic security. Don’t let these gaps cause the next big breach – take a deep dive into IAM and stay one step ahead of risky practices.
Andy Vallila, Vice President and General Manager, One Identity Americas