Am I the only one who has been seeing a lot in the press recently about privileged users and the tools and solutions focused on them?
When I read this article on insider threats in Network World, I realized that dynamic user provisioning, which Imanami has been offering our clients for years, is a fundamental building block to privileged user security!
We are constantly yelling from the rooftops about how critical it is to make sure that your users are automatically provisioned into Active Directory. And we yell even louder about the importance of making sure that they are automatically and dynamically de-provisioned and re-provisioned as their job, location, and employment status changes.
This article had some great data to support that point of view. According to Verizon’s 2010 Data Breach Investigations Report, insiders were involved in 48% of breaches. And nearly all of those cases (90%) are deliberate.
The breaches usually resulted from a misuse of privileges. One example was given by Phil Cox of SystemExperts:
“A sys admin who moved from group to group in IT operations over a decade, in networking, telecom and desktop support. Over time, he accumulated access he didn’t need for his job,” Cox says. He was a foreign national who ended up quitting his job, and the company started looking at the last weeks of his stored e-mail, which was a common exit strategy there. They saw something “weird” that got managers thinking he had taken data. They went looking at logs and saw he had been accessing data he had access to three years ago.”
We hear this story over and over again. Prospects come to us when they realize that their employees are accumulating access to systems and data like adding keys to a giant key chain. They realize that IT has no way to tell who has what keys and no guaranteed way to get them back.
In this case, had the company implemented a solution which dynamically updated their employees’ security group memberships and used those memberships to grant access to system resources then he likely wouldn’t have been able to access those systems which he no longer had authorization to.
If there is one thing that we hear from our clients it is that a great many people request new access, but no one ever gives it back voluntarily. That’s why doing it automatically makes so much sense! It’s a simple solution to implement, it doesn’t cost a lot of money, and it solves a huge piece of the problem without resorting to spyware.
Jonathan Blackwell
View ProfileSince 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.