In previous blogs, we’ve stressed the need for IT to go outside of itself and embrace application owners, line-of-business owners, and other stakeholders within your user base. These people generally have better insight into the daily needs and changes related to the applications and resources that they use and can therefore manage the access to these resources with greater accuracy than IT. Employing the help of others in this manner will actually make the network more secure while also taking work off IT’s shoulders.
But handing over the reins of managing even a small portion of your Active Directory’s group memberships, like many other security-related services, isn’t a decision that you should take lightly. You can’t simply hand this access to users. Without the proper measures in place, the users themselves can become a danger to the organization once IT delegates responsibility.
As cited previously, 73% of organizations are concerned about users who might share passwords freely with other users[1], and 32% of employees admit that they’ve shared passwords[2]. The use of stolen credentials by external attackers represents an equally dangerous threat, coming in as the second-most prevalent threat vector today[3]. These facts make the assignment of any elevated privileges within an organization a real concern, requiring that any delegation be done in a way that ensures both the security of the access and the identity of the user.
So, how can IT extend privileges and delegate responsibility to the user securely?
There are two steps to accomplishing this:
- The first has to do with tightening your policies for end-user tasks centered around IT. Defining specific roles and their associated capabilities is necessary. You can’t be secure if you don’t know who has what permissions. (And a cautionary note here: If you’re going to use groups as the basis for delegating permissions, you need to make sure you have a handle on the lifecycle of those groups. If you don’t, it’s easy to get lost in a jungle of unmanageable groups that were neglected for so long that they carry too many assigned permissions and memberships that have never been validated.)
- The second step is to implement multi-factor authentication (MFA). This is a key method of ensuring that only the intended users are able to exercise any delegated IT permissions, and it prevents external attackers from abusing those same delegated services to extend their access within your network. Going beyond simple password-based authentication allows you to use cell phones, social media accounts, and other external means of identification.
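One way to get the "who has what permissions" inventory the first step calls for, as an added example that is not code from the original post or from GroupID: the script below walks the groups under an OU (the OU name is assumed) and reports every trustee whose ACE lets it change group membership, alongside whether the group has a recorded owner. It assumes the RSAT ActiveDirectory module and a session with read access to the group objects.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute and rightsGuid of the "Membership" property set.
# An Allow ACE scoped to either of these with WriteProperty (or Self, the validated write)
# lets the trustee add and remove members.
$MemberAttributeGuid   = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$MembershipPropSetGuid = [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-DelegatedGroupMemberWriters {
    param(
        # Assumed OU; replace with the container that holds your delegated groups.
        [Parameter(Mandatory)] [string] $SearchBase,
        # Principals that always hold these rights and would only add noise to the report.
        [string[]] $IgnoreIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties managedBy, whenChanged
    foreach ($group in $groups) {
        $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($IgnoreIdentities -contains $ace.IdentityReference.Value) { continue }
            $rights = $ace.ActiveDirectoryRights
            # Membership control comes either from a property write scoped to member
            # (or to all properties), or from rights that let the trustee rewrite the ACL.
            $membershipScoped = $ace.ObjectType -in @($MemberAttributeGuid, $MembershipPropSetGuid, [guid]::Empty)
            $memberWrite = $membershipScoped -and ($rights.HasFlag($R::WriteProperty) -or $rights.HasFlag($R::Self))
            $controlsAcl = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)
            if (-not ($memberWrite -or $controlsAcl)) { continue }
            [pscustomobject]@{
                Group       = $group.Name
                Trustee     = $ace.IdentityReference.Value
                Rights      = $rights
                Scope       = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' } else { 'membership' }
                Inherited   = $ace.IsInherited      # inherited ACEs usually come from OU-level delegation
                Owner       = if ($group.managedBy) { $group.managedBy } else { '<none>' }
                LastChanged = $group.whenChanged    # a stale date is a hint the membership was never revalidated
            }
        }
    }
}

# Example run (assumed OU): groups with Owner '<none>' or a broad 'whole object' scope deserve a review first.
Get-DelegatedGroupMemberWriters -SearchBase 'OU=App Groups,DC=corp,DC=example' |
    Sort-Object Group, Trustee | Format-Table -AutoSize
```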
The challenge is to ensure that your automation systems and solutions support multi-factor authentication. Otherwise, all of this simply represents an exercise in wishes and dreams. Integration with single sign-on and/or MFA solutions makes those solutions much more valuable as a central way of protecting not just data but also processes — and the corresponding security implications of these processes.
[1] Ponemon, Unintentional Insider Risk Report (2015)
[2] Sailpoint, Market Pulse Report (2016)
[3] Verizon, Data Breach Investigations Report (2016)
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.