9 Latest Cybersecurity Threats To Be Aware Of In 2020

Advances in technology are all good as long as they are used for the benefit of society as a whole. But like everything else, there is a darker side to them. A bigger cyber network means more hidden loopholes, and thus more cases of cheating and fraud.

It is essential to plan ahead when it comes to maintaining cybersecurity so that attackers don’t get the opportunity to get ahead of you. The number of cybersecurity breaches has increased considerably in the past few years. This is dangerous, especially for companies, because it erodes the reliability of their brand. The less attention you pay to your cybersecurity, the greater the chance that attackers, who are getting smarter, will target you and take advantage of it. This could lead to attackers obtaining sensitive information from your company. Attackers are constantly inventing new ways to damage the reputation and functioning of their target company or individual, but they also have tried and tested ways to commit fraud to fall back on. Protection against these threats will ensure that your company’s data is much safer than before.

Listed below are nine imminent cybersecurity threats you should protect yourself from in 2020.

1. Ransomware

Ransomware attacks, which hold information hostage in exchange for money, cause tremendous losses to companies every year. There have reportedly been fewer ransomware attacks on individuals and more attacks on companies and businesses. In the first quarter of 2019 alone, there was a 340% increase in detections of ransomware attacks on businesses.

Ransomware is a piece of disguised malware that encrypts all of the victim’s data. To get their information back, the victim has to pay the ransom that the attacker demands or lose their data forever. Businesses are targeted by such encryption malware because they have more reason to protect their information and can offer more money as ransom. Some attackers also target high-net-worth individuals, trying to break into their vulnerable cloud data in order to cause damage. The surge in cryptocurrencies like Bitcoin lets attackers get paid anonymously, which plays to their advantage.

To protect yourself or your company from ransomware, first fortify your perimeter security with firewalls. Second, every device connected to that network must have an antivirus program installed to scan any attachments from outside for signs of infiltration by such encryption malware. Third, regularly back up your important data somewhere else, so that even if you lose your data to ransomware, you can still restore it with minimal loss or damage to your company.

2. Phishing Scams

Phishing attacks are a serious concern that cannot be dismissed easily even today. A phishing attack happens when the attacker sends an email with convincing text in order to trick people into clicking a link in the email and surrendering sensitive information or installing malware on their systems. Information such as login IDs, passwords or credit card details can later be used to abuse the company’s systems.

Phishing strategies are cheap for attackers to come up with and carry low risk for them. They are so common that, on average, about four phishing emails reach an employee’s inbox every week. Attackers employ creative strategies, going so far as to use machine learning software that can create convincing content to cheat an unsuspecting person easily. To prevent this, the company’s employees must be trained to recognize such phishing attempts. Their access to important data should be kept to a minimum, and anti-phishing software should be installed to detect such emails and delete them.
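As an added, illustrative example (not part of the original article), the following Python script shows one check that anti-phishing tooling performs on an HTML email body: it flags links whose visible text names one host while the href points somewhere else, and links whose target is a raw IP address rather than a domain. The sample message bodies, hostnames and addresses are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample email bodies for this example; not real messages.
SAFE_MAIL = (
    '<p>Your invoice is ready: '
    '<a href="https://billing.example.com/inv/42">billing.example.com</a></p>'
)
SUSPICIOUS_MAIL = (
    '<p>Please verify your account at '
    '<a href="http://198.51.100.7/login">https://accounts.example.com/verify</a> '
    'or <a href="https://login.example-support.test/">https://accounts.example.com</a>. '
    'Need help? <a href="https://example-support.test/reset">Reset password</a></p>'
)

# Visible anchor text that itself looks like a URL or a bare domain name.
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased; None if not URL-like."""
    if not value:
        return None
    candidate = value if "://" in value else "http://" + value
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html_body):
    """Return (href, visible_text, reason) for each anchor worth flagging.

    Two indicators are checked: the link target is a raw IP address, or the
    visible text names one host while the href points at another.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        if href_host is None:
            continue
        if _is_ip_literal(href_host):
            findings.append((href, text, "link target is a raw IP address"))
            continue
        if _URL_LIKE.match(text):
            text_host = host_of(text)
            if text_host and text_host != href_host:
                findings.append(
                    (href, text, f"text shows {text_host} but link goes to {href_host}")
                )
    return findings


if __name__ == "__main__":
    for body in (SAFE_MAIL, SUSPICIOUS_MAIL):
        for href, text, reason in find_suspicious_links(body):
            print(f"FLAG {href!r} ({text!r}): {reason}")
```

Only anchors whose visible text already looks like a URL are compared, so ordinary "Reset password" links are not reported; a production filter would add further indicators (look-alike domains, newly registered domains, reputation lookups) on top of this parser.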

3. IoT Attacks

IoT, or the Internet of Things, refers to the various devices that are interconnected so that it is more convenient for the user and the business to move information quickly. Nowadays, laptops, tablets, phones, smartwatches, and household appliances are interconnected. But not all of these devices have strong security against incoming attacks. A larger interconnected network means more scope for loose ends and risks, which is why such networks are more vulnerable. To prevent IoT attacks from installing malware on the devices, you should regularly update the firmware of the devices in your network.

4. Insider Threats

In many cases, the biggest threats to the security of a company have been its own employees. It has been documented that one-third of all threats to the safety of a company’s data are insider threats. Some employees misuse their exclusive insider access to illegally obtain and sell sensitive data to third parties. Employees also cause data theft by accidentally sharing or leaking undisclosed information, having their accounts hacked because of poor security, or even being tricked into downloading malware onto the devices at their workstations, which can compromise the important data they hold.

These insider attacks are considered huge threats that companies face on a daily basis because they have the potential to wreak havoc in a company. Even a single employee who is careless or has fraudulent intentions can easily cause a major data security breach. Such attacks are hard to predict and hard to deal with, no matter how big the company.

To prevent their own employees from turning into threats, companies should apply a strict policy of least privilege, so that employees can access only the minimum set of resources they need to do their work. Thus, even if an employee’s account is hacked or compromised, it still won’t cause much damage to the company’s wider systems or network.

5. Crypto-Jacking

Crypto-jacking is the term used when cybercriminals hijack or gain unauthorized access to a third party’s computer, phone, or other device to mine cryptocurrency. Cryptocurrency is a virtual currency that can be used in place of real money to pay for goods or services. These cryptocurrencies are mined on a computer by using special programs to solve complex mathematical problems in exchange for a piece of the currency. A cryptocurrency derives its value from how hard it is to obtain, which makes its value fluctuate. The more devices, the easier it is to mine cryptocurrencies like Bitcoin. All the cybercriminals have to do is compromise someone’s computer with their mining code and use the victim’s devices and energy to mine cryptocurrency. This code can be installed on the host computer through phishing email attachments and works in the background without the user of the host computer knowing about it.

Crypto-jacking can be detected by observing the speed and performance of the device. If processor usage is high, causing the device to heat up too quickly, or if the device suddenly becomes slow to respond, crypto-jacking can be suspected. To prevent devices from becoming victims of crypto-jacking, strong security software and ad-blockers have to be installed. Anti-crypto-mining extensions for browsers are also available. It is also important to stay alert for phishing emails.
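The paragraph above names the symptom to watch for; the Python below, an added example rather than code from the article, turns it into detection logic. It takes CPU utilisation samples and reports intervals of sustained high load, tolerating the brief dips a miner shows when it throttles, and applies the same detector per process so the offending program can be named. The telemetry, process names and PIDs are constructed for the example; a real deployment would feed it readings from the operating system (for instance via psutil).

```python
def _series(values, start, step=30):
    """Turn a list of percentages into (timestamp, percent) pairs, one per `step` seconds."""
    return [(start + i * step, v) for i, v in enumerate(values)]


# Constructed telemetry (not captured from a real machine): one CPU sample
# every 30 seconds. Idle, then ~11 minutes of load with one short dip, then idle.
QUIET_THEN_MINING = (
    _series([12, 18, 25, 15, 20], start=0)                                    # t = 0..120
    + _series([92, 95, 97, 40, 96, 94, 98, 99, 93, 95, 97, 96], start=150)     # t = 150..480
    + _series([22, 14, 30], start=510)                                        # t = 510..570
)

# A legitimate burst: one minute of heavy use, then idle again.
SHORT_BURST = [(0, 10), (30, 95), (60, 97), (90, 12), (120, 10), (150, 11), (180, 9)]


def sustained_high_cpu(samples, threshold=85.0, min_seconds=300, grace_seconds=60):
    """Return (start, end) intervals during which CPU stayed at or above
    `threshold` for at least `min_seconds`.

    Dips below the threshold that last no longer than `grace_seconds` do not
    end an interval, so a miner that briefly yields the CPU is still caught,
    while a short burst of real work is not reported. `samples` is an
    iterable of (timestamp_seconds, cpu_percent) pairs in time order.
    """
    intervals = []
    start = last_high = None
    for t, pct in samples:
        if pct >= threshold:
            if start is None:
                start = t
            last_high = t
        elif start is not None and t - last_high > grace_seconds:
            if last_high - start >= min_seconds:
                intervals.append((start, last_high))
            start = last_high = None
    if start is not None and last_high - start >= min_seconds:
        intervals.append((start, last_high))
    return intervals


def flag_processes(proc_samples, **kwargs):
    """Group (timestamp, pid, name, cpu_percent) samples by process and run the
    detector on each; returns {(pid, name): intervals} for offenders only."""
    by_proc = {}
    for t, pid, name, pct in proc_samples:
        by_proc.setdefault((pid, name), []).append((t, pct))
    offenders = {}
    for key, series in by_proc.items():
        series.sort()
        hits = sustained_high_cpu(series, **kwargs)
        if hits:
            offenders[key] = hits
    return offenders


# Constructed per-process view: a helper process that mines, and a browser
# that merely loads a heavy page for a minute.
PROCESS_SAMPLES = (
    [(t, 4242, "updater-helper", pct) for t, pct in QUIET_THEN_MINING]
    + [(t, 1337, "browser", pct) for t, pct in SHORT_BURST]
)


if __name__ == "__main__":
    for (pid, name), hits in flag_processes(PROCESS_SAMPLES).items():
        for start, end in hits:
            print(f"pid {pid} ({name}): sustained high CPU from t={start}s to t={end}s")
```

The thresholds are tuning knobs: on a build server five minutes of full load is normal and `min_seconds` should be much larger, whereas on an office laptop a lower threshold is appropriate. Sustained CPU is an indicator, not proof; the next step is to inspect the flagged process (its path, parent and network connections) before acting.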

6. Shortage of Cyber Professionals

Cybercriminals find the internet an easy place to obtain quick money from millions of innocent people. This is because there are so many loopholes in cybersecurity that they can easily exploit. These criminals keep up with every technological development and usually seem a step ahead of their victims. To deal with such cunning criminals, an equally smart team of cyber professionals is required. But there is a huge shortage of such skilled cyber professionals, and both businesses and governments are struggling to hire them. To cope with the shortage, companies must identify which candidates have the greatest potential to fit the job and offer them training or an apprenticeship program to develop the required skills while retaining their loyalty.

7. DDoS Attacks

Distributed Denial of Service is a form of attack in which the normal functioning and traffic of a targeted website or server are disrupted by overwhelming its network with more internet traffic than it can handle. The sources of this immense traffic are various IoT devices that cybercriminals have previously compromised. Malware is downloaded onto these devices, turning them into bots. These bots are then instructed by the attacker, who sends them updated commands by remote control. Each of the bots sends a request to the victim’s IP address at the same time, overwhelming the server and causing it to deny service to normal, genuine traffic. What makes these attacks extremely dangerous is that they come in many varieties. It is very difficult to separate normal traffic from bot traffic, since all of the bots operate from genuine accounts and devices without their owners’ knowledge.

DDoS attacks can also be used as a distraction for other cyber-attacks that happen simultaneously, so that those attacks go undetected while there is a larger problem at hand. The bots merge with normal traffic, and that is the attacker’s goal. There is no single way to prevent it, since the more complex and layered the attack, the more strategic the defender has to be to protect the network. An easy solution is blackhole routing, which directs both malicious and genuine traffic into a null route. The rate of requests can also be capped at a predetermined number. Apart from these, a firewall can also help in thwarting a few types of DDoS attacks.
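The request-rate cap mentioned above, worked through in Python as an added example (not from the article): a per-source token bucket that admits a short burst from each client and then holds it to a fixed rate, so a client that stays under the rate is never affected. The request log, addresses and limits are constructed for the example.

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket. Each client may burst up to `capacity`
    requests, after which it is held to `rate` requests per second."""

    def __init__(self, rate, capacity):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self._tokens = {}   # client -> tokens left in its bucket
        self._last = {}     # client -> time of its last request

    def allow(self, client, now):
        """Return True if the request arriving at time `now` is admitted."""
        tokens = self._tokens.get(client, self.capacity)
        last = self._last.get(client, now)
        # Refill proportionally to elapsed time, never beyond capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._last[client] = now
        if tokens >= 1.0:
            self._tokens[client] = tokens - 1.0
            return True
        self._tokens[client] = tokens
        return False


# Constructed traffic (not a real capture): one client sends a steady request
# per second for 20 s; a bot fires 50 requests at once at t=5 s and again at t=15 s.
LEGIT = [(float(t), "203.0.113.5") for t in range(20)]
FLOOD = [(5.0, "198.51.100.9")] * 50 + [(15.0, "198.51.100.9")] * 50
TRAFFIC = LEGIT + FLOOD


def simulate(requests, rate=5, capacity=10):
    """Replay requests through the limiter; return {client: (admitted, dropped)}."""
    limiter = TokenBucketLimiter(rate, capacity)
    admitted = defaultdict(int)
    dropped = defaultdict(int)
    for ts, client in sorted(requests, key=lambda r: r[0]):
        if limiter.allow(client, ts):
            admitted[client] += 1
        else:
            dropped[client] += 1
    return {c: (admitted[c], dropped[c]) for c in set(admitted) | set(dropped)}


if __name__ == "__main__":
    for client, (ok, dropped) in sorted(simulate(TRAFFIC).items()):
        print(f"{client}: admitted={ok} dropped={dropped}")
```

With a bucket of 10 and a refill of 5 per second, the steady client loses nothing while the flooding source gets 10 requests through per burst and the rest are dropped. The limitation the article itself points to also applies here: a flood spread across thousands of compromised devices, each sending little, stays under any per-source cap, which is why upstream filtering or blackholing is still needed for large attacks.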

8. Gaps in Cybersecurity

Even though big businesses have shifted online, there remain an immense number of gaps in the very fabric of internet security that cybercriminals happily exploit. Because of the global reach and complexity of internet technology, one has to be prepared at all times to detect incoming attacks. If a company does not know what it is dealing with, it becomes very easy for an attacker to compromise the company’s network and data. The accessibility of the internet makes it possible for an account or a website to be attacked at any time. To stop attackers finding loopholes, constant vigilance is absolutely necessary: operations must be supervised and the network monitored so that such threats are detected before they have a chance to infiltrate it.

9. AI Attacks

While Artificial Intelligence is the pinnacle of human technological achievement, it is also highly dangerous if it is turned against the very reason it was made for: to help society. AI has enabled computers to attack other networks effectively on their own. It can lead to the hacking of networks spanning multiple devices within seconds, all because of a few lines of code written specifically to exploit the target’s weaknesses. Machine learning is both a boon and a bane for society, because when misused it can lead to harmful effects. Companies can be discredited with rumors; fake news and propaganda can be spread across social media; and hidden voice commands issued by malware can hijack voice-enabled systems and appliances, leading to a breach of security. AI attacks can go as far as posing threats to the military. To prevent such attacks, new algorithms that improve AI resilience should be developed and implemented after thorough testing and research.

Conclusion

The future brings with it many new leaps in technology, and cyber-attacks are not stopping any time soon. In the cyber realm it is better to be safe than sorry, and the best way to do that is to stay updated on the techniques used by cybercriminals and take preventive measures accordingly. Building a highly resilient cyber defence system would prove extremely beneficial for an individual or a business in the long run.

Identity and Access Management: A Guide To IAM Solutions

Defining Identity and Access Management

Identity and Access Management is an umbrella term that covers a vast number of different virtual tools, DevOps practices, concepts, processes, policies, and technologies. It can be defined as the IT security discipline, framework, and solution that manages digital identities, which includes identity provisioning and de-provisioning, identity authentication and security, and authorization of access to resources or to perform specific actions. In other words, it protects data security and privacy through effective user authentication and authorization: a single sign-on solution featuring multi-factor authentication authenticates users, after which identity management solutions assign them access rights to particular resources, consistently monitor that access, and keep a check on least-privilege access rights.

Today, ensuring that our crucial information remains protected while giving users the access they need to accomplish their different tasks is quite a balancing act. With cyber attacks becoming more severe and more frequent, there has to be a concrete solution for managing both identity and access. And since no two users are alike, access and permissions must be issued accordingly to maintain the security of the entire system. This is what an identity and access management system helps you with. It defines and designates the roles and access privileges of different users on the network. You can deploy these systems on premises, through a cloud subscription with a third-party vendor, or in a hybrid model.

Fundamentals of Identity and Access Management

A fundamental security component, identity management makes sure the users have the required access while the systems, data, and applications remain inaccessible to unauthorized users.

Here’s how things are defined:

  • Identifying users and then assigning them the roles
  • The systems, information, and other critical areas remain protected by IAM
  • Defining correct levels of protection and access for sensitive data, information, and location
  • Flexibility to add, remove, and amend users in the IAM system
  • Defining roles’ access rights in the IAM system, with effective additions, removals or amendments

How Does Identity and Access Management Work: The Technology Behind IAM

IAM is supported by a centralized technology that either replaces or seamlessly integrates with the existing systems. It comes with a central directory of users, roles, and predefined permission levels, granting access rights to users based on their role and need to access specific resources.

Here’s how identity is managed:

Identity management helps organizations to identify, authenticate, and authorize users by following authentication steps like:

  • Unique username and password
  • Multi-factor Authentication (MFA)
  • Single Sign-On (SSO)

Here’s how access is managed:

Though interconnected, access is slightly different from identity and defines the resources that an identity is permitted to use. It works in the following manner:

  • Role-based access control (RBAC)
  • Granting user privileges
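To make the least-privilege policy from the insider-threats section and the role-based access control listed here concrete, the following Python is an added example (not the article’s or any vendor’s code) of a minimal RBAC engine: roles carry permissions, users carry roles, every decision is default-deny and written to an audit trail, and a helper reports which granted permissions a user never exercises, which is the question a least-privilege review asks. Roles, users and resources are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Constructed role catalogue for a small company; each role carries only the
# permissions that job actually needs.
ROLES: Dict[str, Set[Permission]] = {
    "support-agent": {("tickets", "read"), ("tickets", "update")},
    "finance-analyst": {("invoices", "read"), ("reports", "read")},
    "payroll-admin": {("payroll", "read"), ("payroll", "update")},
}


@dataclass
class AccessControl:
    """Minimal RBAC engine: users hold roles, roles hold permissions, and every
    decision is default-deny and appended to an audit trail."""

    roles: Dict[str, Set[Permission]]
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)
        self.audit_log.append(f"ASSIGN user={user} role={role}")

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)
        self.audit_log.append(f"REVOKE user={user} role={role}")

    def permissions_of(self, user: str) -> Set[Permission]:
        """Effective permissions: the union of the user's roles. This is also
        the blast radius if that account is compromised."""
        perms: Set[Permission] = set()
        for role in self.assignments.get(user, ()):
            perms |= self.roles[role]
        return perms

    def check(self, user: str, resource: str, action: str) -> bool:
        """Authorize one action. Unknown users and unlisted actions are denied."""
        allowed = (resource, action) in self.permissions_of(user)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} user={user} resource={resource} action={action}")
        return allowed

    def over_privileged(self, user: str, used: Set[Permission]) -> Set[Permission]:
        """Permissions granted but never exercised: candidates for removal."""
        return self.permissions_of(user) - used


if __name__ == "__main__":
    ac = AccessControl(ROLES)
    ac.assign("alice", "support-agent")
    ac.assign("alice", "finance-analyst")
    ac.check("alice", "tickets", "update")
    ac.check("alice", "payroll", "update")
    # Constructed usage record: over a review period alice only touched tickets.
    unused = ac.over_privileged("alice", {("tickets", "read"), ("tickets", "update")})
    print("never used, consider revoking:", sorted(unused))
    print("\n".join(ac.audit_log))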

Basic Elements of an Identity and Access Management System

An IAM system gives IT control over user access to sensitive information within the organization and regulates it in the following ways:

  • Managing the employee database of users and job roles
  • Recording, capturing, and authenticating user login information like usernames, passwords, etc.
  • Adding, deleting, and changing individual users and their roles as per their job roles
  • Collecting login history and systems access for audit purposes
  • Defining access controls for every part of the system and data
  • Monitoring and tracking user activities across different resources
  • Consistent reporting on user activities
  • Enforcing access policies across resources

Key Features of Identity and Access Management

Though there are many technologies to streamline password management and other aspects of IAM, some of the most commonly used solutions are:

Multi-Factor Authentication (MFA)

Taking a layered approach to security, the IAM framework is based on multi-factor authentication, which requires a combination of different factors, such as a password, a security token, or a fingerprint, before granting access to the user.
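The second factor most MFA deployments rely on is a time-based one-time password. The Python below is an added example (not from the article) implementing RFC 6238 TOTP over RFC 4226 HOTP with only the standard library, plus a server-side verifier that tolerates one step of clock skew, compares in constant time and refuses to accept a code for a time step already used, so an intercepted code cannot be replayed. The key is the RFC’s published test key so that the output can be checked against its test vectors; nothing else is assumed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Tuple

# RFC 6238 reference key (ASCII "12345678901234567890"); used here only so the
# implementation can be checked against the RFC's published test vectors.
RFC6238_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // step, digits)


def new_secret() -> Tuple[bytes, str]:
    """Fresh 160-bit shared secret and its base32 form for enrolling an authenticator app."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


class TotpVerifier:
    """Server-side check of the second factor.

    Accepts the current step and `window` neighbours on either side (clock
    skew), compares in constant time, and never accepts a code for a step at
    or before the last accepted one, which blocks replay of an observed code.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1

    def accept(self, submitted: str, at_time: float) -> bool:
        base = int(at_time) // self.step
        submitted_bytes = submitted.encode("utf-8")
        for offset in range(-self.window, self.window + 1):
            counter = base + offset
            if counter <= self.last_counter:
                continue  # already used, or older than one we accepted
            candidate = hotp(self.key, counter, self.digits).encode("ascii")
            if hmac.compare_digest(candidate, submitted_bytes):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    raw, b32 = new_secret()
    print("enrol this in the authenticator app:", b32)
    print("current code:", totp(raw, time.time()))
```

The code is only the "something you have" factor; it is checked after the password, and a real server stores `last_counter` per user persistently and rate-limits attempts, since a six-digit code with a three-step window is guessable by brute force if attempts are unlimited.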

Single Sign On (SSO)

A system that lets users authenticate themselves once and then grants them access to all the associated applications, systems, data, and software without having to log into each of them separately. In short, no additional authentication is required for the services they wish to use thereafter.

Privileged Access Management

PAM is a segment of network security solutions that authorizes, manages, and monitors accounts with a high degree of administrative permissions in order to protect the organization’s most vital information and resources. In other words, it controls and monitors the privileged activity of internal employees. These systems keep a check on security when users with high-level permissions access sensitive systems.

Different Ways to Achieve Authentication with IAM

There is a range of digital authentication methods that can be implemented with the help of an IAM system, such as:

Pre-shared Key (PSK)

A type of digital authentication in which one password is shared among the authorized users that have access to the same resources. This kind of authentication is usually less secure than individual passwords.

Unique Passwords

One of the most common types of authentication, where organizations require long or complex passwords that combine letters, numbers, and special characters for added security.

Behavioral Authentication

When it comes to granting access to highly sensitive information and systems, behavioral authentication can be implemented for more granular access. With the artificial intelligence in IAM systems, organizations can detect when a user’s or machine’s behavior does not match its usual pattern and automatically lock down the entire system.

Biometrics

For more precise authentication, modern IAM systems use biometrics in the form of fingerprints, irises, faces, palms, voices, and so on. Biometrics has turned out to be the most effective way of authentication compared to passwords.

Different Areas Where Implementation of IAM Systems Must Be Considered

Implementation of IAM systems gives you that extra layer of security in protecting your crucial enterprise systems, software, applications, information, and other assets against unauthorized access. With IAM solutions, the impact and likelihood of data breaches are reduced while ensuring that only legitimate, authenticated users have access to the resources. Below are the different areas that must be protected with IAM, allowing only authorized access:

  • Protection of sensitive data and information stored on local servers, in the cloud, or anywhere else
  • Securing software and applications used by the employees, customers, business partners, and others
  • Protecting all IT environments that are used for development, testing, staging, operations, and launch
  • Safeguarding devices like laptops, desktops, smartphones, tablets, and other stuff against cyber attacks
  • Protection of business locations including private workplaces, data centers, and secure locations
  • Security of data that is being transmitted, received, stored, or interacted with between different areas

Benefits of Identity and Access Management

Mobile integration got easier with IAM

With the work-from-home culture on the rise, IAM technologies come with protocols that allow easy integration with this kind of work culture, ensuring complete protection for mobile users and employees.

Reducing the need for frequent password resets

IAM decentralizes the standard help desk practices by allowing user authentication from anywhere, anytime.

Automated audit trails

Besides authentication and authorization, IAM systems also help with audit automation, providing you with detailed records of attempted access along with reducing the risk of external threats and the impact of the attempted breach.

Increased system efficiency

Implementing IAM systems leads to more efficient systems and reduced operating costs, as it allows organizations to use a single network for different internal operations and client-facing purposes.

Reduced internal and external breaches

Well-managed identities give admins better control over user activities and permissions, resulting in fewer internal and external breaches. The overall impact of a breach is also lessened by the implementation of an IAM system, which ensures network security in line with compliance standards.

Why IAM?

With organizations integrating new technologies into their business, it has become all the more important to protect identity and access. Today, digitization has shifted the security perimeter from the firewall to identity, and systems like IAM help us enforce policies restricting the information and applications that specific users can access. IAM protects our sensitive information, data, applications, and systems from being breached while allowing only authorized users to have access.

Introduction To Cloud Security With Microsoft Azure

Did you know that an average large organization gets around 17,000 security alerts weekly, and that it takes an average of almost 99 days to figure out these security breaches? That is far too long for a solution. Meanwhile, these breaches can compromise your security in less than 48 hours, leaving your systems totally vulnerable. So we need instant, quick solutions to handle it all.

With cyber-attacks on the rise and companies worldwide being challenged by continuously evolving cloud security threats, there is an urgent need for more robust internet protection. Protection against hackers, ransomware, insider threats, data breaches, scams, and breached third-party connections needs to be managed before they make a big impact. And with technologies like the cloud influencing businesses on a global scale, there is an increasing need for businesses to invest in cybersecurity with a strong security strategy, ensuring that the infrastructure is thoroughly protected and reliable. This is where Microsoft Azure can help strengthen your security posture with less complexity and reduced cost. Azure comes with security in every aspect, offering unique advantages and sophisticated controls that help protect your apps and data while supporting your compliance efforts with all-around security for your organization.

Azure facilitates security in three key areas:

  • A secure foundation provided by Microsoft
  • Configuring security across the full-stack with built-in security controls
  • Protecting data and responding to threats in real-time with unique cloud intelligence

Every year Microsoft spends $1 billion on security while employing 3500 experts to look after the security of your data, applications, and assets. Moving to Azure offers businesses a range of benefits like saving big on costs, access to a number of tools and services, and the ability to future-proof their IT infrastructure with cutting-edge security, privacy, and compliance solutions.

Azure cloud security is divided into six categories, each with a set of tools and services that provide you with visibility and control over your cloud resources.

  1. Operations: It covers:
    • Security and Audit Dashboard
    • Azure Resource Manager
    • Azure Monitor
    • Azure Monitor Logs
    • Application Insights
    • Azure Advisor
    • Azure Security Center
  2. Applications: It includes:
    • Penetration testing
    • Application Gateway (WAF)
    • Authentication and Authorization
    • A layered service architecture
    • Web server and application diagnostics
  3. Storage: It comes with:
    • Role-based Access Control (RBAC)
    • Shared Access Signature (SAS)
    • Encryption in Transit
    • Encryption at Rest
    • Storage analytics
    • Cross-origin Resource Sharing (Configurations for browser-based access)
  4. Networking: It defines:
    • Network security groups
    • Route control and forced tunnelling
    • VNet (Azure Virtual Network)
    • Azure Application Gateway
    • Traffic Manager
    • Azure DNS
  5. Compute: This category includes:
    • Anti-malware and antivirus software
    • A hardware security module
    • Azure Backup for Azure VMs
    • Azure Site Recovery
    • Azure Disk Encryption for VMs
    • Virtual Networking
  6. Identity and Access Management: The IAM is provided by the Azure Active Directory, which includes features like:
    • MFA (Multi-factor Authentication)
    • Role-based Authentication
    • Token-based and hybrid Authentication

Here’s a look at the five specific security features that make Azure security stand out.

1. Multi-layered Cloud Security: Microsoft Azure lets you protect your workloads across identity, data, networking, and apps. Its built-in controls and services can be accessed via a security center to ensure multi-layered security in the cloud. The global data center infrastructure of Azure ensures there is no unauthorized access to customer data, thus offering complete physical security. A four-pronged approach is used to safeguard customer data, which comprises segregation, encryption, redundancy, and destruction. You will be protected at all points with automatic monitoring, security scores, and a range of security and compliance tools, allowing better security visibility into your data, applications, and activity.

2. Network and Data Security: The risk of data being exposed while moving across the network is high. This is where Microsoft Azure brings in the right tools to overcome these risks and secure your network and data. The features include:

  • Encryption of data, right from files to applications, both in transit and at rest
  • Protection against Distributed Denial of Service attacks (DDoS protection)
  • Ensuring secure access via key vault that protects the keys, certificates, and other critical information for accessing applications and systems
  • Advanced anti-virus and malware screening
  • Offering network segmentation, private connections, and WAF

3. Round the Clock Monitoring and Advanced Protection Tools: Microsoft Azure comes with tools that provide consistent monitoring of its cloud infrastructure for threats. The constant monitoring, logging, and analysis provide real-time visibility and alerts, allowing you to identify and address the issues before they impact your system. Additionally, Azure lets you track application performance while keeping a keen eye on security threats and other issues. The Azure Security Center keeps you updated on the data and underlying infrastructure configuration for identifying risks and providing strategies for security improvement in both cloud and hybrid instances. All these tools combine robust controls and reporting to deliver complete data security.

4. Identity and Access Management: Microsoft Azure treats identity as a critical security factor and provides all the tools and guidance to help businesses implement best practices. As a result, unauthorized users cannot get access to crucial information like health records, financial services, or any other sensitive data. Azure Active Directory, a central system, manages access across all your cloud services and assures top-notch security with multi-factor authentication, single sign-on, strong passwords, and automated tools that can identify whether a particular account is compromised. With tools like Identity Secure Score, you get an automatic checkup on this critical aspect of security management with actionable recommendations to curb these risks. Azure brings you both a simple way of managing user access and a robust set of features for a customized plan for foolproof Azure identity and access management.

5. Compliance Tools and Certifications: With over 90 compliance certifications, more than any other cloud provider, Microsoft Azure can meet your evolving privacy demands around the world. It offers a set of tools to simplify compliance: from maintaining audit trails and accessing logs, to built-in compliance controls, implementation and guidance resources, and configuration management tools, to third-party audit reporting capabilities, Azure can manage it all. It has even created compliance blueprints for easy implementation of carefully designed, repeatable compliance roadmaps for deployment and ongoing management. In all, a layered approach to security, backed by best practices and tools, enables Microsoft Azure to provide high-end security for your data, workloads, and applications.

No doubt, moving to the cloud brings many benefits for organizations, but maintaining adequate cloud security can be a big challenge amid growing cyberattacks. Having said that, Microsoft Azure incorporates best security practices that can significantly reduce the potential impact of an attempted breach. It features more security solutions than other cloud providers, most of them customer-managed security controls, making it one of the most trusted cloud security services.

Another plus of migrating to Azure is that it supports a wide range of operating systems, programming languages, tools, databases, frameworks, and devices, and has all the capabilities to safeguard your applications and data, effectively securing your cloud-based assets. It offers a trustworthy foundation that can meet the security requirements of businesses. Its wide array of configurable security options allows you to control and customize them as per your organization’s unique requirements.

With competition for the best cloud services soaring, Microsoft Azure is a name you can trust. Security today is more important than ever, so moving your sensitive data and workloads to the cloud must be done with complete attention to detail. It is time to stay ahead of evolving security threats with Microsoft Azure.

Top Security Features Of Microsoft 365

With cybercrime being the fastest-growing category of crime around the world, it is high time that organizations ramped up their security systems. There are a number of security products and services available today, but the issue with all these solutions is that, when implemented, either they have overlapping features or there is negligible communication between the different platforms. This is where Microsoft 365 comes into the picture.

It is tempting to think that data stored in a privately controlled datacenter is safer than data stored in the cloud. However, that is a myth. With M365, putting your data in the cloud gives you access to a broad range of security features, which makes it more secure than on-premises servers.

Microsoft 365 is an integrated solution including Office 365 and Windows 10 Enterprise that comes with leading-edge security features for businesses while empowering the employees with the flexibility to work from anywhere, anytime, on any device.

Here are some of its features that make it one of the most secure cloud services:

  • Multi-factor Authentication: Office 365 has two MFA options. One is a basic, built-in option, which most companies use. It increases the security of user logins beyond just a password: after correctly entering the password, users have to acknowledge a phone call, text message, or an app notification on their smartphones. The user can sign in only after this second authentication has been satisfied. The other option is Azure Multi-factor Authentication, an add-on security feature that comes at an additional cost. It is beneficial for companies that are looking for more control or have specific compliance requirements.
  • Mobile Device Management: This feature of Microsoft 365 gives you control over corporate data on mobile devices. If an employee leaves the company or loses a personal device, company data stays protected while the employee's private data remains private. It comes in several tiers offering different levels of control. The built-in MDM, for instance, can restrict email access to enrolled, company-managed mobile devices.

Employees who need access to more than email and will use their own devices should be managed with Microsoft Intune. This add-on, available at extra cost, gives you more control over company data accessed from mobile devices. It also protects the organization against risky employee activity by ensuring all managed devices conform to baseline security policies, which can be customized to your requirements.

  • Advanced Threat Protection: Microsoft 365 takes a layered approach to security, protecting your company against both external threats and data leaks.
    1. You are protected against sophisticated threats that arrive via email attachments and links, with further defenses against ransomware, zero-day exploits and other advanced attacks.
    2. The company's sensitive information, such as social security numbers, health records and credit card numbers, is protected from leaking. Data loss prevention (DLP) policies detect that information in documents and email and stop it from falling into the wrong hands.
    3. M365 also gives you control over data access: you can restrict who may access what, and remotely wipe company information from lost or stolen mobile devices without touching the owner's private data.
  • Azure Information Protection: With Microsoft 365's information protection policies, you control how information is accessed and by whom. It helps you in the following ways:
    1. It lets you label sensitive information as confidential and restrict how it can be shared inside and outside the business.
    2. It lets you remotely remove company information from a device without affecting the device's private data.
    3. It lets you apply encryption and usage restrictions such as "do not copy", "do not print" and "do not forward" to emails and documents.

In short, this feature lets you classify sensitive information so that access is limited: you define who may access the data and what they are allowed to do with it. The sender is notified when the recipient receives the message, and if the recipient attempts an action the label forbids, Azure Information Protection blocks the attempt and notifies the sender.

  • Privileged Identity Management: This feature lets you designate temporary administrators by marking specific users as eligible admins who request admin privileges only when they need them. The request flow is configurable: you control how long the elevated privileges last and what is required to activate them (for example a written justification or an MFA challenge). Keeping the number of standing admin accounts small limits the damage a compromised account can do.
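To make the DLP point concrete, here is an added example (not Microsoft's code and not part of the original article) of the two-step check a DLP engine performs when it classifies a message: a pattern match for the identifier format, then a checksum to discard look-alike digit strings such as order numbers. The sample message, the SSN and card formats, and the allow/notify/block thresholds are assumptions for the illustration; Microsoft 365's own sensitive information types and rule actions are configured in the compliance center rather than written as code.

```python
"""Added example: how a DLP classifier separates real card numbers and SSNs
from look-alike digit strings. Not Microsoft code; the formats, thresholds
and sample message are assumptions for the illustration."""
import re

# US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card PAN: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number):
    """Luhn checksum: every real PAN passes, most random digit strings
    (invoice numbers, phone numbers, serials) do not."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, match) pairs for identifiers that pass format and checksum."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("card", m.group()) for m in CARD_RE.finditer(text)
                 if luhn_ok(m.group())]
    return findings


def decide_action(findings, notify_at=1, block_at=2):
    """Map the finding count to a policy outcome: allow, notify the sender
    with a policy tip, or block the send (thresholds are assumptions)."""
    n = len(findings)
    if n >= block_at:
        return "block"
    if n >= notify_at:
        return "notify"
    return "allow"


def redact(text):
    """Mask confirmed identifiers for logs and incident reports, keeping the
    last four digits so an analyst can still correlate them."""
    def mask(m):
        digits = [c for c in m.group() if c.isdigit()]
        return "*" * (len(digits) - 4) + "".join(digits[-4:])
    text = SSN_RE.sub(mask, text)
    return CARD_RE.sub(lambda m: mask(m) if luhn_ok(m.group()) else m.group(), text)


# Constructed sample message (not real data; 4111 1111 1111 1111 is the
# well-known Luhn-valid test number, the ...1112 variant fails the checksum).
SAMPLE_MESSAGE = (
    "Hi, refund order 1234567890123 to card 4111 1111 1111 1111. "
    "The old card 4111 1111 1111 1112 is cancelled. "
    "Employee SSN 123-45-6789, desk phone 555-123-4567."
)

if __name__ == "__main__":
    found = find_sensitive(SAMPLE_MESSAGE)
    print(found, "->", decide_action(found))
    print(redact(SAMPLE_MESSAGE))
```

The order number and the cancelled card both match the card pattern but fail the Luhn check, so they are neither counted nor redacted; that checksum step is what keeps a DLP rule from firing on every 13-to-19-digit string in an invoice.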

In summary, here are the ways in which Microsoft 365 secures the cloud and makes it a better place for organizations.

  • It has a broad scope of threat intelligence: links are checked in real time to alert on malicious sites, attachments are scanned with AI-powered analysis, and Windows devices are monitored for suspicious processes such as ransomware.
  • It offers comprehensive Office 365 protections, including anti-phishing, malware detection, anti-spoofing, Safe Links and Safe Attachments.
  • Along with conditional access, it lets users reset their passwords or unlock their accounts using security codes sent to their mobile devices or email addresses.
  • You also get eDiscovery, litigation hold and retention policies, which are of great help when investigating a security breach.
  • Greater automation means fewer manual steps and fewer chances of misconfiguration, adding a further layer of protection.
  • Uniformity and simplicity make protection, detection and response to threats easier.
  • It shrinks the breach boundary, making it harder for an attacker who compromises one account or device to reach the rest of your domain.
  • The cross-application security model of M365 delivers integrated, context-aware security capabilities.
  • Transparency and constant innovation round out the list: M365 keeps updating its features, making it safer and better for users.

Today an average enterprise uses close to 75 security products for network security, which costs not only money but also the time and attention needed to manage them. This is where Microsoft 365 aims to streamline an organization's security processes: it helps you maintain an advanced level of security while retiring the overlapping products that were complicating the picture, which means cost savings, better productivity and improved security.

With cybersecurity, data protection and regulatory compliance being important to any business today, the built-in protections of Microsoft 365 help with creating, storing and sending secure documents, emails and spreadsheets. Security is about end-to-end protection covering the whole organization, and the advanced security features of Microsoft 365 take the security of your business one step higher.

Get started with an M365 subscription today, or if you already have one, upgrade it to access its more advanced features. Configure a smarter solution for your organization without compromising productivity or security.

Introduction to AWS Identity and Access Management (IAM)

When talking about secure access, organizations need control over who may access their AWS resources, which resources are available and what actions authorized users are permitted to perform. The goal of AWS IAM is to help administrators manage AWS user identities and their levels of access to AWS resources: it lets you control access by creating users and groups and attaching permissions and policies to them.

This article covers the fundamentals of AWS Identity and Access Management, its benefits, how it helps you safeguard your AWS accounts, its key features and its latest updates.

Defining AWS Identity and Access Management (IAM)

AWS IAM is a web service that provides secure access control to AWS resources. IAM lets you control who is authenticated (signed in) and authorized (has permissions) to use resources, and it manages users and their security credentials. Let's look at this in more detail.

When you first create an AWS account, you start with a single sign-in identity that has complete access to all AWS services and resources. This identity is the AWS account root user, accessed by signing in with the email address and password used to create the account. AWS IAM then helps you in the following ways:

  • You can create users, groups and roles, assign permissions to them and grant access to different parts of the AWS platform.
  • Organizations can centrally manage users and security credentials with AWS IAM.
  • It lets AWS customers manage users and user permissions in AWS.
  • It lets you create multiple users, each with unique security credentials, all controlled by and billed to a single AWS account.

Since security remains the biggest barrier to cloud adoption, following security best practices for a smooth transition and a strong foundation is important. This is where AWS IAM's granular approach to permissions and access control helps: it gives you control over who can and cannot use specific resources, and in what ways, so you can build tightly secured environments.

Features that set AWS IAM apart

  • AWS Organizations: To govern multiple AWS accounts, AWS Organizations groups accounts into organizational units and applies service control policies (SCPs) that cap what any principal in those accounts can do. It centralizes access control, compliance and security management, and resource sharing across your AWS accounts.
  • Identity Federation: This feature lets users who already have credentials elsewhere (a corporate directory or a web identity provider) access AWS resources without a separate IAM user.
  • Secure Shared Access to AWS Accounts: You can let people administer and use resources in your AWS account without sharing your credentials.
  • Granular Permissions: IAM lets you tune permissions to the needs of your users: different people can be granted different permissions on different resources.
  • Authentication and MFA: IAM lets you create and manage identities and authenticate the people, services and applications that act within your AWS account, and multi-factor authentication adds an extra layer of security on top of passwords and access keys.
  • Authorization: This has two main components, policies and permissions. Each policy grants a specific set of permissions, and a permission allows an action on an AWS resource.
  • Access Analyzer: The newest addition to IAM. Access Analyzer continuously analyzes the resource-based policies in your account or organization and reports any resource, such as an S3 bucket or IAM role, that is accessible from outside your organization.

Different ways to access AWS IAM

Working with AWS IAM can be done in any of the following ways:

  • IAM HTTPS API

IAM and AWS can be accessed programmatically through the IAM HTTPS API, which lets you issue HTTPS requests directly to the service. When you use the API directly, your code must digitally sign each request with your credentials (Signature Version 4).

  • AWS SDKs

AWS provides Software Development Kits (SDKs) that include libraries and sample code for different programming languages and platforms. The SDKs are a convenient way to build programmatic access to IAM and AWS.

  • AWS Command Line Tools

There are two sets of command line tools in AWS: the AWS CLI (Command Line Interface) and the AWS Tools for Windows PowerShell. They let you issue commands at your system's command line to perform AWS and IAM tasks, and are also useful for building scripts. Compared with the console, they are faster and more convenient.

  • AWS Management Console

You can access IAM and AWS resources through the AWS Management Console, a browser-based interface that gives secure, easy access to the full depth of AWS from your computer or mobile phone. It helps you discover and configure AWS services and act quickly.

How does AWS IAM work?

AWS IAM controls authentication and authorization for every request. Here is how the whole system works:

  • Principal: A principal is a person or application that uses an IAM user, a role or the root user to request an action on an AWS resource. Your first principal is the administrative IAM user you create, which can in turn grant other users access to specific services or allow them to assume a role. Federated users can also be given access.
  • Request: When a principal uses the AWS Management Console, the AWS CLI or an API, it sends a request to AWS that specifies the actions (or operations) to perform, the resources on which they are performed, information about the principal, and environment data such as the source IP address, the time, whether SSL was used and whether MFA was used.
  • Authentication: A principal must be authenticated before IAM will evaluate the request. From the console you authenticate with a username and password; with the API or CLI you authenticate by signing the request with an access key ID and secret access key, plus any additional information required, such as an MFA code. (A few services, such as Amazon S3, can be configured to accept anonymous requests, which skip authentication.)
  • Authorization: IAM uses values from the request context to find the policies that apply and evaluates them to decide whether to allow or deny the request. Evaluation stops at the first matching Deny statement, so a single explicit deny anywhere rejects the whole request without the remaining policies being consulted. The general rules for evaluating a request within a single account are:

1. All requests are denied by default, except those made by the account root user.

2. An explicit allow in any permissions policy overrides this default.

3. An explicit deny in any policy overrides any allow.

  • Actions: After authorization, AWS approves the actions in the request, such as creating, editing, deleting or viewing a resource.
  • Resources: Once approved, the operations are performed on the related resources within your account.

In this way, the entire system works in sync to manage all the identities and access.

The best AWS IAM practices to follow

To secure your AWS resources the right way, here are the AWS IAM best practices you should take note of.

  • Do not use your root account unless it is strictly necessary

Avoid using your root account for day-to-day admin activities. The root user has full access to all resources and services by default, so create IAM users with least-privilege access instead. Do not create access keys for the root account unless absolutely necessary. Secure the root account with a hardware-based MFA device and with continuous monitoring that detects and alerts on any root activity.

  • Never share your credentials with anyone

Use temporary credentials for anyone who needs access. Credentials that are generated dynamically (for example by assuming an IAM role) and expire after a set period are far safer than long-lived keys passed around by hand.

  • Follow the least privilege principle and check all IAM permissions periodically

Follow the least-privilege principle: if a user does not need to interact with a resource, do not grant access to it. IAM permissions can be very granular, so avoid policy statements that grant access to all resources, all actions or all principals. Review IAM Access Advisor regularly to confirm that the permissions assigned to a user are actually being used, and remove those that are not.

  • Make use of policy conditions for an extra layer of security

Define the conditions under which your IAM policies grant access to a resource. For example, a condition can restrict access to a range of source IP addresses (aws:SourceIp), require that the request uses SSL/TLS (aws:SecureTransport) or require that the caller authenticated with MFA (aws:MultiFactorAuthPresent).
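The evaluation rules from the "How does AWS IAM work?" section and the condition keys just mentioned are easier to reason about in code. The following is an added example, not AWS's implementation and not from the original article: a small evaluator that applies implicit deny, explicit allow and explicit deny to a request, with IpAddress, Bool and BoolIfExists conditions. The two policies (DEVELOPER_POLICY and GUARDRAIL_POLICY), the corp-data bucket, the IP ranges and the request contexts are constructed for the illustration, and the model leaves out permissions boundaries, SCPs, session policies and resource-based policies.

```python
"""Added example: a toy IAM policy evaluator for one account (not AWS code).
Conditions modelled: IpAddress/NotIpAddress, Bool, BoolIfExists, StringEquals.
Not modelled: permissions boundaries, SCPs, session and resource policies."""
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block holds for ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, wanted = ctx.get(key), _as_list(expected)
            if operator in ("IpAddress", "NotIpAddress"):
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                inside = any(ip in ipaddress.ip_network(c) for c in wanted)
                if inside != (operator == "IpAddress"):
                    return False
            elif operator in ("Bool", "BoolIfExists"):
                if actual is None:
                    # Plain Bool fails on a missing key; ...IfExists passes.
                    # aws:MultiFactorAuthPresent is absent for requests signed
                    # with long-lived access keys, so only BoolIfExists catches them.
                    if operator == "Bool":
                        return False
                    continue
                if str(actual).lower() != str(wanted[0]).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _statement_matches(stmt, action, resource, ctx):
    """Action and Resource use IAM-style '*' wildcards; then check the Condition."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx, is_root=False):
    """Return 'Allow' or 'Deny' for one request."""
    if is_root:
        return "Allow"          # root is not subject to identity-based policies
    decision = "Deny"           # rule 1: implicit deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"   # rule 3: explicit deny wins; stop evaluating
            decision = "Allow"  # rule 2: explicit allow overrides the default
    return decision


# Constructed policies and request contexts (assumptions, not from the article).
BUCKET = "arn:aws:s3:::corp-data"
OBJECT = BUCKET + "/report.csv"
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
]}
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
POLICIES = [DEVELOPER_POLICY, GUARDRAIL_POLICY]

CTX_OK = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true",
          "aws:SecureTransport": "true"}                  # office range, MFA, TLS
CTX_OFFSITE = {**CTX_OK, "aws:SourceIp": "198.51.100.9"}  # outside the office range
CTX_NO_TLS = {**CTX_OK, "aws:SecureTransport": "false"}
CTX_ACCESS_KEY = {k: v for k, v in CTX_OK.items()         # long-lived key: no MFA key
                  if k != "aws:MultiFactorAuthPresent"}


def decide(action, resource, ctx, is_root=False):
    return evaluate(POLICIES, action, resource, ctx, is_root)


if __name__ == "__main__":
    for label, ctx in [("office+MFA", CTX_OK), ("offsite", CTX_OFFSITE),
                       ("no TLS", CTX_NO_TLS), ("access key", CTX_ACCESS_KEY)]:
        print(f"{label:12} s3:GetObject -> {decide('s3:GetObject', OBJECT, ctx)}")
```

The guardrail's MFA statement uses BoolIfExists rather than Bool on purpose: the aws:MultiFactorAuthPresent key is simply absent from requests signed with long-lived access keys, so a Bool deny would never fire for exactly the credentials you most want to constrain. Note also that conditions are per statement: the offsite request is denied s3:GetObject by the IP condition but still allowed s3:ListBucket, which has none.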

  • Regularly monitor the activities in your AWS account

Use the logging features in AWS to see which actions users have taken in your account and which resources were used. The log files record the date and time of each action, the source IP from which it was taken, which actions failed because of inadequate permissions, and much more. Services such as Amazon CloudFront, AWS CloudTrail, Amazon CloudWatch, AWS Config and Amazon S3 provide logging that helps you track user activity.
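As an added example (not from the article and not an AWS tool), here are three checks a practitioner would run over CloudTrail records to act on the root-account and monitoring advice above: any use of the root user, console sign-ins without MFA, and principals accumulating authorization failures. The log is a constructed JSON fragment in the shape CloudTrail delivers ({"Records": [...]}) carrying only the fields these checks read; the account ID, user names, IPs and timestamps are invented.

```python
"""Added example: three detections over CloudTrail-style records (not AWS
code). The log below is constructed in CloudTrail's delivery shape with only
the fields these checks read; account, users and IPs are invented."""
import json
from collections import Counter

ACCOUNT = "123456789012"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"


def _user(name):
    return {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}"}


SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-03-01T09:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-03-01T09:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": _user("alice"), "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-03-01T09:06:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
    {"eventTime": "2020-03-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": _user("alice"), "errorCode": "Client.UnauthorizedOperation"},
] + [  # bob probing S3 with a key that has no S3 rights
    {"eventTime": f"2020-03-01T10:1{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": name, "sourceIPAddress": "203.0.113.9",
     "userIdentity": _user("bob"), "errorCode": "AccessDenied"}
    for i, name in enumerate(["ListBuckets", "GetBucketPolicy",
                              "PutBucketAcl", "DeleteBucket"])
]})

DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def load_records(log_text):
    return json.loads(log_text)["Records"]


def root_activity(records):
    """Every action taken as the root user. Root should be reserved for the
    few tasks that require it, so each hit deserves a look."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in records if r["userIdentity"].get("type") == "Root"]


def console_logins_without_mfa(records):
    """Successful console sign-ins that did not present a second factor."""
    return [r["userIdentity"]["arn"] for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def access_denied_by_principal(records, threshold=3):
    """Principals with at least `threshold` authorization failures: either a
    user whose permissions are inadequate or a stolen key being probed."""
    counts = Counter(r["userIdentity"]["arn"] for r in records
                     if r.get("errorCode") in DENIED_CODES)
    return {arn: n for arn, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("root activity:", root_activity(recs))
    print("console logins without MFA:", console_logins_without_mfa(recs))
    print("denied >= 3:", access_denied_by_principal(recs))
```

On the sample, the root user signs in without MFA and then creates an access key, which is the sequence that turns a one-off root sign-in into a persistent foothold; bob's four AccessDenied events in a few minutes look like a key being tested for what it can reach. In practice these checks run on CloudTrail log files pulled from the S3 bucket they are delivered to, or as CloudWatch metric filters on the same fields.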

  • Ensure Multi-factor Authentication

Add an extra layer of security for all users in your account with MFA, so that both the user's credentials and a device-generated response are required to sign in. Even if a user's password or access keys are compromised, the additional factor still stands between the attacker and your resources.

  • Create a strong password policy

Enforce a strong password policy: require a minimum length and a mix of uppercase, lowercase, numeric and non-alphanumeric characters, prevent reuse of previous passwords and, where your policy requires it, rotate passwords periodically.

Conclusion

AWS is the largest cloud platform and service provider and has introduced many security measures, of which IAM is the most important and most widely used. This article covered the main aspects of AWS IAM, its security features and its best practices as simply as possible, and we hope it helps you understand identity and access management better.

How to Establish Organisational Cyber Resilience and Agility

It’s Not Really About the 98% You Catch, It’s About the 2% You Miss.

Introduction

You might become complacent and consider a cyber-attack against your business a remote possibility. But attack methods are becoming more sophisticated every day, and organisations increasingly rely on technology to drive every aspect of their business. That heavy reliance means any organisation is susceptible to a cyber-attack.

The goal of cyber prevention has been to reduce the probability of an attack against the organisation; cyber resilience looks to minimise the impact of those attacks through effective cyber risk management. A cyber resilience programme still includes detection and prevention, but it also assumes that a breach is probable. This stance emphasises anticipation, agility and adaptation. Not every attack can be prevented, but with a cyber resilience programme, damage can be minimised or avoided altogether.

But the 98.5 per cent of threats that are caught is not the issue; the 1.5 per cent that is missed is. When even a small fraction of that 1.5 per cent slips past the NGFW (next-generation firewall), the IPS (intrusion prevention system) and the endpoint protection platform (EPP), a breach has begun.

Modern-day cyberattack campaigns involve stealthy, persistent, and sophisticated activities to establish a footing in organisational systems; maintain that footing and extend the set of resources the adversary controls, and exfiltrate sensitive information or disrupt corporate operations.

Enterprise architecture and systems engineering must, therefore, be based on cyber risk management principles to ensure that mission and business functions will continue to operate in the presence of a security compromise.

To protect your critical organisational assets — and to keep your business running — you need to build cyber resilience and agility as part of your core business strategy.

Here are some recommendations for building a cybersecurity resilience program

Assess and Analyse

Cyber-attacks can impact businesses in several ways, from the loss of data and intellectual property to business interruption and more. To protect all your critical assets and effectively manage cyber risk, it’s vital that you understand the cyber scenarios your organisation is most likely to face — and how much they can cost your business.

To assess your cyber risk, you should:

  • Identify and inventory critical assets (data, systems and infrastructure) that are essential to your operations.
  • Review your internal controls and digital profile to identify internal vulnerabilities and external threats.
  • Value your cyber assets at risk using modelling and other data and technology tools.

By adopting these steps, the organisation can objectively measure its cyber risk and incorporate quantitative data into its risk-management decision-making.

Embed cybersecurity into the core business strategy

Cybersecurity must be core to and aligned with your organisational business strategy. This should be enabled by default and entrenched across technology stacks by design. This must begin with a typical project’s inception and be continuously validated across the entire project lifecycle, thereby reducing risk potential and maximising delivery assurance. As cybersecurity gets entrenched into core business strategy, organisations inherently gain a greater understanding of risks they face, and embrace the innovation needed to counter identified threats, and have the resilience to restore operations in the event of a security breach.

Drive security from the top-down and encourage a bottom-up reporting approach

Security is everyone's responsibility. The Board and executives must demonstrate accountability and support for security across the organisation. Recognise and empower employee vigilance and engagement as an extension of the cybersecurity programme, with the power to drive cultural change. Create cybersecurity consciousness. It is far more cost-effective to investigate suspicious or fraudulent activity reported by an employee early in the attack cycle than to respond after the damage is done.

Mitigate the impact of ransomware

Remain risk-focused. Minimise exposure to data by enforcing ‘need to know’ policies and implementing data and network segmentation. Prioritise and perform endpoint hygiene, including acceptable usage policies and end-user training to reduce the likelihood of users running malicious files. Boost monitoring to identify ransomware infections early. Enforce backup strategies and store backups offline. Maintain focus on foundational practices such as patch and vulnerability management, data encryption, and identity and access controls.

Use multisource intelligence

Use threat intelligence to prioritise resources effectively and mitigate threats before they impact your business. Incorporate it into the attack and breach simulations to improve cyber defences and incident management processes.

Outpace adversary sophistication through cybersecurity dexterity

Cybersecurity must move at the speed of digital business. The attack surface is fed by continuous releases by DevOps of features and application components that expose new vulnerabilities daily rather than over the much longer release cycles of pre-digital development. Be agile and responsive. Shift resources based on the changing risk landscape and short development cycles.

IN CONCLUSION

The threat landscape is dominated by email phishing threats, exploitable vulnerabilities, and insider actions. Attackers are using macros, scripts, and social engineering methods, finding unpatched vulnerabilities, and compromising access credentials.

They’re also using newer methods, such as compromising trusted supply chains, shared infrastructure, source code, and applications, thereby increasing the need for software component validation. Although their ways continue to evolve, attackers still favour the path of least resistance.

Risks are less predictable than before, and attackers are developing more sophisticated ways of breaching defences. This calls for a mature and comprehensive approach to cybersecurity, understanding the risks while gaining buy-in from organisational leaders.

Over the last decade, one observation has remained constant: our adversaries operate on a global level, and we must counter this by investing in the right capabilities across people, process, and technologies to scale at the pace at which cybercriminals operate. With this approach in mind, and considering increasing demands by customers, industry, regulators, and governments, organisations must establish cybersecurity agility to seek competitive advantage.

To develop a resilient and agile cybersecurity strategy, please contact the Author by sending email to support@dangata.com. Or contact him directly at dangata@dangata.com.

Top 10 Tips on How to Improve Security Inside the Firewall

Big companies have significantly improved the security of the network perimeter, yet despite considerable investment there, most enterprise networks remain vulnerable at their core. Techniques that have been deployed and proved highly successful at defending the perimeter have not been sufficient for protecting internal systems, because of both scalability and perception issues. Nevertheless, security practitioners can make significant progress in shielding their internal networks by aligning their tactics with the realities of internal network security.

The following ten tips explain ways to tackle the security challenges of large, active internal networks. Since they involve defensive tactics, they offer a workable tactical plan for improving the security of an extended enterprise network.

1. Internal security is different from perimeter security.

The threat model for internal security differs substantially from that for perimeter security. Perimeter security defends your network from Internet attackers armed with zero-day exploits against standard Internet services such as HTTP and SMTP. But the access a maintenance contractor gains just by plugging into an Ethernet jack dwarfs what a sophisticated remote attacker gains with scripts. Deploy "hacker defences" at the perimeter; inside, configure and enforce a tight but flexible policy that addresses potential internal threats.

2. Tighten VPN access.

Virtual private network clients are a substantial internal security threat because they bring poorly locked-down desktop operating systems, sitting outside the protection of the corporate firewall, onto the internal network. Be unambiguous about what VPN users can access by putting a clear policy in place. Do not give every VPN user unfettered access to the entire internal network; apply access-control lists that limit each class of VPN user to only what they need, such as mail servers or specific intranet resources.

3. Perform due diligence on business partners and build internet-style perimeters for extranets.

Partner networks contribute to internal security challenges. Although experienced security administrators know how to configure their firewalls to block MS-SQL, the Slammer worm penetrated defences and brought down networks because companies had given partners access to internal resources without proper risk analysis. Since you cannot control the security policies and practices of your partners, create a DMZ for each partner, place the resources they need to access in that DMZ, and disallow any other access to your network.

4. Automate security policy tracking.

Intelligent security policy is the key to active security practice. The challenge is that changes in business operations significantly outpace the ability to adapt security policy manually, so devise automated methods of detecting business changes that require reconciliation with security policy. This can be as in-depth as tracking when employees are hired and fired, or as simple as monitoring network usage and observing which computers talk to which file servers. Above all, ensure your security policy is not so restrictive that it obstructs day-to-day operations.

5. Close off unused network services and ports.

A handful of servers may be deployed specifically to deliver email, but a typical corporate network can have upward of 100 other servers listening on the SMTP port as well. Audit the network for services that should not be running: if a server is acting as a Windows file server but has not been used as one in a long time, turn off its file-sharing protocols.
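The audit in this tip can be scripted. What follows is an added example, not part of the original article: it parses the output of `ss -tlnp` (a constructed sample is embedded so the script runs offline; on a real host you would feed it the command's live output) and reports listeners that are not on the allow-list for the host's role. The roles, their allowed ports and the sample output are assumptions.

```python
"""Added example: flag listening services that do not belong on a host of a
given role. Parses `ss -tlnp` output; the sample below is constructed."""
import re

# Constructed output (columns as printed by iproute2's `ss -tlnp`).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=1201,fd=13))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1340,fd=30))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=950,fd=6))
"""

# Ports each server role is expected to expose beyond loopback (assumption).
ROLE_PORTS = {
    "web": {22, 80, 443},
    "mail": {22, 25, 587, 993},
    "fileserver": {22, 139, 445},
}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Yield (port, process, loopback_only) for each LISTEN line, once per
    daemon even when it has both an IPv4 and an IPv6 socket."""
    seen = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue                       # header or non-listening line
        addr, port = fields[3].rsplit(":", 1)
        m = PROCESS_RE.search(line)
        proc = m.group(1) if m else "?"
        loopback = addr in ("127.0.0.1", "[::1]") or addr.startswith("127.")
        key = (int(port), proc, loopback)
        if key not in seen:
            seen.add(key)
            yield key


def audit(ss_output, role):
    """Return listeners to act on: 'unexpected' are exposed ports not on the
    role's allow-list; 'loopback_only' are local-only and lower risk."""
    allowed = ROLE_PORTS[role]
    result = {"unexpected": [], "loopback_only": []}
    for port, proc, loopback in parse_listeners(ss_output):
        if loopback:
            result["loopback_only"].append((port, proc))
        elif port not in allowed:
            result["unexpected"].append((port, proc))
    for k in result:
        result[k].sort()
    return result


if __name__ == "__main__":
    for role in ROLE_PORTS:
        print(role, audit(SAMPLE_SS, role))
```

Run against the sample as a web server, the script flags the Postfix listener on 25 and Samba on 445 as services that should be switched off, while the CUPS socket bound to loopback is reported separately because it is not reachable from the network. Feeding it `ss -tlnp` output collected by your configuration management tool from every host gives the audit the tip asks for.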

6. Protect your business-critical assets first.


7. Build protected wireless access.

Perform a complete audit of your network for wireless connectivity, and eliminate rogue wireless access points. Recognise that wireless access is a compelling and useful facility, and offer secure wireless access to your network users. Position the access point outside your perimeter firewalls and let users reach the internal network only through the VPN. If you already provide wireless access, the temptation for users to install and use rogue access points disappears.

8. Build protected visitor access.

Visitors should never have open access to the internal network. In many organisations, security administrators and engineers attempt to enforce a no-Internet-access rule in certain areas, such as conference rooms. That policy pushes employees to give visitors unauthorised access from other desks, where it is harder to track. To mitigate this, build visitor network segments for conference rooms outside the perimeter firewalls.

9. Install virtual perimeters.

Hosts will remain vulnerable to attack as long as human beings operate them. Instead of setting unrealistic goals like "no host should ever be compromised", aim for no single host giving an attacker complete access to the network if it is compromised. Analyse how your network is used and build virtual perimeters around business units: if a human resources user's machine is compromised, the attacker should not be able to pivot to other business units such as IT, so implement access control between HR and IT. Organisations have experienced network staff who know how to build perimeters between the Internet and internal networks; it is time those skills were put to use deploying boundaries between different business user groups on the network.

10. Streamline security decisions.

Network users are critical allies in improving network security. Typical users may not know the difference between RADIUS and TACACS, or between proxy and packet-filtering firewalls, but they are likely to cooperate if you are honest and straightforward with them. Make the network readily usable for typical users: if they never have bad experiences with convoluted security practices, they will be more receptive to the evolving practices put in place to protect the organisation.

Privileged User Monitoring and Auditing

Why Continuous Monitoring is Critical for Enterprise Compliance and Security

Foreword

Recording the detailed actions of privileged users has become more critical in a business environment that drives cost efficiencies through IT outsourcing, offshoring and augmenting IT staff with external contractors. Third parties such as cloud providers, service providers and ISVs also bring security and compliance issues that need to be addressed. Additionally, every significant compliance regulation requires organisations to document what users do with the privileges and rights granted to them. Conventional approaches such as log files cannot fully meet these obligations. Log files are suitable for aggregating and correlating events and management data for alerting and reporting, but for capturing the specific actions taken on a specific system, at a specific time, by a particular user, there is no substitute for high-reliability capture of individual user activity. By capturing all privileged user activity (screen actions, events and metadata), a complete picture of intentions and impacts can be assembled. Organisations need to ensure that every privileged user can be monitored and inspected across their dispersed infrastructure, creating a high level of visibility on UNIX, Linux and Windows systems, whether in the on-premises data centre or in cloud infrastructure. The auditing approach should also scale to meet growing needs without interruption and with minimal administrative resources, built on a verified architecture that is fault tolerant, reliable and highly scalable across a vast number of systems and users.

INTRODUCTION

Organisations are facing escalating complexity in every aspect of their IT operations, including the data centre, IAM infrastructure, cross-platform systems and staffing. Setting up and maintaining a security and compliance presence, in what is often a fragmented and continually changing environment, is frequently cited as the top concern of IT leaders who have responsibility for addressing risks and defending the information assets of their companies. Moreover, companies of all sizes are cutting costs through outsourcing, off-shoring and short-term personnel, and progressively depend on cloud service providers and ISVs to manage crucial parts of their information systems. How do assiduous IT leaders create accountability, inspect this multifaceted environment and protect against the unintended and destructive actions of privileged users, which may lead to a system failure or data breach?

In this article, I provide guidance on choosing solutions that solve the security, compliance and third-party access challenges organisations face when auditing and monitoring UNIX, Linux and Windows systems, and explain why traditional approaches, like log roll-up tools, alone cannot meet the requirements of today’s demanding IT settings. There is a compelling case for organisations to implement solutions that capture high-fidelity video and associated events and metadata, which give organisations the missing user-centric context they require to prove compliance, secure against internal threats and monitor third-party access by a variety of privileged users.

Traditional Approaches Alone Have Failed to Tackle Requirements

Log files produced by systems and applications present an incomplete picture because they contain vast amounts of insignificant event and management data and are often not precise enough to determine which user carried out the specific actions on a system that resulted in a crash or compromise. Besides, interpreting log files is time-consuming and requires specialised skills held by only a small subset of people in the organisation. Log information is helpful for early warning and notification of likely issues, but logged activities are not tied to the actions of a particular user, so troubleshooting and root-cause analysis cannot provide the accountability that security best practices and compliance regulations demand.

An additional mission-critical factor organisations must consider is the lack of visibility that results when applications have little or no internal auditing. This is often the case with bespoke software, where auditing capabilities may not be the top priority and developers may not know the organisation’s audit needs, the level of detail required, or the importance of protecting access to the log information itself. Additionally, many highly customised enterprise applications may not log critical events.

To increase visibility and gain a clearer understanding of the intents, actions and results of privileged user activity on systems, higher-level alerts should point to more detailed data on the actions, events and commands that the user performed on the system leading up to the alert being triggered. This metadata can only be collected by capturing the critical user-centric data (events and screen video) and cannot be reconstructed from log data generated by systems and applications.

This new, user-centric approach to privileged user auditing can address the security, compliance and third-party challenges organisations face.
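The argument above is easier to see on concrete data. The following Python script is an added example, not code from the original article or from any product it discusses: it parses a handful of constructed syslog lines (sshd logins and sudo invocations, with an assumed year since syslog omits it), builds the best per-account timeline the log can give, and then flags the two places where log data alone stops identifying a person: one account logged in from several sources, and a sudo invocation that hands the user an interactive root shell, after which nothing typed appears in the sudo log. Those are exactly the gaps the article says session capture (events plus screen video) closes. The log lines, hostnames and addresses are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (sshd logins and sudo invocations); not
# taken from any real system. Timestamps carry no year, as in real syslog.
SAMPLE_LOG = """\
Mar  3 09:12:01 db01 sshd[2210]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
Mar  3 09:12:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Mar  3 09:15:03 db01 sshd[2291]: Accepted password for ops from 10.0.5.40 port 50111 ssh2
Mar  3 09:15:20 db01 sshd[2302]: Accepted password for ops from 203.0.113.7 port 40022 ssh2
Mar  3 09:16:02 db01 sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/bash
Mar  3 09:17:45 db01 sudo:      ops : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
"""

ASSUMED_YEAR = 2020  # assumption: syslog omits the year, so one is supplied here

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
SSH_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
SUDO_RE = re.compile(
    TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the user an interactive shell: everything typed inside it
# is invisible to the sudo log, which is the gap session recording closes.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}


def _parse_ts(raw):
    """Turn 'Mar  3 09:12:01' into a datetime, collapsing syslog's padding spaces."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def parse_log(text):
    """Extract login and sudo events; lines of any other kind are ignored."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"time": _parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                           "kind": "login", "src": m["src"],
                           "detail": f"{m['method']} from {m['src']}"})
            continue
        m = SUDO_RE.match(line)
        if m:
            cmd = m["cmd"].strip()
            events.append({"time": _parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                           "kind": "sudo", "cmd": cmd,
                           "detail": f"{cmd} as {m['target']} on {m['tty']}"})
    return events


def build_timelines(events):
    """Group events per account in time order: the log's best per-user picture."""
    timelines = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        timelines[ev["user"]].append(ev)
    return dict(timelines)


def audit_findings(events):
    """Flag where the log alone cannot establish individual accountability."""
    findings = []
    sources = defaultdict(set)
    for ev in events:
        if ev["kind"] == "login":
            sources[ev["user"]].add(ev["src"])
        elif ev["kind"] == "sudo" and ev["cmd"].split()[0] in INTERACTIVE_SHELLS:
            findings.append({"kind": "opaque_root_shell", "user": ev["user"], "time": ev["time"],
                             "note": "commands run inside the shell are not logged by sudo"})
    for user, srcs in sources.items():
        if len(srcs) > 1:
            findings.append({"kind": "shared_account", "user": user, "sources": srcs,
                             "note": "one account used from several sources; no single person is identified"})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, timeline in build_timelines(evs).items():
        print(user)
        for ev in timeline:
            print(f"  {ev['time']:%H:%M:%S} {ev['kind']:5} {ev['detail']}")
    for finding in audit_findings(evs):
        print("FINDING:", finding["kind"], finding["user"], finding["note"])
```

Run against the sample, the timeline for alice is complete (one login, one logged command), while for ops the log can say only that someone with the password arrived from two addresses and then obtained a root shell; what happened in that shell, and who was at the keyboard, is precisely what a user-centric session capture would have recorded.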

User Activity Auditing Can Address Critical Compliance Challenges

Compliance Demands

The numerous compliance regulations create ongoing difficulties for businesses in every industry, and many businesses must meet multiple requirements for internal controls (SOX), payment card security (PCI DSS) and other industry-specific mandates. Common to every major compliance regulation and industry mandate are requirements to ensure that users authenticate with a unique identity, that privileges are limited to only those needed to perform job functions, and that user activity is audited with enough detail to determine what events occurred, who performed them and what the outcome was.

Table 1-1 Sample of major user activity auditing compliance requirements

Compliance Rule | Description
Sarbanes-Oxley Section 404 (2) | “…contain an assessment… of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
PCI DSS 10.2.1-2 | 10.2 Implement automated audit trails to reconstruct the [user activity] for all system components. 1. Verify all individual access to cardholder data. 2. Verify actions taken by any individual with root or administrative privileges.
NIST SP 800-53 (AU-14) | The information system provides the capability to: a. Capture/record and log all content related to a user session; and b. Remotely view all content related to an established user session in real time.
NERC CIP-005-1 R3 (Monitoring Electronic Access) | Implement and document an electronic or manual process(es) for monitoring and logging access.

Compliance requirements often use the words “logging” or “record” when describing a specific audit control. To adequately address the compliance rule and satisfy auditors, organisations often need to offer more information than application and system log files can provide – this has created an audit gap. Privileged user activity auditing provides the detailed metadata and visual record of actions that meet the strictest interpretation of the regulation.

The absence of sufficient and comprehensive user activity auditing can result in higher costs due to slower compliance reporting, increased staff time and, ultimately, fines for non-compliance. System logs record when users sign in and sign out, but they fail to capture activity in sufficient detail to address compliance requirements.

Lessening Insider Compromises

Information security managers’ crucial worry remains the risk of an insider compromise that can lead to a data breach or system outage. Several factors have led to an increase in insider incidents, including the sharing of account credentials, privileged users with too many credentials across systems, and the assignment of privileges that are too broad for the job responsibilities of the user. Because many organisations have geographically dispersed privileged users, organisations must be able to have visibility into the activities of both local and remote administrators and users.

User activity auditing can create the accountability required for security and compliance including:

  • Capture and search historical user activity so that suspicious actions can be examined to determine if an attack is occurring – before the damage is done.
  • Alter privileged user behaviour through deterrents ensuring that trustworthy employees are not taking shortcuts and disgruntled employees know any malicious actions are recorded.
  • Set a clear, explicit record for evidence in legal proceedings and dispute resolution.

Moreover, insider threats are not going away anytime soon. According to the CA Technologies 2018 Insider Report:

90% of organizations feel vulnerable to insider attacks. 37% of the respondents said the main enabling risk factors include too many users with excessive access privileges, 36% said devices with access to sensitive data, and 35% said there is an increasing complexity of information technology.
53% confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). 27% of organizations surveyed for the report say insider attacks have become more frequent.
64% of organizations are shifting their focus on detection of insider threats, followed by 58% deterrence methods and analysis and 48% post breach forensics. The use of user behaviour monitoring is accelerating; 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.
The most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection and Prevention (IDS), log management and SIEM platforms.
86% of respondent organizations already have or are building an insider threat program. Thirty-six percent have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

Intermediary Access Review and Awareness Education

Today’s business environment is driving enterprises to find cost efficiencies at every level of their operations. Outsourcing, off-shoring and cloud computing are giving organisations the agility, flexibility and cost control they require to remain competitive, but organisations are still responsible for the security and compliance of their IT systems. This is made more explicit in newly revised compliance requirements that specifically call out the enterprise’s responsibility when contracting independent software vendors, service providers and outsourcing firms.

Third-party user access creates even more reason to use thorough user activity auditing. In addition to the insider attacks and compliance demands already mentioned, third-party access increases the pressure to quickly troubleshoot ailing systems, automatically document critical processes and create training procedures for personnel hand-offs, which occur more frequently with contractors and service providers.

Critical Requirements for User Activity Auditing

For enterprises to take complete advantage of the benefits that user activity auditing can provide, they should consider the requirements that are vital to the smooth and efficient acquisition and collection of user activity, and to thorough search with full replay of user sessions. Also, any solution for privileged user auditing should fit into the enterprise environment, integrating with existing infrastructure and ensuring that audit data is secure and can only be replayed by auditors, security managers and other authorised staff. Below is a list of requirements organisations should consider when deploying a user activity auditing solution.

Capture and Collection Requirements

  • Capture both remotely and locally initiated user sessions across Windows, UNIX and Linux systems.
  • Ensure the solution can scale up from a single deployment to the growing demands of auditing user sessions on thousands of cross-platform systems.
  • Support the ability to selectively capture sessions based on Active Directory users and groups.
  • High-fidelity capture of session video with detailed capture of events and metadata.
  • Encryption and compression of all audit data in transit and at rest.

Search and Replay Requirements

  • Easy-to-use interface supporting granular queries across multiple user sessions and systems.
  • Support for ad-hoc, distributed searches for commands, applications and text independent of operating system.
  • Intuitive and fast session navigation, preview and replay.

Enterprise Ready and Integrated Requirements

  • Automated discovery and re-configuration of audit system components for reliability and fault tolerance with minimal administrative personnel involvement.
  • Ensure only trusted components can participate in the auditing system.
  • Built-in integration support for existing SIEM, event and monitoring tools.

Security Management Requirements

  • Role-based control of user session replay so only authorised users can access audit data and replay sessions.
  • Delegated administration and management of all auditing system components.

IN CONCLUSION

Ultimately, information security leaders and their companies need to answer the following strategic questions when it comes to privileged access security:

  • What should we do and when? (You can’t do it all at once!)
  • What is the best mix of controls? (Prevent and detect.)
  • How much is enough? (Find the balance between “adequately secure” and “overly restrictive.”)

Ten Simple Steps to An Effective Data Security Strategy

Most IT professionals realise that there is such a thing as a data lifecycle, but there’s no common rule on what it is. Lifecycle may be a misleading term, since most lifecycles lead to reproduction or recycling, and data doesn’t. However, at least we can agree that the data lifecycle has some distinct phases during which it needs to be managed.

The data life cycle refers to the process of acquisition, usage, storage and archiving of information in a system or setting. Since we are already in the information age, it would be wrong to say that information can simply get lost, as cloud systems exist to ensure that remote backups are a distinct possibility.

I’ve identified four distinct phases of the data lifecycle that most data passes through, and sound data management is one of the foundations on which lies the lifeblood of every company—its data.

1. Data acquisition/creation

How does data enter your organisation? When an employee creates a file, designs research, compiles results in a spreadsheet, captures forms on your website, or performs any other kind of data creation, that information automatically becomes part of your company’s data. This active data is stored locally on servers, in the cloud, or in a hosted data centre.

2. Data usage & processing

This is the stage at which data is used and moved around your enterprise. Maybe it’s being transformed and enhanced by end users. Data usage can even be a product or service that your enterprise offers to your customers. It is at this phase that governance and compliance challenges arise.

3. Data storage and archiving

At some point in time, the data in your system will have no immediate use, and it’s time to file it in case it might be needed in the future for legal or compliance purposes. This removes the data from your active environment and moves it off to storage. The data is still at risk while in storage, so your controls should always be applied to the data at rest. One of the best ways to achieve security with your data while at rest is through high strength encryption.

4. Data destruction

When you no longer need data, it must be destroyed. This is another point in the data lifecycle where a governance and compliance issue might be raised. It’s essential to ensure that the data has been appropriately and completely destroyed. Deletion of data may occur on the surface, but there will always be a trail of breadcrumbs leading back to the existence of the original dataset. Utilise industry best practices for data destruction to ensure you are not leaving any footprints of the data, which might be of use to cybercriminals in the event of a compromise.

Exceptions to the data lifecycle stages

There are exceptions to these lifecycle stages. Data need not pass through these phases strictly in that order, because sometimes data is used repeatedly through some of the steps while skipping others.

It also doesn’t describe the environments that exist for data. Data can live in information silos where some of these stages don’t necessarily apply.

The main point of the data lifecycle is that data management and its distinct governance and compliance issues have phases that must be managed appropriately, which is an often-cumbersome task for enterprises with large amounts of data flowing through their infrastructure.

Recommended Best Practices

The processes, policies and rules that govern the information lifecycle must change as hardware and software technologies change. Technology grows at a faster rate than ever, and the security of data as it changes hands or moves from one end of the lifecycle to the other is often neglected. Follow these ten simple steps to achieve an effective data security strategy.

  1. Create rules which adhere to industry standards. Such standards include, but are not limited to, the EU GDPR, PCI DSS and the UK DPA, which are critical to the maintenance of data security not only in the United Kingdom but globally as well.
  2. Implement policies to protect sensitive data and its transmission across networks. Such security policies serve as a form of self-regulation by your organisation within the information technology industry.
  3. Continuously search for vulnerabilities within information systems and on networks. This “prevention is better than cure” approach is one surefire way of keeping systems up and running without fear of shutdown or attack by malicious individuals and criminals.
  4. Improve your access technologies for information systems. This also includes the continuous upgrading of the various cryptographic techniques available, which are the fundamental basis for access to data in the first place. This improvement is always an ongoing process, and it is compulsory, as yesterday’s technology is already out of date.
  5. Implement physical controls to protect information facilities and prevent insider access to your crown jewels: your data.
  6. Be security conscious in the selection of personnel for employment in your organisation. Humanity has reached a point where an in-depth background check of individuals who will be working in organisations that handle people’s data should be required. A psychological evaluation of such individuals is also encouraged. Constant behavioural analysis by supervisors should also be the norm, and part of your regular security hygiene.
  7. Implement NGFW (Next Generation Firewalls) in IT systems to prevent unauthorised access to critical components of information technology networks. Firewalls play an extremely vital role in making sure that attackers are kept out of networks where they can do much harm and steal information.
  8. Consistently monitor systems using scanning software (such as malware scanners) and other in-depth analysis software for any evidence of abnormal software behaviour. Heuristic methods of finding such anomalous files are another way of securing data. This must be done in all forms of software systems and at all levels of the information lifecycle.
  9. Train your employees who have access to data and records on possible social engineering methods and practices. If a malicious individual cannot get access to information by technical means, the human element is also a weak link which can be exploited. As such, it is the responsibility of cybersecurity leaders to train employees on such possible means of exploitation.
  10. Use emerging technologies such as blockchain to improve security. Blockchain technology and other emerging technologies have given cybersecurity professionals the kind of hope where everything is possible. Integration of blockchain solutions into existing information technology systems is another way of protecting data in the information lifecycle. This is because blockchain technology is fundamentally based on cryptography, which is one of the foundational aspects of cybersecurity.

IN CONCLUSION

With the above, it is expected that the information lifecycle is continuously improved upon with the latest techniques and methods of data protection. Achieving a good security posture requires good security hygiene to be built into your overall security program. It is also essential that your security program is reviewed periodically, preferably bi-annually, to ascertain whether it is still fit for purpose against new and sophisticated attack vectors.

Powering Business Through Cloud-Based Identity and Access Management

Businesses of all sizes and types are increasingly using cloud computing services in production deployments for business-critical operations. Some of these organisations use cloud services to store and process their most sensitive business data. To gain the security advantages of simplicity and consistency, it is crucial to integrate the identity and access management (IAM) systems in use for cloud-based systems with the IAM protections used in-house. Let’s discuss critical considerations for that integration in this article.

Additionally, cloud technologies offer a promising platform for the deployment of IAM services themselves. When implemented well, cloud-based services for IAM can provide significant benefits, including:

Shorter deployment cycles: Traditional on-premises IAM implementation can run as long as several years. Because some do not offer returns on investment quickly enough, IAM programs can lose momentum and face cancellation. With the advent of cloud computing, this has begun to change. A cloud-based IAM service deployment can slash implementation time to a matter of months, allowing the programs to demonstrate their benefits faster and meet the shorter deadlines companies may have for access risk remediation and system improvements.
Elasticity and dynamic nature of services capacity: A cloud-based IAM service deployment enables an organisation to expand and contract services and right-size computing resources on demand, based on the organisation’s needs. For example, IAM processes such as “Access Review and Certification” can benefit from resource flexibility. There are typically only short periods of peak usage when organisations conduct their reviews and certification of individuals’ access. In a traditional on-premises IAM implementation, companies are forced to buy systems robust enough to handle that peak demand, even though they only need it for a short period. By comparison, cloud-based IAM services can dynamically adjust resources to accommodate these spikes.

Lower total cost of ownership: In a cloud-based IAM deployment, ongoing service support and maintenance is handled by a trusted service provider, allowing your organisation to focus its resources on initiatives that support your core business. Cloud licensing models enable you to pay only for what you use, so costs are based on your usage of the service. Additionally, the cloud-based model in a hosted arrangement may eliminate the need to procure hardware, facilities and other core IT infrastructure that is often needed to support the solution.

When considering cloud for IAM services, the organisation should carefully determine cloud strategies that are aligned with business needs. These strategies typically involve the following:

  • IAM cloud deployment models (on-premises/hosted, private, public, or hybrid)
  • IAM service models (IaaS, PaaS, and SaaS)
  • IAM cloud security and risk management

IAM CLOUD DEPLOYMENT MODELS

1. Private cloud

Private cloud refers to a form of deployment in which a cloud environment is set up exclusively for a given entity or organisation. As shown in Figure 1-1, this cloud environment may be on premises, meaning that the private cloud is deployed within the organisation, or may be hosted off-premises at a cloud service provider (CSP) with a dedicated environment for the organisation (resources are not shared with any other entity). Private cloud deployments can fit a wide range of business models. They are an efficient solution when setting up a shared pool of IAM services for a large organisation with several separate business units, as they allow delegation of IAM provisioning and other tasks that are better performed closer to each business unit’s end users. Private clouds are ideal when you need to accelerate innovation and have large compute requirements with strict control, security and compliance needs.

2. Public cloud

In a public cloud deployment, applications, infrastructure and platforms are shared across multiple organisations, and a public medium such as the internet is used to access the cloud service. Amazon EC2 is an example of a public cloud service. It provides a virtual compute environment over the internet, enabling an organisation to use web service interfaces to launch instances with a variety of operating systems, load them with a custom application environment, manage network access permissions, and run the compute image using as many or as few systems as the organisation requires. Public cloud can host all or some selected layers of the enterprise architecture, from storage to user interface. As shown in Figure 1-1, public cloud IAM deployments provide an IAM service shared across multiple tenants. A tenant is any application, either inside or outside the organisation, that requires its own exclusive virtual computing environment. In public clouds, multi-tenants are interactive applications with multiple enterprise end users. The main benefit of public cloud IAM services is the cost savings. Resources are shared with many users, and the hardware the CSP provides is built on a system that makes the most efficient use of it. The organisation does not incur the upfront costs or implementation time for basic IAM functionality that a traditional IAM deployment requires.

3. Hybrid cloud

A hybrid cloud deployment model is composed of two or more clouds, public or private, or of on-premises IAM solutions in combination with off-premises public or private clouds. In both scenarios, at least two unique entities are set up and connected (under common management) by standardised technology that provides data and application portability between the two.

One of the benefits of a hybrid cloud model is that, for organisations that are sceptical about the move to the cloud, it offers a “safer” deployment environment: they can move IAM services to a private cloud as a first step, in combination with their on-premises IAM services, and eventually scale out to a public cloud for further IAM services once the organisation has a higher degree of confidence in the cloud model. This is especially true for IAM-as-a-service processes that involve sensitive identity and access data, such as provisioning and certification. Use of a hybrid approach enables organisations to continue to use on-premises solutions while beginning to implement security in the cloud, and gives them the flexibility to move to the cloud on their own schedule instead of adopting an “all or nothing” approach.

There is a common misconception that IAM cloud computing implies an “external” cloud based on public cloud services. IAM cloud computing is a way of computing, not a physical destination. Most enterprises will benefit from IAM cloud computing within their own data centres, building “private clouds” and getting there in an iterative process through their existing virtualisation initiatives. When considering cloud deployment models, organisations should choose after careful consideration of business needs and goals. There are three common approaches:

  1. Employ a public cloud to offload time-consuming maintenance tasks
  2. Establish a private cloud to become an IAM service provider to your business units
  3. Move non-revenue generating functions out of your datacentres

Figure 1-2 depicts selected attributes of the deployment options to summarise the fundamental differences between the models. In the next section of this article, I describe the cloud service models that are typically used in conjunction with these deployments to help organisations achieve their business goals.

IAM CLOUD SERVICE MODELS

Cloud-based IAM services can be categorised into three distinct types of cloud service models:

1. Software as a service (SaaS)

SaaS refers to a means of providing business functionality through applications typically running in an externally hosted environment, in which the purchaser/consumer pays a usage fee or a monthly fee. These software services are usually delivered through the web and require a web browser to access the applications (e.g., web-based CRM). The purchaser does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application maintenance, with the possible exception of limited user-specific application configuration settings. Hosted IAM services are often provided through the SaaS model. For example, within the IAM process domain, the “Enforcement” and “Review and Certification” domains provide additional benefits based on the predictable nature of resource usage. A cloud-based IAM solution for these process domains can provide resource flexibility by adjusting resources to accommodate anticipated peak usage demand (e.g., annual or quarterly review cycles).

2. Platform as a Service (PaaS)

According to the National Institute of Standards and Technology (NIST), PaaS is “the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage but has control over the deployed applications and possibly application hosting environment configurations.” PaaS focuses on everything underneath the application layer, including the underlying platform and some components of infrastructure. IAM deployments in the PaaS model will seek to share resources at the software platform level and will have more transparency and control in comparison to the SaaS model.

3. Infrastructure as a service (IaaS)

IaaS refers to a service model that provides a hosted environment wherein a buyer can purchase infrastructure capacity that can be rapidly provisioned and deployed according to need. This may be useful in IAM deployments where the organisation seeks more control and transparency over the security and availability of capabilities.

A cloud-based IAM service model should be aligned with your organisation’s target-state business scenario and IAM process, protected resources and type of targeted user population. Common business scenarios within these IAM process domains are the following:

  • Employee access to external applications (both traditionally hosted and cloud-hosted business applications)
  • Employee access to internal applications
  • Business-to-business partner access
  • Consumer access to internally hosted and externally hosted services

As shown in Figure 1-4, for each of these scenarios, protected resources can include SaaS applications (Google Apps, Office 365, etc.), and traditional on-premises applications.

For example, an organisation may choose to implement a shared authentication service for its cloud-based applications and on-premises applications to provide its employees with a seamless user experience across applications. Another example would be that an organisation can provide an access review and certification process as a cloud-based IAM service and the results of the review and certification may feed into an internal access de-provisioning process.
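The second scenario above, a cloud-hosted access review whose decisions feed an internal de-provisioning process, is simple enough to show end to end. The Python below is an added example, not the article’s or any vendor’s code; the entitlement export, the certification decisions and the account names are all constructed. It encodes two decisions a practitioner has to make when wiring review results into de-provisioning and that the article’s description leaves open: a certifier may not approve their own access (such decisions are discarded), and entitlements nobody certified before the campaign deadline are treated as revoked rather than silently kept, which is the fail-closed reading of the “privileges limited to only those needed” requirement discussed under Compliance Demands.

```python
from collections import Counter

# Constructed sample data (not from any real system): current entitlements
# as exported from the target applications, and the decisions recorded by
# the review and certification campaign.
ENTITLEMENTS = [
    {"user": "alice", "app": "payroll", "role": "approver"},
    {"user": "bob",   "app": "payroll", "role": "admin"},
    {"user": "carol", "app": "crm",     "role": "reader"},
    {"user": "dave",  "app": "vpn",     "role": "user"},
]
DECISIONS = [
    {"user": "alice", "app": "payroll", "role": "approver", "decision": "approved", "certifier": "bob"},
    {"user": "bob",   "app": "payroll", "role": "admin",    "decision": "approved", "certifier": "bob"},
    {"user": "carol", "app": "crm",     "role": "reader",   "decision": "revoked",  "certifier": "bob"},
]


def valid_decisions(decisions):
    """Index decisions by entitlement, discarding self-certifications.

    A user approving their own access is not a review, so the entitlement is
    treated as if nobody had looked at it.
    """
    index = {}
    for d in decisions:
        if d["certifier"] == d["user"]:
            continue
        index[(d["user"], d["app"], d["role"])] = d["decision"]
    return index


def plan_deprovisioning(entitlements, decisions, deadline_passed):
    """Derive one action per current entitlement from the campaign's decisions.

    keep     - a certifier other than the user approved it
    revoke   - a certifier revoked it, or the campaign deadline passed with
               no valid decision (fail closed rather than keep by default)
    pending  - not yet certified and the campaign is still open
    """
    index = valid_decisions(decisions)
    plan = []
    for e in entitlements:
        decision = index.get((e["user"], e["app"], e["role"]))
        if decision == "approved":
            action, reason = "keep", "approved by certifier"
        elif decision == "revoked":
            action, reason = "revoke", "revoked by certifier"
        elif deadline_passed:
            action, reason = "revoke", "not certified before campaign deadline"
        else:
            action, reason = "pending", "awaiting certification"
        plan.append({**e, "action": action, "reason": reason})
    return plan


def summarize(plan):
    """Count actions, e.g. {'keep': 1, 'revoke': 3}, for the campaign report."""
    return dict(Counter(p["action"] for p in plan))


if __name__ == "__main__":
    for item in plan_deprovisioning(ENTITLEMENTS, DECISIONS, deadline_passed=True):
        print(f"{item['action']:7} {item['user']:6} {item['app']}/{item['role']}: {item['reason']}")
    print(summarize(plan_deprovisioning(ENTITLEMENTS, DECISIONS, deadline_passed=True)))
```

With the deadline passed, bob’s self-approved payroll admin role and dave’s never-reviewed VPN access are both queued for removal alongside carol’s explicitly revoked role; while the campaign is still open, the same two entitlements are reported as pending instead, so the certifier sees what is about to be lost rather than discovering it after the fact.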

IAM CLOUD SECURITY AND RISK MANAGEMENT

A primary inhibitor of widespread adoption of cloud-based IAM service models is concern for the security of applications and sensitive data that may need to reside in the cloud. For cloud-based IAM services to become a vital part of the IT enterprise portfolio, providers need to implement adequate security controls for sensitive enterprise data and applications. Cloud-based IAM service providers have made significant strides in addressing these concerns through their internal controls and service provisioning strategies. The purchasing organisation’s internal controls must augment the service provider’s security and privacy protections and be validated further by that organisation’s third-party risk management program.

The fundamentals of protecting the confidentiality, integrity and availability of information are no different in cloud-based services. When using a cloud environment, organisations must understand the risks to their systems and data. Asking your organisation’s CSP some fundamental questions is a good starting point. Typical questions to ask:

  • Where will the organisation’s data be located?
  • Who will have access to the organisation’s assets and data?
  • How will the organisation’s systems and data be secured?
  • What is being monitored and logged?
  • What evidentiary reporting will the CSP provide to enable compliance?

Regardless of the deployment and service model used, cloud computing creates new IAM challenges that must be addressed. Management of virtual machines within the cloud requires elevated rights that, when compromised, may give attackers the ability to gain control of the most valuable targets in the cloud. Such rights also give attackers the ability to create sophisticated data intercept capabilities that may be difficult for cloud providers to detect promptly. Unless controls are in place, the risk of undetected data loss, tampering, and resultant fraud is magnified.

CSPs should have documented processes for their IAM practices, covering both physical and logical access environments. Traditional vendor risk management practices apply to physical access to the hosting environments (background checks, employment status, hosting company location, roles and responsibilities, etc.). On the logical access side, the flexible and dynamic nature of virtual environments introduces new challenges, as virtual machines can be moved or copied, and important configuration settings can be modified, with little effort. For this reason, automated security controls at the hypervisor level are necessary; for example, CSPs must implement a privileged access management (PAM) solution at the hypervisor level. Organisations should take the steps required to understand the controls CSPs have implemented around each hypervisor administrator identity. Organisations considering a cloud-based IAM service model should tailor security controls to the type of cloud deployment, the service model, and the security requirements for the IAM service, and confirm that the CSP can meet these requirements. Are the cloud service provider’s security controls in compliance with the organisation’s security policies for on-premises solutions? Can the organisation still operate its IAM security process if one or more parts of the cloud-based IAM service become unavailable?
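The paragraph above asks for PAM at the hypervisor level and for visibility into what each hypervisor administrator identity does. The following is an added example (not code from the original article or from any CSP's product) of the kind of automated check that follows from it: constructed hypervisor audit events are compared against approved, time-boxed PAM sessions, and any privileged operation (move, copy, configuration change) that no session covers is flagged for review. The log format, operation names, host names and ticket identifier are all assumptions made for the example.

```python
# Added example, not page code: constructed hypervisor audit events checked against PAM sessions.
from dataclasses import dataclass
from datetime import datetime, timezone

# Operations the text calls out as easy to perform in a virtual environment, so gated behind PAM.
PRIVILEGED_OPS = {"vm.migrate", "vm.clone", "vm.config.modify"}

@dataclass(frozen=True)
class PamSession:  # an approved, time-boxed privileged session tied to a change ticket
    admin: str
    ticket: str
    start: datetime
    end: datetime
    hosts: frozenset  # hypervisor hosts the session is scoped to

def parse_event(line):
    """Parse one constructed audit line of the form '<ts> <admin> <op> <host> <vm>'."""
    ts, admin, op, host, vm = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # tz-aware UTC timestamp
    return {"when": when, "admin": admin, "op": op, "host": host, "vm": vm}

def covering_session(event, sessions):
    """Return the PAM session that authorises this event (same admin, in-scope host, in window), or None."""
    for s in sessions:
        if (s.admin == event["admin"] and event["host"] in s.hosts
                and s.start <= event["when"] <= s.end):
            return s
    return None

def review_hypervisor_log(lines, sessions):
    """Flag privileged operations that have no approved PAM session behind them."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["op"] not in PRIVILEGED_OPS:
            continue  # routine operations are not gated by PAM in this model
        if covering_session(ev, sessions) is None:
            findings.append(ev)
    return findings

# Constructed sample data: one approved session for alice on hv-01 and four audit events.
SESSIONS = [PamSession("alice", "CHG-1001", datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc),
                       datetime(2020, 3, 2, 10, 0, tzinfo=timezone.utc), frozenset({"hv-01"}))]
AUDIT_LINES = [
    "2020-03-02T09:15:00Z alice vm.migrate hv-01 vm-payroll",        # covered by CHG-1001
    "2020-03-02T09:20:00Z alice vm.config.modify hv-02 vm-payroll",  # host outside session scope
    "2020-03-02T09:40:00Z alice vm.power.on hv-01 vm-payroll",       # not a privileged operation
    "2020-03-02T13:05:00Z bob vm.clone hv-01 vm-hr-db",              # no session at all
]
FINDINGS = review_hypervisor_log(AUDIT_LINES, SESSIONS)  # two events flagged for review
```

The same comparison can be run by the purchasing organisation against the CSP's evidentiary reports, which is one concrete answer to the "what is being monitored and logged" question asked earlier.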

CONCLUSION

Both my research and experience working for large enterprise organisations indicate that organisations that turn IAM into an explicit business enabler rather than a cost centre will create a competitive advantage. By offering cloud-based IAM services around the six IAM processes of request and approval, provisioning, enforcement (authentication and authorisation), review and certification, reconciliation, and reporting and auditing, the IT security organisation becomes an IAM CSP to the rest of the enterprise.