Monday, 11:55 PM: It’s been a long day for Bob. He worked all day as an information security professional, and then, he entertained a large group of friends all evening while watching Monday Night Football.
Tuesday, 6:00 AM: Slow to wake and feeling a bit under the weather, Bob gets ready for work. He eventually starts his commute, but after 10 miles his car starts to act up. He pulls over on the highway after the car completely dies and deals with the process of getting a tow.
Tuesday, 9:30 AM: After dealing with the tow truck driver, the repair shop and several calls from his son about holiday plans, Bob gives up on going into work. He decides to work from home the rest of the day since his remaining schedule is filled with non-stop conference calls. As a result, he skips his normal morning operational duties and saves them for tomorrow. His phone has also received a few security notifications throughout the busy morning, but since these arrive regularly and he is overly stressed about life, he isn’t too concerned.
The scenario above is probably quite common throughout the world today. We have all been stressed, have bad days and lose focus because of personal events from time to time. How much risk do these types of events really pose to an organization? On a typical day, you might think there isn’t much risk associated with Bob’s experience.
However, if you add some IT security-related variables to the above situation, the risk becomes considerable. Let’s explore how single points of failure and manual processes combined with various events can impact this organization’s security stance…
Bob’s company deals with sensitive data, which drives its entire business.
Monday, 4:00 PM: An employee with privileged access to several systems is terminated. The employee was considered non-threatening at the time, so no special termination process was initiated. Terminations happen all the time, so HR assumes the information security team will disable access using its standard process.
Bob’s organization unfortunately handles terminations and new hires in a manual fashion without automation. The IT security team (i.e. Bob) gets a daily report and manually disables access across the various systems. Since Bob is the primary security resource, it is his responsibility to complete this work.
OK, now a few things are adding up to a possible high-risk incident. Bob, in a stressed state, has ignored security alerts because he is desensitized to the common ones. These could be originating from a DLP, IDS or SIEM system. His numbness to the high volume of alerts is common in the information security world and is usually the result of poorly tuned security automation. Finally, a terminated employee who had privileged access still has an active account. Injecting the other common events into the above scenario dramatically increases the likelihood of an active breach.
What does all this mean? How can risk be reduced? Basically, it shows that organizations in today’s world of targeted information security breaches need to also understand their capabilities in two critical areas:
- Resource Continuity
- Automation (or lack of automation)
Continuity: If security duties (and other critical business functions) are not spread across multiple people, a single point of failure exists in your operations. In the scenario above, the organization depended 100% on Bob to handle security tasks. While there might be a formal process for someone to take over if Bob went on vacation, such processes typically fail during unexpected absences. Apply business continuity planning to ensure your critical information security tasks have coverage in any situation.
Automation: When organizations have limited resources with a high percentage of manual processes, something must give. In the IT security world, the "GIVE" usually occurs in identity and access management processes. These nagging tasks often add up, take time and are easy to drop in favor of more interesting work. If Bob leveraged technology to automatically disable accounts when HR terminates an employee, errors and delays with terminations would be avoided. Wherever possible, execute high-risk processes with software automation.
Automation can also have negative impacts on your organization when the solution is not managed properly or is too complex. For instance, having poorly configured "automated" alerting systems can make your information security team immune to the constant alerts. Spend time optimizing the tools you do have so you can respond effectively when a true incident occurs. An easy-to-use and well-optimized basic solution can often provide better results than an overly-complex top-tier solution.
Along with your other risk-related initiatives occurring throughout your organization, you need to also consider resource continuity and automation capabilities as potential incident-inducing variables. Possessing the latest and greatest IT security tools is great, but when they are misconfigured or you only have one person managing a given process, you can potentially get burned.
In Bob’s situation, the mind-numbing task of manually disabling accounts should be automated with identity management software. Automation will dramatically improve security by ensuring accounts are deactivated regardless of Bob’s availability. Bob’s other critical responsibilities, such as responding to security alerts, should also be shared with at least one other person. A cross-training and documentation initiative should take place so the organization is covered when Bob is unavailable or if he leaves. By focusing on these areas, Bob’s private life will no longer pose a risk to the entire organization.
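To make the HR-driven deprovisioning described above concrete, here is an added example (not code from the original post) of the reconciliation step an identity management job would run on a schedule: it compares a constructed HR feed against a constructed account inventory, flags enabled accounts whose owner was terminated more than a grace period ago or is unknown to HR, orders privileged accounts first, and disables them through a caller-supplied hook standing in for each system's connector. The timestamps mirror the story (terminated Monday 4:00 PM, checked Tuesday 9:30 AM); the feed, inventory and hook are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample HR feed: employee id -> termination time (None = still employed).
HR_FEED = {
    "e100": None,
    "e200": datetime(2023, 11, 6, 16, 0),  # terminated Monday 4:00 PM
    "e300": datetime(2023, 11, 1, 9, 0),   # terminated last week, already handled
}

# Constructed account inventory: (system, owner employee id, enabled, privileged).
ACCOUNTS = [
    ("vpn", "e100", True, False),
    ("vpn", "e200", True, False),
    ("erp-admin", "e200", True, True),
    ("erp-admin", "e300", False, True),
    ("fileshare", "e999", True, False),   # owner unknown to HR: orphaned account
]

def find_stale_access(hr_feed, accounts, now, grace=timedelta(hours=1)):
    """Enabled accounts whose owner is terminated (past the grace period) or unknown
    to HR, ordered privileged first, then by time since termination."""
    findings = []
    for system, owner, enabled, privileged in accounts:
        if not enabled:
            continue
        if owner not in hr_feed:
            findings.append({"system": system, "owner": owner, "privileged": privileged,
                             "reason": "orphan", "hours_since_termination": 0.0})
            continue
        terminated_at = hr_feed[owner]
        if terminated_at is None or now - terminated_at <= grace:
            continue
        hours = (now - terminated_at).total_seconds() / 3600
        findings.append({"system": system, "owner": owner, "privileged": privileged,
                         "reason": "terminated", "hours_since_termination": hours})
    findings.sort(key=lambda f: (not f["privileged"], -f["hours_since_termination"]))
    return findings

def disable_stale_access(findings, disable):
    """Call the hypothetical connector hook disable(system, owner) for each finding."""
    acted = []
    for f in findings:
        disable(f["system"], f["owner"])
        acted.append((f["system"], f["owner"]))
    return acted

def run_demo(now_iso="2023-11-07T09:30"):
    """Tuesday 9:30 AM in the story: reconcile and disable with nobody on duty."""
    findings = find_stale_access(HR_FEED, ACCOUNTS, datetime.fromisoformat(now_iso))
    return disable_stale_access(findings, lambda s, o: print(f"disabling {o} on {s}"))
```

Run on the story's timeline, the job disables the terminated employee's privileged ERP account first, then the VPN account, and also surfaces the orphaned fileshare account that no HR event would ever trigger.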
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration and IT operations.