We were reminded last week that the bigger the organization the more prone it is to be at risk as a target for infiltrating its security. The latest reminder came in the form of a claim from the hacking group AntiSec. This affiliate of the "Anonymous" hacking collective, which last year announced it was targeting government agencies, claimed it had obtained personal data from 12 million Apple iPhone and iPad users by breaching an FBI computer.
While FBI and Apple spokespeople declined to comment, Denmark-based eCrime specialist Peter Kruse confirmed via Twitter that the leak "is real"; his proof — three of his own devices were among those nabbed in the hack, which uncovered Apple unique device IDs (UDID).
This factor sheds much needed light upon an intersection of technological cyber security needs. Whereas most companies do employ identity management — both internally for employees and, where applicable, externally for customers — there is less of a focus on securing devices from cyber security risks. Organizations generally lump their own hardware under an umbrella effort overseen by the IT department, but in this, the age of BYOD — Bring Your Own Device — they also need to turn their focus on the security of employee-owned devices that access the organization’s database.
From a technological standpoint, the most obvious steps to take to nip identity management cyber security threats in the bud include:
- Implementing a firewall — intercepts network traffic and allows only authorized data to pass through.
- Developing a corporate security policy — outlines consequences for network tampering and unauthorized entry.
- Encrypting User Lists — renders data unusable, so even if it is hacked, the hacker cannot benefit from it or reveal it
- Updating Operating Systems — ensures the latest patches or new versions of software are present; these often address points of vulnerability in the software
- Assessing Application Software Quality — highlights flaws and limitations in programs; historically these assessments had been large platform-based offerings, but some are now available as SaaS
- Security-Mapping Files — associates the file’s contents with access rights for those files
- Keeping Current on Network Security — every company needs to keep up with the hackers, because the hackers keep getting smarter and more resourceful
- But can the technology solutions be merged with security measures for devices?
- The answer is an emphatic, "Yes!"
There most definitely is a middle ground where the circles of influence for both software/data security and device security overlap under a sphere of security and compliance management known as "administrative management". With administrative management, securing hardware is incorporated into the same process as the one used to manage individuals — Identity and Access Management (IAM).
By incorporating administrative management, when an employee introduces to the IT system either a personally-owned device or one issued to him or her by the company, a user provisioning request can be made for IAM measures directly through the organization’s IT store. Once the request is made, the software takes over and approves or disapproves access to data based on the automated user provisioning rules that are already established by the company before automatically passing along the final confirmation request to the right human being.
Introducing this level of automation — from the ordering to the initial approvals process — streamlines the process by eliminating IT or human resources from the decisions until the very end. This facilitates registration and access to key files in a far more expedient manner.
What may be even more valuable, however, is that the reverse is also true. If a device is lost or the employee or even supply chain partner leaves, everything can be turned off at once in an expedient manner.
And if the FBI and Apple can be victimized, we should all heed the warning and engage administrative management measures to protect ourselves from unauthorized access — no organization is too large or too small for cyber security threats.
Watch the Avatier Identity and Access Management Time to Value Gwinnett Medical Center Customer Testimonial
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.