
Prioritizing Security Investment: Misplacing Budget Amidst Internal and External Risks

Conventional security approaches primarily center on fortifying defenses against external threats. Businesses express concerns over cyber-criminals, Distributed Denial of Service (DDoS) attacks, and the emerging breed of tech-savvy teenagers.

Internal security tactics versus external breaches: misplaced financial investment


In the digital age, securing sensitive information has become paramount for organizations of all sizes. This is especially true in the wake of numerous high-profile data hacks that have plagued companies like iCloud, JPMorgan Chase, Sony Pictures, Ashley Madison, Carphone Warehouse, TalkTalk, and many more.

The case of Ashley Madison, a dating website, serves as a stark reminder of the consequences of inadequate access management. Noel Biderman, the CEO of the company, admitted that an insider with too much access privilege was responsible for stealing the company's data.

While current access control strategies, such as Role-Based Access Control (RBAC) and the Principle of Least Privilege (PoLP), have proven effective to a significant extent in large organizations, they can be challenging to enforce without the right tools, and for larger organizations enforcing PoLP without such tools is particularly difficult.

Contemporary access control systems enable fine-tuned permissions, specifying who can access what and when, reducing excessive access rights and limiting potential breach points. RBAC simplifies management by grouping permissions to roles aligned with job functions, minimizing human error and unauthorized access. PoLP involves auditing current permissions comprehensively, granting only necessary access, enforcing temporary elevated access when required, and ongoing monitoring and regular audits.

However, emerging technologies like attribute-based access control (ABAC), AI-enhanced access decisions, and continuous authentication are improving effectiveness by adapting permissions dynamically and reducing over-privileged access. ABAC goes beyond roles by considering contextual attributes such as time, location, project relationship, or device state to dynamically adjust access. AI-Enhanced Access Decisions use machine learning to analyze historical access patterns and risks continuously, proactively refining access control policies and adapting to threats automatically. Continuous Authentication and Authorization transforms enforcement from a single point-in-time check to ongoing validation during user sessions, enabling zero-trust environments that prevent privilege misuse after login.
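The contrast between RBAC and ABAC described above, as an added example that is not part of the original article: a small policy evaluator in which RBAC derives a user's permissions purely from role membership, and ABAC layers contextual conditions (working hours, managed device, project relationship) on top of the same role grant before a sensitive permission is exercised. The roles, permission names, and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission mapping; role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "customer_support": {"customer:read"},
    "billing": {"customer:read", "invoice:read", "invoice:write"},
    "dba": {"customer:read", "customer:export", "db:admin"},
}

# Permissions that ABAC subjects to extra contextual checks.
SENSITIVE = {"customer:export", "db:admin"}


@dataclass
class Request:
    user: str
    roles: set            # roles held by the user
    permission: str       # permission being requested
    hour: int             # local hour of the request, 0-23
    device_managed: bool  # device state attribute
    on_project: bool = True  # project relationship attribute


def rbac_allows(req: Request) -> bool:
    """RBAC: allow if any of the user's roles carries the permission."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    return req.permission in granted


def abac_allows(req: Request) -> bool:
    """ABAC: start from the RBAC grant, then require contextual attributes
    for sensitive permissions (managed device, working hours, project link)."""
    if not rbac_allows(req):
        return False
    if req.permission not in SENSITIVE:
        return True
    if not req.device_managed:
        return False
    if not 8 <= req.hour < 19:  # outside constructed working hours
        return False
    return req.on_project


def decide(req: Request) -> tuple:
    """Return (rbac_decision, abac_decision) so the two models can be compared."""
    return rbac_allows(req), abac_allows(req)


if __name__ == "__main__":
    samples = [
        Request("alice", {"customer_support"}, "customer:read", 10, False),
        Request("bob", {"dba"}, "customer:export", 10, True),
        Request("bob", {"dba"}, "customer:export", 23, True),   # out of hours
        Request("bob", {"dba"}, "customer:export", 10, False),  # unmanaged device
        Request("alice", {"customer_support"}, "invoice:write", 10, True),
    ]
    for r in samples:
        print(r.user, r.permission, "rbac/abac ->", decide(r))
```

The point the comparison makes is that RBAC answers "does this role ever get this permission?", while ABAC also asks "should it get it right now, from here?"; the same role grant produces a different decision once context is taken into account.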

The government's ten steps to cyber security include enforcing the principle of least privilege. Mark Rodbert, CEO of idax, emphasizes the importance of addressing internal threats. Failing to invest in technology for access management may lead to more data breaches. In fact, in 2014, 58% of large organizations suffered staff-related security breaches, compared to 24% detecting outsiders penetrating their networks.

For regular employees, conducting proper access reviews without assistance can be difficult. However, introducing the right technology can reduce the time taken reviewing access rights by up to 90%. With the increasing amount organizations are spending on security, it's crucial that this investment is focused on the right areas. Spending a quarter of the IT budget on a single area is a large proportion, especially if it still does not deliver full security. IT budgets typically need to be spread across software, hardware, network management, and data storage.
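The access review the paragraphs above argue for, as an added example that is not part of the original article: it compares each account's actual grants against the baseline its roles entitle it to, honours temporary elevated access only while the elevation is still valid, and flags excess permissions, expired elevations that were never revoked, and orphaned accounts whose roles were removed but whose grants remain. The accounts, roles, permissions and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed role baseline; role and permission names are hypothetical.
ROLE_BASELINE = {
    "support": {"ticket:read", "ticket:write", "customer:read"},
    "finance": {"invoice:read", "invoice:write", "customer:read"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
}

# Constructed review time and account inventory (as an IAM export might look).
NOW = datetime(2024, 1, 15, 9, 0)

ACCOUNTS = {
    "alice": {"roles": {"support"},
              "permissions": {"ticket:read", "ticket:write", "customer:read"},
              "elevations": {}},
    "bob":   {"roles": {"finance"},
              "permissions": {"invoice:read", "invoice:write", "customer:read",
                              "customer:export"},
              # temporary elevation that expired three days ago but was never revoked
              "elevations": {"customer:export": NOW - timedelta(days=3)}},
    "carol": {"roles": {"engineer"},
              "permissions": {"repo:read", "repo:write", "ci:run", "db:admin"},
              # elevation still valid for a few hours, so it is not a finding
              "elevations": {"db:admin": NOW + timedelta(hours=4)}},
    "dave":  {"roles": set(),  # roles removed on team change, grants left behind
              "permissions": {"repo:read", "invoice:read"},
              "elevations": {}},
}


def review_access(accounts: dict, baseline: dict, now: datetime) -> list:
    """Return findings as (user, finding_type, sorted_permissions) tuples."""
    findings = []
    for user, rec in sorted(accounts.items()):
        expected = set().union(*(baseline.get(r, set()) for r in rec["roles"]))
        active = {p for p, exp in rec["elevations"].items() if exp > now}
        expired = {p for p, exp in rec["elevations"].items() if exp <= now}

        # An account with grants but no role has no baseline to justify them.
        if not rec["roles"] and rec["permissions"]:
            findings.append((user, "orphaned", sorted(rec["permissions"])))
            continue

        # Anything beyond the role baseline and still-valid elevations is excess.
        excess = rec["permissions"] - expected - active
        stale = expired & rec["permissions"]
        if stale:
            findings.append((user, "expired_elevation", sorted(stale)))
        if excess - stale:
            findings.append((user, "excess", sorted(excess - stale)))
    return findings


if __name__ == "__main__":
    for user, kind, perms in review_access(ACCOUNTS, ROLE_BASELINE, NOW):
        print(f"{user}: {kind}: {', '.join(perms)}")
```

Run against a real IAM export, the same comparison turns a manual, account-by-account review into a short list of exceptions for the reviewer to confirm or revoke; Carol's still-valid elevation is deliberately not reported, which is what keeps the list short enough to act on.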

In summary, the key to securing against internal breaches is access management. Organizations need to take a balanced approach to IT security that guards against all potential hazards, investing in technologies that enable granular access management, RBAC, PoLP, identity lifecycle management (ILM), ABAC, AI-driven adaptive access controls, and continuous authentication to prevent data breaches and ensure the protection of sensitive information.


  1. In light of the Ashley Madison incident, where an insider with excessive access was responsible for the data breach, it is evident that balancing finance and cybersecurity in business is crucial for maintaining sensitive information in the digital age.
  2. For larger organizations in particular, it is crucial to employ technology in access management to successfully enforce the Principle of Least Privilege, a strategy recognized for reducing potential breach points, as illustrated in the government's ten steps to cyber security.
