teissTalk: Identity Governance in a hybrid work world

teissTalk host Jenny Radcliffe was joined by Todd Wade, Chief Information Security Officer, Sokin; Matt Hardy, Chief Information Security Officer, OMNIO; and Ingo Schubert, Global Cloud Identity Architect (CISSP-ISSAP, CCSP), SecurID, an RSA business.

Views on news

Almost one in three (32%) workers are being monitored at work by their employers, according to a new survey of 2424 UK workers by the union Prospect. It also found that four in five workers believe the use of webcams to monitor remote workers should either be banned or heavily regulated.

Both the panel and the audience took the view that monitoring employees' webcams and browsing history without their consent is wrong. Tracking employees for productivity can undermine trust and may trigger insider threats, while at the same time having zero security value.

How to take a proactive approach to identity management

ID governance, a subset of ID management, is about establishing who has what access, as well as granting new privileges and monitoring them in a controlled fashion. It is closely integrated with authentication and identity verification. Giving the relevant privileges to new employees at onboarding is always easier than making sure you take all of them away at offboarding.

In the recent breach of customer data at app-based broker Robinhood, the attackers gained access to the "disable MFA" button, the function that lists the devices logged into an account, and so on. A textbook example of excess privileges is a sales representative who had the right to carry out a data dump of the entire customer database. Data access is often regarded as the IT department's remit.

However, to achieve maximum security, every department of the business should own its own data access. Identity governance is also a cultural and communication issue: it is key to its success that the IT department and HR communicate effectively about joiners, movers and leavers. It is also important that physical ID and entitlement cards carry identifier marks, so it can be checked whether they are the same cards assigned at onboarding.

Panellists’ advice

First of all, learn where your critical data sits.

A separation of duty policy should always be in place. No one should have the privilege to grant themselves further privileges. Make your C-suite aware of how financial loss inflicted by ransomware attacks has ramped up during the pandemic.

Exceptions are fine but they need to be well-defined, visible and approved by access managers. Roles shouldn’t serve as the basis of access privileges as they keep changing. Use processes instead.

Don’t wait for the perfect solution. Some baseline protection is better than nothing.
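The joiner/mover/leaver communication gap and the panellists' separation-of-duty and exception advice above both come down to one recurring control: periodically reconciling the HR record against the list of live access grants. The following Python sketch is an added example, not code from the panel or any vendor mentioned on the page; the worker roster, entitlement names, departments, approvers and dates are all constructed sample data. It flags leavers who still hold entitlements, movers carrying access owned by a department they no longer belong to (the "sales rep who can dump the customer database" case), self-approved grants, and exceptions that lack an expiry or have passed it.

```python
"""Added example: minimal identity-governance reconciliation of an HR feed
against an access-grant list.  Sample data below is constructed for the
illustration and does not describe any real organisation."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Worker:
    user: str
    status: str            # "active" or "left", as reported by HR
    department: str        # current department (updated on a move)


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    owning_dept: str       # business department that owns the data/system
    approver: str          # who approved the grant
    exception: bool = False
    expires: Optional[date] = None


Finding = Tuple[str, str, str]


def reconcile(workers: List[Worker], grants: List[Grant], today: date) -> List[Finding]:
    """Return (user, entitlement, finding) for every grant that breaks a rule."""
    by_user: Dict[str, Worker] = {w.user: w for w in workers}
    findings: List[Finding] = []
    for g in grants:
        w = by_user.get(g.user)
        if w is None or w.status == "left":
            # Offboarding gap: a leaver (or an account HR does not know) keeps access
            findings.append((g.user, g.entitlement, "leaver-retains-access"))
            continue
        if g.approver == g.user:
            # Separation of duty: nobody may grant themselves further privileges
            findings.append((g.user, g.entitlement, "self-approved-grant"))
        if g.exception:
            # Exceptions are allowed, but must be visible, approved and time-bound
            if g.expires is None:
                findings.append((g.user, g.entitlement, "exception-without-expiry"))
            elif g.expires < today:
                findings.append((g.user, g.entitlement, "exception-expired"))
        elif g.owning_dept != w.department:
            # Plain grant owned by another department: a mover who kept old
            # access, or a privilege that should have been an explicit exception
            findings.append((g.user, g.entitlement, "cross-department-access"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per type, handy for a weekly access-review dashboard."""
    return dict(Counter(kind for _, _, kind in findings))


def sample_findings() -> List[Finding]:
    """Run the reconciliation over constructed sample data."""
    workers = [
        Worker("alice", "active", "sales"),
        Worker("bob", "left", "finance"),          # leaver, per HR
        Worker("carol", "active", "engineering"),  # mover: was in finance
        Worker("dave", "active", "it"),
    ]
    grants = [
        Grant("alice", "crm-read", "sales", "mgr-sales"),
        Grant("alice", "customer-db-dump", "data-platform", "mgr-sales"),
        Grant("bob", "ledger-write", "finance", "mgr-finance"),
        Grant("carol", "ledger-read", "finance", "mgr-finance"),
        Grant("dave", "iam-admin", "it", "dave"),
        Grant("dave", "prod-db-admin", "data-platform", "mgr-data",
              exception=True, expires=date(2021, 6, 30)),
        Grant("carol", "build-server", "engineering", "mgr-eng",
              exception=True, expires=None),
    ]
    return reconcile(workers, grants, today=date(2021, 11, 20))


if __name__ == "__main__":
    for user, entitlement, kind in sample_findings():
        print(f"{kind:26} {user:6} {entitlement}")
    print(summarize(sample_findings()))
```

In practice the worker list comes from the HR system of record and the grants from each department's access inventory (the panel's point that every department should own its data access); the reconciliation is only as good as the freshness of both feeds, which is why the IT-to-HR joiner/mover/leaver channel matters.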

Copyright Lyonsdown Limited 2021
