When HR becomes the cyber police

HR has a big role to play when it comes to the prevention of data breaches.

Identity and Access Management

The author

Lennie Tan, Vice President and General Manager, One Identity, Asia Pacific & Japan

An area that tends to be overlooked in the recent spate of data breaches, such as the ION Orchard breach impacting nearly 25,000 loyalty program members, is Identity and Access Management (IAM). The lack of policies governing the administrator account created a hidden door into ION’s servers through legitimate access, and that led to the breach.

IAM is all about ensuring that the right people have the right access, to the right resources, and that you can prove that all the access is right. Both HR and IT professionals have to work hand-in-hand to ensure a robust IAM framework.  

There’s a lot that goes into getting all those things “right.” First, IT must set up the accounts that enable a user to get to the right stuff – that is often called provisioning (and its dangerous sister, de-provisioning).

Second, in order for that account to grant the appropriate access, there has to be a concept of authorization which provides a definition for what is allowed and not allowed with that access.

And third, there should be some way to make sure that provisioning and de-provisioning are done securely (and ideally efficiently), and that the associated authorization is accurate – i.e. everyone has exactly the access they need, nothing more and nothing less. However, for IT to even embark on this process, HR needs to establish the levels of access for every employee.

Recent research commissioned by One Identity revealed many compelling insights into the dangers of old-fashioned practices for provisioning, de-provisioning and authorization. Stated plainly, the practices and technologies that served HR and IT professionals so well in the past are simply inadequate in today’s digitally transformed world.

One of the key insights from the research is that the risk of dormant accounts (accounts not de-provisioned after an employee leaves, for example) is not that they exist, but what they could be used for. Most high-profile breaches are the result of a bad actor compromising a legitimate user account. That could be gaining access through phishing or social engineering, or hunting for and finding a dormant account that the organisation doesn’t even know exists. Once in, a series of lateral moves and rights escalation activities can result in access to the very systems and data that you are trying to protect.

Insights from Singapore organisations

The research also revealed other intriguing insights into how organisations in Singapore perceive their own IAM practices:

  • Only one in four (22%) expressed that they were “very confident” that user rights and permissions are correct. That means that three-quarters of our respondents were unsure of the fundamental aspect of access control – authorization. Any user with excessive rights (rights that are more than necessary to do the job) is an easy path for bad actors to execute those lateral moves they are so good at.
  • Only 19% of respondents here are “very confident” that users are de-provisioned properly. By properly, we mean fully and immediately – only 7% of respondents reported that users were de-provisioned immediately upon a change in status. De-provisioning is the process of turning off accounts and revoking rights when they are no longer needed. Poor de-provisioning, either through outdated and cumbersome manual processes or limited tools, is the primary cause of dormant accounts.
  • In fact, 100% reported that while they have a process for de-provisioning, it requires IT intervention. In other words, someone has to put hands on a keyboard to make it happen. Any amount of time that an unneeded account remains “open” is an invitation for disaster as evidenced by so many of the high-visibility breaches over the past several years.

How can HR contribute to cybersecurity?

So how can HR and IT work together to circumvent breaches? There are many ways to modernise these processes and get IAM right. Here are a few suggestions:

1.   Determine a single source of the truth for authorization. HR must define business roles once and use them in all instances. And most importantly, let the line-of-business be the decision makers here. Many instances of inappropriate rights are simply the byproduct of IT doing the best they can with the knowledge they’ve been given. It’s all too common for the line-of-business to ask IT to “give Joe the same rights as Bill” when there was no oversight into what rights Bill has, how he got them, and whether they are still appropriate for the job he does. As such, HR needs to work with IT in this area to improve the IAM processes.

2.   De-provision immediately and completely. Tools exist that can update permissions the instant a status changes in an authoritative data source. For example, as soon as an employee’s status in the HR system switches from active to inactive, that user’s access rights across every system in the enterprise (including cloud-based services) can be terminated immediately as well – effectively closing all those doors and eliminating dormant accounts. In this respect, HR has to ensure employee access levels are kept up to date.

3.   Implement identity analytics. A new class of IAM solution called identity analytics will proactively and constantly evaluate your systems to find instances where user rights are out of alignment with what is “right.” These technologies quickly find dormant accounts, mis-provisioned accounts, and instances of rights elevation that are often the smoking gun in breach detection and prevention. 
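To show what the three suggestions above look like when automated, here is an added illustration (not One Identity’s code or product) of an identity-analytics style reconciliation: the HR system is treated as the single source of truth for status and role, business roles are defined once, and every account is checked for dormancy, orphan status and excess rights before de-provisioning is applied. All names, roles and rights below are constructed sample data.

```python
# Constructed sample data: HR records are the authoritative source of
# each person's status and business role.
HR_RECORDS = {
    "joe":   {"status": "active",   "role": "finance_analyst"},
    "bill":  {"status": "active",   "role": "finance_analyst"},
    "alice": {"status": "inactive", "role": "sysadmin"},
}

# Business roles defined once by the line-of-business and reused everywhere.
ROLE_RIGHTS = {
    "finance_analyst": {"erp_read", "reporting"},
    "sysadmin":        {"erp_read", "erp_admin", "server_admin"},
}

# Constructed snapshot of what the directory and applications actually grant.
ACCOUNT_RIGHTS = {
    "joe":     {"erp_read", "reporting"},
    "bill":    {"erp_read", "reporting", "erp_admin"},   # "same rights as Bill" drift
    "alice":   {"erp_read", "erp_admin", "server_admin"},  # left, never de-provisioned
    "svc_old": {"server_admin"},                           # no HR record at all
}


def reconcile(hr, roles, accounts):
    """Compare granted rights against HR status and role definitions.

    Returns dormant accounts (HR says inactive), orphans (no HR record) and,
    for active users, any rights beyond what their role allows.
    """
    findings = {"dormant": [], "orphan": [], "excess": {}}
    for user, rights in accounts.items():
        record = hr.get(user)
        if record is None:
            findings["orphan"].append(user)
            continue
        if record["status"] != "active":
            findings["dormant"].append(user)
            continue
        excess = rights - roles.get(record["role"], set())
        if excess:
            findings["excess"][user] = sorted(excess)
    return findings


def deprovision(accounts, findings):
    """Apply the findings: revoke everything on dormant and orphan accounts,
    and trim active users back to exactly their role's rights."""
    updated = {user: set(rights) for user, rights in accounts.items()}
    for user in findings["dormant"] + findings["orphan"]:
        updated[user] = set()            # immediately and completely
    for user, extra in findings["excess"].items():
        updated[user] -= set(extra)
    return updated
```

Running `reconcile` again on the output of `deprovision` should report no excess rights; the dormant and orphan entries remain flagged until the accounts themselves are removed.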
