Security Program Spring Cleaning - Part 2 of 3
Last week I kicked off a series of “Spring Cleaning” security tips to freshen up those dusty networks; we moved the furniture and vacuumed behind the couch. Now break out the steam cleaner! The boundaries between access to public/private cloud resources and internally hosted data are now blurred beyond recognition. Identity and Access management did not grow into a multi-billion dollar industry by accident.
Deep Clean - System Access Review
When it comes to your organization’s highly-integrated and complex federated identity systems — with as many horizontal and diagonal domain linkages as spider webs in your rafters — access review requires breaking out the industrial-grade cleaner. Managing identity has become the front line in a cloud-first environment. How many systems of record do you have? Do you have a comprehensive, streamlined on-boarding and off-boarding process? Which clouds hold data that you are responsible for?
Take the time to audit your current access policies and determine if they make sense. All organizations start off with very liberal access policies because they frankly do not know what each person needs to accomplish their job. Rather than be the blocker, IAM starts by allowing all employees. But many times access can be scaled back for various job functions. In the public/private cloud space this effort comprises evaluating both internal systems and cloud vendors alike. Without getting into an overly burdensome IAM discussion, let’s take a look at your role and identity management system with a critical eye.
To-do To-day List:
- Review your organization’s API Key management strategy. What happens if one of your developers is out at the bar after work and has her laptop stolen out from under the table? Aside from the drive encryption questions, how do you revoke her API keys?
- Assess your cloud vendor (AWS, Azure, ServiceNow, etc.) IAM groups and roles. If you’re not using defined roles with your PaaS/IaaS, stop now. Do not pass ‘GO’. Do not collect $200.
- Audit your source code access. Can you confidently state who does and who does not have access?
- Review legacy internal systems’ role-based access control. If your legacy system has inadequate RBAC, engineer a solution to instrument the limited logging and controls available so you know when there’s something out of the ordinary.
- Evaluate third-party access (vendor, partner, etc.) for last login date. If you don’t have sensors that can give you this basic data, it’s time to start installing some.
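Two of the items above (stale API keys and last-login dates for third-party accounts) can be checked from a single data source in AWS. The script below is an added example, not code from the original post; it assumes the column layout of an AWS IAM credential report, and the report rows and the `max_idle_days` threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the (assumed) column layout of an AWS IAM
# credential report; account id and users are made up for this example.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::000000000000:user/alice,true,2024-04-02T08:15:00+00:00,true,true,2024-04-01T10:00:00+00:00,false,N/A
vendor-bot,arn:aws:iam::000000000000:user/vendor-bot,false,no_information,false,true,2023-09-20T12:00:00+00:00,false,N/A
bob,arn:aws:iam::000000000000:user/bob,true,2023-11-01T00:00:00+00:00,false,false,N/A,false,N/A
"""

# Placeholder values the report uses when no timestamp is available.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def find_stale_access(report_csv, now, max_idle_days=90):
    """Flag console logins and API keys that are enabled but idle, and
    console users without MFA. Returns (user, credential, reason) tuples."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            last = parse_ts(row["password_last_used"])
            # A never-used password counts as idle, not as safe.
            if last is None or last < cutoff:
                findings.append((user, "console", "idle"))
            if row["mfa_active"] != "true":
                findings.append((user, "console", "mfa_disabled"))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue  # inactive keys are already revoked
            last = parse_ts(row["access_key_%s_last_used_date" % n])
            if last is None or last < cutoff:
                findings.append((user, "access_key_" + n, "idle"))
    return findings


if __name__ == "__main__":
    for finding in find_stale_access(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print("%s %s %s" % finding)
```

Anything flagged here is a candidate for revocation or a conversation with the account owner, and the same pass over a fresh report each week turns the "last login" check into a routine rather than a one-off cleanup.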
Next week we’ll polish the balustrade and conclude our fun little program review with a look at our governance, documentation, and controls mapping. All you policy wonks and GRC folks get ready with those white gloves - we’re going to do the needful with a little fussy risk talk!