Companies could make corporate IT environments a lot safer from external threats if those pesky humans would stop clicking on so many sketchy links. Or sharing passwords. Or using bad passwords. Or finding loopholes in the corporate security policy.
Users tend to carry their fair share of blame for data loss and cyberattacks. Human error costs businesses an average of $3.5 million because of breaches that result from carelessness or simple mistakes. It’s also responsible for about 60 percent of cyberattacks in the UK. Even IT pros – presumably more knowledgeable about and less vulnerable to security threats – aren’t any better. Research shows 85 percent of IT and application development professionals share credentials to privileged IT accounts with their peers, even though 75 percent know it’s a security risk.
Maybe we’re wired to find the shortest route to any destination. We want to get work done quickly, so we do our best to remove roadblocks. No time to think of a good password? Just reuse an old one. Forgot your server credentials? Just ask a colleague to share theirs. On a strict project deadline? Just do what 52 percent of IT and app development professionals say they would consider doing: bypass corporate security controls.
Bad habits often arise out of necessity, and there’s a temptation on the part of IT security professionals to hammer the bad habits out of their users. If people are the problem, then security pros just need to set up as many speed bumps, booby traps and safety nets to limit their harm.
However, as the data shows, that’s not working. Users can still get around or ignore an over-architected corporate IT policy. If anything, restrictive policies that slow down work only encourage workers to find loopholes. They just want to get their work done.
What if we stopped fighting the current and went with the flow? Instead of asking why IT users just can’t follow security policy, we should ask why they find the policy hard to follow.
Simpler security increases convenience and safety. The easier the policy, the better the adherence. Here are five simple ways security pros can simplify security for IT users and decrease risk.
1. Reduce the number of decisions users make.
There’s a reason why single sign-on (SSO) has become more popular in recent years. It makes it easy for users to automatically log in to all their required IT services with one click. In some cases, security pros can enable SSO on any SSH, RDP or HTTPS service. Fewer logins and fewer entry points mean less chance for bad habits to take root.
2. Grant access on a “need-to-have” basis.
At many companies, far too many people have too much access to too many parts of the infrastructure. If a hacker were to acquire an IT user account with excessive access privileges – because of phishing, social engineering or some other tactic – they could run roughshod over most, if not all of the IT infrastructure.
The clear answer: limit account access only to the specific resources each IT user needs to do his or her job. Do this through role-based access management – saying User X can only access Server X, and User Y can only access Server Y. That way, even if an IT user were to misplace or lose their credentials, the exposure is limited to the resources that user can access.
3. Champion “just-in-time” security.
There’s an increasingly popular security concept called “just-in-time” provisioning, where security pros grant temporary access on demand. In other words, an account with the right privileges gains temporary access to the server at the point of request, and that access terminates as soon as the session finishes.
Just-in-time access counters the risk of standing privileges, the term for IT user accounts that have broad, “always-on” access to IT resources. These are a hidden threat to organizational security because the IT person may never know that an account with standing privileges was even there in the first place, much less that it was compromised.
4. Remove credentials altogether.
Moving to a just-in-time access approach also means organizations can move away from permanent access credentials and toward temporary, automatically expiring tokens.
Permanent passwords are often forgotten, stolen, mismanaged, misconfigured and lost. On the other hand, if access gets granted only when it’s needed and immediately revoked at the end of the session, there’s nothing to lose. Emerging technologies like ephemeral certificates are making this sort of just-in-time access possible.
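Sections 2 through 4 describe one mechanism from three angles: a role decides which resources a user may reach, access is granted only at the point of request, and the grant expires on its own. The following broker is an added illustration of that mechanism (constructed example code, not SSH.COM's product or any real library); the class, role and host names are assumptions made up for the demo, and a grant with no expiry models the standing privilege the text warns about.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added example for sections 2-4 above; constructed code, not SSH.COM's product.
# Role-based policy (section 2): a role maps to exactly the hosts it needs.
# Hostnames and role names are made-up assumptions.
ROLE_POLICY: Dict[str, Set[str]] = {
    "db-admin": {"db01.example.internal"},
    "web-admin": {"web01.example.internal", "web02.example.internal"},
}

@dataclass
class Grant:
    user: str
    resource: str
    issued_at: int             # epoch seconds
    expires_at: Optional[int]  # None models a standing, "always-on" privilege

class AccessBroker:
    def __init__(self, user_roles: Dict[str, str]) -> None:
        self.user_roles = user_roles
        self.grants: Dict[str, Grant] = {}  # opaque token -> grant

    def request_access(self, user, resource, now, ttl=600):
        """Section 3: issue a temporary grant at the point of request.
        Returns an opaque token, or None when the user's role does not
        cover the resource. The grant expires by itself after ttl seconds."""
        allowed = ROLE_POLICY.get(self.user_roles.get(user, ""), set())
        if resource not in allowed:
            return None
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(user, resource, now, now + ttl)
        return token

    def is_valid(self, token, resource, now):
        """Section 4: a token is good only for its resource and its window."""
        g = self.grants.get(token)
        if g is None or g.resource != resource:
            return False
        return g.expires_at is None or now < g.expires_at

    def end_session(self, token):
        """Revoke as soon as the session finishes; nothing is left to steal."""
        self.grants.pop(token, None)

    def standing_privileges(self):
        """Audit: grants with no expiry, the hidden risk section 3 warns about."""
        return {t for t, g in self.grants.items() if g.expires_at is None}
```

The audit helper is the defender's check: any grant it returns is an always-on privilege that should be converted to a time-limited one or removed.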
5. Trust automation.
All of these capabilities are achieved through automation, widely viewed as the easiest way to reduce human error. There are many opportunities to introduce automation into the way security teams manage, grant and revoke access.
For example, some centralized management tools include technical capabilities like auto-discovery to speed account setup. Auto-discovery instantly pulls all current user identities, roles, and access rights from existing corporate directories, like Active Directory or an Identity Access Management (IAM) system, making upfront deployment faster.
Easier setup means fewer configuration mistakes, and fewer problems that slip through the cracks, like inactive accounts for hackers to exploit. For example, some tools can automatically identify changes in user roles (including termination) and sunset inactive accounts, making it easier for administrators.
The cloud offers a great blueprint for how we should think about security across IT. Cloud users trust the management and security of those tools to the experts, without having to concern themselves with policy minutiae. We need to take the same approach to reduce the complexity of hybrid and on-premises IT environments, tools and processes. Take security out of the end user’s hands, and let them focus on what they’re really good at.
Jussi Mononen, chief commercial officer, SSH.COM