When developing cyber defense plans and strategies, most organizations focus on external threats. The traditional view of cybercrime and cyber attacks, where the hacker is sitting in a dark basement somewhere else, contributes to this bias.
However, many cybercrimes are performed or enabled by trusted insiders. When an employee leaves a company, they may take company data or a copy of their past work with them to their new employer, which is just as much a data breach as if the competitor had stolen it. Alternatively, a well-meaning employee can make an attack possible through negligence: losing a laptop or flash drive holding sensitive data, or storing company data in an insecure cloud drive.
Protecting against these insider threats requires a zero-trust approach to security, in which no one is trusted by default and every access to a system or account depends on strong authentication and an explicit authorization check. That in turn requires an understanding of what identity and access management (IAM) is and how it can be implemented within an organization to address the insider threat.
Limitations of Perimeter-Focused Security
Traditionally, many organizations have taken a perimeter-focused approach to cybersecurity. An organization’s internal network, composed of “trusted” machines, has a single point of connection with the public Internet, where cyber threats are assumed to originate. By concentrating monitoring and threat detection systems (firewalls, intrusion detection and prevention, web proxies) at this choke point, these organizations are able to identify and block a great deal of malicious content before it reaches and affects internal systems.
However, this approach is becoming increasingly inadequate. The modern organization has a far more mobile workforce than in the past, with remote workers, work laptops, cloud resources, Internet of Things (IoT) devices, and mobile devices all operating outside the organization’s local area network (LAN). These devices often connect directly to the public Internet, so the perimeter protections do not cover them, and they can carry malware or sensitive internal data past the firewall as they move between external and internal networks.
Additionally, the assumption that everyone inside the organization’s LAN is trustworthy does not hold. If an attacker bypasses or overcomes the perimeter defenses, they can move freely within the network with little chance of detection or response. And perimeter defenses have little or no effect on threats that originate inside the organization, such as malicious or negligent employees.
Inside the Insider Threat
Insider threats originate from a variety of sources and account for a substantial share of data breaches. According to the 2019 Verizon Data Breach Investigations Report (DBIR), over a third (34%) of breaches involved an internal actor in some way.
In some cases, these insiders are employees. An employee who has given notice or has been fired may choose to bring sensitive material with them to their next job. Detecting this is difficult because the material typically consists of files they had legitimate access to as part of their role, so permission checks alone will not flag the copying; what stands out is a change in the employee’s own access pattern, such as a surge in downloads in the days after giving notice.
Other breaches involving employees stem from negligence. Cloud storage is a common source of breaches when data is placed there without proper access controls. Lost or stolen devices leak sensitive data, and improperly disposed-of paper records can be recovered through dumpster diving. The employee is not intentionally stealing data in these cases, but their actions are integral to the real criminal’s success.
Finally, insider threats can originate with trusted third parties outside the organization. As demonstrated in the Target breach, where the attackers entered using network credentials stolen from an HVAC vendor, a cybercriminal may attack an organization’s supply chain in order to take advantage of a supplier’s access to the network. Since 94% of organizations give these third parties access to their networks, and 72% provide admin-level accounts, supply chain attacks represent a significant cyber threat.
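The departing-employee case above is hard for permission-based controls because every file involved was legitimately accessible. One way to catch it is to compare a user’s download volume after their notice date against that same user’s earlier baseline. The following is an added example written for this article, not code from Verizon or any product; the log format, the user names, the notice dates and the thresholds are all constructed for illustration.

```python
"""Flag departing employees whose download volume jumps above their own baseline.

Added illustration for this article. The log line format
'<YYYY-MM-DD> <user> <action> <path>', the users and the thresholds are
constructed assumptions, not any real product's format.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    day: date
    user: str
    action: str
    path: str


def parse_log(lines: List[str]) -> List[Event]:
    """Parse constructed log lines; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        day, user, action, path = line.split(maxsplit=3)
        events.append(Event(date.fromisoformat(day), user, action, path))
    return events


def build_sample_log() -> List[str]:
    """Constructed sample data covering 2023-05-01..2023-05-22 (not real logs).

    alice: 2 downloads/day, then 30, 40, 50 per day after giving notice on 2023-05-20.
    bob:   100 downloads/day throughout (a heavy but consistent user, e.g. build engineer).
    carol: 2 downloads/day throughout.
    """
    notice = date(2023, 5, 20)
    lines = []
    for i in range(22):
        day = date(2023, 5, 1) + timedelta(days=i)
        n_alice = 2 if day < notice else 30 + 10 * (day - notice).days
        for user, n in (("alice", n_alice), ("bob", 100), ("carol", 2)):
            for k in range(n):
                lines.append(f"{day} {user} download /shared/{user}/file{k}.docx")
    return lines


class Verdict(NamedTuple):
    baseline_per_day: float
    recent_per_day: float
    recent_count: int
    flagged: bool


def flag_departing_hoarders(events: List[Event], notice_dates: Dict[str, date],
                            as_of: date, baseline_days: int = 30,
                            ratio: float = 5.0, min_events: int = 20) -> Dict[str, Verdict]:
    """Compare each user's post-notice download rate with their own prior rate.

    A user is flagged when they downloaded at least `min_events` files since
    notice and their daily rate is at least `ratio` times their baseline.
    With no baseline history at all, any burst above `min_events` is flagged.
    """
    per_user_day = Counter((e.user, e.day) for e in events if e.action == "download")
    results: Dict[str, Verdict] = {}
    for user, notice in notice_dates.items():
        base_start = notice - timedelta(days=baseline_days)
        base = sum(c for (u, d), c in per_user_day.items()
                   if u == user and base_start <= d < notice)
        recent = sum(c for (u, d), c in per_user_day.items()
                     if u == user and notice <= d <= as_of)
        recent_days = (as_of - notice).days + 1
        base_rate = base / baseline_days
        recent_rate = recent / recent_days
        if base == 0:
            flagged = recent >= min_events
        else:
            flagged = recent >= min_events and recent_rate >= ratio * base_rate
        results[user] = Verdict(base_rate, recent_rate, recent, flagged)
    return results


# Constructed scenario: all three users gave notice on 2023-05-20.
SAMPLE_NOTICE_DATES = {u: date(2023, 5, 20) for u in ("alice", "bob", "carol")}


def run_demo() -> Dict[str, Verdict]:
    """Run the detector over the constructed log as of 2023-05-22."""
    return flag_departing_hoarders(parse_log(build_sample_log()),
                                   SAMPLE_NOTICE_DATES, as_of=date(2023, 5, 22))


if __name__ == "__main__":
    for user, verdict in run_demo().items():
        print(user, verdict)
```

The baseline is per user, which is the point: bob downloads far more than alice in absolute terms but is not flagged, because his post-notice rate is consistent with his history, while alice’s jump from about 1.3 to 40 downloads per day is. In practice the notice dates come from HR, the events from a file server or cloud audit log, and the thresholds need tuning against the organization’s own data.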
Applying IAM Correctly
Given the possibility that a cybercriminal or malicious insider already has access to the organization’s network, the need for a zero-trust security model is growing. Under zero trust, individuals and devices on the internal network are no longer trusted by default. Gaining access to a particular resource requires proving identity with strong mechanisms such as multi-factor authentication (MFA), and demonstrating a legitimate need for that resource based on job role.
Zero-trust access is built on strong user and device authentication and authorization, which is where identity and access management (IAM) comes into play. IAM defines user identities and the level of access each is permitted on a given network, system, or resource, based on their job responsibilities.
IAM lets an organization enforce “need to know” and least privilege for every resource on its network: access is denied unless a policy explicitly grants it. If an individual or device attempts to access data they are not entitled to, or tries to use it in an inappropriate way, the attempt is blocked and an alert is raised so the security team knows a threat has been detected. Every denied request is therefore both a prevented action and a detection signal.
This approach is essential to addressing the insider threat, where the attacker may already have access to internal systems or may be a malicious or negligent insider. Limiting access to sensitive data and valuable resources makes it harder for an attacker to reach their objectives, which limits the impact of an incident and raises the probability of detection before a breach occurs.
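The following is an added example, written for this article rather than taken from any IAM product, of the enforcement described above: a deny-by-default authorization check in which roles carry only the permissions a job function needs, sensitive resources require a verified MFA factor, and every denial is recorded as an alert for the security team. The roles, resources, users and the `mfa_verified` flag are constructed assumptions; in a real deployment the flag would be set by the authentication layer from a fresh MFA assertion.

```python
"""Deny-by-default, role-based authorization with MFA gating and denial alerts.

Added illustration for this article; the roles, resources and users are
constructed, and `mfa_verified` stands in for an assertion a real
authentication layer would produce.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A permission is (resource, action). Each role gets only what its job
# function needs; anything not listed here is denied (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "engineer": {("source-repo", "read"), ("source-repo", "write")},
    "finance": {("payroll-db", "read")},
    "hvac-vendor": {("hvac-controller", "read"), ("hvac-controller", "write")},
}

# Resources that may only be touched by a principal with a verified MFA factor.
MFA_REQUIRED: Set[str] = {"payroll-db", "source-repo"}


@dataclass
class Principal:
    user: str
    roles: Set[str]
    mfa_verified: bool  # assumption: set by the authentication layer
    active: bool = True  # False once the account is offboarded


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    alerts: List[str] = field(default_factory=list)

    def authorize(self, p: Principal, resource: str, action: str) -> Decision:
        """Evaluate the request and record every denial as an alert."""
        decision = self._evaluate(p, resource, action)
        if not decision.allowed:
            self.alerts.append(
                f"DENY user={p.user} resource={resource} action={action} "
                f"reason={decision.reason}"
            )
        return decision

    def _evaluate(self, p: Principal, resource: str, action: str) -> Decision:
        if not p.active:
            return Decision(False, "account disabled")
        if resource in MFA_REQUIRED and not p.mfa_verified:
            return Decision(False, "mfa required")
        for role in sorted(p.roles):
            if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
                return Decision(True, f"granted by role {role}")
        # No explicit grant matched: deny by default.
        return Decision(False, "no matching role permission")


if __name__ == "__main__":
    ac = AccessControl()
    vendor = Principal("hvac-vendor-1", {"hvac-vendor"}, mfa_verified=True)
    engineer = Principal("alice", {"engineer"}, mfa_verified=True)
    print(ac.authorize(vendor, "hvac-controller", "write"))  # allowed
    print(ac.authorize(vendor, "payroll-db", "read"))        # denied, alerted
    print(ac.authorize(engineer, "source-repo", "write"))    # allowed
    print(ac.alerts)
```

The vendor account in this example can reach the controller it services but nothing else, which is exactly the grant a supplier with network access should have; the denied read of the payroll database is also the audit event that would expose a compromised vendor credential being used to probe the network.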