What are some tips for effective identity and access management to prevent insider data breaches?

Insider data breaches can be a real problem in businesses. One way to address this issue is by implementing an identity and access management solution. 

What tips do you have for ensuring that one's identity and access management solution is effective?

44 Answers

The simplest and most common activity for every insider threat action is the logon. Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.

Remember also that almost every external attack eventually looks like an insider. The use of compromised internal credentials is the most common threat action in data breaches.

To get the best out of any access management solution, think about five primary functions – all working in concert to maintain a secure environment.

  • Two Factor Authentication – Regulating user access involves authentication to verify the identity of a user. But authentication using only a strong user name and password doesn’t cut it anymore. Two-factor authentication combines something you know (your password) with something you have (a token or authenticator application).

  • Access Restrictions – Policies can be added on who can log on when, from where, for how long, how often, and how frequently. They can also limit specific combinations of logon types (such as console- and RDP-based logons).

  • Access Monitoring – Awareness of every single logon as it occurs serves as the basis for the enforcing policy, alerting, reporting, and more.

  • Access Alerting – Notifying IT - and users themselves - of inappropriate logon activity and failed attempts helps alert on suspicious events involving credentials.

  • Access Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.

The potential insider threat scenarios that are now thwarted include:

  • It protects exploited users (from phishing attacks or malicious colleagues) with controls that make genuine but compromised employee logins useless to attackers.

  • It outright restricts certain careless user behavior such as password sharing, shared workstations left unlocked, or logging into multiple computers.

  • Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously, ensures a quick response to suspicious activity, offers evidence to address violations that do occur, and makes all users more careful with their actions.
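The five functions in the answer above can be seen working together in a small logon-policy engine. This is an added example, not code from the original thread or from any product mentioned on the page; the users, policies, IP prefixes and the three-strike block threshold are all constructed assumptions. It checks a second factor, enforces restrictions on hours, source, logon type and concurrent sessions, records every logon (monitoring), raises an alert per violation, and responds by blocking an account after repeated denials.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    """Access restrictions for one account (all values are constructed examples)."""
    hours: tuple              # (start_hour, end_hour), end exclusive, local time
    subnets: tuple            # permitted source IP prefixes
    logon_types: frozenset    # permitted logon types, e.g. console, rdp, vpn
    max_sessions: int         # concurrent sessions allowed (1 = no multi-machine logon)
    require_mfa: bool         # second factor mandatory for this account


@dataclass(frozen=True)
class LogonEvent:
    user: str
    when: datetime
    source_ip: str
    logon_type: str
    mfa_passed: bool


# Constructed policy table: an office user limited to office hours and the office LAN,
# and a service account that may only log on at the console of one backup host.
POLICIES = {
    "alice": Policy((8, 18), ("10.0.1.",), frozenset({"console", "rdp"}), 1, True),
    "svc_backup": Policy((0, 24), ("10.0.9.",), frozenset({"console"}), 1, False),
}

BLOCK_AFTER = 3   # consecutive denied logons before the account is blocked (assumption)


class LogonMonitor:
    def __init__(self, policies):
        self.policies = policies
        self.active = {}      # monitoring: user -> set of "type@ip" sessions
        self.alerts = []      # alerting: (user, reason) for every violation
        self.blocked = set()  # response: accounts blocked from further logons
        self.failed = {}      # consecutive denied logons per user

    def evaluate(self, ev):
        """Return the list of policy violations for a logon; empty means permitted."""
        if ev.user in self.blocked:
            return ["account blocked"]
        pol = self.policies.get(ev.user)
        if pol is None:
            return ["no policy for user"]
        violations = []
        if pol.require_mfa and not ev.mfa_passed:
            violations.append("second factor missing")
        if not pol.hours[0] <= ev.when.hour < pol.hours[1]:
            violations.append("outside permitted hours")
        if not any(ev.source_ip.startswith(p) for p in pol.subnets):
            violations.append("source not permitted")
        if ev.logon_type not in pol.logon_types:
            violations.append(f"{ev.logon_type} logon not permitted")
        if len(self.active.get(ev.user, ())) >= pol.max_sessions:
            violations.append("concurrent session limit reached")
        return violations

    def logon(self, ev):
        """Monitor one logon attempt, alert on violations, and return the action taken."""
        violations = self.evaluate(ev)
        if not violations:
            self.active.setdefault(ev.user, set()).add(f"{ev.logon_type}@{ev.source_ip}")
            self.failed[ev.user] = 0
            return "allowed"
        self.alerts.extend((ev.user, reason) for reason in violations)
        self.failed[ev.user] = self.failed.get(ev.user, 0) + 1
        if self.failed[ev.user] >= BLOCK_AFTER:
            self.blocked.add(ev.user)   # response: refuse all further logons until IT clears it
            return "denied, account blocked"
        return "denied"

    def logoff(self, user, logon_type, source_ip):
        """Release a session so the concurrent-session limit reflects reality."""
        self.active.get(user, set()).discard(f"{logon_type}@{source_ip}")


def run_demo():
    """Replay a constructed sequence of logons; return (actions, alerts)."""
    mon = LogonMonitor(dict(POLICIES))
    t = lambda h, m: datetime(2020, 8, 3, h, m)
    actions = [
        mon.logon(LogonEvent("alice", t(9, 0), "10.0.1.5", "console", True)),
        # second machine while the first session is still open: max_sessions refuses it
        mon.logon(LogonEvent("alice", t(9, 5), "10.0.1.7", "rdp", True)),
    ]
    mon.logoff("alice", "console", "10.0.1.5")
    actions += [
        # alice's credentials used at night, from outside, without a second factor
        mon.logon(LogonEvent("alice", t(23, 0), "203.0.113.9", "rdp", False)),
        mon.logon(LogonEvent("alice", t(23, 1), "203.0.113.9", "vpn", False)),
        # the genuine user's normal logon is now refused until IT unblocks the account
        mon.logon(LogonEvent("alice", t(9, 0), "10.0.1.5", "console", True)),
    ]
    return actions, mon.alerts


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The point of the replay is that the compromised credentials are useless to whoever holds them: the night-time logons fail on three independent checks, and the account is blocked before a third attempt succeeds. The cost is visible too: the legitimate user's next logon is refused, which is why the response function has to be paired with an alert to IT and the user so the block is investigated and lifted deliberately.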

Top 10 Real User

The premise of any effective Identity and Access Management solution is that 100% "Trust" exists. Unfortunately, trusting someone to the "keys of the kingdom" is best left to Hollywood, while ensuring the business stays afloat in the real world requires that a robust zero trust mechanism be implemented. New employees, whether experienced or fresh out of school, do not have the luxury of developing the level of trust that can be deemed "100%".

Community Manager

Thanks for your input @JoeValero. So bearing in mind that 100% "trust" is impossible, do you have some suggestions for how to increase protection against insider breaches?

Top 5 Leaderboard Real User

Once you've selected the right solution for your business, you need to make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks. Identify all of your information assets, classify them based on sensitivity and criticality (e.g. Public, Internal Use Only, Confidential, and Restricted), then create rules for the granting, revocation and modification of access to those assets. Once that is done and everyone is aware of the policies and procedures governing access, you can implement the solution accordingly. Post-implementation you will want to have a process in place for periodic review of access based on applicable regulatory, audit and security requirements. You may have to create custom reports if the canned reports are not sufficient. Data owners should be involved in the review since they are usually in a better position to determine if an individual's access is still legitimate.
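The classify-then-rule-then-review process in the answer above lends itself to a small worked example: an asset inventory with the four classifications named, a grant rule that refuses ineligible requests, and a periodic review that produces the kind of custom report a data owner would act on. This is an added illustration, not code from the thread or from any IAM product; the assets, departments, review intervals and the HR feed are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Recertification interval per classification, in days (constructed policy values).
REVIEW_DAYS = {"Public": None, "Internal Use Only": 365, "Confidential": 180, "Restricted": 90}

# Constructed asset inventory: asset -> (classification, data owner, eligible departments).
ASSETS = {
    "intranet-wiki": ("Internal Use Only", "it-owner", {"*"}),
    "customer-db": ("Confidential", "sales-owner", {"sales", "support"}),
    "payroll": ("Restricted", "hr-owner", {"hr"}),
}

# Constructed HR feed: user -> (department, still employed).
USERS = {
    "ana": ("sales", True),
    "ben": ("hr", True),
    "cy": ("engineering", True),
    "dee": ("hr", False),   # left the company; access should already be revoked
}

TODAY = date(2020, 8, 3)   # fixed review date so the example is reproducible


@dataclass(frozen=True)
class Entitlement:
    user: str
    asset: str
    granted: date
    last_reviewed: date


def eligible(user, asset):
    """Granting rule: active user whose department the asset's classification allows."""
    dept, active = USERS.get(user, (None, False))
    _cls, _owner, depts = ASSETS[asset]
    return active and ("*" in depts or dept in depts)


def grant(user, asset, today):
    """Apply the granting rule; return the new entitlement, or None if refused."""
    if not eligible(user, asset):
        return None
    return Entitlement(user, asset, granted=today, last_reviewed=today)


def review_access(entitlements, today):
    """Periodic review: findings keyed by data owner as (user, asset, reason) tuples."""
    findings = {}
    for e in entitlements:
        cls, owner, depts = ASSETS[e.asset]
        dept, active = USERS.get(e.user, (None, False))
        reasons = []
        if not active:
            reasons.append("user no longer active: revoke")
        elif "*" not in depts and dept not in depts:
            reasons.append(f"department {dept} not eligible for {cls} asset")
        interval = REVIEW_DAYS[cls]
        if interval is not None and (today - e.last_reviewed).days > interval:
            reasons.append(f"recertification overdue ({cls}: every {interval} days)")
        for reason in reasons:
            findings.setdefault(owner, []).append((e.user, e.asset, reason))
    return findings


def demo_review():
    """Run the review over a constructed set of entitlements."""
    entitlements = [
        Entitlement("ana", "customer-db", date(2019, 1, 10), date(2020, 6, 1)),   # fine
        Entitlement("ben", "payroll", date(2018, 5, 2), date(2020, 3, 1)),        # 155 days > 90
        Entitlement("cy", "customer-db", date(2020, 2, 1), date(2020, 7, 1)),     # wrong department
        Entitlement("dee", "payroll", date(2017, 9, 9), date(2020, 7, 15)),       # departed user
        Entitlement("cy", "intranet-wiki", date(2018, 1, 1), date(2019, 1, 1)),   # 580 days > 365
    ]
    return review_access(entitlements, TODAY)


if __name__ == "__main__":
    for owner, items in sorted(demo_review().items()):
        print(owner)
        for user, asset, reason in items:
            print(f"  {user:5} {asset:14} {reason}")
```

Keying the report by data owner is the deliberate design choice: each owner sees only the entitlements on their own assets, which is what makes a review by the people who actually know whether access is still legitimate practical. Shorter intervals for the higher classifications mean Restricted assets get looked at most often, and a departed user surfaces as a revoke regardless of when the access was last certified.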

Community Manager

@Mark Adams this is really great advice - Thanks for sharing!

Top 10 Real User

Bearing in mind that 100% trust is impossible, it is best to get to zero trust as soon as possible within the confines of your company's risk appetite and with the best tools your company can afford. There are many Identity and Access Management products and services out there - choose wisely and carefully.

Community Manager

@JoeValero Thanks! Any tips for making the selection process easier?
