Improve your Identity and Access Governance (IAG) & Assess your Application Security Risk
With COVID-19 catching much of the world off-guard, there has been a scramble for organisations to make key applications, such as financial and HR applications, available to staff working remotely, thereby increasing the risks to these applications and ultimately to corporate information.
This shift has brought unanticipated challenges to many organisations and this has put a strain on risk management policies and resources.
“The control used to be that most critical applications were not available externally, outside of the company’s network, but only from within the company’s offices and thereby protected by the company’s network security,” says Amanda Hechter, Senior Managing Consultant at Mobius Consulting.
“Very few applications were available externally before COVID-19. For example, nearly all payroll and finance applications were run by staff who were based at the office, and now, for the first time for many corporates, users have to log in remotely.”
Hackers aren’t sleeping: they constantly monitor which applications are exposed, and the moment a loophole is identified they use it to compromise an organisation. This creates the need for more stringent access control measures.
A full Identity and Access Governance (IAG) audit can take time, which is something that companies don’t have at the moment, but there are some quick solutions you can put in place to get immediate insights into your present risk exposure:
1. Identifying Key Applications
All companies make use of a variety of applications, many of which the IT and security departments may not be aware of. As a starting point, it is important that a comprehensive list of company-wide applications is drawn up. Once this is done, you can identify the key applications where your risk is highest, who is responsible for each application, and the associated risk involved. For example:
- HR applications like payroll
- Accounting and financial management applications
- Enterprise Resource Management Systems like SAP
- Marketing applications
Of the key applications identified, it is important to understand which are hosted on-premise and which are hosted in the cloud, as this changes the risk exposure.
On-premise applications are hosted behind a secure network that the organisation has full control over; many financial and HR systems fall into this category. Even though these applications are likely to be more secure than cloud-based applications, when your entire staff complement is suddenly required to work from home, companies and security teams are faced with having to quickly adapt systems that were not built for remote user access. This has opened the floodgates to a variety of unforeseen risks.
Cloud-based applications are often secured by only one layer of identification and login: username and password. This poses a massive risk to the business, because anyone who knows a user’s login details can access that application. A key consideration should be the appropriate way to manage this risk, for example by introducing two-factor authentication and by tightening up policies.
2. Managing User Access
During this period of uncertainty, the level of risk associated with the management of user access control has dramatically escalated, and drastic measures need to be taken to protect the company against fraudulent and malicious behaviour, whether intentional or accidental.
“Coronavirus is putting serious pressure on IT departments; users are creating a perfect storm for abuse and misuse and there has been a spike in access fraud which has further burdened identity management and security teams,” says Raymond du Plessis, Senior Managing Consultant at Mobius Consulting.
Below are a few questions that need to be answered regarding user access control to applications, whether these are hosted on-premise or in the cloud:
- Can you identify all the users who are logging into company applications?
- Is there a secure and reliable method in place to authenticate users?
- Is there a mechanism in place for authorisation of users on applications?
- Is there a mechanism to monitor usage of the application?
- Are users accessing the application from a secure device and over a secure network?
“We are faced with a massive shift in the status quo and a wave of unforeseen risks have come with trying to adapt internal applications with external user access,” says Lee Bristow, the Chief Technology Officer at Phinity Risk. “Applications like Procensus make remote application risk far easier to manage.”