Dear CISOs: is it time to review your IAM strategy?
20th September 2017 by Mauro Verderosa
The original article can be found here.
Another data breach caused by the lack of a proper IAM strategy. How many more breaches will happen before IAM finally enters the business and technical mindset of companies?
Each time news appears about a data breach at a company, I have to admit that I still find things that manage to surprise me.
On 7 September 2017, Equifax, a company that manages data on more than 820 million people and more than 91 million companies, announced that more than 143 million records in its possession (30% of the US population), including US, Canadian and British citizens, had been compromised 4 months before the official announcement.
Although this breach ranks only third in size, behind Yahoo (read here and here) and MySpace, it could be the most harmful because it involves personal details including first and last names, email addresses, phone numbers, home addresses, social security numbers, personal and company financial information, driving licence information and credit card data.
We could agree that “bad things happen”, but not in this case, because the choices that led to this breach carry precise responsibilities.
Just a few days after the scandal, the information that had emerged already made clear that the leak of sensitive data was handled in the worst possible way.
It was also discovered that, after the breach and before the public announcement, three managers sold stock options worth $18 million between July and August 2017.
What is there behind these facts?
First of all, it was discovered that the CISO (Chief Information Security Officer) Susan Mauldin, a person hired directly by the CIO (Chief Information Officer) David Webb, was not qualified to prepare the company's security strategy because she had no background in cybersecurity or IT, only studies in music. The company's management has now rightly asked both of them to resign with immediate effect.
What happened exactly?
Apparently, some privileged corporate accounts were compromised due to the use of simple passwords. (Yes, these things still happen in 2017...)
Beyond the lack of some basic security protections, the lack of a proper IAM implementation created a domino effect that led to the breach. We can summarize what happened in a few simple points:
- Lack of a centralized password vault
- Lack of enforcement for privileged accesses
- Lack of a 2FA implementation
- Lack of a global IAM strategy
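As an added example (not part of the original article), the following script audits a constructed account inventory against the first three gaps above: privileged accounts must use 2FA, have their credentials in the central vault, have an accountable owner and rotate passwords within policy. The field names, the 90-day rotation policy and the sample accounts are assumptions.

```python
"""Audit an account inventory for the IAM gaps listed above.

Added example, not code from the original article. Field names,
the 90-day rotation policy and the sample accounts are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PRIV_PASSWORD_AGE_DAYS = 90  # assumed policy value


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enabled: bool
    vaulted: bool              # credential stored and rotated by the central vault
    password_set: date         # date of the last password change
    owner: Optional[str] = None  # accountable human owner, if any


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the policy findings for one account (empty list = compliant).

    Only privileged accounts are checked: they are the ones whose
    compromise produces the domino effect described in the article.
    """
    findings: List[str] = []
    if not acct.privileged:
        return findings
    if not acct.mfa_enabled:
        findings.append("privileged account without 2FA")
    if not acct.vaulted:
        findings.append("privileged credential not in central password vault")
    if acct.owner is None:
        findings.append("privileged account without accountable owner")
    if (today - acct.password_set).days > MAX_PRIV_PASSWORD_AGE_DAYS:
        findings.append("privileged password older than policy allows")
    return findings


def audit_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only non-compliant accounts."""
    return {a.name: f for a in accounts if (f := audit_account(a, today))}


# Constructed sample inventory: one neglected shared admin account,
# one well-managed admin, one unprivileged guest.
SAMPLE = [
    Account("svc_dbadmin", True, False, False, date(2016, 1, 15)),
    Account("jsmith", True, True, True, date(2017, 8, 1), owner="J. Smith"),
    Account("guest", False, False, False, date(2017, 6, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, date(2017, 9, 7)).items():
        print(name, "->", "; ".join(findings))
```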
Today, too many organizations still do not put a solid IAM model at the center of their strategy.
IAM can no longer be considered a mere tool, a “nice to have”.
A proper IAM strategy gives companies a better understanding of their data, their accesses, their internal processes, their entitlements, the propagation of information and password updates.
Beyond these factors, consider that IAM enforces auditing, event monitoring and log centralization, and can enable global reporting as well.
Moreover, a correct IAM strategy can help your company become GDPR compliant (for more information read here).
On this last point, once GDPR comes into effect on 25 May 2018, be aware that you will be forced to announce any breach within 72 hours. Failing to implement such a solution could cost you fines of up to 4% of the company's yearly turnover, claims for damages from customers and possible damage to your company's reputation.
Technical people too often forget that there are no IT patches for reputational damage.
For any further information, do not hesitate to contact me: I will be happy to help you.