2019 SailPoint Identity Insider Magazine - Page 18

Managing Partner, VP Consulting, Column Information Security

What's the Key Enabler for Security Incident Response?
A modern Security Incident Response solution is a system of interconnected components working together to identify known and unknown threats and to prevent or limit damage done by those threats. The method for addressing those threats loosely follows the NIST Cybersecurity Framework Functions – Identify, Protect, Detect, Respond, and Recover. For each function, identity and access management (IAM) plays a key role in keeping technology resources and data secure.
Identify – As part of this function, applications and resources need to be catalogued and prioritized, and this information can be the basis for the entitlement catalog in IAM. Risk Assessment considers the business criticality of applications and establishes how high-risk resources and accounts will be managed. In IAM, access to high-risk resources may require additional approvals. Privileged accounts may require enhanced monitoring or more frequent certifications.
Protect – Access Control is a category of the Protect function, and it aligns with core objectives of IAM: manage identities and credentials, assure that access is authorized and appropriate, grant only the access necessary to perform one's work (least privileged access), and enforce separation-of-duties to avoid conflicts of interest. The Data Security category provides a compelling use case for Data Access Governance, especially data at rest, and sensitive data stored in files.
Detect – Modern detection solutions compare observed activities against a collection of "normal" activity for the affected endpoint or resource. IAM data can be used to enrich observed data and help determine what should be done. If an offsite Admin, for example, is attempting to access a financial application, the IAM platform can provide data showing that the Admin is not authorized for access, even in cases where the governing directory service was altered to grant access. In this case, a Security Incident Response ticket would be raised immediately.
Respond – IAM enhances the Analysis category of the Respond function by providing data about an account or an individual related to a security event. Does the account belong to an active user who has authorized access to the resource in question? What other accounts does that user have access to, and what other data could be compromised?
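The Detect enrichment (does the governed entitlement catalog agree with what the directory actually grants?) and the Respond questions (is the identity active, and what else can it reach?) worked as an added example; this is not code from the column or from any SailPoint product. The identity records, entitlement catalog, directory groups, access events and verdict names are all constructed, hypothetical samples.

```python
# Added example, not from the column: enrich access events with IAM data
# (Detect) and enumerate an identity's blast radius (Respond). All constructed.
IAM_CATALOG = {            # governed, approved access: identity -> resource -> entitlements
    "jdoe":   {"hr-portal": {"hr-user"}},
    "asmith": {"fin-app": {"fin-admin"}},
}
IDENTITIES = {             # lifecycle status and linked accounts per identity
    "jdoe":   {"status": "active", "accounts": ["jdoe", "jdoe-adm"]},
    "asmith": {"status": "terminated", "accounts": ["asmith"]},
}
DIRECTORY_GROUPS = {       # what applications honour at login; jdoe-adm was
    "jdoe-adm": {"fin-app-admins"},   # added to fin-app-admins outside IAM approval
    "asmith":   {"fin-app-admins"},
}
GROUP_TO_ENTITLEMENT = {"fin-app-admins": ("fin-app", "fin-admin")}
ACCOUNT_TO_IDENTITY = {a: i for i, r in IDENTITIES.items() for a in r["accounts"]}
EVENTS = [                 # constructed access events as an endpoint might report them
    {"account": "jdoe", "resource": "hr-portal", "entitlement": "hr-user"},
    {"account": "jdoe-adm", "resource": "fin-app", "entitlement": "fin-admin"},
    {"account": "asmith", "resource": "fin-app", "entitlement": "fin-admin"},
    {"account": "svc-old", "resource": "fin-app", "entitlement": "fin-admin"},
]

def enrich(event):
    """Attach identity context and a verdict to one observed access event."""
    ident = ACCOUNT_TO_IDENTITY.get(event["account"])
    target = (event["resource"], event["entitlement"])
    governed = target[1] in IAM_CATALOG.get(ident, {}).get(target[0], set())
    dir_granted = any(GROUP_TO_ENTITLEMENT.get(g) == target
                      for g in DIRECTORY_GROUPS.get(event["account"], ()))
    verdict = ("orphan-account" if ident is None          # no identity owns the account
               else "inactive-identity" if IDENTITIES[ident]["status"] != "active"
               else "authorized" if governed
               else "directory-drift" if dir_granted      # directory grants what IAM never approved
               else "unauthorized")
    return {**event, "identity": ident, "governed": governed, "verdict": verdict}

def triage(events):
    """Detect: the enriched events that warrant a Security Incident Response ticket."""
    return [e for e in map(enrich, events) if e["verdict"] != "authorized"]

def blast_radius(identity):
    """Respond: the identity's accounts and every resource they can reach, governed or not."""
    accounts = IDENTITIES.get(identity, {}).get("accounts", [])
    resources = set(IAM_CATALOG.get(identity, {}))
    for acct in accounts:
        resources.update(GROUP_TO_ENTITLEMENT[g][0] for g in DIRECTORY_GROUPS.get(acct, ())
                         if g in GROUP_TO_ENTITLEMENT)
    return {"accounts": accounts, "resources": sorted(resources)}
```

Running `triage(EVENTS)` flags the directory-drift login, the terminated user's account and the orphan account while letting the governed `jdoe` access through; `blast_radius("jdoe")` then shows that the drift also exposes `fin-app`, not just `hr-portal`.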
Recover – The Improvements category for the Recover function often calls for additional checkpoints and approvals to ensure that all access is authorized, appropriate, and is removed when it is no longer needed. This is a core function of IAM, and vital to the security posture of any