In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems and use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model and the disciplines needed to implement it. In this post, I’ll discuss each of the five levels of the Maturity Model and the controls you should put in place to achieve each of them.
Level 1 – Managed
This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it makes compliance with regulations like GDPR easier, but it is in no way a “cure-all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:
- Access Control
  - 2FA for admins
  - No developer access to production data
  - No program-lead access to production
- Data Protection
  - No insecure data transfers
  - No insecure data staging
  - Data encrypted in transit
- Audit
  - Audit all admin system configuration changes
  - Audit user access to systems
Some things to note. 2FA for admins is just good practice in every setting, especially if you do not have a privileged account management procedure in place. We often hear “no developer access to production,” but in an era of DevOps you want your developers in production. That doesn’t mean they need access to production data, just the production systems themselves. Similarly, while developers get a lot of attention, one constituency that doesn’t is program leads. People like me should not have access to production. If you oversee an IAM program, you should not have any sort of administrative access to your production systems. Sure, you are an end-user of those systems, like everyone else, but you should not have any other privileges.
Probably not a lot of surprises in the Data Protection section, but we still see people getting tripped up by staging data insecurely.
Audit, too, comes with little surprise. Know what admins are doing to your systems and know who is using your systems.
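To make the Level 1 access-control and audit rules concrete, here is an added example (not code from the original post, and not any particular IAM product’s policy language) of a deny-by-default policy check that encodes them: admins get privileged actions only with a verified second factor, developers may operate production systems but never touch production data, program leads get nothing in production beyond ordinary end-user use, and every decision, allowed or denied, is written to an audit log with admin configuration changes tagged for review. The role names, resource and action vocabulary, and log record layout are assumptions made for the example.

```python
from dataclasses import dataclass, asdict
from typing import Any, Dict, List

# Role vocabulary is an assumption for this example, not from the post.
ROLES = {"admin", "developer", "program_lead", "user"}


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    role: str           # one of ROLES
    environment: str    # "production" or "non_production"
    resource: str       # "system" (log in / operate), "data", or "config"
    action: str         # "use" (end-user), "read", or "write"
    mfa_verified: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Deny-by-default evaluation of the Level 1 access-control rules."""
    if req.role not in ROLES:
        return Decision(False, "unknown role")

    # Everyone, program leads included, is an ordinary end user of production.
    if req.resource == "system" and req.action == "use":
        return Decision(True, "end-user access")

    if req.role == "admin":
        # 2FA for admins: no privileged action without a verified second factor.
        if not req.mfa_verified:
            return Decision(False, "admin privilege requires 2FA")
        return Decision(True, "admin with 2FA")

    if req.role == "developer":
        # Developers belong on production systems, but not in production data.
        if req.environment == "production" and req.resource == "data":
            return Decision(False, "no developer access to production data")
        if req.environment == "production":
            return Decision(True, "developer operating a production system")
        return Decision(True, "developer in non-production")

    if req.role == "program_lead":
        if req.environment == "production":
            return Decision(False, "no program-lead access to production")
        return Decision(False, "no rule grants program-lead privilege")

    # Plain users get nothing beyond end-user access handled above.
    return Decision(False, "deny by default")


def authorize(req: AccessRequest, audit_log: List[Dict[str, Any]]) -> Decision:
    """Evaluate the request and append an audit record for every outcome."""
    decision = evaluate(req)
    record = {**asdict(req), "allowed": decision.allowed, "reason": decision.reason}
    # Admin configuration changes are tagged so they can be pulled out for review.
    if req.role == "admin" and req.resource == "config" and req.action == "write":
        record["event"] = "admin_config_change"
    else:
        record["event"] = "access"
    audit_log.append(record)
    return decision


def config_changes(audit_log: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Admin configuration changes that were actually applied."""
    return [r for r in audit_log if r["event"] == "admin_config_change" and r["allowed"]]


def demo() -> List[Dict[str, Any]]:
    """Run a constructed set of requests and return the resulting audit log."""
    log: List[Dict[str, Any]] = []
    requests = [  # constructed sample input, not real traffic
        AccessRequest("alice", "admin", "production", "config", "write", mfa_verified=False),
        AccessRequest("alice", "admin", "production", "config", "write", mfa_verified=True),
        AccessRequest("bob", "developer", "production", "system", "write"),
        AccessRequest("bob", "developer", "production", "data", "read"),
        AccessRequest("carol", "program_lead", "production", "system", "use"),
        AccessRequest("carol", "program_lead", "production", "config", "write"),
    ]
    for req in requests:
        authorize(req, log)
    return log


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The two things worth copying from this shape are the explicit deny at the end of `evaluate` (anything a rule does not grant is refused, so a new role or resource type fails closed) and the fact that denied requests are logged alongside allowed ones, which is what lets you spot a developer repeatedly probing production data or an admin trying to work without a second factor.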