O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576


Accountability Act (HIPAA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and numerous other federal, state, and industry regulations, become a key security task: to manage access to applications, services and data by employees and partners from multiple devices and locations, without compromising security.

Identity and access management in the cloud

Organizations should recognize that their existing identity capabilities may not be working due to the pervasive use of mobile technologies as well as the increase in mobile workers. Today's identity management processes need to enable access anywhere and support business innovation, but be a security enhancement rather than a security nuisance or a service workaround. Many organizational users compromise security to be more efficient in their jobs, forgetting that they are adding risk to the business.

Access for remote enterprise employees as well as business partners should be based on action roles rather than human access permissions. An action role is a simple way to create an activity capability that allows a user to complete a specific task (e.g. patch a server or update a configuration). The result of an action role is that no one within an organization has direct access to privileged actions (e.g. administrative functions) as an individual. The key security benefit is that no one within the organization can tie a privileged identity to their mobile device (e.g. phone, laptop, etc.), which can be stolen, lost or compromised.

Per our previous example, the HITECH Act requires the Health & Human Services Secretary to post a list of breaches of unsecured protected health information affecting 500 or more individuals. Within the first 2 months of 2017 there were 122,706 individual record breaches through loss of a Portable Electronic Device (PED), theft of a laptop or desktop and/or transmission of electronic protected health information (ePHI) that is covered under Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations. The reality is that these breaches are a direct result of too much access to protected organizational data. Organizations need to develop and implement a least privilege access strategy which encompasses their on-premise, cloud computing and mobile capabilities across all organization users, partners and customers.

Least privilege access

The principle of least privilege is also known as the principle of minimal privilege or the principle of least authority. It requires that, in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. The principle means giving a user account only those privileges which are essential to that user's work. When applied to Identity & Access Management (IAM)
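The action-role and least-privilege ideas above can be made concrete as policy documents. The following is an added example, not code from the O'Reilly report or from Threat Stack: it models a standing administrator grant next to an "action role" that permits only the calls needed to patch a tagged server, then runs a small least-privilege check over both. The policy documents are constructed samples; the action names follow the AWS "service:Action" convention and the account id and tag are placeholders, but the checker itself is generic to any policy in that shape.

```python
"""Least-privilege check for IAM-style policy documents (added example).

Models the report's "action role" as a policy that grants only the actions
one task needs, and flags statements that grant more than that. Sample
policies below are constructed; account id 111122223333 and tag value
"web" are placeholders.
"""
import fnmatch

# Constructed sample: blanket administrator grant, the kind of standing
# privilege the text says no individual should carry around on a device.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: an action role for the single task "patch a server".
# Command execution is limited to instances in one account carrying a
# PatchGroup tag; the rest is read-only status lookup.
PATCH_SERVER_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:SendCommand"],
            "Resource": "arn:aws:ec2:*:111122223333:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/PatchGroup": "web"}},
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:ListCommandInvocations", "ssm:GetCommandInvocation"],
            "Resource": "*",
        },
    ],
}

READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement_index, reason) pairs for Allow statements that grant
    more than a single task needs: a full action wildcard, a whole-service
    wildcard such as 'ec2:*', or a mutating action on an unscoped resource."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append((idx, "action wildcard '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((idx, f"service wildcard '{action}' grants every call in the service"))
        mutating = any(
            not a.split(":")[-1].startswith(READ_ONLY_PREFIXES) for a in actions
        )
        if "*" in resources and mutating:
            findings.append((idx, "mutating action allowed on Resource '*'"))
    return findings


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow grants the call. Condition blocks are not evaluated here and are
    treated as satisfied."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_match = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
        resource_match = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
        if action_match and resource_match:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_POLICY), ("patch-server role", PATCH_SERVER_ROLE)):
        print(f"{name}: {find_overbroad_statements(policy) or 'no over-broad statements'}")
    # The action role can patch a tagged instance but cannot touch IAM.
    print(is_allowed(PATCH_SERVER_ROLE, "ssm:SendCommand",
                     "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"))
    print(is_allowed(PATCH_SERVER_ROLE, "iam:CreateUser", "*"))
```

Running the checker over every role in an account is the automatable part of a least privilege strategy: the admin policy is reported twice (wildcard action, mutating action on every resource), while the action role passes because its only mutating call is bound to a specific account and a tag condition.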
