This post stems from a recent major breach at U.S.-based credit card processor Global Payments. Personally I was affected by this breach as well: one of my credit card issuers sent me a new card even though it’s neither expiring soon nor did I report a stolen card. (A good practice, however, and thumbs up to my card issuer.)
According to Avivah Litan from Gartner, “the crime was perpetrated … broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently.” If that is true, an administrative account was apparently compromised through KBA (knowledge-based authentication). IT folks at Global Payments have a big hole to patch and a lot of explaining to do. Now let’s think a step further: should an IAM solution even manage the admin accounts of applications at all?
Obviously IdM (Identity Management) manages identities and Access Management manages access to applications/systems; together they are called IAM (Identity and Access Management). But should IAM also manage the administrative accounts for apps/systems, even including the root account of those apps/systems? To stay flexible, the IAM usually passes an identity (user name) and a list of roles to the app and lets the app/system decide what privileges that identity should have within it, rather than having the IAM dictate the privileges. If IAM does manage admin accounts for the apps/systems, how should risks like the KBA compromise be mitigated? There are a few options we can explore:
- not allow regular users to have admin privileges at all
- separate the admin function from the regular function in the system and make it not accessible from outside the intranet
- add multi-factor authentication, especially for highly sensitive apps/systems and privileged accounts
Option 1 is easy to implement but less convenient for end users. Option 2 is hard to implement and varies from app to app; for some apps it may be impossible to implement. Option 3 is the more sensible approach. Multi-factor authentication is picking up steam and is flexible. It’s applicable not only to accounts that have admin privileges, but also to sensitive applications, for example Finance or HR apps. However, the devil is in the details: it is important to have a versatile Single Sign-On solution that supports multi-factor authentication.
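To make the three options concrete, here is an added example (not code from the original post, and not from any IAM product) of an access decision that the IAM or SSO layer could make after it has established the identity and role list discussed earlier, before handing the user off to the app. The app names, role names, intranet ranges, factor names and the `authorize` function are all constructed for illustration. The key point is that knowledge-based answers (password, KBA) count as a single factor type, so a KBA answer alone never satisfies the multi-factor requirement for a privileged account or a sensitive app.

```python
"""Step-up authentication policy for privileged and sensitive access.

Added example, not code from the original post. It encodes the three
mitigations discussed there:
  1. regular (non-privileged) users never reach admin functions,
  2. admin functions are only reachable from the intranet,
  3. privileged accounts and sensitive apps require multi-factor auth.
All names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data (hypothetical app and role names).
SENSITIVE_APPS = {"finance", "hr", "payments"}
PRIVILEGED_ROLES = {"admin", "root"}
INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Factor classes: KBA and passwords are both "something you know", so
# combining them is still single-factor. A second factor must come from
# a different class (something you have / something you are).
KNOWLEDGE_FACTORS = {"password", "kba"}
STRONG_FACTORS = {"totp", "hardware_token", "push", "fido2"}


@dataclass
class Session:
    """What the IAM layer knows about the caller (constructed fields)."""
    user: str
    roles: set            # roles the IAM will pass to the app
    factors: set          # authentication factors completed so far
    source_ip: str
    is_admin_function: bool = False   # requesting the app's admin interface?


@dataclass
class Decision:
    allowed: bool
    reason: str


def is_intranet(ip: str) -> bool:
    """True if the source address falls inside a configured intranet range."""
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET)


def is_mfa(factors: set) -> bool:
    """True only if at least two distinct factor classes were used."""
    return bool(factors & KNOWLEDGE_FACTORS) and bool(factors & STRONG_FACTORS)


def authorize(app: str, session: Session) -> Decision:
    """Decide whether the session may proceed to `app` with its requested scope."""
    privileged = bool(session.roles & PRIVILEGED_ROLES)

    # Option 1: a regular user is never granted an admin function.
    if session.is_admin_function and not privileged:
        return Decision(False, "admin function requires a privileged role")

    # Option 2: admin functions are not reachable from outside the intranet.
    if session.is_admin_function and not is_intranet(session.source_ip):
        return Decision(False, "admin function not reachable from outside the intranet")

    # Option 3: privileged accounts and sensitive apps need a second factor.
    # A KBA answer on top of a password does not count (same factor class).
    if (privileged or app in SENSITIVE_APPS) and not is_mfa(session.factors):
        return Decision(False, "step-up required: multi-factor authentication")

    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed scenario resembling the breach: an admin account whose
    # holder answered KBA questions from outside the network.
    kba_only = Session("ops-admin", {"admin"}, {"password", "kba"},
                       "203.0.113.7", is_admin_function=True)
    print(authorize("payments", kba_only))
    with_token = Session("ops-admin", {"admin"}, {"password", "hardware_token"},
                         "10.1.2.3", is_admin_function=True)
    print(authorize("payments", with_token))
```

Running the module prints a denial for the KBA-only admin session (blocked at the intranet check, and it would be blocked again at the MFA check even from inside) and an allow for the same account using a hardware token from the intranet. In a real deployment the decision would be logged with the reason string so that repeated step-up failures against privileged accounts show up in monitoring.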