Managing the insider threat

Access & Identity Management Handbook 2020 Access Control & Identity Management

The insider threat is so immense it now even has a month dedicated to it.

Gerard King.

With the mission-critical role played by today’s mainframes it is essential to pay close attention to the insider threat and the management of privileged users. I think we can safely say that there is little argument from any research house that the biggest security risk organisations face today is the insider threat.

However, that is not to say that the majority of insiders are malicious. Insider threats come from many sources. Certainly, malevolent insiders pose a threat, but often the threat originates from employee mistakes rather than malice, or a valid system account being compromised by an external attacker.

Faced with these significant threats, we must focus our security management practices at effectively mitigating the risks in this area. This is easier said than done as there are hurdles to overcome first.

The following are four best practices essential to the management of insider threat:

Assess and secure.

Govern and control.

Record and review.


Assess and secure

It is important to assess your existing security posture and, based on the results, implement the necessary controls to mitigate key risks. This involves identifying your privileged users and determining which of these users truly need this level of access. It is extremely likely you will find that you have too many privileged users.

You must also understand your data landscape. Make use of scanning and classification tools to gain an understanding of where your sensitive data resides, including financial, personally identifiable information, private health material and other information that is confidential to your business. Understanding your data landscape, and determining the risks of each classification of data that you own, will provide you with the necessary information to implement good risk mitigation capabilities. Restrict access to this data as much as possible and, in many cases, limit this access to only your privileged users.

Govern and control

The use of a privileged access management tool that allows privileges to be elevated only when needed will be important to ensuring you adhere to the principles of least access and therefore mitigate risks in this area. Also, the use of multi-factor authentication for privileged users is important to prevent these high-risk accounts from falling into the wrong hands.

Monitoring these accounts to ensure compliance with access policies is essential. This will involve understanding who has access to critical applications and data as well as being informed of who has been accessing these resources. Logging and alerting around this area will help mitigate many critical risks. It is also important to identify who has not accessed sensitive resources in several months or even years. These are the users that need their permissions reduced, which will in turn reduce your overall risk and is consistent with the principles of least access.

Record and review

It is crucial to monitor the activity of all users, especially privileged users. The use of tools that can monitor activity against security policies, and send alerts when these policies are violated, is essential.

Many organisations use Security Information and Event Management (SIEM) platforms within their Security Operations Centre (SOC). A best practice involves sending mainframe security events to these SIEM platforms. This allows the SOC to identify security issues on the mainframe and react quickly to reduce the risk to the business. But, it is important to filter and enrich the event information coming from the mainframe to the SIEM platform. This ensures that these events are clearly understood and don’t overwhelm the platform.

Operationalise – strengthen that risk posture

Now that you have the necessary steps and controls in place, you need to operationalise each area to ensure you maintain a good risk posture. This includes the ongoing use of clean-up tools to review if users need their level of access control adjusted, which will be necessary when employees change jobs or leave the company. Don’t forget to continuously scan for sensitive data, as data is always changing. Understanding when and where new copies of sensitive data enter your systems helps you adjust your access policies, reduce risk and pass audits.

Adaptation is key to survival

Remember, our environments are continuously changing and we need to continuously monitor these changes and adjust. With this approach we stand the best chance of keeping our risks at the lowest possible levels.

For more information contact CA Southern Africa, +27 11 417 8594, [email protected]



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Powder coating provides durable finish
Turnstar Systems Access Control & Identity Management Industrial (Industry)
Turnstar’s powder coating line provides corrosion resistance, high-quality surface finishing and a long-term environment-friendly impact for all access control components the company manufactures.

Local makes lekker parking bay management technology
Access Control & Identity Management
South African born-and-bred technology platform Parket builds a seamless bridge between supply and the ever-increasing, but fluid – and often temporary – demand for parking bays.

Local innovation continues
BoomGate Systems Access Control & Identity Management
While having local manufacturing facilities presents its own set challenges in South Africa, Boomgate Systems makes full use of its in-house local manufacturing and R&D.

CathexisVision integrated with Suprema’s BioStar2
Technews Publishing News Access Control & Identity Management Integrated Solutions
This integration uses BioStar2 access control events to trigger automated actions on the CathexisVision system, including alerts, recording a camera and commands such as locking and unlocking doors, and clearing an alarm.

Maximise parking lot security
Hikvision South Africa Access Control & Identity Management
Hikvision has created its range of TandemVu PTZ cameras which provide wide-angle and close-up visibility of incidents, real-time alerts for security teams, and sound and light alarm deterrents in commercial parking spaces.

Linux-based biometric access control
ZKTeco Products Access Control & Identity Management
The SpeedFace M4 is a Linux-based multi-biometric access control and time attendance terminal with visible light facial recognition and palm verification.

Hospitality in the post-pandemic world
Salto Systems Africa Access Control & Identity Management
COVID-19 has forced the hospitality industry into reconfiguring hotel operations, but it has also provided a new opportunity to transform them for the better.

ACaaS: The future of access control systems
Suprema Access Control & Identity Management
As many SaaS-based cloud services in other industries have shown, ACaaS will improve quality, making it more convenient, safe and quick to responding to user feedback.

Advantages of palm vein biometrics
Fulcrum Biometrics Access Control & Identity Management
Fulcrum Biometrics Southern Africa offers five key differentiators when comparing the reliability and accuracy of palm vein biometrics with other modalities.

Identity and access management spend to reach $26 billion
Access Control & Identity Management News
A new study from Juniper Research has found that global spend on identity and access management solutions will rise from $16 billion in 2022 to $26 billion by 2027.