CMS managers need to consider an IAM strategy that strikes a balance between ease of use and security. Make use too easy, and it may leave content vulnerable to outside attacks. Add too much security, and internal users won't access the content they need -- or worse yet, they'll cobble together workarounds that introduce new vulnerabilities.
Content repository access management plans should be governed by a set of key performance indicators relating to ease of use, ease of management and security posture. Ease of use can be measured with user help desk calls. Ease of management can be measured with the time required to set up and manage content management users. Security posture can be measured with an analysis of potential security breaches.
The main security challenges for today's enterprises include supporting access to a growing number of devices and opening access to a variety of cloud services and legacy enterprise apps. Identity management for the CMS needs to work in concert with these services to provide the best balance of security and ease of access.
A good IAM strategy for a CMS needs to be implemented in coordination with identity lifecycle management processes across all enterprise applications; otherwise, creating an identity management silo for the CMS can add administrative burden and create barriers for content creators. As a result, overburdened CMS managers are likely to take shortcuts that introduce new problems.
Start with management buy-in
Adopting a good identity governance strategy needs to start with top-level management. This can attract the appropriate investment and support from stakeholders across the enterprise. This can also lead to the creation of a planning team charged with implementing an identity management architecture that supports multiple CMS systems, as well as internal applications and cloud services.
One good starting point for selling C-level leadership on investing in ID management is showing the costs of a poor IAM strategy. The most obvious cost is the number of help desk calls related to logging in to the CMS system. This places a burden on the help desk team, reduces the productivity of employees and can impact the user experience of students and customers.
Surveys of enterprises and institutions have found that, in some cases, 50% of all help desk calls are related to access challenges. Granting content management users access can be a challenge when they are logging in across multiple devices. Some security techniques, like multifactor authentication, can add new problems if a user does not have access to a smartphone. When adopting IAM tools, it is worth looking for support for artificial intelligence (AI) features that automate password recovery for legitimate content management users, which reduces the number of basic tickets help desk staff have to handle.
Another good strategy is to identify the impact of breaches in the enterprise's industry. Breaches of CMS security have led to loss of data and loss of access. High-profile examples of data loss include the Sony breach, which resulted in the loss of scripts and movies.
Loss of data access has also made recent headlines, most notably with the recent spate of ransomware attacks against various hospitals, whose patient records systems were encrypted against them. In addition to the direct costs of these breaches, enterprises in regulated industries may be subject to fines and sanctions related to compliance with Health Insurance Portability and Accountability Act, Payment Card Industry and Sarbanes-Oxley Act requirements.
Plan for user fatigue
The rise of consumer web applications is placing a tremendous burden on content management users to manage multiple passwords at work and at home. This can lead to password reuse across services, adoption of common phrases and poor password management policies.
Password reuse can be a problem, since the compromise of a user's credentials on one service can lead to the breach of an enterprise CMS system. Analysis of breached public password files has found that as many as 10% of all passwords are common phrases, like 12345 or password. Enterprises can mitigate this risk by using IAM solutions that prohibit these common passwords.
Another good strategy is to enable single sign-on across all enterprise applications. This can be more complex when services span multiple cloud and enterprise systems. CMS managers should consider taking advantage of federated identity services that can help bridge Active Directory, Lightweight Directory Access Protocol and various cloud identity services.
It can be difficult to enforce policies against password reuse, since administrators lack visibility into what passwords a user maintains for other services. The use of multifactor authentication can help reduce this risk by requiring users to confirm messages sent to a smartphone or other device.
For highly sensitive information and privileged users, enterprises should also consider requiring users to change passwords on a scheduled basis. However, this adds an extra burden, and it is likely to lead to more help desk calls.
Plan for administrator fatigue
A good IAM strategy for CMS systems should minimize the identity management burden on administrators. One good practice is to assign privileges to roles or classes of users rather than to individuals. If a user requires new privileges, they can be assigned a new role.
Another good strategy to consider is adopting lifecycle management into the assignment of privileges. If an employee leaves or is terminated, their CMS privileges should automatically be rescinded via some HR process rather than requiring manual work by the CMS administrator.
Likewise, permissions should automatically be set to terminate on a specific date for users with a particular life span. For example, contract workers should have their credentials automatically revoked at the end of their contracts.
Enterprises also need a policy in place to automatically change passwords when laptops, smartphones or tablets are reported as lost or stolen.
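The role-based, lifecycle-driven model described in the three paragraphs above, as an added illustration that is not code from the original article or any particular IAM product. It assumes a tiny in-memory user store keyed by an HR employee id, a constructed set of CMS roles, and an HR feed that delivers "terminated"/"left" events; contractor assignments carry an end date after which their permissions expire without any administrator action.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample roles -> CMS permissions; privileges hang off roles, not individuals.
ROLES = {
    "viewer": {"content:read"},
    "author": {"content:read", "content:write"},
    "editor": {"content:read", "content:write", "content:publish"},
}

@dataclass
class Assignment:
    role: str
    expires: Optional[date] = None  # None = open-ended; contractors get their contract end date

@dataclass
class Directory:
    """Minimal user store (hypothetical). Keys are HR employee ids, an assumed identifier."""
    users: dict = field(default_factory=dict)   # user_id -> list[Assignment]
    active: set = field(default_factory=set)    # user_ids the HR feed still reports as employed

    def hire(self, user_id: str, role: str, expires: Optional[date] = None) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        self.active.add(user_id)
        self.users.setdefault(user_id, []).append(Assignment(role, expires))

    def hr_event(self, user_id: str, event: str) -> None:
        """Apply an HR lifecycle event; leaving or termination rescinds every CMS role."""
        if event in ("terminated", "left"):
            self.active.discard(user_id)
            self.users.pop(user_id, None)

    def permissions(self, user_id: str, today: date) -> set:
        """Effective CMS permissions on a given day; offboarded or expired users get none."""
        if user_id not in self.active:
            return set()
        perms = set()
        for a in self.users.get(user_id, []):
            if a.expires is None or today <= a.expires:
                perms |= ROLES[a.role]
        return perms
```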
Expect to be breached
The best thing CMS administrators can do to reduce the burden on content management users and administrators is to take advantage of IAM tools that identify patterns of suspicious behavior. This can include multiple login attempts, logins from new IP addresses, new times of usage and significant upticks in reads or writes to the CMS system.
However, simply sending out a flood of security alerts can overwhelm security administrators overseeing CMS systems. A much better practice is to look for IAM tools and services that support some level of analysis, aggregation and escalation. This will enable security teams to focus their attention on the most likely threats.
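The behaviour pattern detection and aggregation-before-escalation approach described above, as an added example that is not part of the original article and not the logic of any particular IAM tool. It assumes a constructed CMS audit log (timestamp, user, source IP, action, result) and a constructed per-user baseline of usual IPs, working hours and daily write volume; single weak signals are recorded but only users with corroborating signals are escalated.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CMS audit events: "<iso timestamp> <user> <src_ip> <action> <result>"
EVENTS = [
    "2024-03-04T09:02:11 alice 10.0.0.5 login ok",
    "2024-03-04T09:05:40 alice 10.0.0.5 write ok",
    "2024-03-04T02:14:03 bob 203.0.113.7 login fail",
    "2024-03-04T02:14:09 bob 203.0.113.7 login fail",
    "2024-03-04T02:14:15 bob 203.0.113.7 login fail",
    "2024-03-04T02:14:22 bob 203.0.113.7 login ok",
] + [f"2024-03-04T02:15:{i:02d} bob 203.0.113.7 write ok" for i in range(40)]

# Constructed per-user baseline an IAM tool would have learned: usual IPs, hours, writes per day
BASELINE = {
    "alice": {"ips": {"10.0.0.5"}, "hours": range(8, 19), "writes": 10},
    "bob":   {"ips": {"10.0.0.9"}, "hours": range(8, 19), "writes": 10},
}

def parse(line):
    ts, user, ip, action, result = line.split()
    return datetime.fromisoformat(ts), user, ip, action, result

def analyze(events, baseline, fail_limit=3, spike_factor=3, min_signals=2):
    """Collect weak signals per user and return only users with enough to escalate."""
    signals = defaultdict(list)
    fails, writes = defaultdict(int), defaultdict(int)
    for ts, user, ip, action, result in map(parse, events):
        b = baseline[user]
        if action == "login" and result == "fail":
            fails[user] += 1
            if fails[user] == fail_limit:          # burst of failed logins
                signals[user].append("repeated failed logins")
        elif action == "login" and result == "ok":
            if ip not in b["ips"]:                  # login from an IP never seen for this user
                signals[user].append(f"login from new IP {ip}")
            if ts.hour not in b["hours"]:           # activity outside the user's usual hours
                signals[user].append(f"login at unusual hour {ts.hour:02d}")
        elif action == "write":
            writes[user] += 1
            if writes[user] == b["writes"] * spike_factor:  # uptick in writes vs. baseline
                signals[user].append("write volume spike")
    # Aggregation step: one signal alone is noise, several together are worth an analyst's time.
    return {u: s for u, s in signals.items() if len(s) >= min_signals}

def escalations(events=EVENTS, baseline=BASELINE):
    return analyze(events, baseline)
```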
It's also important to encrypt password database files at rest using technologies like Transparent Data Encryption (TDE). Even though a CMS system controls access to the password database at the application level, the underlying data might be stored on the server in plain text. If attackers find a way to read that file directly, bypassing the CMS API, they can retrieve the entire CMS password file. TDE makes this harder by encrypting the file itself, whereas the CMS alone merely restricts access to it.
Implementing a good architecture for identity management for a CMS is a true balancing act. Better security is likely to lead to more user access problems and reduced productivity. A pragmatic approach lies in quantifying real and potential costs. This can help an administrator formulate a strategy for evaluating IAM tools that work with the CMS to yield the greatest net benefit with the least investment.