Skip to main content

NEWS

Ensuring Security and High Business Value With RBAC

In the era of digital transformation the tight privacy laws have imposed new levels of confidentiality on health care, insurance companies and financial institutions. As the number of their electronic systems increases along with the number of interfaces, identity management has become a critical component in ensuring information security and access control. Access control plays an essential role in safeguarding both physical security and electronic information security. Role-based access control could be simply explained as the security process of assigning specific rules or policies to individual users, or groups of users, that are connecting to your network. It simplifies the process in assigning user’s access based on their job function.

It has become a critical component in ensuring information security and access control. Access control plays an essential role in safeguarding both physical security and electronic information security. Role-based access control could be simply explained as the security process of assigning specific rules or policies to individual users, or groups of users, that are connecting to your network. It simplifies the process in assigning user’s access based on their job function.

Developing and using a role-based access control system in conjunction with an identity management solution makes it possible for organizations to ensure that accounts for new employees are always created with proper access rights. That means that there is a control defining which users have access to resources based on the role of the user. Access rights are grouped by role name, and access to resources is restricted to users who have been authorized to assume the associated role. For example, if a RBAC system is used in a hospital, each person that is allowed access to the hospital’s network has a predefined role (doctor, nurse, lab technician, administrator, etc.). If someone is defined as possessing the role of doctor, than that user can access only resources on the network that the role of doctor has been allowed access to. 

Four steps for providing data security

There are four steps which are of a great importance for providing proper data security. The first phase is to ensure that new employee access and accounts are created properly when the employee is on boarded. Second phase refers to giving those access rights remaining accurate and up-to-date during each of the company’s employee’s tenures. The third, and most essential step in this process, is revocation of access rights when individual employees leave the organization.

The fourth step is performing Information audits. The sooner you get used to them, the better. They are required to successfully manage the information and the access of rights. Our advice is to periodically review your roles, the employees assigned to them, and the access permitted for each. Once an audit of access rights is performed, it can be compared against the baseline template for each employee role initially established. If needed, the managers and systems owners could make for verification or revocation of the rights.

What are the benefits of RBAC?

Ideally, the RBAC system is clearly defined and agile, making the addition of new applications, roles and employees as efficient as possible. One of the greatest advantages of RBAC is the ability of giving you granular visibility, which is necessary to securely support your mobility in today’s digital environment. Another benefit of RBAC refers to maximized operational performance. Thus, companies could streamline and automate many transactions and business processes and provide users with the resources to perform their jobs better, faster and with greater personal responsibility. With RBAC system in place, organizations are better positioned to meet their own statutory and regulatory requirements for privacy and confidentiality, which is crucial for health care organizations and financial institutions.

Organizations should implement necessary security measures to provide that access to data, groups and applications are right for an employee during their tenure. They also should bear in mind that quite critical is the revocation of all account access when they depart. Failure to respond these criteria can lead to data theft and costly access to external applications.

If you are interested to read PATECCO White paper for Privileged Access Management, click the image below:

White paper for Privileged Access Management, click the image below:

6 Steps for Higher Security and Compliance in the Cloud

Nowadays the cloud industry is growing more due to its widespread adoption. But the more it’s growing, the more questions arise whether the cloud is secure. People are thinking about risks such as financial losses, lawsuits or losing the company’s reputation and even future progress. That’s why managing compliance has always been a challenge for IT companies. Today’s business environment requires cloud providers who are proficient in ensuring high level of security and who offer comprehensive cloud services at a much lower cost.

But let’s go back to the question – is cloud more secure? No doubt, yes! Almost all data stored in the cloud is encrypted, so the users need a key to decrypt the information. Business should take care more of the question how the data is accessed than – where it is stored.

As a cloud service provider PATECCO shares its best practices in six steps, ensuring better security and compliance:

1. Create an end-to-end security and compliance framework 

It’s important to create compliance framework, allowing to view, assess and manage all risks, security, and compliance for the cloud environment. Thanks to the instant access to a compliance infrastructure you can download all the certifications and audit reports you need to demonstrate compliance to your own stakeholders.

2. Create Authentication tools

Authentication, also called identity and access control, gives people permission to access different systems and documents according to their role. With cloud providers, implement multi-factor authentication which is more secure process than single sign-on. It requires a verification code that is texted to the users’ phone, or a link in an email that they have to click.

3. Ensure Encryption

Encryption means systematically scrambling of data so that nobody can read it unless having the code key to unscramble it. What needs to be done is to set up virtual networks which are not accessible to anyone within your company and all the traffic between machines in the cloud is securely encrypted. Let’s take for example Office 365’s service encryption. Office 365 offers customer-managed encryption capabilities, allowing you to have greater control over the protection of your sensitive data.

 4. Enforce privacy policies

Privacy and protection of personally identifiable information (PII) is gaining importance across the globe, often involving laws and regulations relating to the acquisition, storage, and use of PII. It is critical that privacy requirements be adequately addressed in the cloud service agreement. If not, the cloud service customer should consider seeking a different provider or not placing sensitive data in the cloud service. For example, customers that wish to place health information subject to the United States HIPAA regulation into a cloud service, must find a cloud service provider that will sign a HIPAA business associate agreement.

Step 5: Assess the security provisions for cloud applications

Companies should proactively protect their business-critical applications from external and internal threats throughout their entire life cycle, from design to implementation to production. Clearly defined security policies and processes are essential to ensure the applications are enabling the business rather than introducing additional risk. In order to protect an application from various types of breaches it is important to understand the application security policy considerations based on the different cloud deployment models.

When developing and deploying applications in a cloud environment, it is critical that customers realize they may forfeit some control and should design their cloud applications with these considerations in mind.

6. Audit and ensure proper reporting of operational and business processes

Offering tools for monitoring what’s going on with your infrastructure and application is quite useful. You can look at relevant log data from your applications or systems to see who’s doing what or if there were any threats. With the cloud, you can go in any time and pull down any number of pre-configured reports.

It’s essential that security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers. Incident Reporting and Incident Handling process that meets the needs of the customer should also be available in the Cloud System.

PATECCO has a new White Paper about Privileged Access Management Services

The new PATECCO White Paper in Privileged Access Management has already been issued by the German Analyst company – Kuppingercole, with the valuable support of Matthias Reinwarth. The report consists of 16 pages describing main points about PATECCO PAM solutions – Functionalities, Capabilities, Deployments, Landscapes, Implementation.

PATECCO Privileged Account Management (PAM) focuses on the specific requirements of privileged user accounts in a company’s IT infrastructure. PAM is used as an information security and governance tool to support companies in complying with legal and regulatory compliance regulations. It also helps to prevent internal data misuse through the use of privileged accounts.

For the past several years, PATECCO developed high skills in implementing PAM
solutions, describing and designing necessary processes, and connecting systems
to these solutions. The white paper presents in details PATECCO best practices in implementing PAM solutions in the following function subsets:

  • Identity Consolidation
  • Privileged Access Request
  • Super User Privilege Management (SUPM)
  • Shared Account Password Management (SAPM)
  • Application to Application Password Management (AAPM)

The report presents PATECCO’s projects as a good example of demonstrating PAM capabilities allowing privileged users to have efficient andsecure access to the systems they manage. They also ensure that audit and compliance requirements are met, provide secure and streamlined way to authorize and monitor all privileged users forall relevant systems.

More about Patecco Services for PAM implementation, check out in the report below:

PATECCO PAM Services

How PATECCO Identity and Access Governance System Secures Digital Identities?

The major concern of today’s business communities relates to the security breaches attacks which are constantly increasing. This could be a critical obstacle for the success and even for the existence of a company on the market. That’s why a great challenge for the enterprises is to manage properly the numerous digital identities and to know who has access to what information and managing what they can do with that access. All that process is possible by regulation and control of access in an efficient, systematic, and continuous manner.

Why does your company need Identity Governance?

IAG systems play a crucial role for effectively provisioning, and managing access to company resources. A priority need is effieciency. Turning the processes from repetitive and routine into automated, the companies can save time and money. Let’s take for example the process to set up a new hire which can be determined by the role of the new employee. Once systems are in place, HR staff can initiate new employee profiles with appropriate access, based on the jobs they will perform. If an employee leaves, HR will be able to invoke the automated access process to ensure orphan accounts are eliminated.

Identity an Access Governance

The other need for Identity Governance results in compliance with regulatory requirements. The regulations, a company faces, vary depending upon the industry, country, and other factors. In order to govern identity and access, a set of measures should be created against which performance can be judged. It is important that the performance at the IT process level can be related back to the strategic business requirements. For example, if a strategic goal of an organization is to comply with EU privacy legislation, then it needs to process the personally identifiable data that it holds within legally defined parameters. The identity and access processes, necessary to meet these requirements, include:

  • The organization needs to know what relevant data it holds and to classify this data accordingly.
  • Identity management processes need to correctly manage the user’s lifecycle in a timely manner.
  • The access management process needs to control which users have access to information. It also needs to ensure that users with privileged access do not make unauthorized access to data.
  • Processes must be in place to monitor and review which users have access rights to the personal data and which users have actually made access

Capabilities of PATECCO’s Identity & Access Governance System

PATECCO’s IAG system provides a comprehensive view of roles and privileges within each department of the organization, so there is a deep insight into how access is used across the organization by different users. The access governance system offers user-friendly dashboards allowing the business managers a high-level overview, facilitating quick customer response.

One of the advantages are that every part of an employee’s history can be tracked, organized and managed. Via Active Directory, for example, access governance means that managers can view all accounts from a single vantage point. IT managers can pull together and organization’s information, such as who has accounts on what systems, when those accounts were last used, what the accounts enable the account holders to do, and who has responsibility for approving the access provided, all while making it accessible and viewable from one place. PATECCO Access Governance technology allows tracking accounts on all kinds of systems: databases, shared file systems, data centers, access control, backups, passwords, network devices and printers.

Validation of Access Rights

Your internal Information System consists of a number of applications, some of them are in the cloud, while new external accesses are opening up – such as remote work, mobile applications. Therefore, it is crucial to establish a detailed map of the rights of your organization from identities to granted rights.

Usually the audit inquiry starts with questions that are hard to answer. Typical questions asked by nontechnical individuals such as auditors or compliance officers might include “How do you know and control the appropriateness of the access right distribution of an individual?” Many regulations require validation of access rights by all users. The IT-Security officer can quickly get only a partial answer from the application owners: “We can tell what a user has, but are not supposed to know about appropriateness. We suggest you to ask the users’ “manager”. The line-of-business manager can indeed tell whether a certain permission is appropriate for an employee, but only if the information is presented in a readable and reasonable compact way.

Business benefits of implementing IAG system:

Deploying an Identity and Access Governance system offers a number of benefits. It provides a comprehensive view of roles and privileges within each department of the organization. This results in deep insight into how access is used across the organization by different users. Identity and Access Governance system leads to improved productivity of managers by simplifying identity and access certification processes, as well we increased general level of security, reduced costs of managing users and their identities, attributes and credentials. Companies benefit from reduced vulnerabilities and limited risk of data breaches or loss of customer and employee information. That means that the confidentiality is enhanced, so data can be accessed only by authorized individuals.

PATECCO Takes Part in European Identity & Cloud Conference 2019 as a Gold Sponsor

The German IAM company PATECCO will be a Gold Sponsor, for a second time, at European Identity & Cloud Conference 2019. The event is organised by the analyst comany – Kuppingercole – and will take place from May 13-17, 2019, at INFINITY Ballhaus Forum Munich, Germany. EIC 2019 is known as Europe’s leading event for Identity and Access Management (IAM), Customer Identity and Access Management, and Cloud Security. Its audience includes hundreds of end users, executives, worldwide leading vendors, thought leaders, principal analysts and international top-speakers.

PATECCO Management team is taking part in practice discussions concerning Cloud Access Control and Internet of Things. Its professionals will share thoughts about the best practices for providing secure access with modern, multi-factor authentication and enabling interactions and interoperability in the Digital Ecosystem.

Photo Source: Kuppingercole

Being a Gold Sponsor gives PATECCO the opportunity to standout from competitors and to show its proficiency in Identity and Access Management as enabler of innovation and security in the Digital Age. The company also provides unique skills in IAM specific agile software development methods, based on latest technologies.Its long-term partnership with Microsoft and IBM supports the success in a number of international consulting projects from pharma, finance, insurance and utility sector.

PATECCO is a frequent exhibitor at Kuppingercole conferences and well-known with its competences in IAM, Public Key Infrastructure, Privileged Account Management, Role Based Access Control, and Identity Governance. The company is famous for its global capability – designing, deployment, and management and monitoring for clients of all sizes and industries around the world, long-term customer retention, security, compliance and flexibility.

What’s the Difference between PAM and IAM tools?

Identity & Access Management (IAM) and Privileged Access Management (PAM) are often misunderstood having similar features – both dealing with users, access and roles. They also refer to safeguarding data by protecting who has access to the systems, and what they are allowed to do on sensitive systems.

Despite these fact, they are actually quite different…

The role of PAM is to protect users with privileged access to sensitive data. IAM takes care of business’ everyday users or customers, controlling the access and experience that those users are granted within an application.

Usually it is recommended PAM solution to be primarily implemented, followed by a complimentary IAM solution. The reason is that PAM solutions take security and compliance a step further and help IT teams to get control over privileged users and accounts. Of course, there are organizations that implement Privileged Access Management and Identity and Access Management independently. In this way they miss some key values that could come from their integration such as getting control over user access, permissions and rights to address a security, and compliance.

Let’s now go back to the differences between PAM and IAM:  For example, IAM allows you to provide a salesperson with access to their email account, and provides higher level access for certain individuals to log into sensitive systems such as finance and HR.

In contrast, PAM tools are able to manage passwords and authentication and enable servers and databases to securely communicate. These privileged accounts are defined as highly sensitive because they give access to administrative capabilities such as network and server settings. 

IAM systems are great at establishing and removing the access to accounts but they lack the visibility and reporting when privileged access is performed on applications and databases. The ability to audit and monitor the actions of system administrators is a critical security capability required by regulations and reviewed periodically by auditors. And this is what PAM does – provides auditing and monitoring what a system administrator is doing in a specific system, a visibility on how identities are being used, and logging session reports.

IAM and PAM could be integrated and that process provides multiple benefits: PAM delivers data to IAM regarding who can have access to which role-based accounts and then IAM delivers data to PAM defining who should have access to privileged tasks.

How to Detect and Protect the Sensitive Data in the Cloud

As already mentioned in the previous article, Cloud computing has transformed the way organizations approach IT, enabling them to adopt new business models, to provide more services and productivity, and reduce IT costs. Cloud computing technologies can be implemented in different kinds of architectures, under different service and deployment models. At the same time they can also coexist with other technologies and software design approaches. Looking at the broad cloud computing landscape continuing to grow rapidly, it becomes obvious that access to sensitive data in the cloud should be properly monitored and controlled.

Cloud services facilitates data management and applications across a network linked through mobile devices, computers or tablets. But these networks can pose significant challenges for front-end security in the cloud computing environment. For overcoming any threats, there is a need of multiple levels of user-enforced security safeguards which are able to restrict access, authenticate user identity, preserve data integrity and protect the privacy of individual data. When implementing appropriate safeguards, policies and procedures, private data can be securely stored and accessed in third-party cloud servers by a network of users.

Best practices for monitoring access to sensitive data in the cloud

If compared to on premise data centres, cloud-based infrastructures are actually not that easy to monitor and manage. For providing high-quality data protection in the cloud, there is a number of measures which must be undertaken

1. Provide end-to-end visibility

The lack of visibility across the infrastructure is one of the little disadvantages of the cloud-based solutions. Consequently, there is a need of ensuring end-to-end visibility into the infrastructure, data, and applications. The implementation of an efficient identity and access management system can help limiting the access to critical data. It also makes it clear to understand who exactly accesses and works with your business’s critical data. A high-level granularity of access management allows granting elevated privileges only to users that actually need it.

2. Implement Privileged Access Management to Secure access to valuable information

Privileged Account Management (PAM) systems are designed to control access to highly critical systems. PAM security and governance tools support companies in complying with legal and regulatory compliance. Their capabilities allow privileged users to have efficient and secure access to the systems they manage. Besides it offers secure and streamlined way to authorize and monitor all privileged users for all relevant systems.


3. Monitor implementation and audit access to sensitive data

It is necessary to conduct periodic audits to identify security vulnerabilities and monitor compliance. Continuous monitoring and auditing of the cloud infrastructure allows detecting possible attacks and data breaches at an early stage. PAM capabilities will also help you to successfully monitor sensitive data and manage access to it.

4. Use RBAC to Control what users have access to.

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them. An employee’s role in an organization determines the permissions that individual is granted and ensures that lower-level employees can’t access sensitive information or perform high-level tasks.

5. Use SIEM Technology

SIEM technology supports threat detection and security incident response through the real-time event collection and historical analysis of security events, from a wide variety of event and contextual data sources. SIEM also helps enterprises manage the increasing volumes of logs coming from disparate online sources. Storing the logs from different sources in a central secured database make the process of consolidation and analysis easy.

SIEM supports compliance reporting and incident investigation through analysis of historical data from these sources, as well.

6. Build an efficient incident-response strategy.

It is recommended to make a plan which would help you react immediately to a possible security incident in an adequate manner. It should include several important steps such as determining authority to call an incident, establishing clearly defined team roles and responsibilities, establishing communications procedures and responsibilities, increasing end user awareness and deploying the Right Tools.

All the above mentioned points, concerning implementing appropriate safeguards, policies and procedures, are a good prerequisite for keeping private data securely stored and a protected.

How Cloud Access Control Enhances Security in Financial Sector

When talking about cloud computing, we usually relate it to the use of online software tools or mobile apps for interacting with Internet resources. It is no longer necessary to keep a physical server or local storage source on site, because when the client has access to the internet, the software for running a particular program can be accessed.

The popularity of cloud access control is growing and now a lot of businesses are planning or already use cloud access control systems, also known as managed access control. That gives the great opportunity for employees to store and retrieve files on remote servers via the internet and at the same time provides compatibility, convenience, flexibility and higher security.

For strengthening security in the corporate information systems of companies from financial sector, PATECCO developed effective cloud access control tools. Delivering greater flexibility whilst maintaining the levels of security essential to their business, is only one of the numerous advantages provided by PATECCO. Highly scalable, access control allows banking to react to meet increasing demands and is simple to administer. Given the flexibility of the cloud, it could help with data mining and provide richer data analytics insights.

Cloud access control provides secure deployment options that can help banks develop new customer experiences, enable effective collaboration and improve speed to market – all while increasing IT efficiency. As a technology, PATECCO cloud systems can help banks and financial institutions transform themselves into a digital business, enhance their enterprise security and compliance, and introduce automation for improved efficiency. Cloud computing helps banks reduce fixed IT costs, as well. The expenses can be shift from capital to operational costs. With cloud applications, there is no longer necessary to build hardware, it just pays for what it needs when it needs it.

PATECCO Cloud Access tools allows banks to provide a more consistent, digital experience across all customer-facing channels. It fundamentally changes the way in which customers interact with data and their banking providers. By extending cloud services to clients, banks can empower clients to update data and documentation to support ongoing maintenance of an accurate client risk profile for lifecycle compliance. This not only delivers greater efficiency for the bank and more convenience for the customer, but also builds up a deeper, closer relationship between them through enhanced digital communications.

By using cloud computing, banks can create a flexible and agile banking environment that can quickly respond to new business needs. A lot of examples prove that banks, trusting cloud systems, are better in responding to economic uncertainties, interconnected global financial systems and demanding customers. PATECCO even makes it easier for the employees to access risk and analytics reports while they are on the move. They see the benefits of accessing the internet on their smart phones and tablets, instantly even in remote locations.

How Much Identity and Access Management is Important for Keeping a Strong Data Security?

When we talk about identity, we should consider that it is a key factor in the context that defines today’s access policies. The trend of people working from hotel rooms, trains, cafés and homes increases day by day and IAM has become the primary element for ensuring that only authorised people from authorised locations access authorised resources.

Most security professionals know that there is no simple solution for protecting companies. It refers to a coordinated defence involving people, processes and tools that span anti-malware, application, server, and network access control, intrusion detection and prevention, security event monitoring, and more. But what about identity and access management (IAM) – our particular focus at PATECCO?

Actually IAM provides information about how employees and customers have accessed applications – who logged in when and what data they accessed. Corporations can use this information for security and forensics purposes and for understanding typical patterns of interaction, as well. For example: How employees work and how customers buy products and conduct transactions on the company’s website and mobile apps.

In our practice we always use the right IAM preventive and detective controls that help our customers to prevent, detect or mitigate the attack. It all starts with getting visibility and control over user access privileges for highly sensitive data or applications. This means putting in place IAM tools to ensure the right access controls are in place and that user access privileges conform to policy. We also ensure that a centralised directory is put in place. Those with admin access must be able to access this instantly, to view and modify access rights as and when needed. The other step is the creation of unique user accounts, so that every staff member has their unique ID and password. In this way, specific users can be traced via their credentials.

Automated workflows are also useful as they enable access request and approval to be managed with the option of several different levels of reviews and approval. Our IAM Professionals enforce a strong password policy which helps for preventing unauthorised access of this data.

Enforce the principle of least privilege is of a great importance because nobody should have access to any data other than data that is strictly needed for them to do their jobs. Furthermore, privileged users should have additional security controls placed on them. For example, multi-factor authentication can be useful.

The overall IAM process refers to co-operation between processes, people and technology. Implementing the right IAM controls can help you mitigate risks and more effectively protect critical resources and customers’ data. IAM systems prevent hackers from escalating privileges and gaining access to sensitive applications and data once they have compromised an employee’s credentials. IAM also helps to satisfy compliance mandates around separation of duties, enforcing and auditing access policies to sensitive accounts and data, and making sure users do not have excessive privileges. It also ensures maintenance of strong vigilance and prevention of threats that can be identified.

PATECCO Prosperously Rings Out 2018

The end of 2018 is getting closer and this is the perfect period to make an assessment of what we have achieved. For the last 12 months PATECCO reports great professional results due to the excellent collaboration between both teams in Germany and Bulgaria. They make PATECCO a recognised and respected leader in IAM industry providing value-added services to its clients’ requirements. That’s a good prerequisite for the thriving future of the company and its progress.

PATECCO’s partnership with Microsoft and IBM contributed for the success in a number of international consulting projects in the fields of pharma, energy, and insurance and education. The portfolio of the IAM company also extended to delivering comprehensive solutions such as Managed Services, Cloud Access Control, Privileged Account Management, Access Governance, Role Based Access Control, Security Information and Event Management, Public Key Infrastructure and Password Management.

PATECCO’s year-end performance review:

  • Hiring new employees due to the growing number of projects
  • Signing contract with new clients
  • Developing MIM Query Service, integrated with CA API Management tool with a goal to accelerate the changes in the digital transformation
  • Taking part as a Golden Sponsor in one of the biggest Kuppingercole conferences: European Identity Conference 2018 in Munich
  • Participating in Cyber Access Summit in Berlin
  • Ensuring its customers global capability (management and monitoring for clients of all sizes and industries around the world), security, compliance, flexibility, industry expertise, trust, productivity and engagement;

In 2019 PATECCO’s goals are to ride the waves of technology innovations in the era of digital transformation, to maintain profitability and to deliver great customer service.