Connected and protected: Identity management for enterprises in an era of zero trust

With millions of people working from home at present, and likely into the future, the enterprise perimeter has all but dissolved. In the process, organizations are struggling to ensure security in this "zero-trust" and remote era. The concept of zero trust was introduced by Forrester in 2014, demonstrating that forward-thinking organizations shifed to a zero-trust framework well before the pandemic. Now, with vulnerabilities laid bare for nearly every business with a dispersed workforce, operating under the assumption that one’s network is already comprised is imperative. And it's understandable considering the increase in BOTs, fake social media accounts and the impersonation of privilege accounts, not to mention the fact that employee access and connections have become increasingly dynamic.

Today's enterprise touchpoints include a wide range of SaaS and cloud services, all of which provide opportunities for nefarious actors to take advantage of the network. That's why a holistic strategy should include a "never trust, always verify" approach that requires validation of devices, users, apps and networks, as well as a process for detecting and remediates threats—before access is granted.

At EPAM, where more than 36,000 employees work across 30 countries, our identification strategy includes well-defined policies spanning network and computer security, access and separation control, archiving, awareness and training and sensitive information protection. At the border, for example, a firewall protects local area networks (LANs) and various demilitarized zones (DMZs) such as Wi-Fi access and project VLANs, etc., with policies on the firewall restricting access to internal resources. Further, an intrusion detection system (IDS) is used in each EPAM office, and all network devices are configured to mirror internal and external traffic to IDS servers.

Sensitive data is transmitted via secure protocols (HTTPS, SFTP, IPSec), with a classification framework defining the appropriate security levels and protection controls applied to sensitive information access during the following:

Handling
Storing
Accessing
Transmitting
Speaking
Screen monitoring
Archiving
Destroying
Physical securement

For event management, we use a centralized log management center. The IT security team is dedicated to continuous monitoring of the IDS logs and applies the following industry best practices and recommendations for enhancing the protection of its systems:

Standard software images are implemented by local IT
To ensure only authorized software is installed, OS patching is performed in a managed fashion
Software is scanned regularly
Windows firewall is enabled
Centrally managed antivirus software is installed on all Windows-based workstations and servers. When a newer version is available, the scanning engine and virus definition files are updated immediately
Virus scanning is performed in real time, with new updates forced to all computers
Session time-out is 10 minutes
The computer names are generated according to company resource naming convention

To ensure separation control, every project has its own repository in the version control system (SVN, Git) to store and control program sources, documents and such. With this arrangement, the data of each project is separated, qne only the project team possesses access to the repository. This feature is based on an internal system granting data access according to project participation. EPAM also has an active IT Security Awareness Training Program, which each employee must complete on an annual basis. It is the responsibility of management to continuously follow up on the status of such training.

When it comes to physical access control, EPAM takes stringent measures to prevent unauthorized access to data processing systems. For instance, our data center is accessible only to authorized persons, according to their job duties, with multi-factor authentication (MFA), such as a proxy card and PIN code, required before access is granted. These access rights are reviewed by the management on a monthly basis and are revoked immediately if an employee is dismissed or his/her position changes. Information access is shared with users on the "minimum necessary" and "need-to-know" basis.

Today, enterprises must think across an entire ecosystem, including employees, customers, partners, vendors and supply chains. Deploying MFA is an important component to securing and managing identities, but it's essential to make the process user friendly. Help employees understand its value, to them and the enterprise. As much as possible, simplify and modernize systems and applications to unify them rather than just layer and abstract and assume everything will work out in the long term. Finally, nothing replaces a well-defined governance program, one that’s flexible enough to evolve with the enterprise, as well as challenges of the day. Above all, ensure that your employees are educated and supported. Many are under the impression they’re operating on their own. When they feel both connected and protected, it's a win or everyone—except the bad actors.

Sam Rehman is SVP and Chief Information Security Officer for EPAM Systems. Rehman has more than 30 years of experience in software product engineering and security. Prior to becoming EPAM’s CISO, Rehman held a number of leadership roles in the industry, including Cognizant’s Head of Digital Engineering Business, CTO of Arxan, and several engineering executive roles at Oracle’s Server Technology Group. His first tenure at EPAM was as Chief Technology Officer and Co-Head of Global Delivery. Rehman is a serial entrepreneur, technology expert and evangelist with patented inventions in software security, cloud computing, storage systems and distributed computing. He has served as a strategic advisor to multiple security and cloud companies, and is a regular contributor in a number of security industry publications.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.