Theshan Mudaly, Solutions Engineer – MEA, BeyondTrust
As the United Arab Emirates (UAE) has become more and more enmeshed in the cloud and its attendant platforms and services, much has changed. Infrastructure has changed. User experiences and expectations have changed. Costs have changed. And the way IT is delivered has changed. So much now is “aaS”, and IT service management (ITSM) reflects this. The helpdesk has changed, as have ticketing systems. Modern ITSM is a slick, automated hum of quick responses and self-service options built around AI and ML, capable of adapting to the changing needs of users inside and outside the enterprise.
Modern ITSM delivers quicker identification of faults, better turnaround times, smoother change management, and lower costs, but also tighter collaboration between teams and shorter release cycles. ITSM in the post-COVID era has given UAE users “Bring Your Own Cloud” (BYOC), multi-cloud environments, and remote work. Modern ITSM can give us more of the things all businesses shoot for — productivity, collaboration, and innovation.
But the UAE did not get to where it is today without taking due care over the potholes on the road to success. The nation is a prime target for threat actors intent on exploiting its young, Web-connected population and high average net worth. Modern ITSM must step up and meet these challenges, securing service delivery by focusing on four main areas.
- Social engineering
Helpdesk technicians receive more emails than almost anyone else in the organization. As such, they are low-hanging fruit to attackers, who will waste no time in deploying social-engineering tactics such as pretending to be a user in distress looking for a password reset. Helpdesks have recently even become the targets of MFA fatigue attacks — where legitimate users are spammed with second-factor confirmation requests in the hope they will get frustrated and confirm. The best countermeasure against social engineering is a combination of well-trained users and the right technologies. Identity management and privileged-access management (PAM) are ideal for this purpose.
- Vulnerable remote access
To support UAE organizations’ mass adoption of remote-work and remote-access tools, technologies such as VPN and RDP have (for the sake of expediency) found their way into use cases where they do not belong. VPNs, for example, lack auditing capabilities or granular control over sessions, so they are inappropriate for BYOD or third-party remote access. In all remote sessions, the level and duration of access must be tightly controlled.
- Poor credential hygiene
Helpdesks need to be quick — resolve the issue in front of you and move on to the next. Often, this requires using admin accounts. Shortcuts like storing credentials in plain text for quick and easy access can lead to disaster. The prevalence of such practices is of great concern to security professionals, as is the frequency with which they are found to be the root cause of an attack. It is also disturbingly common for the same password to be used across many high-privilege accounts.
- Excess privileges
The cloud environments in which we all now operate have necessitated an authentication explosion that encourages password reuse and over-provisioning of entitlements. To combat this, we must enforce the principle of least privilege. This will not only secure ITSM processes but also reduce errors and strengthen regulatory compliance. Each user, from the helpdesk to HR, should receive only those permissions necessary to do their job. No more; no less.
Take your medicine
Modern IT that works to a modern ITSM model must have modern cybersecurity to match. If it does not, the whole stack will lapse into poor health. Security has to be woven into ITSM. Unfortunately, this often requires the unravelling of current protections to make way for a unified security suite that is free of silos. A tools glut means a lot of running around trying to visualize a problem or validate a red flag. IT admins and security analysts will burn out and may leave the organization, exacerbating the problem.
But with security baked into ITSM, the helpdesk, SOC, and others get security capabilities that apply the right policies automatically and frictionlessly. When procuring a platform that can weave itself neatly into your unique ecosystem, look for broad platform support (Windows, Linux, iOS, Android, and the rest) and a system that can offer non-disruptive access to endpoints and applications from a single pane. Teams should be able to centralize, manage, and track privileges without end users being required to hop from application to application just to do their job. Any required credentials should be available securely to the service desk from within the ITSM solution while abiding by all best practices.
Just as modern ITSM leaves nobody behind, its integrated security should look after all parties: remote users, employees, and third parties. They should all be able to gain access through the remote device of their choice, with all authorized ITSM approval flows (Incident, Change Request, Problem, and Request) remaining protected. Privileged actions such as configuration or change management should be done directly from a change request, which secures sessions and also ensures that change management adheres to current authorized processes. This interwoven ITSM security provides end-to-end tracking and a documented history of access and workflow approvals. With each record tied to the relevant assets and privileged accounts, organizations will find auditing is much easier.
Engine of change
Just as MLOps and DevOps are now advised to consult the security team early and often, ITSM teams and helpdesks must recognize that their domain needs protecting too. This is especially true since across the Gulf and beyond, ITSM is now seen as the best and most practical way to deliver the IT function. And just as ITSM is a departure from old, siloed thinking, so must its security be integrated to ensure efficiency and adequate collaboration between stakeholders. When done well, an integrated ITSM security solution can reduce risk and be part of the engine of change.