Security Best Practices for Homegrown Identity Management System | CASP+ Exam Question Answer

Security Recommendations for Homegrown Identity Management System

Question

A university issues badges through a homegrown identity management system to all staff and students.

Each week during the summer, temporary summer school students arrive and need to be issued a badge to access minimal campus resources.

The security team received a report from an outside auditor indicating the homegrown system is not consistent with best practices in the security field and leaves the institution vulnerable.

Which of the following should the security team recommend FIRST?

Answers

Explanations

A. B. C. D.

A.

The security team received a report from an outside auditor indicating that the university's homegrown identity management system is not consistent with best practices in the security field and leaves the institution vulnerable. Therefore, the security team needs to take immediate action to address the issue and mitigate the risks associated with the current system.

Out of the given options, the security team should FIRST recommend working with procurement and creating a requirements document to select a new IAM system/vendor. This is because the outside auditor has already identified the existing system as being vulnerable, which means that the risks associated with the system are too high to justify a delay in addressing them. The security team needs to focus on finding a solution that can provide better security and is consistent with best practices in the security field.

Investigating a potential threat identified in logs related to the identity management system is not the first step the security team should take because it assumes that there is a specific threat that has already been identified. The auditor's report suggests that the entire identity management system is vulnerable, so addressing the system's weaknesses as a whole is more important than investigating specific threats that may or may not be present.

Updating the identity management system to use discretionary access control (DAC) is also not the first step the security team should take. While DAC is a security mechanism that can be used to provide more granular control over access to resources, it does not address the overall vulnerability of the existing system. Therefore, implementing DAC is not the best first step to take.

Beginning research on two-factor authentication (2FA) to later introduce into the identity management system is a good step, but it is not the first step the security team should take. 2FA is a security mechanism that can be used to add an extra layer of security to the identity management system, but it does not address the underlying vulnerabilities of the current system. Therefore, the security team should focus on finding a more comprehensive solution that addresses the system's vulnerabilities before implementing 2FA.

In conclusion, the security team should FIRST recommend working with procurement and creating a requirements document to select a new IAM system/vendor to address the identified vulnerabilities in the current homegrown identity management system. This will help the university to improve the security of its identity management system and protect its resources from potential threats.