Identity security breach
In some cases, it may be necessary to lock out one or more identities from using any type of system connected to Omada Identity, typically in the case of a security breach or other system irregularities.
Omada Identity provides the emergency lockout feature to handle such incidents, as well as a REST API for triggering incident response from outside Omada Identity, for example from a UEBA (User and Entity Behavior Analytics) system.
Identity Security Breach covers the Suspend or reactivate access process.
Suspend or reactivate access
Suspending access for an identity can happen for many reasons, such as cybercrime or a similar event. However, in the case of a false alarm, it is important that the user's access rights can be reactivated by revoking the lockout.
Emergency lockout
The goal of the emergency lockout is to lock an identity, disabling all assignments.
In case of cybercrime suspicion or similar criminal events, it might be necessary for a manager, Operation Administrator, or Compliance/Security to be able to set an identity to locked. When this happens, RoPE calculation as well as deprovisioning tasks are handled with priority.
As a result of the lockout, all assignments are disabled; however, they can be restored.
Process flow
A suspicion of cybercrime by an identity requires immediate action.
- In the case of an emergency or breach, a manager, Operation Administrator, or Compliance/Security can start the process by using the appropriate menu item in Omada Identity.
- A manager can block their managed identities and give a reason.
- Operation Administrators can block all Identities and give a reason.
- The identity is set to locked, while its accounts and assignments are set to disabled.
- An identity is calculated, and provisioning is started.
- When an identity has the locked status, the status cannot be overwritten by any external interface.
- Only users who are members of the Operation Administrators group have permissions to overwrite the identity with the locked status.
- Ensure that the company/organization has a formal written policy for the Emergency lockout process.
- The My lockout and revocations view contains an entry for each lockout and revocation that the active user has made. The Type column displays either Lockout or Revocation depending on the type of process that the user has run for that specific identity.
Revoke emergency lockout
The goal of revoking emergency lockout is to reactivate identities that have been previously locked out due to an emergency.
- Only Operation Administrators can reactivate all locked identities.
- Managers can only reactivate identities managed by them.
When the revocation is performed, the existing access rights are reinstated in the target systems. As a result of revoking the lockout, all assignments are enabled.
Process flow
The following actions take place when a cybercrime suspicion has not been confirmed.
- A manager or Operation Administrator starts the process in Omada Identity.
- A manager can unblock their managed identities, and give a reason.
- Operation Administrators can unblock all identities, and give a reason.
- Identity, accounts, and assignments are set to Active.
- Identity is calculated and provisioning is started.
- Ensure that the company/organization has a formal written policy for this process.
- The My lockout and revocations view contains an entry for each lockout and revocation that the active user has made. The Type column displays either Lockout or Revocation depending on the type of process that the user has run for that specific identity.
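The lockout and revocation flows above, modelled as an added example (not Omada Identity code): who may act on which identity, what happens to the identity's accounts and assignments, why an external interface cannot overwrite a locked status, and the entries that end up in the lockouts-and-revocations view. Role names, the record layout and the sample identities are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model (not Omada Identity code) of the lockout and revocation rules
# described above; the role names and record layout are assumptions.

@dataclass
class Identity:
    name: str
    manager: str
    status: str = "Active"            # Active or Locked
    accounts_enabled: bool = True
    assignments_enabled: bool = True

@dataclass
class Actor:
    name: str
    role: str                         # "manager" or "operation_admin"

@dataclass
class LockoutService:
    identities: dict
    log: list = field(default_factory=list)   # the "My lockouts and revocations" view

    def may_act(self, actor, ident):
        # Operation Administrators cover all identities, managers only their reports.
        if actor.role == "operation_admin":
            return True
        return actor.role == "manager" and ident.manager == actor.name

    def _apply(self, actor, name, locked, kind, reason):
        ident = self.identities[name]
        if not self.may_act(actor, ident):
            raise PermissionError(f"{actor.name} may not run {kind} on {name}")
        ident.status = "Locked" if locked else "Active"
        ident.accounts_enabled = ident.assignments_enabled = not locked
        self.log.append((actor.name, name, kind, reason))   # Type column: kind
        return ident

    def lockout(self, actor, name, reason):
        return self._apply(actor, name, True, "Lockout", reason)

    def revoke(self, actor, name, reason):
        return self._apply(actor, name, False, "Revocation", reason)

    def external_status_update(self, name, new_status):
        # A locked status cannot be overwritten by any external interface.
        ident = self.identities[name]
        if ident.status == "Locked":
            return False
        ident.status = new_status
        return True
```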
Incident Response
Emergency lockouts and revocations can also be triggered from external systems such as SIEM, UEBA, or Threat Analytics systems, through the Omada Identity OData REST API.
Omada Identity is then used as part of the Incident Response process.