Privilege Security for the New Perimeter
October 2018 by Morey Haber, chief technology officer, BeyondTrust
For all of information technology’s benefits, most organizations are well acquainted with the by-product of rapid IT advances and expansion: increased cybersecurity risk. Indeed, growing cybersecurity concerns correlate directly with your organization’s expanding digital universe and the number of people given some level of authority to operate within it.
A swiftly expanding digital perimeter—both physical and logical—inevitably makes organizations more vulnerable to the so-called cyberattack chain, regardless of how far the perimeter has extended. The attack process starts with a successful perimeter breach or insider malfeasance, followed by the theft of “privileged” user credentials through either poor privilege security management or exploitation of a vulnerability. With privileged user IDs and passwords in hand, an attacker can then move laterally throughout an organization, seeking its most valuable digital resources.
As the IT perimeter continues to evolve, threats and risks become increasingly difficult for IT and security teams to manage as they try to connect the dots between privileged accounts, vulnerabilities, exploits, and successful data and system breaches. This barrier is a big reason why compromised privileged credentials are such a dominant source of successful attacks, accounting for 80% of all cyber breaches, Forrester Research estimates.
Not all of these breaches involve cyberthieves or other outsiders stealing and then exploiting privileged credentials. In many cases, privileged users cause problems on their own, usually inadvertently through poor security practices but sometimes malevolently. Whether intentional or accidental, privilege-related breaches can bring devastating consequences.
Regardless of the perpetrators and their intentions, it’s clear that organizations generally haven’t done enough to understand and manage their privileged accounts. That’s a big problem because the need for privileged account access—and management—will only become more pressing as IT and communications environments continue to expand beyond traditional firewalls.
The Expanding IT Perimeter
The days of computer users sitting only within the four walls of a secure and digitally isolated building are a distant memory. The adoption of mobile devices and cloud computing dramatically expanded the digital footprint of companies. The more recent emergence of Internet of Things (IoT) devices is accelerating this expansion, and the spread of new processes and technologies, from DevOps to artificial intelligence, is adding ever more complexity across the digital landscape.
This emergence of next-generation technologies (NGTs) makes it hard for IT and security teams to keep up. According to our 2018 study of NGT trends and issues, 78% of the participating IT professionals said security was a challenge associated with NGT adoption. 20% said they had experienced five or more breaches related to NGTs over the prior 24 months, resulting in data loss, IT outages, or compliance alerts. What was more revealing was that the cause of 85% of all NGT-related breaches involved privileged access—either authorized users unintentionally or intentionally doing inappropriate things or outsiders gaining privileged access to steal credentials.
Further complicating matters, an organization’s connected community now extends well beyond employees to include vendors, contractors, cloud services providers, and others who have various levels of authority to access digital resources.
Adopting a Privilege-Centric Approach
There’s no turning back the clock when it comes to our expanding and increasingly complex digital footprint. It’s time for organizations to get serious about placing their privileged accounts under tight control, regardless of their digital presence. To this end, a partial or piecemeal solution won’t do. Organizations require a comprehensive approach to privileged access management (PAM) that encompasses not just the full community of credentialed users but also the many technologies and systems—existing and emerging—that they can access.
As with almost any other cybersecurity solution, the first step to a successful PAM deployment is to perform a comprehensive inventory of your organization’s digital assets, processes, and—in this case—privileged accounts. Only after completing this initial discovery process can you perform a detailed risk analysis that identifies the most valuable or most sensitive data and systems, along with the most likely threats to their security.
Another major element of a successful PAM strategy is controlling user and application access rights as securely as possible. Often that means rescinding existing privileged credentials if a user’s or application’s need to access sensitive resources should be limited. By enforcing least privilege and appropriate credential usage and providing the lowest level of actual privileges needed to perform a task, some PAM solutions can help control mushrooming numbers of privileged accounts.
PAM solutions can also block access on the fly, by inspecting scripts; verifying commands; and, in some cases, performing dynamic vulnerability management. The goal is to reduce an asset’s risk, whether targeted via a privileged attack vector or through a vulnerability and exploit combination. With 80% of attacks traced to privileged credentials, deploying a comprehensive PAM solution is among the most effective ways to greatly reduce the risk of cyber breaches, regardless of the attack vector.
Lastly, organizations need to take a risk-based approach to planning, prioritizing, and implementing PAM solutions. Organizations new to PAM may consider applying a PAM layer to their traditional business infrastructure and processes, or they may opt to prioritize deployment for the NGTs that pose the greatest risk. In either case, it’s crucial to select a PAM solution that provides the flexibility and capability to not only address current challenges but also grow and mature in step with evolving business needs.
The Answer—A Sophisticated Solution
To provide these and other advanced PAM functions, organizations should consider a fully integrated and comprehensive PAM platform that provides one set of interfaces for password and session management, privilege management, and vulnerability management. The solution should also be able to be deployed in any format: as software; as a virtual or physical appliance; or as a cloud service on Amazon Web Services, Microsoft Azure, or Google Cloud.
By deploying multiple platform components as software or appliances, organizations can scale their solution to accommodate any environment by using a simple, role-based model for features, functions, and secure architecture. Such an extensible-platform approach can provide best-of-breed capabilities to protect privileges across traditional, emerging, and next-generation technologies.