As part of the first-ever IAM Insight Jam, we’re having identity and access management experts share their expertise, knowledge, and more in guest blog posts! For this post, we had five cybersecurity leaders from privileged access management provider Centrify share their opinions on modern privileged access.
Here’s what they had to say!
5 Truths About Modern Privileged Access from Centrify Leaders
In an era where we see an increasing amount of data breaches making headlines, clearly something is broken. Organizations either do not know the top threats they are facing, or they are ill-prepared to protect themselves from cyber-attacks. We asked five of our leaders to each draw from their expertise to share one truth about modern privileged access.
1. Cyber-Attackers No Longer “Hack” In – They Log In
Dr. Torsten George, Cybersecurity Evangelist
The word “hacker” is almost obsolete. Nowadays they simply look for the easiest way into a corporate network using weak, default, stolen, or otherwise compromised passwords.
We know that 74% of data breaches involve privileged access abuse. Those “keys to the kingdom” are what the cyber-attackers are after, so they can access critical systems for profitable data to sell on the Dark Web. So what do they do?
First, they get into the corporate network. That was easy. All it takes is one person using a weak password or, worse, giving it over to the attacker via a phishing scheme.
Second, they hunker down and fan out. It’s easy to be patient when you look like a legitimate user. They scan the network, move laterally, and hunt for privileged accounts and their credentials. They take their time doing this, so they do not raise alerts, but in many instances, this can take just a few days, if not hours.
Finally, they elevate their privilege, access a sensitive host, or worse, compromise a high-value target like a domain controller. Then they extract the data and cover their tracks.
This is the new reality of “hacking.”
2. Cloud Security is a SHARED Responsibility
Tony Goulding, Sr. Director – Technical Marketing
As they move workloads to the cloud, many organizations are under the impression that the security of these workloads and data will be covered by Infrastructure-as-a-Service (IaaS) providers. Well, it doesn’t quite work that way.
Yes, the cloud service provider — like AWS, Microsoft Azure, and Google Cloud Platform — is typically going to embed a certain amount of security for the core infrastructure and services. But the reality is that cloud security is a shared responsibility between the organization and the IaaS provider. Securing operating systems, platforms, and data remains the responsibility of the customer, and so does securing access to those cloud workloads.
Most IaaS providers will also include some Identity & Access Management (IAM) tools to control access to workloads in their environment. But this stops at the virtual machine level. I.e., it doesn’t extend to the instance operating system to help control login and privilege elevation. It also introduces another silo of identities for the customer to manage.
Even if you find a balancing act, that line will change over time. If your organization is using a hybrid or multi-cloud strategy, those standalone access management tools won’t be of much use to you on other cloud platforms.
Your best option is to accept the shared responsibility model and invest in a modern, cloud-ready Privileged Access Management solution that can span across all of your resources, whether they are on-premises, in public clouds, or any mix in between.
3. DevSecOps and MSA: Built-In Security as You Run
David McNeely, Chief Strategy Officer
Everyone knows that DevOps is all about agility – go fast, keep obstacles out of the way, let developers innovate.
By now, however, most people know that no matter how fast you’re trying to get out of the way for innovation, you can’t leave security behind. It has to be built into the DevOps process. That not only means securing hundreds or even thousands of containers and microservices, but also securing the tools used by cloud ops such as Chef, Puppet, and Ansible as well as your IaaS provider. That’s what puts the “Sec” in DevSecOps.
The mistake we most often see is that people think these solutions are more contained than they are, and don’t bring forward best practices because of the assumption they have more boundaries than they actually do.
Each of these potential exposure points can be exploited by cyber-attackers. All it takes is one unsecured credential to a container and bad actors are in, and potentially have the ability to get out of the DevOps environment and into more sensitive areas of the corporate network. They need to be treated no differently than any other credential and properly controlled with privileged access.
4. The 80/20 Rule is Backwards in PAM
Jeremy Stieglitz, VP Product Management
We’re coming up on 20 years of tools that help administrators vault shared accounts, and in some ways, it has become the de facto 80% of Privileged Access Management is to vault away shared accounts.
We’re also seeing the stresses, strains, and breakings of that security approach to privilege. Workloads that get started and stopped within an hour. Sessions that need to be securely managed from a jump host (or bastion host). Resources that require credential tiering and alternative accounts. These are all scenarios that would be better served with an identity-centric approach to least privilege – Zero Trust Privilege.
Sometimes people end up in an 80/20 situation because it’s easier, but it doesn’t set you up for success going forward. For any direction you want to go – multi-cloud, DevOps and automation, secure remote access – identity-centric least privilege gives you the flexibility, accountability, and policy and risk control for the future.
5. Customers Know the Challenges They’re Facing…or Not?
Dean Thompson, Sr. VP – Customer Experience
When we talk to customers, we generally get the sense that they understand the urgency and the challenges ahead of them when it comes to enterprise security. How could they not? It seems like there is a data breach reported in the news every day.
But do they really know the actual risks or the expanding breadth of the threatscape before them, or do they know how difficult it can be to get executive buy-in to secure the perimeter-less enterprise?
When I speak to our customers, I hear any range of understanding about threats, where the actual risks lie, how to address them, and how much it’s going to cost. And that’s fine – it opens the door for conversation, and opportunities to educate, and hopefully to help guide them down the path to a stronger security posture.
We have the ability to not only educate our customers about the need for Privileged Access Management of their most critical systems but also about taking a Zero Trust approach to cybersecurity generally.
How to Learn More
Thanks to the leaders from Centrify for their time and expertise! You can see more insights like this in the IAM Insight Jam by following the #IAMInsightJam Hashtag on Twitter and LinkedIn. Also, check out our updated Privileged Access Management and Identity Management Buyer’s Guides.
Latest posts by Ben Canner (see all)
- 5 Critical Business Identity Governance Use Cases - January 24, 2020
- The 7 Best LinkedIn Identity Management Groups You Should Join - January 23, 2020
- The Benefits of Identity Management for Healthcare Businesses - January 21, 2020