As enterprise technology infrastructure and services continue to grow in complexity, the addition of a wider choice of innovative technologies — ranging from the cloud and big data to DevOps, IoT and automation — is significantly adding to the security burden for organizations everywhere. Despite the many compelling technical and business advantages these solutions and services offer, they have also made the challenge of securing networks and data more difficult than ever.
As a result, networks the world over are under sustained attack. From critical national infrastructure and services to businesses seemingly selected at random, cyberattacks are placing a huge financial and operational burden on public and private sector organizations. Indeed, the situation has recently become so serious that the U.S. Dept of Justice is giving ransomware attacks a similar priority to terrorism offenses.
In particular, concerns over identity and access management (IAM) are growing, and with both workloads and data volumes increasingly residing in the cloud, there has been an exponential increase in the number of human and machine identities. This fragmentation has provided cybercriminals with far greater opportunities to exploit infrastructure vulnerabilities, poor design, or out-of-date security solutions.
This situation often comes about when an application or system is not, or cannot be, integrated with an organization’s existing central directory service. To get around the problem, another set of user identities is typically created and managed to support access to that application or system.
This not only results in increased administrative overhead and associated costs, but often makes it significantly more difficult to enforce consistent security and compliance policies. In addition, this ‘identity sprawl’ also increases the likelihood that users will reuse their passwords across different services, leaving organizations even more vulnerable to credential spying, while also undermining their efforts to focus on best practices.
Privileged user accounts are of particular interest to attackers as they act as a gateway to the most valuable resources and data. These privileged accounts can often allow cybercriminals to operate under the guise of a trusted user, potentially going undetected for months. Perhaps the most notorious recent example of this kind of attack is the SolarWinds breach, where attackers were able to access and impersonate users and accounts across a huge number of victim organizations.
While this may eventually be viewed as a watershed moment in the protection of vital government networks - and by definition, everywhere else - it remains clear that organizations the world over remain extremely vulnerable to potential identity-based attacks.
In response, organizations need a comprehensive approach to privileged access management (PAM) that meets the needs of both infrastructure and security teams. By focusing on identity consolidation and implementing Zero Trust principles with a centralized approach, for instance, organizations can protect their cloud-centric, hybrid enterprise networks and, in the process, deliver a consistent security model for privileged access that mitigates the risk of identity sprawl.
In doing so, there are five key priorities to consider:
1. Create a single source of truth by centralizing all identities
With a range of privileged access management solutions available, organizations should be looking for an option that offers the greatest degree of flexibility in the identity directory they use. They should, for instance, be able to connect UNIX and/or Linux systems to Active Directory using AD Bridging, but also be offered consolidation capabilities for IaaS environments that may form part of their extended cloud infrastructure. Ultimately, it shouldn’t matter which identity directory (e.g. Active Directory, Okta, Ping, etc.) they use, with the best PAM solutions offering a multi-directory brokering capability that allows users to be authenticated against any user directory.
2. Ensure all privileges are bound to identities
By binding all entitlements, permissions, and privileges to identities in an organization’s preferred directory, IT teams will not only see a reduction in administrative overhead, but also simplify the enforcement of consistent security and compliance policies. In contrast to using shared accounts, this also links individual accountability to each identity.
3. Provide federated access to resources
Federated access to resources, such as servers, databases, or cloud workloads, allows users to log in as themselves and always receive the appropriate permissions based on their roles. No more, no less. This ensures efficient workflows and promotes employee productivity.
4. Establish granular controls to ensure precise access rights
Implementing a least privilege approach should go hand-in-hand with privilege elevation to enforce granular access controls. In practice, this can mean temporarily granting extra roles and privileges so users can complete a task appropriate to their job function, but only providing just enough privileges for the exact amount of time it takes to complete the job in hand.
For example, it may be necessary to provide a Web administrator with access to systems running Web servers and related management tools, but these access rights should not extend to logging into machines that control other sensitive services, such as credit card transactions.
5. Disable permanent permissions after a task is completed
It’s vital that IT teams do not allow identities to have permanent or standing privileges beyond the requirement to provide elevated privileges for a set period of time to complete a task. Once the session is over, access rights should be immediately revoked, but with the option to easily re-enable access again if required. When implemented as part of a disciplined access management strategy, this also closes the window of opportunity for potential attackers if a user account has been compromised.
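As an added illustration of priorities 4 and 5 (this is example code, not from the article or from ThycoticCentrify), the following Python sketch models a just-in-time elevation broker: privileges are bound to a named identity, scoped to a role's resources, expire after a set time, and can be revoked or re-enabled explicitly. The identities, roles, host names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: each role may reach only its own set of hosts.
ROLE_SCOPE = {
    "web-admin": {"web-01", "web-02"},      # web servers and their tooling only
    "payments-admin": {"cardproc-01"},      # card-transaction systems only
}

class JitBroker:
    """Time-bound privilege elevation bound to an individual identity."""

    def __init__(self):
        self.grants = {}   # (identity, role) -> expiry time (UTC)
        self.audit = []    # one line per decision, for later review

    def elevate(self, identity, role, minutes, now):
        """Grant `role` to `identity` for `minutes`; calling again re-enables an expired grant."""
        if role not in ROLE_SCOPE:
            raise ValueError(f"unknown role {role}")
        self.grants[(identity, role)] = now + timedelta(minutes=minutes)
        self.audit.append(f"{now.isoformat()} ELEVATE {identity} {role} {minutes}m")

    def revoke(self, identity, role, now):
        """Explicit revocation at session end (or on suspected compromise); idempotent."""
        self.grants.pop((identity, role), None)
        self.audit.append(f"{now.isoformat()} REVOKE {identity} {role}")

    def can_access(self, identity, resource, now):
        """Allow only if a still-valid grant's role scope includes the resource."""
        for (ident, role), expiry in self.grants.items():
            if ident == identity and now < expiry and resource in ROLE_SCOPE[role]:
                self.audit.append(f"{now.isoformat()} ALLOW {identity} {resource} via {role}")
                return True
        self.audit.append(f"{now.isoformat()} DENY {identity} {resource}")
        return False

def demo():
    """Walk through the article's web-administrator scenario; returns each access decision."""
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    b = JitBroker()
    b.elevate("alice", "web-admin", minutes=30, now=t0)
    results = {
        "web_in_window": b.can_access("alice", "web-01", t0 + timedelta(minutes=10)),
        "card_in_window": b.can_access("alice", "cardproc-01", t0 + timedelta(minutes=10)),
        "web_after_expiry": b.can_access("alice", "web-01", t0 + timedelta(minutes=31)),
    }
    b.elevate("alice", "web-admin", minutes=15, now=t0 + timedelta(minutes=40))  # re-enable
    results["web_reenabled"] = b.can_access("alice", "web-01", t0 + timedelta(minutes=45))
    b.revoke("alice", "web-admin", t0 + timedelta(minutes=50))  # session over
    results["web_after_revoke"] = b.can_access("alice", "web-01", t0 + timedelta(minutes=51))
    return results
```

Every decision, including denials, lands in the audit list so that a standing grant that should have expired, or an attempt to reach a card-processing host from a web-admin grant, is visible to reviewers.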
With identity sprawl currently an almost inevitable consequence of today’s complex hybrid and highly connected networks, organizations that lack comprehensive access controls are at much greater risk of falling victim to an attack that compromises their sensitive resources and data. Without more effective protection, there remains a very real risk that cybercriminals will continue to focus on the vulnerabilities caused by the explosion in the volume of machine and human identities.
But by addressing these issues, organizations can more confidently restrict access to authorized people at the right time and at the appropriate level. In doing so, they can effectively close down many of the potential avenues of attack that have become so effective for cybercriminals, aggressive foreign powers and highly motivated activists.
Kamel Heus, VP EMEA, ThycoticCentrify