Goodbye perimeter, hello privileged access
Over the past few years, there have been drastic changes to how we perceive and define the perimeter – and how we secure the perimeter, users and identities.
Way back in 2008, identity was identified as the new perimeter, held forth by those who saw what the future held: that cloud was a disruptive force that would forever change the nature of IT security. The controls that organisations had invested in to secure their data centres would no longer be effective; they had to look to identity. Here we are, 13 years later, and there is no more perimeter
Christiaan Swanepoel, Identity Director at Secured Identity Technologies, says: “Identity is your best line of defence. It touches every individual, every application, every system, every platform and every piece of data. When someone asks why identity projects are so costly, it’s because of their reach, but this is still far less costly than a breach or the mass exfiltration of your data.”
As organisations seek to redefine the perimeter in today’s work-from-anywhere world, the nature of risk has been completely redefined. It’s no longer possible to protect the organisation and its IP using fixed security measures and processes; instead, organisations require a security approach that secures everyone and everything at the same time. “The simplest solution is to secure the identities within an organisation,” says Swanepoel.
The term identity management has grown to encompass everything from privileged account management, secure access management and data governance to identity life cycle management. All of these are connected to securing identities. Today, more than ever, organisations find themselves not fully covering their cyber security risks for all users in the organisation. Yet all of this should be part of the IAG programme.
Driving a planned IAG programme in any organisation can be a big task for IT teams to embark on, and Swanepoel advises that instead of trying to tackle everything at once, it be broken down into bite-sized chunks. “Look at the risk associated with privileged accounts and apply access methodologies to them. Focus on securing those accounts. Identify the privileged activities that employees are conducting using these accounts. Privileged accounts have always been on the back burner of IT. Typically, passwords aren’t changed on system administrator accounts, for instance, but if that password is exposed, it poses far more risk to the organisation than if an individual user’s password is exposed. If organisations can focus on protecting privileged user accounts, they can secure a lot of risk. They can expand to all other users and identities at a later stage.”
Swanepoel says: “It’s common knowledge that insider threat actors use privileged accounts that are rogue or dormant to gain access to intellectual property. An article in Forbes quotes an IBM study as finding that nearly three-quarters (74%) of the breaches happening in the world right now are owing to privileged access.
“It’s key to secure those identities first, not just monitoring them, but applying good governance, ie, determine if the access is relevant and revoke access where needed to ensure that valid informational accounts and system administrator accounts exist on separate systems. Securing privileged accounts starts with defining who should have access, but also paying attention to who requires access to data that’s covered by the POPI Act.”
Often this is the last hurdle to be tackled as part of an IAG programme, but it should be the first step. The organisation also needs to be able to prove that it’s reviewing access on a regular basis. “Users generally want access to as much as possible, which results in access sprawl. As employees move through the company, over time they’re bound to gather access to a lot of sensitive information, but it’s never reviewed and/or revoked as the person moves along. The access accumulates over the years, which becomes a risk as the passwords are probably written down somewhere. If you deploy access methodologies, access becomes automated and most users don’t even realise that their additional accesses have been revoked.”
Zero trust and just in time access are the latest buzz words used to define how an organisation should be handling privileged access identities within the IT ecosystem, but they don’t tell you how to get to that point. Both terms mean that you simply shouldn’t have access unless you need it. However, the user will be impacted if they can’t access something that they need, and that they always used to be able to access, and the terms don’t tell you how to solve for this challenge.
Read more about how the next generation of technologies make zero trust easier to attain by downloading this white paper on the subject.