Recently, CyberArk’s Impact 2019 conference was held in Amsterdam, attended by some 1,000 security practitioners with an active focus on the privileged account security space. The event also afforded analysts the opportunity to quiz the company’s executives as well as some of its customers.
Insufficient attention paid to identity management
Privileged account security fits into the identity and access management technology stack. Managing identities and associated entitlements is essential since hacking identities is an increasingly common tactic used by adversaries who are looking for entry into an organisation’s network. Most threats seen are to do with identity.
Published recently, the 2019 edition of the Data Breach Investigations Report confirms this. It found that 80% of breaches related to hacking involve the use of compromised or weak credentials and 29% of all breaches, regardless of the type of attack, involve the use of stolen credentials. Yet Gartner has found that spend on identity and access management accounts for just 8.5% of overall spend on IT security in 2019.
Guarding the crown jewels
Credentials govern the ability of a user to access certain resources to which they are entitled to fulfil their roles. The higher the level of entitlement, the greater the risk to an organisation should those credentials be compromised. As entitlement levels are notched up, greater access is granted to critical and high value assets of an organisation, including its sensitive and proprietary data—the crown jewels of the organisation. This is what is termed privileged access. Privileged access is the most targeted since it gives access to the most valuable information.
Once, privileged access was considered to be the preserve of administrators, charged with keeping the systems running. Today, technology innovations mean that privileged access is everywhere. As the technology landscape has expanded to encompass cloud, mobile devices, virtualisation, containers and DevOps environments, so have the volumes of privileged credentials to guard access, secrets and communications. Privileged access security technologies must work across all these environments, as well as traditional on-premise applications.
Privileged access security technologies have become mission critical as they protect the underlying infrastructure of any organisation. They are foundational in terms of any information security programme, but work best when tightly integrated with other security controls such as SIEM systems, firewalls and intrusion prevention systems. Whilst data protection and privacy regulations are driving greater interest in these technologies, including the need for public disclosure of breaches of personal data, achieving higher levels of overall security is a must for any organisation.
Advice from the trenches
According to CyberArk’s customers, any security technology implementation must be an enabler, not a roadblock. And this is certainly true of privileged account security deployments, where users must adopt certain new ways of doing things. The user experience must be as intuitive as possible so that users are not put off. To encourage take-up, one of the customers stated that white-labelling the technology under its own brand was key to engaging users. Speaking frankly, he said that most users are not au fait with the benefits of many individual technologies, nor with the particular vendor that offers them. By positioning the implementation as a service being offered by the employer, more are likely to buy into it.
Another necessity for a successful rollout is to provide self-service capabilities. When first implementing CyberArk, one customer found that a request for a credential could take up to two days, which is far too dictatorial an approach. By taking a user-first approach, acceptance improved rapidly.
Another important factor in implementation is to get users to move away from the mindset that, once they have been granted a credential, it is theirs and they should keep it. With a self-service approach, everyone can be given their own personal safe, from which they can check out credentials as and when needed. In this way, they will not need to be provided with privileged credentials that are hard to maintain as entitlements change. Rather, they are provided with access to pooled generic accounts that can be rotated as frequently as required, even so that credentials can only be used once.
One other thing to consider in any implementation is to combine the use of secure credentials with multifactor authentication, which will prevent an attacker who is using stolen credentials from accessing sensitive resources. The additional authentication factor acts as proof of a person’s identity and should be used especially for all attempted access to systems containing critical assets.
Give privileged account security the attention that it deserves
For any privileged account security programme, change management is required. It is not a plug-and-play implementation, but rather needs to be carefully managed. It must be pervasive throughout the organisation so that there are no blind spots, and everyone in the organisation must be made aware of its importance. In most organisations, a security executive will be an advocate, but it is best to ensure that the programme is signed off at board level via the chief technical, information or risk officer if the security executive does not have that power. This will not only ensure that adequate budget is available, but will help to give the programme the visibility that is required.
As networks continue to expand, the need for privileged account management is growing and will continue to do so for the foreseeable future. As the penalties for data breaches soar, especially for those involving personal data, privileged account security is a vital part of any organisation’s security arsenal.