Establishing PAM in a post-COVID perimeter

Joseph Carson, Chief Security Scientist and Advisory CISO at ThycoticCentrify, delves into privileged access management (PAM).

Privileged access management is one of the most crucial elements of network security but can often become a time-consuming exercise if the supporting procedures are not in place. Security professionals are already run off their feet by the sheer number of responsibilities on their plates, but when the traditional network perimeter is dissolving around them, establishing resilient security for user accounts with access to high-value assets has to be the priority.

If we apply the same concept to a more common scenario, its critical nature becomes glaringly obvious. How many people have a key to your house? You, a partner, a relative, maybe even a trusted neighbour? And would you ever feel comfortable giving unknown people unlimited access to your home? If you’re suddenly feeling far more reserved about how trusting you would be in this situation, then apply this to the network. Handing out privileged permissions as a standard to all user accounts, granting access to the most confidential areas of the network, is like handing out keys to a house.   

The past year and the shift to a hybrid working model have shown us that traditional access management solutions are no longer effective, so it’s time for businesses to re-evaluate.

What are the ongoing risks?

A threat actor’s primary goal is to gain access and acquire more privileges by taking over low-level user accounts and working their way up – by any means necessary. Weak security measures only make their job easier. Even though these risks are well known, millions of data files are left vulnerable due to password reuse and unrestricted privilege allocation. Whilst passwords are usually appropriate for securing email accounts, a far higher level of authorisation should be placed in front of confidential critical infrastructure or customer data, for example. And it’s this authorisation that must be carefully monitored and continuously verified.

Over the past year, we have witnessed some of the most damaging cyberattacks, most of which stemmed from stolen credentials. Stolen credentials can give criminals privileged access to sensitive areas of a company network, all because access permissions are not limited to those employees who genuinely need them. Managing these permissions has only grown in importance, especially given the changes around what we now consider the network boundary.

How do we define this new perimeter?

Digital transformation and remote working models have disbanded what we once considered a network perimeter. One of the biggest challenges for organisations is understanding where their new network and security perimeter starts and stops. Firewalls and endpoints are often still seen as the boundary, but this outdated perception omits the user’s social sphere – the society around us. With a large majority of employers opting for a hybrid working model indefinitely, the security offered within the four walls of an office is no longer applicable, and identity and authorisation now become the boundary line.

Additionally, in order to ensure each employee remains secure in their home office, companies must also address their respective social environments. Deploying antivirus software on each company device, for example, will only go so far towards reducing the risks. If this device is connected to a home network, along with several other less protected devices, then the company is still at risk and visibility over the evolving threats is significantly lower. Employees have essentially become their own corporate office, so they must be supplied with the necessary tools to reduce the risks.

When it comes to re-establishing control over the entire network, security teams should revisit the permissions granted to different applications and ensure all future authorisations are based on the principle of least privilege. Identity is the new perimeter and access has become the main security control, so the security procedures must be measured against the new environment.

Re-establishing your strategy 

The key to launching a comprehensive security framework that works symbiotically with user productivity and experience lies with three components: interoperability, automation and orchestration. When it comes to managing privileged access, teams cannot afford to cut corners.

All three components are crucial when establishing an effective PAM model. Managing privileged accounts is a huge undertaking, with some businesses holding thousands of credentials across their network and very few existing processes in place to help. Every company is different so there isn’t a one-size-fits-all solution – teams must evaluate the integration and interoperability of the multiple layers of their defence before beginning.

Automation plays an important role in access management, especially in a modern world where machine identities are communicating with each other faster than humans can blink. Considering the sheer volume of privileged credentials that need assessing, it would take huge amounts of time to complete the task manually. Any security approach that impedes user productivity is working against the overall business objective. Managing authentications and other secure access processes can be guided by automated policies that run 24/7 in the background, and in conjunction with other layers of the security stack.

Establishing a least privilege approach to access management is the best way for businesses to reduce the risk of compromised credentials. If one single login can cause the collapse of business networks, then it’s important to make sure that all credentials are as controlled as possible. If we use the house analogy again, developing one key that can unlock every single door and window is a major security risk. So, in the same way that you wouldn’t have one master key to your home – or share those keys with anyone and everyone – all permissions should be tightly controlled and restricted. Limit access based on time and scope, and you reduce the risk. Replacing persistent privileges with on-demand privileged access that is continuously verified can reduce the risks from cyberattacks significantly.
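The time- and scope-limited, continuously verified access described above can be sketched in a few lines. This is an added illustration, not code from the article or from any PAM product; the `JITBroker` class, the scope strings and the one-hour ceiling are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

MAX_TTL_SECONDS = 3600  # assumed policy ceiling: no grant outlives one hour


@dataclass
class Grant:
    user: str
    scope: frozenset      # the only actions this grant covers
    expires_at: float     # absolute expiry time
    revoked: bool = False


class JITBroker:
    """Hypothetical on-demand privilege broker: nothing is held persistently."""

    def __init__(self, entitlements, clock=time.time):
        self.entitlements = entitlements  # user -> set of scopes they may request
        self.clock = clock
        self.grants = {}
        self.audit = []                   # every decision is recorded

    def request(self, user, scope, ttl):
        scope = frozenset(scope)
        allowed = self.entitlements.get(user, set())
        # Refuse empty scopes, scopes beyond entitlement, and over-long lifetimes.
        if not scope or not scope <= allowed or not 0 < ttl <= MAX_TTL_SECONDS:
            self.audit.append(("deny-request", user, sorted(scope)))
            return None
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(user, scope, self.clock() + ttl)
        self.audit.append(("grant", user, sorted(scope)))
        return token

    def authorize(self, token, action):
        # Re-verified on every use: revocation, expiry, scope, current entitlement.
        g = self.grants.get(token)
        ok = (g is not None and not g.revoked
              and self.clock() < g.expires_at
              and action in g.scope
              and action in self.entitlements.get(g.user, set()))
        self.audit.append(("allow" if ok else "deny", g.user if g else None, action))
        return ok

    def revoke(self, token):
        if token in self.grants:
            self.grants[token].revoked = True
```

Because `authorize` checks the user's current entitlements as well as the grant itself, removing an entitlement takes effect on the next call rather than when the grant expires.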

