In the second article of our five-part series on the Zero Trust Organization, “Identity and Authentication in the Zero Trust Environment,” we discussed how organizations can create a repository of trusted identities, and authenticate them when granting access to data, applications, and the network. A Zero Trust environment is built on a never-trust/always-verify approach to all entities and transactions in the enterprise. Protections must be applied at four levels: user, application, data, and network. In this article, we describe the critical role of securing, protecting, and managing privileged access.
Privileged Access is Essential but Ripe for Abuse
Today, it has become too easy for attackers to steal identities and gain account credentials that allow them to access applications, data, servers, operating systems, databases, and physical devices (laptops, smartphones, and sensors in IoT networks). Even applications in the cloud are not safe. When the account an attacker steals has privileged access, the potential for damage is even greater.
Privileged access encompasses access to systems and applications via all non-human service accounts, shared accounts, and administrative accounts. Privileged access is a double-edged sword: it is an essential tool for system administrators to keep their organizations’ engines running, perform upgrades, and enforce security measures; however, by providing direct access to business-critical and sensitive data, intellectual property, and other valuable assets, these accounts can be used to breach networks and applications, and compromise servers.
Indeed, privileged accounts are themselves some of an organization’s most valuable assets. When compromised, privileged access can expose sensitive data to theft, allow malware to be installed on critical hosts, and do considerable harm to an organization’s operations, financials, and brand value. And, according to Forrester’s 2016 Q3 report on privileged identity management, 80% of security breaches involve privileged credentials.
Today, privileged access abuse by insiders and malicious actors is happening more frequently and causing increasing damage. For example:
- Famously, a systems administrator contracted to the National Security Agency used his access in 2013 to release thousands of documents revealing classified U.S. intelligence programs and secrets.
- In 2016, Yahoo revealed that breaches in 2013 and 2014 exposed the accounts of 1 billion users, and the FBI suggested that the breach began with a phishing attack that used stolen privileged credentials to install malware on an employee’s workstation.
The common thread running through these high-profile and damaging breaches is privileged access. They would not have been possible without the use or theft of legitimate privileged credentials.
The Critical Role of Privileged Access Management (PAM)
In today’s cyber environment, stolen and misused privileged accounts – and the access they afford to sensitive and critical data and hosts – can be used to inflict tremendous damage. Accordingly, a Zero Trust Organization ensures effective governance to secure privileged access.
Effective PAM is made possible through a two-phase approach:
- Deploy foundational PAM capabilities. Lay the foundation for your PAM program with a detailed assessment, roadmap, product selection, and a functional baseline implementation. This foundation should also include a formal, documented strategy that details the business’s processes and technologies and includes information that can account for typical user behaviors. The basic implementation should also cover password management, account rotation, and access remediation for targeted systems and platforms.
- Extend PAM through tailored integrations. Deliver tailored initiatives and integrations based on the organization’s PAM program priorities and designed as part of a defense-in-depth strategy. This would include service account management, session/keystroke logging, fine-grained access policies, DevOps secrets management, and enterprise-level privileged access monitoring.
In a Zero Trust Organization, all administrative traffic is funneled through a PAM tool, ensuring the effective implementation of an organization’s cybersecurity policies. A PAM tool represents a chokepoint of trust and, when properly implemented, immediately adds significant value in improving the organization’s security posture.
Implementing a PAM tool reduces the likelihood of privileged credentials being compromised or misused in both external breaches and insider attacks. Such tools also help reduce the impact of an attack when it occurs by radically shortening the time during which the organization is unaware that it is under attack or being subverted. Cloud security, anomaly detection, and securing the software development lifecycle can also be addressed with a PAM tool, as can regulatory compliance and operational efficiency.
A successful PAM tool implementation results in:
- Centralized privileged account authentication: Privileged account authentication and privileged identity assurance are centralized in the PAM tool, decreasing the need to add multifactor authentication (MFA) or other advanced authentication capabilities independently to every system. This enhances operational efficiency, improves employee morale, removes friction from business processes, and reduces costs.
- The end of anonymity: When even shared and built-in accounts (both local and global) are no longer anonymous, all activity associated with those accounts can be tied to a trusted identity. This provides a more accurate baseline of normal vs. anomalous behavior for that identity – a powerful behavioral weapon against fraud and malfeasance. (See “Identity and Authentication in the Zero Trust Environment.”)
- Real-time preventive controls: The PAM tool blocks commands or activities that violate the organization’s policies and rules, and then sounds an alert, as necessary. For example, if a system administrator with access to a server’s root account executes a command that violates the organization’s security policies, that account can be blocked and locked automatically. Furthermore, back-end and administrative access to applications and data is monitored, and inappropriate access attempts are flagged and prevented, in line with the organization’s policies.
- Improved threat analytics: Analytics within the PAM tool identify anomalous activity and alert security personnel. Real-time activity and log data from a PAM tool can be integrated with cross-platform security analytics platforms to support the organization’s threat detection and security operations.
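
The sketch below illustrates the “end of anonymity” and “real-time preventive controls” outcomes together. It is an added example, not code from any PAM product or from this article’s authors. The `Broker` class, the deny rules, and the user, account, and host names are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical deny rules standing in for the organization's command policy.
DENY_RULES = [
    ("disable-audit", re.compile(r"\bsystemctl\s+(stop|disable)\s+auditd\b")),
    ("clear-history", re.compile(r"\bhistory\s+-c\b")),
    ("read-shadow", re.compile(r"/etc/shadow\b")),
]

@dataclass
class Broker:
    checkouts: dict = field(default_factory=dict)  # shared account -> named identity
    locked: set = field(default_factory=set)
    audit: list = field(default_factory=list)      # feed for analytics / SIEM

    def _log(self, identity, account, action, outcome):
        self.audit.append({"identity": identity, "account": account,
                           "action": action, "outcome": outcome})

    def checkout(self, identity, account):
        # One named holder per shared account, so activity is never anonymous.
        ok = account not in self.locked and account not in self.checkouts
        if ok:
            self.checkouts[account] = identity
        self._log(identity, account, "checkout", "granted" if ok else "denied")
        return ok

    def run(self, account, command):
        identity = self.checkouts.get(account)
        if identity is None:
            self._log("unknown", account, command, "denied:no-checkout")
            return "denied"
        for name, rx in DENY_RULES:
            if rx.search(command):
                # Policy violation: block the command, end the session, lock the account.
                self.locked.add(account)
                del self.checkouts[account]
                self._log(identity, account, command, f"blocked:{name}")
                return "blocked"
        self._log(identity, account, command, "allowed")
        return "allowed"  # a real broker would forward the command to the host here

def demo():
    # Constructed session: alice checks out a shared root account on a sample host.
    b = Broker()
    b.checkout("alice", "root@db01")
    cmds = ("systemctl status postgresql", "systemctl stop auditd", "uptime")
    return b, [b.run("root@db01", c) for c in cmds]
```

Every audit record carries the named identity that held the shared account at the time, which is what lets downstream analytics baseline behavior per person rather than per account.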
The Verizon 2018 Data Breach Investigations Report ranked privileged account access misuse second only to denial-of-service attacks among the most prevalent causes of cybersecurity breaches and incidents. PAM tools are critically important in a Zero Trust Organization, but they are not sufficient in themselves. They must work together with identity governance, authentication, application security, network security, and cloud security. When they do, they ensure an effective, secure Zero Trust Organization.
Our next article takes a close look at application and data security in the Zero Trust Organization.