Security risk from identity sprawl

As companies increasingly use new technologies such as the cloud, big data, DevOps, containers or microservices, this growing complexity also poses new challenges for identity and access management.

With these emerging technologies, workloads and data volumes grow and increasingly reside in the cloud. This increases the number of human and machine identities exponentially. In order to contain these new attack surfaces, it is therefore essential to centralize fragmented identities across a hybrid company infrastructure and to enforce a consistent security model for privileged access.

The dangers of identity sprawl

With identity sprawl, the identity of a user is managed by several isolated systems or directories that are not synchronized with one another, which leads to multiple identities for each user and thus to potentially unsecured attack surfaces. This situation often arises when an application or system is not, or cannot be, integrated into the company's central directory service. A separate set of user identities then has to be maintained to support access to that application or system. This increases administrative effort and the associated costs and can make the enforcement of uniform security and compliance guidelines considerably more difficult. Identity sprawl also carries the risk that users will reuse their passwords across different services, leaving companies vulnerable to credential theft.

Privileged user accounts in the crosshairs

Privileged user accounts with extensive authorizations are particularly in the crosshairs of attackers, because these accounts provide the key to valuable data and company resources and enable cyber criminals to act under the guise of a trustworthy user and possibly remain undetected for months. Conversely, limiting the number of privileged accounts in an organization reduces the attack surface and the risk of abuse by malicious insiders or outside threat actors.

In order to meet today's requirements of infrastructure and security teams, a comprehensive approach to the management of privileged access, which focuses on the consolidation of identities and is based on zero trust principles, is therefore required. Here are five best practices that organizations can use to implement a robust identity consolidation and privilege elevation security strategy.

Five Identity Consolidation and Privilege Elevation Best Practices

1. Centralization of all identities in an Identity Directory as a single source of truth

The selected Privileged Access Management (PAM) solution should offer the greatest possible flexibility with regard to the identity directory used in the company. This means that it should not matter which identity directory (e.g. Active Directory, Okta, Ping, etc.) an organization uses. The technology should be able to connect UNIX and Linux systems to Active Directory using AD bridging, for example, but also offer consolidation capabilities for IaaS environments in the course of cloud transformation. Modern PAM solutions with multi-directory brokering capability make it possible to authenticate users against any user directory, centralize identity management and minimize identity sprawl.

2. Binding of all privileges to the identities in the preferred directory

Binding all rights, authorizations and privileges to identities in the company's preferred directory not only reduces the administrative effort, but also simplifies the enforcement of uniform security and compliance guidelines, because, in contrast to the use of shared accounts, individual accountability is linked to the respective identity.

3. Federated access to resources from the preferred directory

With federated access to resources (e.g. servers, databases or cloud workloads), employees can simply log in as themselves and always receive appropriate permissions. This ensures efficient work processes and promotes employee productivity.

4. Granular controls for just sufficient, time-limited access

Özkan Topal, Sales Director at ThycoticCentrify

Because of their high access rights, privileged accounts pose a serious threat to businesses if they fall into the hands of an attacker. Therefore, a least privilege approach should be followed in conjunction with privilege elevation in order to enforce granular access controls. Privilege elevation means temporarily granting the user additional roles and rights so that they can do a task that corresponds to their job function - with just enough privileges for exactly the time it takes to complete the work. For example, it may be legitimate to allow a web administrator to access systems running web servers and associated management tools. However, logging into machines that process credit card transactions is illegitimate and remains blocked.

5. No permanent permissions after a task is done

Companies should ensure that identities do not have permanent authorizations (zero standing privileges), but that the privileges are always increased just-in-time in order to perform the respective tasks within a limited period of time. For example, an employee may only access a specific server during business hours or for a specific time. After the session has ended, the access rights are withdrawn (however, a modern PAM solution should also be able to simply grant access again if necessary). This also closes the time window for possible attackers if a user account has been compromised.
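To make best practices 4 and 5 concrete, here is an added illustration (not the vendor's code or product) of a minimal just-in-time elevation model: access exists only as a scoped, time-boxed grant, is withdrawn when the session ends, can be re-granted on request, and every decision is recorded for monitoring. The role scope, the business-hours window, the identity "alice" and the resource classes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy (assumption): resource classes each job function may be elevated to; the web admin reaches web servers, never card-processing systems.
ROLE_SCOPE = {"web-admin": {"web-server", "web-mgmt"}, "dba": {"database"}}
BUSINESS_HOURS = (8, 18)  # elevation allowed 08:00-18:00 only (assumption)

@dataclass
class Grant:
    identity: str
    resource_class: str
    expires_at: datetime  # every grant is time-boxed; revocation simply moves this to "now"

class JitElevation:
    """Zero standing privileges: access exists only as an explicit, scoped, time-boxed grant."""
    def __init__(self):
        self.grants = []
        self.audit = []  # every decision is recorded so privileged access can be monitored

    def request(self, identity, role, resource_class, now, minutes=60):
        if resource_class not in ROLE_SCOPE.get(role, set()):
            self.audit.append((now, identity, resource_class, "denied: outside job function"))
            return None
        if not BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]:
            self.audit.append((now, identity, resource_class, "denied: outside time window"))
            return None
        grant = Grant(identity, resource_class, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self.audit.append((now, identity, resource_class, f"granted until {grant.expires_at:%H:%M}"))
        return grant

    def has_access(self, identity, resource_class, now):
        return any(g.identity == identity and g.resource_class == resource_class
                   and now < g.expires_at for g in self.grants)

    def end_session(self, grant, now):
        grant.expires_at = now  # rights withdrawn when the session ends; a new request re-grants
        self.audit.append((now, grant.identity, grant.resource_class, "revoked"))

def demo():  # walks the web-admin scenario; returns the access decisions in order
    pam, t0 = JitElevation(), datetime(2024, 3, 4, 10, 0)
    g = pam.request("alice", "web-admin", "web-server", t0)
    in_window = pam.has_access("alice", "web-server", t0 + timedelta(minutes=30))
    expired = pam.has_access("alice", "web-server", t0 + timedelta(minutes=61))
    card = pam.request("alice", "web-admin", "card-processing", t0) is not None
    night = pam.request("alice", "web-admin", "web-server", t0.replace(hour=22)) is not None
    pam.end_session(g, t0 + timedelta(minutes=10))
    after_end = pam.has_access("alice", "web-server", t0 + timedelta(minutes=15))
    regrant = pam.request("alice", "web-admin", "web-server", t0 + timedelta(minutes=20)) is not None
    return in_window, expired, card, night, after_end, regrant
```

`demo()` returns, in order: access inside the window, access after expiry, the card-processing request, the out-of-hours request, access after the session was ended, and the re-grant.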

Due to the increasing complexity of corporate infrastructures, comprehensive controls are required today as to who has access to sensitive resources and data, to what extent and for what period of time. Identity consolidation and privilege elevation ensure centralization of identities and granular control and monitoring of authorizations. This reduces the identity sprawl and the associated security risks, reduces the administrative effort and increases the productivity of the employees. With this approach, organizations can ensure that only authorized people, machines, or services have access to the right resources at the right time and for the right reasons.

More at Centrify.com



About ThycoticCentrify

ThycoticCentrify is a leading provider of cloud identity security solutions that enable digital transformation at scale. ThycoticCentrify's industry-leading Privileged Access Management (PAM) solutions reduce risk, complexity and cost while protecting enterprise data, devices and code in cloud, on-premises and hybrid environments. More than 14,000 leading companies around the world, including more than half of the Fortune 100, trust ThycoticCentrify. Customers include the world's largest financial institutions, intelligence agencies and critical infrastructure companies. Whether human or machine, in the cloud or on-premises, with ThycoticCentrify privileged access is secure.
