Zero Trust against identity fraud


Due to increased remote work, IT administrators, security teams and regular employees currently depend heavily on remote access to corporate systems, DevOps environments and applications. This gives threat actors a much larger attack surface for identity fraud.

Digital identities have proven to be the weapon of choice for cyber criminals. If a company's privileged users routinely use shared privileged accounts for access - especially remotely via a VPN - any attacker who compromises these credentials gains, in the worst case, extensive access to business-critical data and resources. Moreover, privileged users are not the only ones at risk. Many cyberattacks target regular employee accounts in order to use them as a foothold for reconnaissance of the network.

With this in mind, companies should review the impact of a decentralized workforce, external contractors, and the growing attack surface from a highly distributed IT infrastructure, and consider implementing new zero trust strategies to better respond to these new dynamics.

Zero trust strategy for human and machine identities

With the zero trust model, no actor who requests access to the company's sensitive data, applications or infrastructure is trusted from the outset. However, security measures shouldn't stop at the identities of human users. Non-human identities and service accounts for machines, applications and other workloads increasingly make up the majority of the "users" in many companies. This is especially true in cloud and DevOps environments, where developer tools, containerized applications, microservices and elastic workloads - all of which require identities to communicate with one another - play a dominant role. To improve their identity-based security posture, companies should therefore concentrate on managing privileged access rights according to a zero trust approach.

Zero trust security through Privileged Access Management (PAM)

The traditional network perimeter is disappearing as users and IT resources become more and more geographically dispersed. As a result, it is no longer practical to base access decisions on simple concepts such as "trusted users are inside the perimeter and untrustworthy users outside", or to use IP addresses to make this distinction. Organizations need to assume that threat actors are already inside their systems. The outdated "trust but verify" approach has to become "never trust, always verify".

"Never trust" means that legitimate administrators no longer have carte blanche to access privileged accounts. Instead of using shared privileged accounts such as root and local administrator at will, admins use their personal company account, which has been vetted by the HR department and carries only basic rights. This prevents fatal errors and reduces the impact if an attacker compromises this account. The PAM security controls can then selectively grant elevated privileges as the situation requires, based on centralized roles and policies. Rather than letting identities hold full permissions all the time, this least privilege approach reduces security risk while still allowing legitimate administrators to get their jobs done by requesting just enough privileges, just-in-time and for a limited period. To ensure effective protection, companies must apply this approach consistently to all IT resources, whether in the data center, in the demilitarized zone (DMZ), in a virtual private cloud or in multi-cloud environments.

By implementing this zero trust approach for PAM using least privilege access controls, companies minimize their attack surface, improve audit and compliance transparency and reduce risks, complexity and costs.

Important steps on the way to good zero trust

PAM is a multi-layered technology, but companies can achieve significant security advances with just a few basics and then continuously improve their zero trust maturity level by gradually implementing more advanced functions. The first important steps are improved password hygiene, securing shared privileged accounts and enforcing multi-factor authentication (MFA) for administrators.

1. Good password hygiene for human and machine identities

A single compromised password can potentially damage the entire company. High-entropy passwords that are difficult to crack are therefore essential. Frequent password rotation also shrinks the time window available to a potential attacker. This applies just as much to non-human accounts, whose passwords are rarely changed for fear of breaking an application or service. PAM can be used to manage these accounts centrally and apply a common rotation policy. These solutions can use a multiplexed account function to ensure that the new password is synchronized on all dependent computers before the rotation takes effect, reducing the risk of application failure.
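The rotation flow described above, as an added example that is not part of the original article or any vendor's product code: a service account password is used by several dependent hosts, so the rotation runs in two phases. The new secret is staged on every dependent first, and the account password is only switched once all of them have confirmed; if any dependent cannot be reached, nothing changes. The hosts, the account and the dependents are in-memory stand-ins constructed for the example.

```python
"""Added example (not ThycoticCentrify code): two-phase rotation for a
service account whose password is used by several dependent hosts, so that
no dependent is ever left holding a stale credential."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32) -> str:
    """High-entropy password from the OS CSPRNG (about 6.5 bits per character)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Dependent:
    """A host or service that authenticates with the shared account password
    (constructed stand-in for a real configuration store)."""
    name: str
    configured_password: Optional[str] = None
    staged_password: Optional[str] = None
    reachable: bool = True

    def stage(self, new_password: str) -> bool:
        """Phase 1: deliver the new secret without activating it."""
        if not self.reachable:
            return False
        self.staged_password = new_password
        return True

    def commit(self) -> None:
        """Phase 2: switch to the staged secret."""
        self.configured_password = self.staged_password
        self.staged_password = None


@dataclass
class ManagedAccount:
    name: str
    password: str
    rotated_at: datetime
    max_age: timedelta
    dependents: List[Dependent] = field(default_factory=list)

    def is_due(self, now: datetime) -> bool:
        """Rotation policy: the password may not be older than max_age."""
        return now - self.rotated_at >= self.max_age


def rotate(account: ManagedAccount, now: datetime) -> bool:
    """Rotate the account password across all dependents.

    Returns False, with account and dependents unchanged, if any dependent
    could not take the new secret; a half-applied rotation would break the
    application that relies on the account."""
    candidate = generate_password()
    staged = [d for d in account.dependents if d.stage(candidate)]
    if len(staged) != len(account.dependents):
        for d in staged:
            d.staged_password = None   # roll back phase 1 everywhere it succeeded
        return False
    for d in account.dependents:
        d.commit()
    account.password = candidate
    account.rotated_at = now
    return True


def demo() -> dict:
    """Constructed scenario: one successful rotation, then one dependent goes
    offline and the next rotation is refused rather than half-applied."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    deps = [Dependent("app-server-1"), Dependent("batch-runner-2")]
    svc = ManagedAccount("svc-backup", "initial-pw", t0, timedelta(days=30), deps)
    due = svc.is_due(t0 + timedelta(days=31))
    first = rotate(svc, t0 + timedelta(days=31))
    consistent = all(d.configured_password == svc.password for d in deps)
    deps[1].reachable = False
    before = svc.password
    second = rotate(svc, t0 + timedelta(days=62))
    unchanged = svc.password == before and all(d.staged_password is None for d in deps)
    return {"due": due, "first": first, "consistent": consistent,
            "second": second, "unchanged": unchanged}


if __name__ == "__main__":
    print(demo())
```

The rollback in `rotate` is the point of the multiplexed approach: a dependent that stages but never commits keeps working with the old password, and the account itself is only changed once the fleet is consistent.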

Since humans are still the weakest link in the security chain and are therefore one of the main targets for attackers, ongoing security training should be mandatory for all users, not just administrators.

2. Multi-factor authentication for administrators

Another concrete step to strengthen identity security is the implementation of multi-factor authentication for all administrators. Even for attackers, time is money. Hence, additional security hurdles like MFA can lead an attacker to simply move on to the next potential victim.

The use of a physical authenticator (e.g. YubiKey, push notification or integrated biometric data such as Apple Touch ID) as a second factor represents a very high hurdle for attackers. This measure also stops bots or malware. Consistent use of MFA at multiple access points is essential.

3. Password vaulting

Identities with standing permissions pose a significant security risk. Linux systems in particular are a major source of local privileged accounts. The best method is to eliminate as many of these accounts as possible. The accounts that a company cannot eliminate should be kept in a password vault, with access restricted to emergencies only. These two measures already reduce the attack surface considerably. In the next step, administrators should be given only the permissions they need, just-in-time, when they need them.
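The just-in-time elevation model from the PAM section and the vaulting step above, as one added example that is neither the article's nor any vendor's code: admins sign in with their personal company account, which carries no standing admin rights; elevated privileges are granted per request, bounded by a central role policy and an expiry time; and shared accounts that could not be eliminated sit in a vault that is only opened with a justification. Every role, privilege, account name and policy value is constructed for illustration.

```python
"""Added example (not a PAM product's code): a minimal just-in-time (JIT)
privilege broker with a break-glass vault for the shared accounts that
could not be removed. Roles, privileges and durations are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Central policy: which role may request which privilege, and the maximum
# duration a single grant may have (constructed values).
ROLE_POLICY: Dict[str, Dict[str, timedelta]] = {
    "linux-admin": {"sudo:web-tier": timedelta(hours=2), "sudo:db-tier": timedelta(hours=1)},
    "dba": {"sudo:db-tier": timedelta(hours=4)},
}


@dataclass
class Grant:
    privilege: str
    expires_at: datetime


@dataclass
class Identity:
    username: str            # personal, HR-vetted account: no standing admin rights
    roles: List[str]
    mfa_verified: bool       # second factor checked for this session
    grants: List[Grant] = field(default_factory=list)


class PrivilegeBroker:
    def __init__(self) -> None:
        self.audit: List[dict] = []
        self.vault: Dict[str, str] = {}   # shared accounts that could not be removed

    def _log(self, now: datetime, who: Identity, action: str, target: str, outcome: str) -> None:
        self.audit.append({"time": now.isoformat(), "user": who.username,
                           "action": action, "target": target, "outcome": outcome})

    def request_elevation(self, who: Identity, privilege: str,
                          duration: timedelta, now: datetime) -> bool:
        """Grant 'privilege' to 'who' for 'duration' if MFA and role policy allow."""
        if not who.mfa_verified:
            self._log(now, who, "elevate", privilege, "denied: MFA required")
            return False
        limits = [ROLE_POLICY[r][privilege] for r in who.roles
                  if privilege in ROLE_POLICY.get(r, {})]
        if not limits:
            self._log(now, who, "elevate", privilege, "denied: not in role policy")
            return False
        if duration > max(limits):
            self._log(now, who, "elevate", privilege, "denied: duration exceeds policy")
            return False
        who.grants.append(Grant(privilege, now + duration))
        self._log(now, who, "elevate", privilege, f"granted until {(now + duration).isoformat()}")
        return True

    def has_privilege(self, who: Identity, privilege: str, now: datetime) -> bool:
        """Evaluated at access time; expired grants are dropped, never extended."""
        who.grants = [g for g in who.grants if g.expires_at > now]
        return any(g.privilege == privilege for g in who.grants)

    def checkout_shared(self, who: Identity, account: str,
                        justification: str, now: datetime) -> Optional[str]:
        """Break-glass checkout of a vaulted shared account: MFA and a
        non-empty justification are required, and every attempt is audited."""
        if not who.mfa_verified or not justification.strip() or account not in self.vault:
            self._log(now, who, "checkout", account, "denied")
            return None
        self._log(now, who, "checkout", account, f"released: {justification.strip()}")
        return self.vault[account]


def demo() -> dict:
    """Constructed walk-through of the broker's decisions."""
    t = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    broker.vault["root@legacy-db"] = "vaulted-secret"      # constructed placeholder
    alice = Identity("alice", ["linux-admin"], mfa_verified=True)
    bob = Identity("bob", ["dba"], mfa_verified=False)
    return {
        "granted": broker.request_elevation(alice, "sudo:web-tier", timedelta(hours=1), t),
        "usable_at_30min": broker.has_privilege(alice, "sudo:web-tier", t + timedelta(minutes=30)),
        "usable_at_2h": broker.has_privilege(alice, "sudo:web-tier", t + timedelta(hours=2)),
        "too_long": broker.request_elevation(alice, "sudo:db-tier", timedelta(hours=3), t),
        "wrong_role": broker.request_elevation(alice, "sudo:storage", timedelta(minutes=5), t),
        "no_mfa": broker.request_elevation(bob, "sudo:db-tier", timedelta(hours=1), t),
        "breakglass_blank": broker.checkout_shared(alice, "root@legacy-db", "   ", t),
        "breakglass_ok": broker.checkout_shared(alice, "root@legacy-db", "INC-0001 db unreachable", t),
        "audit_entries": len(broker.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here: expiry is enforced at every access check rather than by a background job, so a grant can never outlive its window even if cleanup lags, and every decision (including denials) lands in the audit list, which is what gives the compliance transparency mentioned earlier.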

The increasing number of successful cyberattacks shows that traditional perimeter-based security concepts are no longer sufficient, because once this protective wall has been breached, criminals usually have an easy time of it. Companies must assume that attackers are already on their networks and base their security measures on this assumption. This is the only way to protect all of a company's assets and sensitive data and to minimize damage from external attacks and insider threats.

About ThycoticCentrify

ThycoticCentrify is a leading provider of cloud identity security solutions that enable digital transformation on a large scale. ThycoticCentrify's industry-leading Privileged Access Management (PAM) solutions reduce risk, complexity and cost while protecting enterprise data, devices and code in cloud, on-premises and hybrid environments. More than 14,000 leading companies around the world, including more than half of the Fortune 100, trust ThycoticCentrify. Customers include the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Whether human or machine, in the cloud or on-premises - with ThycoticCentrify, privileged access is secure.