Rich Turner, SVP EMEA at the cyber firm CyberArk, considers what nightclubs can teach you about protecting your organisation, digitally speaking.
Over the last 18 months, it has become clear that we are very much living in the age of the mass-impact cyberattack. Ransomware, in particular, is on the rise. At the same time, many organisations are continuing to rapidly transform their business by investing in new cloud technologies, adopting new forms of communication and delivering services to customers in innovative ways. Together, these trends mean that protecting against cybersecurity risk has taken on a greater sense of urgency.
This is especially true for identity-related risk. Cybercriminals are increasingly adept at stealing credentials – whether IT admins, business users, or even machines – to access sensitive areas of the business, and organisations need to keep up with the tempo of attacker innovation.
Our new ways of working have made protecting all identities, and their high levels of privileged access and related credentials, more important than ever. But how can we represent this risk in a way that businesses can best understand? We’re going to use nightclubbing as a proxy as we show you how to protect what’s most valuable to your organisation.
Getting past the door
Getting into a nightclub is all about showing that you’re going to be an acceptable part of the environment. A wannabe partygoer might struggle to get past nightclub door staff for any number of reasons, including wearing the ‘wrong’ clothing, exhibiting bad behaviour in the queue, or lacking sufficient/valid credentials. Sometimes underage revellers will bring a fake ID, duping bouncers into allowing them entry.
Think of technologies like privileged access management (PAM) as the ultimate ‘gatekeeper’ for who gets access to what, where and for how long. For example, there are minimum requirements for users to gain initial access; often a username/password at the most basic level. These first-level credentials are not particularly secure and can be bypassed, much like some revellers who successfully bypass doormen with fake IDs. This fallibility makes further authentication a must to properly defend the organisation’s key information and resources.
Access all areas
A night out at a club wouldn’t go so well without bar staff. These employees need access to staff-only areas such as the area behind the bar, the staff room and storage areas to pour drinks, mix signature cocktails, replenish bottles, and review stock lists. Some of these areas will require some form of access key to enter. Only trusted staff should be provided access to these areas to prevent any pilfering.
Certain areas of IT infrastructures operate on a similar model, with these access keys allowing system admins to make changes to systems or applications, add or remove users, or delete data. Sometimes these ‘super users’ will be domain admins: people that have extensive access rights across the network. These accounts are critical to secure. Unsurprisingly, gaining access to the credentials of these users represents the highlight of a cybercriminal’s night out…and it’s game over for the organisation if this happens.
Whether the threat comes from legitimate employees or from an external threat actor, PAM helps manage and secure network access and, using the principle of least privilege, only grants admin-level access to those who need it to perform their role.
Are you really a VIP?
Nightclubs often have VIP areas that clubbers access either by paying extra to enter, or having sufficient (‘celebrity’) status as an individual. Extra security staff often guard VIP areas to retain their prestige and prevent the less-exalted amongst us from entering. Essentially, only those with legitimate access are welcome.
‘VIP areas’ for organisations equate to those resources that are typically extremely limited in terms of who is allowed access to them. Your ‘normal’ user will not be allowed to interface with a company’s sensitive IP, HR information, or non-public financial results. Only those users with escalated privileges – VIPs, in other words – should have access to them, and even then this should be tightly controlled. Attackers routinely seek to escalate privileges in order to access critical assets and data.
Who stays…who gets kicked out?
Things don’t always go as planned during a night out. People try to get to where they shouldn’t, crashing other people’s reserved tables, or trying to blag their way into the VIP lounge. The staff may ask some partygoers to leave the club because of their undesirable behaviour. They may even be barred from ever returning to the club.
Compare this to a third-party contract ending, a consultant’s project finishing, or simply those who try to access a part of the network or an asset that they shouldn’t have access to. Once this happens, their privileged access becomes a potential security risk. Retaining it is undesirable and unnecessary; it should be de-provisioned immediately to shut off any chance of an attacker exploiting unused credentials or access. Likewise, someone trying to get to where they shouldn’t be needs shutting down immediately.
Surveying the scene
So how do organisations know where privileged access exists, and in turn, secure it?
In a nightclub, the manager and their team are tasked with observing everything that’s going on. Security cameras and staff scan the dancefloor and restricted areas, watching for incidents and ensuring that all is running seamlessly. In business, this is the IT security team. PAM allows full visibility of access to critical data and assets, and can monitor, grant and revoke that access when needed. Adopting appropriate cybersecurity measures to secure credential-based access is essential for organisations wanting to protect their business from disruption or loss.
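To make the three controls described above concrete (least-privilege roles, time-bound and revocable grants, and a visible audit trail of who was allowed or denied what), here is a small Python model of a PAM-style privilege broker. It is an added illustration, not CyberArk’s product or code; the role names, privilege strings, user names and timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role -> privilege map (an assumption for this example). Each role
# carries only the privileges its job needs: least privilege by construction.
ROLE_PRIVILEGES = {
    "bar_staff": {"read:stock", "write:stock"},
    "contractor": {"read:stock"},
    "domain_admin": {"read:stock", "write:stock", "manage:users", "delete:data"},
}


@dataclass
class Grant:
    role: str
    expires: datetime  # every grant is time-bound: "who gets access, and for how long"


@dataclass
class PrivilegeBroker:
    """Toy PAM-style broker: grants, checks, revokes and audits privileged access."""
    grants: dict = field(default_factory=dict)  # user -> Grant
    audit: list = field(default_factory=list)   # chronological event log

    def _log(self, now, event, user, **extra):
        self.audit.append({"time": now.isoformat(), "event": event, "user": user, **extra})

    def grant(self, user, role, ttl, now):
        """Issue a role to a user that automatically lapses after ttl."""
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role: {role}")
        self.grants[user] = Grant(role=role, expires=now + ttl)
        self._log(now, "grant", user, role=role, expires=self.grants[user].expires.isoformat())

    def revoke(self, user, now, reason):
        """De-provision a user immediately (contract ended, misuse, etc.)."""
        if self.grants.pop(user, None) is not None:
            self._log(now, "revoke", user, reason=reason)

    def expire_stale(self, now):
        """Revoke any grant whose time window has closed."""
        for user, g in list(self.grants.items()):
            if g.expires <= now:
                self.revoke(user, now, reason="grant expired")

    def authorise(self, user, privilege, now):
        """Decide one access request and record the decision either way."""
        self.expire_stale(now)
        g = self.grants.get(user)
        allowed = g is not None and privilege in ROLE_PRIVILEGES[g.role]
        self._log(now, "access", user, privilege=privilege,
                  decision="allow" if allowed else "deny")
        return allowed

    def denied_attempts(self, user):
        """The 'security camera' view: every denied request by one user."""
        return [e for e in self.audit
                if e["event"] == "access" and e["user"] == user and e["decision"] == "deny"]


def demo():
    t0 = datetime(2024, 1, 1, 22, 0, tzinfo=timezone.utc)  # constructed timestamp
    b = PrivilegeBroker()
    b.grant("alice", "bar_staff", timedelta(hours=8), t0)    # one shift behind the bar
    b.grant("bob", "contractor", timedelta(days=30), t0)     # a 30-day engagement
    results = {
        "alice_write_stock": b.authorise("alice", "write:stock", t0 + timedelta(minutes=5)),
        "alice_manage_users": b.authorise("alice", "manage:users", t0 + timedelta(minutes=6)),
    }
    b.revoke("bob", t0 + timedelta(days=1), reason="contract ended")
    results["bob_after_revoke"] = b.authorise("bob", "read:stock", t0 + timedelta(days=2))
    results["alice_after_shift"] = b.authorise("alice", "write:stock", t0 + timedelta(hours=9))
    results["alice_denials"] = len(b.denied_attempts("alice"))
    return results, b.audit


if __name__ == "__main__":
    decisions, events = demo()
    print(decisions)
    for e in events:
        print(e)
```

Two design points carry the article’s argument: no privilege is ever attached directly to a user, only to a role, so a bar-staff grant can never reach `manage:users` no matter how it is requested; and every grant has an expiry that is enforced at decision time, so a forgotten contractor account lapses on its own even if nobody remembers to call `revoke`. Denied attempts are logged alongside allowed ones, which is what lets the security team see someone trying to get where they shouldn’t.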
It used to be easy to take a night out for granted. You don’t necessarily consider the sheer number of resources that it takes to help make this a reality, from the bouncers that keep the obvious trouble out, the bar staff and DJs to keep you fed, watered and entertained, and the club staff that ensure that if you’re on that table or in that VIP room, it’s because you’ve paid to do so. Who’s going to kick out the people having a fight on the dancefloor? You? Probably not. And that’s not even considering the behind-the-scenes efforts to keep you safe, secure and entertained.
So, as the number one control for managing, monitoring and protecting identities across your organisation, consider what PAM could do for you. Now get back onto that dance floor!