- Security TWENTY
- Women in Security
In IT security, all roads lead to identity, says David Higgins, EMEA Technical Director at the identity security company CyberArk.
Gartner predicts that worldwide end-user spending on public cloud services will grow 18 per cent this year. Together with the increasing use of automation and the prevalence of remote work policies, this means the network perimeter is becoming less important for security. The new perimeter lies in identities with privileged access rights – permissions that allow accounts to reach specific information or assets. As a result, organisations now need a full identity security strategy to respond to today’s threats.
A few years ago, only small groups of users – mostly administrators – had privileged rights in IT. Today, any identity, whether a customer, a remote employee or a third-party provider, as well as any device or application, can hold such rights. In many cases privileged rights are indispensable: developers need access to source code, applications to databases, and third-party providers to company resources. As a result, the risks to corporate IT security have increased dramatically. But how can organisations keep these rights under control?
The new threats to businesses exist on various levels. They are particularly evident in the increasing use of cloud services and remote work. In a cloud environment, in principle, any human or machine identity can be configured with thousands of authorisations – and the model differs for each cloud. For example, authorisations can be assigned to users, groups and roles depending on the task profile. However, many companies unintentionally configure identities with access rights within the cloud services that they do not need. Numerous studies show that accounts and roles with too many authorisations are among the most common misconfigurations of cloud services. In addition, most cyber-attacks on cloud applications and services in the last twelve months can be traced back to the misuse of these unnecessary privileges.
IT teams must also account for employees when designing security strategies. After all, the end device of the individual employee is an important first point of entry into the company network. It is not only the privileged access of those remote employees who reach the central systems and resources of a company that must be secured. Establishing procedures such as multi-factor authentication, single sign-on and rights management for all employees working from home is just as important. This means that classic privileged access management for privileged users must be expanded to cover the entire user community of a company.
Cloud and remote work have one important thing in common: the traditional network perimeter has largely dissolved, and identity has emerged as the new perimeter. This makes it the most important line of defence for companies. A comprehensive identity security approach based on privileged access management must focus on securing each individual identity – regardless of whether it belongs to a person or a machine.
Securing identities – human and machine
The specific tasks of an identity security solution include securely authenticating an identity, authorising it with the correct permissions, and granting it access to critical resources in a structured manner. In other words, a zero-trust principle should apply: every actor and process that wants to establish a connection to a critical system is verified. Every identity that wants to access company resources is verified with several factors – the more critical the access, the stronger the authentication.
Every identity-based security strategy should contain two essential components: the assignment of context-related rights, and secured access for non-human identities. On the one hand, companies have to give users rights appropriate to the activity to be performed. This least-privilege and just-in-time approach avoids the permanent accumulation of rights and thus makes it much more difficult for attackers to reach their target. On the other hand, a company should not see the term identity only in the context of human activity. In hybrid cloud environments in particular, it is essential that applications, their programs and automated processes also have a suitable structure of rights, and that their access is secured and controlled in the same way as that of people. Good examples of this are Robotic Process Automation (RPA) projects in the business environment and automation tools such as Ansible in the IT sector.
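The two components above – step-up authentication that scales with the criticality of the resource, and just-in-time rights that expire instead of accumulating – can be modelled in a few lines. The following is an added illustration, not code from the article or from CyberArk; the identities, resources, criticality levels and log lines are constructed, and the "actor resource" log format is an assumption. It also shows the audit the cloud-misconfiguration passage calls for: standing rights never exercised in the access log are flagged for removal.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data: the criticality level of a resource decides how
# many authentication factors an identity must present (hypothetical values).
RESOURCES = {"wiki": 1, "source-repo": 2, "prod-db": 3}

# Constructed access log, one "actor resource" entry per successful access.
SAMPLE_LOG = ["alice wiki", "ansible prod-db", "alice wiki"]


@dataclass
class Identity:
    name: str
    kind: str                     # "human" or "machine" (e.g. an Ansible runner)
    factors: int                  # authentication factors presented this session
    standing: Set[str] = field(default_factory=set)    # permanent rights
    jit: Dict[str, int] = field(default_factory=dict)  # resource -> expiry (epoch s)


def grant_jit(ident: Identity, resource: str, now: int, ttl: int = 3600) -> None:
    """Just-in-time grant: time-boxed, so rights do not accumulate permanently."""
    ident.jit[resource] = now + ttl


def can_access(ident: Identity, resource: str, now: int) -> bool:
    """Zero-trust check applied on every access, for humans and machines alike:
    the more critical the resource, the stronger the authentication required."""
    if resource not in RESOURCES:
        return False
    if ident.factors < RESOURCES[resource]:
        return False                       # step-up authentication required
    if resource in ident.standing:
        return True
    return ident.jit.get(resource, 0) > now   # an expired grant no longer counts


def unused_standing_rights(ident: Identity, access_log: List[str]) -> Set[str]:
    """Least-privilege audit: standing rights never used in the log are
    candidates for removal or for conversion to just-in-time grants."""
    used = {res for actor, res in (line.split() for line in access_log)
            if actor == ident.name}
    return ident.standing - used
```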
Companies’ attack surface grows as the number and types of identities in business applications and cloud workloads increase. Since both human and non-human identities can hold access privileges, new security strategies are required. Organisations must continue to focus on privileged access management, but they must also expand their strategies to encompass comprehensive identity security.