15 Feb Feature: Action on access management
Timothy Compston spotlights the access management issues that are leaving businesses vulnerable to cyberattacks and potential remedies to shore-up their defences
The last year has certainly been a turbulent one across the globe thanks to the COVID-19 pandemic and, not surprisingly, this has had a profound impact on the way that businesses operate, including the need to cope with a surge in remote home working to keep their employees safe from the coronavirus.
Given this fast-track change in working practices it is even more critical now that organisations here in the Middle East, and elsewhere, have a good handle on the way they manage access to their IT systems, networks, and cloud-based applications, especially if more of this is being done through their worker’s own devices. Any measure put in place also, of course, needs to be user-friendly so it does not have a detrimental impact on the ability of workers to do their jobs.
The reality is that bad actors are all too happy to take advantage of any weak link in security to gain access to an organisation’s systems and data. Throughout the current pandemic INTERPOL – the international police body – has warned of the heightened danger from cybercriminals to computer networks and systems at a time when cyber-defences might be lowered due to a shift of focus to the health crisis.
Back in April, as part of a call-to-action, INTERPOL launched a #WashYourCyberHands awareness campaign to reinforce this message. Serving as a stark reminder of the dangers that are out there, the UK recently witnessed a high-profile attack on the Scottish Environment Protection Agency (SEPA) by hackers who demanded a ransom to unlock its systems and return the stolen data. When this was not forthcoming the culprits published the information gathered from the SEPA hack on the dark web.
A new analysis by Positive Technologies – a specialist in enterprise security solutions – serves to shed light on what the cyber threat landscape looked like in Q3 of 2020 at the height of the pandemic. Positive Technologies says that, due to COVID-19 triggering a shift to remote working, many companies were compelled to make services available on their network perimeter for the first time. The upshot of this, according to Positive Technologies, is that attackers have had ample opportunities to strike at companies that have not taken the proper security precautions. Putting some figures on the threat dynamics here, the authors of the report found that the exploitation of vulnerabilities – the method for attacking organisations – grew by a worrying 30 per cent, 12 percentage points higher than the previous quarter, as attackers sought to target flaws in remote access systems.
Access management survey
Crossing the Atlantic to take the temperature of access management security, Thales – which has expertise in digital identity and security – surveyed 300 IT professionals in the US and Brazil for its 2020 Access Management Index. This effort sought to explore access management practices within businesses and the use and importance of two-factor authentication, smart SSO (Single Sign On), and cloud access management tools. Key findings outlined in the Access Management Index included: 41 per cent of respondents believing that usernames and passwords are one of the most effective access management tools despite known weaknesses; 65 per cent saying that unprotected infrastructure presents the biggest target for cyberattacks and, crucially, that data breaches in the last 12 months have influenced their organisation’s security and access management policies.
In terms of specific solutions, Thales offers Safenet Trusted Access which it says allows cloud SSO (Single Sign On) to be applied intelligently and is designed to enhance security by providing a single audit trail of cloud access events. According to Thales, each time a user seeks to access a cloud application Safenet Trusted Access examines the login request taking account of previous authentications in the same SSO session and the policy requirements specific to the user’s role, the application’s sensitivity, and contextual information. In practice this means that users may only have to authenticate once to access all their cloud applications or, if required by the policy, step-up their authentication.
Privileged access concerns
Moving on to focus specifically on privileged access management, IBM points to The Forrester Wave figures that show at least 80 per cent of all data breaches were the result of compromised privileged credentials. The danger here, says IBM, is when such accounts are compromised there is the potential for cyber criminals to obtain unfettered access to an organisation’s IT infrastructure, often gaining administrative control through a single endpoint. IBM reveals that many high-profile breaches have resulted from unmanaged and unmonitored privileged accounts. Consequently, IBM stresses that Privileged Access Management (PAM) is very much a critical element of a broader identity governance and administration strategy. Implementing PAM, according to IBM, helps to secure passwords, protect endpoints, and to keep privileged accounts safe and out of the hands of imposters.
Staying on this topic, commenting after the supply chain attack involving SolarWinds Orion business software which could, potentially, have impacted 16,000 organisations, Udi Mokady, founder and ceo at CyberArk – a global leader in privileged access management – said: “The SolarWinds breach is yet another example of how attacks are becoming hyper targeted with widespread impact. It is critical that organisations always ‘assume breach’ and that access to their sensitive data and systems is secured.” Mokady believes that, with the adoption of modern infrastructure and digital transformation, privilege is everywhere from critical applications and IoT [Internet of Things] devices to robotic process automation and DevOps tools: “Attackers know this, which is why nearly all advanced attacks today rely on the exploitation of privileged credentials.” At the end of December, in response to the SolarWinds Orion situation, CyberArk announced the launch of a free assessment offer to help SolarWinds Orion customers identify privilege access-related risk and, significantly, to implement steps to mitigate future exposure to potential cyberattack.
So, what else can be done to ramp up security for access management to systems? Well, the UK’s National Cyber Security Centre (NCSC) has issued valuable guidance in the context of identity and access management. Key steps highlighted by the NCSC to consider include: ensuring that a new user is who they say they are and that the level of trust and access is commensurate with their personal and professional background; binding an identified user to an identity within your system with an appropriate method of authentication; ensuring that the authentication method gives confidence that when an identity is used it is being used by the member of staff whose identity you have previously validated, and, finally, applying the principle of least privilege to limit the access or functionality that different users have.
Beyond this, the NCSC outlined key steps that can be adopted to prevent Privileged Access to an organisation’s IT systems being misused. For instance, it suggests issuing separate user accounts and credentials to users who have a need to perform both privileged and typical day-to-day functions. Another piece of advice centres on avoiding users performing privileged actions from untrusted devices. In addition, the NCSC suggests that when working across network boundaries or zones it is preferrable to ‘browse down’ from the more trusted environment to the less trusted environment rather than to ‘browse up’.
Zero Trust for 2021
Looking ahead, Trend Micro’s ‘Turning the Tide’ report which outlines its cyber security predictions for 2021 makes for interesting reading. The enterprise security and cyber security vendor reckons that zero trust models will gain momentum in 2021 as an effective approach to empowering distributed workforces. Trend Micro adds that by eliminating implicit trust – on anything inside or outside the network – everything is verified. Crucially, the report points out that through micro-segmentation a zero-trust architecture gives users access to only the specific resources they need, within certain parameters. Moving forward, such enforcement can, says Trend Micro, ensure a robust security posture by making it more difficult for threat actors to penetrate an organisation’s network.
A zero-trust approach was also to the fore when Paul Carlstrom, content marketing manager at Palo Alto Networks – the cybersecurity specialist, touched on the subject in a recent blog. In the view of Carlstrom, a Zero Trust approach of ‘never trust, always verify’ is most effective when it spans all locations and environments where workloads power and run an organisation’s applications and data. In this context he believes that the sort of firewall platform offered by Palo Alto Networks can significantly bolster a Zero Trust architecture by moving network security as close to these workloads as possible.