It is now well accepted that identity is the new perimeter in this multi-cloud world and is representing the largest security vulnerability for any enterprise. The Verizon Data Breach Investigation Report 2021 establishes that 61% of data breaches involved credential data and instances of misrepresentation increased by 15 times compared to last year. As enterprises are increasingly adopting IoT, AI, and robotics, and other emerging technologies the cyberthreat landscape is becoming increasingly complex. The recent spate of cyberattacks is a prominent reminder to establish processes and procedures on the management of privileges and address the problem of granting unlimited access to applications, services, or individuals.
By Kumar MSSRRM, Associate Vice President and Delivery Head, Cybersecurity, Infosys
With the diminishing control over physical and network controls, accelerated adoption of remote working, and the rise in dispersed workforce, any identity can become a privileged identity. This renders traditional cybersecurity practices as inadequate. Organizations must strategize on building robust cybersecurity capabilities and access management systems. They must carry out employee awareness programs to address the threat landscape.
Few commonly observed scenarios wherein privileged access are devolved to identities include:
- Enterprise workforce requiring elevated permissions on a workstation (laptop) to execute business processes or access critical data
- Third-party vendors requiring access to corporate resources to perform their tasks
- Application developers or DevOps engineers requiring access to source code
- Applications or RPA bots requiring access to enterprise resources to perform the workflow tasks
Enterprises face additional risks in the above-mentioned cases, necessitating the adoption of security controls and a culture for responsible and managed use of privileged access. The following principles may be considered to prevent the exploitation of privileged access.
- Understand the privileged access footprint: Enterprises should be aware of where privileged accounts exist within their landscape (on-premises and beyond, cloud infrastructure, SaaS applications, hardcoded in legacy/bots). Not knowing this can lead to allowing users to bypass controls and gain elevated access without authorization. Policies should be defined for initial identification and ongoing automated discovery of privileged accounts across the enterprise landscape.
- Define policy for rotation of passwords: Enterprises should define password protection and password rotation policy for privileged accounts. As a best practice, it is recommended that all privileged account passwords are updated automatically, and periodically as per the compliance regulations and on a need basis for reasons such as a change in owner or detection of a threat. Further, it must be ensured that the default passwords setup on privileged accounts are changed and the risk of exposure with default passwords is minimized.
- Management of credentials for shared and service accounts: Shared accounts typically lack defined ownership and accountability in an enterprise. Privileged access management (PAM) solution is essential to manage such accounts with appropriate auditing of the access and usage of such shared accounts. Service accounts are created with the approach to facilitate the smooth execution of applications and service jobs. Unlawful access to such accounts can allow unauthorized users to move laterally across the network by getting access through a single password. Thus, due care should be taken to make service accounts non-interactive and manage credentials through the PAM solution for controlled usage.
- Privileged access governance: Appropriate access governance ensures that privileged access is properly managed and controlled through defined policies, rules, and processes. Enterprises shall invest in extending the access governance solutions to the lifecycle management of privileged accounts including periodic governance of permissions on them.
- Zero standing privileges: Finally, in the journey of zero-trust, enterprises must embrace the principles of zero standing privileges, grant of temporary access, and apply the least privilege model for all access credentials. The adoption of context-based decision-making for privileged access will ensure that the enterprise landscape (on-premise, cloud, SaaS, and others) is incrementally protected against the threats of privilege misuse.
In conclusion, the adoption of controls for responsible use of privileged access helps secure the digital transformation journey for enterprises. By incrementally reducing risks and vulnerabilities related to credential theft, lateral and vertical movement, and abuse through privilege escalation, one can safeguard the enterprise data.
About the Author
Kumar MSSRRM is an Associate Vice President and Delivery Head for Cybersecurity at Infosys. Kumar has over 23 years of experience as an Information Technology professional with demonstrated expertise across various technologies and industries. He has been instrumental in nurturing niche units to high-performing units, leading transformational initiatives, and driving innovation. He is an authority in project and program management practices. He participates very actively in designing collaborative programs with national and international academia. He is a regular speaker at universities and conferences such as the Information Security Forum.
Kumar holds an MTech in machine design and a management degree from the Indian School of Business.
Views expressed in this article are personal. The facts, opinions, and language in the article do not necessarily reflect the views of CISO MAG.