The increasing use of cloud services and automation solutions, together with the switch to remote work, has made identity the new security perimeter. With the ever-expanding attack surface, identity management has become critical for maintaining a robust security posture. Beyond privileged access management (PAM), an identity security strategy is the next logical step to protect the company against cyberthreats.
By Jeffrey Kok, Vice President of Solution Engineers, Asia Pacific and Japan at CyberArk
In today’s environment, any identity – whether it is a customer, an employee working remotely, a third-party vendor, or just any device or application connected to the network – can become privileged and create an attack path to an organization’s most valuable assets.
Privileged access is intertwined with identities. For instance, developers need access to the company’s source code to implement changes on applications or databases. Consultants or third-party providers will need access to company resources while working on projects.
The recent SolarWinds digital supply chain attack involved the compromise of identity and manipulation of privileged access. Following this attack, PwC Hong Kong recommended that businesses implement a zero-trust network architecture through identity identification and access controls.
With the growing adoption of cloud services and the shift to remote work, the use of privileged access as an attack vector is particularly evident. In a cloud environment, in principle, any human or machine identity can be configured with thousands of authorizations unique to each cloud, which means it is possible to assign authorization to users, groups, and roles depending on the respective task profile. However, many companies unintentionally grant access rights within their cloud services that identities do not actually need or use.
Studies show that accounts and roles with too many authorizations are among the most common misconfigurations of cloud services. According to CyberArk’s CISO View survey, end-users are reported to be the most targeted group – including business users with access to sensitive data. 56% of respondents reported being targets of cyberattacks.
Companies also need to give more focus to employees working remotely when designing security strategies. End devices of individual employees are an important first point of entry into the company network. Privileged access options for remote employees must be secured by implementing security procedures such as multi-factor authentication, single sign-on (SSO), and access rights management. This means that the access management for privileged users must be expanded to include the company’s entire user community.
In Singapore, work-from-home orders have been lifted since April 5, and up to 75% of employees can return to the office. Many businesses are making the transition in phases to manage access to information and assets from both within and outside the corporate networks. IT teams can manage the transition by taking an identity-driven approach to security, which applies the right level of authentication and security controls based on the user’s role.
Cloud and remote work have one thing in common: both scenarios have made the traditional network perimeter de facto worthless. Thus, a comprehensive identity security approach based on privileged access management must focus on securing individual identities, regardless of whether they belong to a person or a machine.
Mitigating the risks through identity management
Identity security solutions help mitigate risks through secure identity authentication, well-defined access permissions, and a structured process in granting access to critical resources. In other words, a zero-trust principle should apply. With identity security solutions in place, all attempts to establish a connection to critical systems or access company resources go through rigorous identity checks and multi-factor authentication. The more critical the access, the stronger the verification process.
Every identity-based security strategy should contain two essential components: the assignment of context-related user access rights and the tracking and monitoring of non-human access. Security teams must consider the roles and activities each user needs to perform to grant the appropriate access levels. By granting the least privilege and using a just-in-time approach, security teams can prevent the permanent accumulation of rights, thus making it much more difficult for attackers to identify and approach their target.
On the other hand, identity management needs to expand beyond human activities and include devices, applications, programs, and automation. In hybrid cloud environments, non-human access must also be assigned to a secured and controlled structure of rights and permissions. A good example of this is Robotic Process Automation (RPA), which supports automation projects in a business environment. While RPA offers benefits to the business such as improving work efficiency and simplifying compliance, RPA technology introduces a new cyberattack surface for both human and non-human identities. By taking steps such as removing privileged credentials from scripts or limiting the bot’s access, IT teams can prevent unauthorized access and misuse of the privileged credentials used in RPA.
With the increasing number of cyberattacks, companies need a security strategy that responds to the changing needs of the business. As the company network expands and the number of business applications and cloud workloads increases, implementing comprehensive identity security management can bolster the company’s security defenses.
About the Author
Jeffrey Kok is Vice President of Solution Engineers, Asia Pacific and Japan at CyberArk. Kok is responsible for working with various internal teams at CyberArk to qualify leads, identify business issues and drivers in any particular sales opportunity, and manage the entire presales and solution process of the business cycle.
Prior to joining CyberArk, Kok was Technical Consultant Director, Asia Pacific and Japan for RSA, managing a team of senior pre-sales engineers and technicians. While in this role he built a strong and high-performing cross-regional pre-sales practice.
Kok has more than 17 years of experience in the cybersecurity industry, serving in companies and institutions including RSA, Cisco Systems, Nera Telecommunications, and the National University of Singapore (NUS).
Kok holds a Bachelor of Applied Science in Computer Engineering from the Nanyang Technological University and CISSP certification.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.