Rajesh Ganesan, Vice President, ManageEngine, has been associated with Zoho Corporation for over 22 years and is currently the Vice President for ManageEngine, the IT management division of Zoho Corporation. He brings more than two decades of experience in building products in the areas of telecommunication, enterprise IT management, and enterprise IT security. At ManageEngine, he is responsible for all business operations for products: defining, developing, delivering, marketing, and selling software products for identified viable markets.
In an exclusive email interaction with Brian Pereira of CISO MAG, Rajesh talks about the security challenges in managing endpoints and the right strategies to counter these challenges.
What is the challenge that CISOs and CIOs face today when it comes to managing endpoints? Is the challenge primarily about the visibility of the endpoints? How can they counter the challenges?
The variety of endpoints that the businesses have at their disposal to bring about productivity benefits presents great challenges at many levels. First, as the endpoints freely move across the corporate-governed network boundary, they become a primary vector for external attacks that are targeting access to critical internal resources. An endpoint used by a privileged but unassuming user can get infected with malware, which could then become the vector for external attacks when the users get back into the company network. Attackers can then execute command and control attacks leveraging the privileges of the user.
Second is the case of dealing with the far greater menace of insider attacks, as endpoints tend to be the easiest medium to leak critical data. An attack like data exfiltration can be camouflaged as normal activity, by leaking small amounts of information through multiple endpoints and assembling them later to get the entire data set. Or it could be simple cases of doing a print screen of sensitive data or downloading an attachment into a cloud service.
While the IT and IS leadership must build multiple layers of protection for securing endpoints, a common thread across many security incidents is how the privileges are defined and handled. This is strictly defining, enforcing, and monitoring the privileges for users to access the endpoints and the resources within, and also for the applications that run on those endpoints. For example, the privileges of a user could dynamically change depending on their location. They could have the highest privileges while in the office, moderate privileges while working from home, fewer privileges within the city of work, and minimum privilege outside the user’s usual region. Hence, privileged access management, which is “governing who has what kind of access to what resources for what reason and who approved the access” is fast becoming a top priority area for IT and Infosec leaders.
How does the PAM360 solution address this challenge?
Securing endpoints has to be done at many layers and PAM360 focusses on the privileged access management part. This is basically providing a holistic way for governing and managing “who has access to what endpoints for doing what operations, and who approved the access, and what do they do with the access.” While this sounds simple at the surface level, a lot goes inside to implement and run an effective privileged access management program. Each aspect mentioned needs a thoughtful definition of policies, processes, procedures, and controls implemented through a tool.
For example, to ascertain all the information access a user has, there must be a defined list, which includes systems and applications, types of roles, types of access, duration of access, and mechanisms to grant and revoke access. The same goes for controlling what actions a user can perform after getting access.
And speaking of users, they are not just employees within the organization. They could also be customers, partners, contractors, temporary workers, or others whose access to information needs to be managed. A contractor may not even need full-time access to all systems but just for a period of 30 minutes to get her job done. Yet, that access needs to be managed and monitored. Different tools exist to focus on specific aspects of privileged access, but PAM360 unifies them all and provides one complete solution with which enterprises can implement a holistic program, regardless of the type of the endpoints.
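The location-tiered privilege levels described earlier (highest in the office, minimum outside the usual region) and the time-boxed, approved contractor access above can be expressed as a small policy check. The following is an added illustration, not ManageEngine's or PAM360's code; the tier values, `Grant` fields and function names are hypothetical, and an unrecognised location is assumed to fall to the minimum tier.

```python
"""Minimal privileged-access decision with location ceiling, time window and
an audit record answering who / what / why / who approved (hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Privilege ceiling by where the endpoint currently is (tiers from the interview).
LOCATION_CEILING = {"office": 4, "home": 3, "city": 2, "outside_region": 1}
MIN_PRIVILEGE = 1  # assumption: unknown location is treated like "outside region"

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    level: int            # approved privilege level, 1 (lowest) .. 4 (highest)
    approved_by: str      # accountability: who approved this access
    reason: str
    start: datetime
    duration: timedelta   # e.g. 30 minutes for a contractor

def effective_level(requested: int, location: str) -> int:
    """Clamp the approved level to the ceiling for the current location."""
    return min(requested, LOCATION_CEILING.get(location, MIN_PRIVILEGE))

def authorize(grant: Grant, now: datetime, location: str, audit: list) -> int:
    """Return the privilege level to apply now (0 = denied) and log the decision."""
    if grant.approved_by == grant.user:
        level, decision = 0, "denied: self-approval"
    elif not (grant.start <= now < grant.start + grant.duration):
        level, decision = 0, "denied: outside approved window"
    else:
        level = effective_level(grant.level, location)
        decision = f"allowed at level {level}"
    audit.append({"user": grant.user, "resource": grant.resource,
                  "approved_by": grant.approved_by, "reason": grant.reason,
                  "location": location, "at": now.isoformat(), "decision": decision})
    return level

def demo_scenario():
    """Constructed sample: a 30-minute contractor grant checked from four places."""
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grant = Grant("contractor1", "db-prod", 4, "it-manager", "ticket-123",
                  start, timedelta(minutes=30))
    audit: list = []
    t = start + timedelta(minutes=10)
    levels = [authorize(grant, t, loc, audit) for loc in ("office", "home", "unknown")]
    levels.append(authorize(grant, start + timedelta(minutes=30), "office", audit))
    return levels, audit

if __name__ == "__main__":
    for record in demo_scenario()[1]:
        print(record)
```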
What are the risks faced today, with regard to privileged accounts?
A primary risk with privileged accounts is they come with very high privileges but very little accountability. Most privileged accounts are system defaults like “administrator” and “root” without any explicit association with a human user. This leads to privileged accounts getting shared with whoever requires privileges for a certain period of time, but that poses a risk of anyone getting hold of the credentials to immediately inherit the privileges.
Because they are system defaults and are shared, often the credentials are not randomized periodically. This presents a huge risk of brute force attacks succeeding against these accounts and breaking one could open the floodgates.
When there is no proper monitoring of who has access to the credentials, there is a huge risk of the enterprise never being able to reconcile who performed a particular operation, especially malicious ones. And even when the access is controlled and monitored, unless the privileged actions performed are continuously monitored, malicious users can plant malware or logic bombs in software that manifest much later, obscuring all association of that particular user.
In the age of cloud and DevOps and IoT, many system and software components talk to each other and invoke actions across the network, and this access needs credentials. Often, the credentials are loosely stored or hardcoded in scripts and programs, leaving them open to anyone with access.
Why are legacy solutions inadequate to address today’s risks?
An effective privileged access management solution is not standalone but one that integrates with every component in the infrastructure. Legacy solutions often lack this support, especially when it comes to cloud, DevOps, RPA, and IoT. When it comes to cloud for instance, the requirements are elasticity and scalability, as the number of managed endpoints could be large and dynamically changing. For DevOps, the requirements would be agility and velocity, in terms of how many operations per second the solution can perform. The rapidly changing requirements present lots of challenges, and the legacy solutions simply are not architected for today’s technologies and infrastructure.
Brian Pereira is the Principal Editor of CISO MAG. Apart from his editorial responsibilities, he enjoys writing features, interviews and technical articles.