Securing privileged access can reduce the risk of data breach [Q&A]
Accounts that have privileged access are a problem when it comes to data breaches, so securing them effectively is essential.
But things are complicated by the fact that where privileged access was once designated only for system administrators it has now been expanded to HR, finance, legal and many more parts of the organization, as well as to non-human users like machines and applications.
We spoke to David Higgins, global technical director at CyberArk to find out why privilege is expanding across organizations, where enterprises start when securing privileged access, and how they can prioritize who and what needs access.
BN: What is privileged access and how has that definition changed?
DH: Privileged access refers to special access to systems, or abilities that go beyond that of a standard user. Privileged access can often provide the user with full control of business-critical systems and applications.
Historically, privileged access was the domain of systems administrators or referred to the powerful, shared accounts used to manage IT infrastructure. However, in today's connected environment, every identity can gain privileged access under certain conditions. Traditional business users, including HR, finance, sales, and marketing, have permissions and provisioned access to data and applications -- like SAP, Workday or similar -- that quickly transform these users into privileged users.
In addition to the increasing number of human users that are accessing these systems, non-human privileged access is also exploding at a dramatic rate. Machines and applications often require privileged access to properly function.
Combine all of this with the rapid move to the cloud and push for greater automation, and the result is a fragmented landscape of privileged access that organizations need to be able to identify, manage and secure.
BN: Can protecting privileged access reduce the occurrence of data breaches? How?
DH: Privileged access is everywhere -- in the cloud, on the endpoint, in applications, automated processes and throughout the DevOps pipeline.
The vast majority of attacks follow a similar pattern: attackers find and target privileged accounts with broad and powerful access. Attackers exploit this access to move laterally across a network, conduct reconnaissance, establish persistence, and gain access to an organization’s most critical and sensitive assets.
The recent cyber attack on Twitter provides a good example of why attackers covet privileged access. It was reported that more than 1,000 Twitter employees had privileged access to the admin tool that was used to 'change user account settings and hand control over to others.' Attackers targeted these employees with a social engineering attack to steal and exploit this privileged access. Once compromised, they were able to take control of high profile accounts like Barack Obama, Elon Musk and more.
Securing privileged access shrinks the attack surface by blocking critical steps in the attack cycle and stopping the progression of an attack before the business can be impacted. According to the recently released Gartner Magic Quadrant for Privileged Access Management, 'By 2024, 50 percent of organizations will have implemented a just in time (JIT) privileged access model, which eliminates standing privileges, experiencing 80 percent fewer privileged breaches than those that don't.'
This is a big reason why privileged access management has become a top cyber security and business priority.
BN: Why is managing privileged access a challenge for organizations?
DH: The biggest challenge for many organizations is a lack of visibility into where exactly privileged accounts and credentials exist. Privileged accounts are created and privileged access is granted with every new cloud environment, every business application, every supplier connection, and so on. The velocity of change in IT environments exacerbates the issue.
Discovery of the privileged landscape is critical to securing the enterprise. A lot of customers are often surprised by the hidden privileges that exist across their infrastructure. This can be former employees with access that was never remediated, contractors with privileged access to specific systems, or even supply chain partners and vendors that have systems connected via privileged access rights.
In addition to simply identifying where privilege exists, there is also a people and process issue to consider. Attackers regularly look to exploit the lack of controls around how privileged users like administrators and developers have and utilize their access. In order to secure the process, we need to secure the way that they work. Since this will entail some element of change on the human side -- which can be hard to enforce -- it's imperative that security teams gain executive sponsorship around securing privileged access.
BN: Are the current dynamics including remote work and digital transformation impacting how organizations should look at their overall security strategy?
DH: These trends are absolutely impacting how organizations are looking at their security strategies. The shift to remote work for many came on suddenly, and without the time needed to understand the broader impacts on enterprise security.
We recently conducted a survey of 3,000 remote office workers and IT professionals and found that common work-from-home habits like password re-use and using corporate devices for personal activities are putting critical business systems and sensitive data at risk.
The survey showed that 77 percent of remote employees are using unmanaged, insecure bring-your-own-device (BYOD) products to access corporate systems. In addition, a large majority of home workers (93 percent) have reused passwords across applications and devices, shared corporate devices with a family member (29 percent), or insecurely saved passwords in browsers on their corporate devices (37 percent).
Furthermore, and often overlooked, is the role privilege plays in endpoint attacks, specifically ransomware. In the new remote work environment, there is an increase in the number of users who have been granted privileged rights on their corporate device to help with operational ease (i.e. allowing them to install what they need to get their jobs done), but it also means that there are more opportunities for attackers to target these accounts and facilitate the propagation and deployment of ransomware.
These poor security habits and the expanding threat landscape align with the attacker modus operandi of finding and stealing privileged access. Attackers will identify and target an organization's weakest points and use those as a foothold to continue to elevate privileges to ultimately get where they want to be. Attackers are taking advantage of the disruption -- targeting remote employees at an alarming rate.
BN: How does an organization begin a privileged access management program? How do you prioritize the most critical accounts to protect?
DH: For many organizations, the privileged-related attack surface is much broader than they know. This is why understanding and prioritizing risk is the best way to get started. To do this, an organization has to identify the types of privileged accounts and credentials that exist within their environment. Organizations may have thousands or even hundreds of thousands of privileged credentials in their environment -- across on-prem, in the cloud, on the endpoint and in DevOps processes. Understanding the scope of risk is critical.
As part of this process, organizations should start classifying the types of privileged access by risk. This should include identifying the organization's most critical systems -- systems that contain data that needs to be secured due to regulatory requirements, systems with intellectual property, and systems with known vulnerabilities.
By identifying all critical systems, organizations can start protecting the riskiest accounts and credentials first to avoid network compromise or a breach of sensitive data.
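The discovery and risk-classification steps described in the last three answers (and the hidden-privilege cases from the earlier answer on visibility), as an added Python example that is not part of the interview or of CyberArk's products: it scores a constructed inventory of privileged accounts by system criticality (regulated data, intellectual property, known vulnerabilities), by who holds the privilege (former employees, vendors, contractors, machines) and by standing versus just-in-time privilege, then orders them for remediation. Field names, weights and the 90-day dormancy threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2020, 9, 1)  # fixed reference date so results are deterministic
STALE_DAYS = 90           # assumed threshold for "dormant" privilege

@dataclass
class PrivilegedAccount:
    name: str
    system: str
    owner_type: str    # employee | former_employee | contractor | vendor | machine
    standing: bool     # True: always-on privilege; False: just-in-time grant
    last_used: date
    tags: frozenset = frozenset()  # subset of {"regulated", "ip", "known_vuln"}

# Assumed weights: criticality of the system, then who holds the privilege.
SYSTEM_WEIGHTS = {"regulated": 3, "ip": 3, "known_vuln": 4}
OWNER_WEIGHTS = {"former_employee": 5, "vendor": 3, "contractor": 2,
                 "machine": 1, "employee": 0}

def findings(acct, today=TODAY):
    """Reasons an account belongs near the top of the remediation list."""
    out = []
    if acct.owner_type == "former_employee":
        out.append("access never remediated after departure")
    if acct.owner_type in ("vendor", "contractor"):
        out.append(f"third-party ({acct.owner_type}) privileged access")
    if acct.standing and (today - acct.last_used).days > STALE_DAYS:
        out.append("dormant standing privilege")
    if acct.standing and acct.tags:
        out.append("standing privilege on a critical system: JIT candidate")
    return out

def risk_score(acct, today=TODAY):
    score = sum(SYSTEM_WEIGHTS[t] for t in acct.tags) + OWNER_WEIGHTS[acct.owner_type]
    score += 2 if acct.standing else 0           # standing privilege is what JIT removes
    score += 2 if "dormant standing privilege" in findings(acct, today) else 0
    return score

def prioritise(accounts, today=TODAY):
    """Highest-risk first: the order in which to start securing accounts."""
    return sorted(accounts, key=lambda a: (-risk_score(a, today), a.name))

# Constructed inventory, not real accounts or systems.
INVENTORY = [
    PrivilegedAccount("svc-build", "ci-pipeline", "machine", True, date(2020, 8, 30), frozenset({"ip"})),
    PrivilegedAccount("j.doe", "hr-payroll", "former_employee", True, date(2020, 3, 2), frozenset({"regulated"})),
    PrivilegedAccount("vendor-ops", "erp", "vendor", True, date(2020, 8, 1), frozenset({"regulated", "known_vuln"})),
    PrivilegedAccount("a.smith", "erp", "employee", False, date(2020, 8, 31), frozenset({"regulated", "known_vuln"})),
]
```

Running `prioritise(INVENTORY)` puts the departed employee's dormant payroll access and the vendor's standing access to a vulnerable ERP system ahead of the employee whose ERP privilege is only granted just-in-time.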
BN: How do you measure the effectiveness of a privileged access management program on the business? Is this something that the board and C-Suite should be paying attention to?
DH: Privileged access management has become a C-level priority. Board members and executives concerned about the security of their business, data and critical assets should know what their privileged-related risk is and how they’re managing it, as privilege exploitation will continue to be a key stage of a data breach.
By taking a phased approach to implementing a modern privileged access management program, security teams can align implementation with milestones on risk reduction that provide a tangible business ROI. Prioritizing a plan focused on the privileged-related threats that pose the greatest risk enables organizations to demonstrate progress in their ongoing battle with attackers.
BN: Why should a company prioritize privileged access management?
DH: What and how to prioritize security projects can be a difficult question for most companies these days. With resources (people and budgets) low and demand high, knowing when and where to invest can be a real challenge. Privileged Access Management is a base pillar of security with nearly every solution, application and service -- including those focused on security -- requiring admin access and likely needing privileged credentials in order to function.
Having the right foundations in place -- like Privileged Access Management -- at the start helps ensure the success of other security programs.