The 2021 Verizon Data Breach Investigations Report (DBIR) found that 85% of breaches involved a human element and 61% involved credentials. Those numbers are too high, and they underline why privileged accounts need to be managed and monitored. The remote workforce, and the hybrid workplace for that matter, have changed the way many businesses operate. Data is no longer centrally located within the confines of an office building. It is dispersed in the cloud, at employees' homes, at the local coffee shop; it is everywhere. The threat landscape has widened and given threat actors a whole new playing field. Just as we attempt to secure our workplaces and assets, attackers are just as intent on compromising them.
If Okta's recent security breach has taught us anything, it is that no one is 100% safe or exempt from a cyberattack, not even companies that specialize in identity and access management (IAM). The unfortunate irony is that we are all vulnerable and we are all targets; we cannot let our guard down. We are in the business of helping other businesses protect their customers; we should do all we can to protect ours as well.
In Okta's case, the entry point was a third-party customer support engineer's laptop, compromised through a remote access session. At first, Okta estimated that the breach could have impacted up to 366 enterprise customers, about 2.5% of its client base. Okta later concluded that only two active customers' tenants were actually breached. While the latter may seem low in comparison to Okta's huge customer base, it is significant to Okta, to the customers affected, and to the rest of their customer base. It is also significant to the rest of the world because it is another entry in the long list of breaches, such as T-Mobile, Microsoft and MailChimp, that affect customers and their personally identifiable information (PII). The potential for Russian cyberattacks further escalates the problem.
I’m not here to point fingers. I’m just saying that we have a serious problem on our hands — and, the solution is easier said than done.
PAM is vital for enterprise security
It’s common for large corporations to use outside resources, such as the one Okta uses to help provide services to their customers. The breach of a third-party vendor does not mean that we should stop using third-party services. The evolving security landscape along with expanded cloud technologies reinforces our reliance on third-party services. However, we need to be extra vigilant when it comes to vetting and utilizing these services.
We also need to be more vigilant when it comes to PAM, as most of today's attacks depend on obtaining or abusing privileged credentials in some form or fashion. PAM is vital for enterprise security and encompasses privileged password management, secure remote access and endpoint privilege management. Without it, privilege tends to accumulate on ordinary accounts, so a threat actor who gains access to a company's network through a single user account can often reach the company's most sensitive data, including financial information and PII.
With proper PAM tools, procedures and processes in place, only designated privileged accounts, used under controlled conditions, can reach the company's most sensitive data. This makes managing, monitoring and controlling access much more effective and efficient. Of course, a breach can still happen even with PAM tools in place, as the Okta, T-Mobile, Microsoft and MailChimp breaches show, but restricting and limiting access shrinks the playing field and limits what an attacker can reach once they are in.
Not without challenges
The so-called "Great Resignation and Great Reshuffling" brought on by the COVID-19 pandemic, and the shift from traditional office settings to hybrid or remote workplaces, have only added to companies' PAM issues. These obstacles further emphasize the importance of having proper procedures in place. In a recent identity governance and administration (IGA) survey, 34% of respondents rated PAM as the most difficult operational task, owing to the unique challenges businesses face when implementing PAM in the cloud. One of those challenges is the lack of visibility and control over PAM processes, which sometimes forces IT personnel to implement identity processes in the cloud by hand. Manual processes are error-prone and leave gaps, such as accounts that outlive their owners, that threat actors can then exploit. An automated process for provisioning and deprovisioning employees is the core of the solution here.
Now, this should go without saying, but it’s important that employees that leave an organization are stripped of any and all access upon their departure. Don’t give hackers easy access to data through a door that should have been closed, but wasn’t.
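The deprovisioning gap described above is easiest to close with a reconciliation job that compares the HR roster against the directory and turns every discrepancy into an action. The following is an added example, not code from the original article or from any product; the HR and directory record layouts, the `owner` attribute, and the sample people and accounts are all constructed for illustration. Beyond plain leavers, it also catches the cases a practitioner usually worries about: service accounts owned by someone who has left, orphaned and idle privileged accounts, accounts with no HR record, and a leaver's account that was used after their termination date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    termination_date: Optional[date]   # None = still employed


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]       # user_id responsible for the account; None = orphaned
    enabled: bool
    privileged: bool
    last_login: Optional[date]


# Constructed sample data (hypothetical people and accounts, not real records).
TODAY = date(2022, 4, 1)
HR_ROSTER = [
    Employee("alice", None),
    Employee("bob", date(2022, 3, 15)),    # left two weeks ago
    Employee("carol", date(2022, 4, 30)),  # on notice, still employed today
]
DIRECTORY = [
    Account("alice", "alice", True, False, date(2022, 3, 31)),
    Account("bob", "bob", True, True, date(2022, 3, 29)),         # leaver, still enabled, used after exit
    Account("carol", "carol", True, False, date(2022, 3, 30)),
    Account("svc-backup", "bob", True, True, date(2022, 3, 31)),  # service account owned by a leaver
    Account("adm-legacy", None, True, True, date(2021, 9, 1)),    # orphaned admin account, long idle
    Account("dave", "dave", True, False, None),                   # no HR record at all
    Account("erin", "erin", False, True, date(2021, 1, 1)),       # already disabled: ignored
]


def reconcile(roster, directory, today, stale_after=timedelta(days=90)):
    """Return {action: sorted account names} for a ticket queue or an automated job."""
    termination = {e.user_id: e.termination_date for e in roster}
    left = {u for u, t in termination.items() if t is not None and t <= today}
    actions = {k: [] for k in ("disable", "reassign_owner", "review_orphan",
                               "no_hr_record", "review_stale", "post_termination_login")}
    for acct in directory:
        if not acct.enabled:
            continue  # already closed; nothing to do
        if acct.owner in left:
            if acct.name == acct.owner:
                # Personal account of someone who has left: close the door.
                actions["disable"].append(acct.name)
                if acct.last_login and acct.last_login > termination[acct.owner]:
                    # Used after the termination date: this needs an investigation, not just a disable.
                    actions["post_termination_login"].append(acct.name)
            else:
                # Shared or service account whose responsible owner has left.
                actions["reassign_owner"].append(acct.name)
        elif acct.owner is None:
            actions["review_orphan"].append(acct.name)
        elif acct.owner not in termination:
            actions["no_hr_record"].append(acct.name)
        # Idle privileged accounts are standing privilege nobody is watching.
        if acct.privileged and (acct.last_login is None or today - acct.last_login > stale_after):
            actions["review_stale"].append(acct.name)
    return {k: sorted(v) for k, v in actions.items()}


if __name__ == "__main__":
    for action, names in reconcile(HR_ROSTER, DIRECTORY, TODAY).items():
        print(f"{action:24s} {names}")
```

In practice the "disable" bucket is the one to automate end to end (HR feed event to directory change), while the review buckets go to a person; the point of the script is that none of these cases is left to memory.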
The cybersecurity labor shortage also isn't helping, as many organizations lack the personnel to properly implement PAM. What can be done? Train the people you have; plain and simple. Also, implement the principle of least privilege, the security maxim that users should be granted only the access to data and resources that they require to perform their job, and nothing more.
PAM supports the principle of least privilege
The principle applies not only to individuals but also to networks, devices, programs, processes, and services. When your company practices the principle of least privilege, you grant users the bare minimum of privileges needed to execute their assigned duties. The principle of least privilege:
Reduces cyberattack surface and improves security: Digital transformation has increased the attack surface as companies move operations to hybrid IT environments and collaborate with contractors and third-party users. Least privilege is intended to keep the surface as small as possible by restricting access and privileges to only those who need them, limiting the threat actor’s potential attack vectors.
Helps stop the spread of malware: Malware can cripple an organization. The principle of least privilege does not stop the initial click, but it limits how far an infection can go. For example, if an employee opens a link in a phishing email, the attacker starts with only that employee's accounts and permissions, which makes lateral movement and privilege escalation harder and the resulting damage smaller.
Improves stability for users and systems: Granting users only the permissions they need means fewer accidental changes, fewer troubleshooting requests and a narrower blast radius when an application is affected. This, in and of itself, improves the stability of an organization's systems, both day to day and in the event of an attack.
Streamlines compliance and audits: If your organization collects, stores and uses sensitive data, you must comply with regulations for handling it properly. And, those regulations more than likely require that you enforce least-privilege access policies. Limiting access makes compliance more attainable and makes audits for privileged activity easier.
Thinking beyond least privilege
In the grand scheme of things, implementing the principle of least privilege drastically reduces security risks and the overall attack surface. It reduces the risk of attackers gaining access to critical systems and sensitive data by compromising a standard user’s account, device or application. Privileged Access Management, on the other hand, deals with security processes and technologies required to protect privileged accounts — those beyond the standard user that pose a significant risk if compromised. Cybercriminals target privileged accounts as they have a greater reach and can do far more damage.
A PAM strategy is only as effective as its implementation, and organizations should consider the following best practices:
Implement the Principle of Least Privilege. You cannot manage privileged accounts without first implementing the principle of least privilege. Know who is accessing what within the organization, and verify that employees, contractors, devices and applications have only the access needed to do their job.
Keep track of all privileged accounts. You cannot manage a privileged account if it is not part of your PAM solution.
Consider temporary privilege escalation. Instead of granting a user perpetual privileged access, consider temporarily granting elevated permissions on an as-needed basis, perhaps through one-time-use credentials or session privileges with timed expiration.
Use Role-Based Access Control. PAM only works if access is organized into roles with distinct permission levels, so that privileges can be granted to a role and reviewed as a unit. Granting everyone administrator rights is not only harder to secure and manage, it is bad practice.
Automate. Automating provisioning, deprovisioning and other routine privilege changes reduces the risk of human error and increases the efficiency of your information security environment.
Monitor, Log and Audit. Continuous monitoring and actively logging all privileged account activity is vital in ensuring an organization has the insights it needs to protect its environment. It is also crucial to regularly audit the logs to identify potential risks and implement mitigation measures.
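The best practices above (least privilege checked against roles, temporary elevation with timed expiry and one-time-use credentials, and an audit trail of every decision) fit together naturally in a small privilege broker. The following is an added example written for this page, not code from the original article or from any PAM product; the role names, users, permission strings and signing scheme are assumptions for illustration. An elevation request is only granted if the user is still active, the permission belongs to one of the user's roles and the requested lifetime is within policy; the resulting token is single-use and expires, and every grant, use, denial and rejection lands in an append-only audit log that a simple audit helper can summarize.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed role model (hypothetical names, not from the article).
ROLE_PERMISSIONS = {
    "dba": {"db:restart", "db:read-logs"},
    "helpdesk": {"user:reset-password"},
}
USER_ROLES = {"alice": {"dba"}, "bob": {"helpdesk"}}
# Deprovisioning removes a user from this set; anything for them must fail closed.
ACTIVE_USERS = {"alice", "bob"}


class PrivilegeBroker:
    """Issues short-lived, single-use elevation tokens and records every decision."""

    def __init__(self, signing_key: bytes, max_ttl: timedelta = timedelta(minutes=30)):
        self._key = signing_key
        self._max_ttl = max_ttl
        self._grants = {}      # grant_id -> {"user", "permission", "expires", "used"}
        self.audit_log = []    # append-only list of decision records

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit_log.append({"ts": now.isoformat(), "event": event, **fields})

    def _sign(self, grant_id: str, user: str, permission: str, expires: datetime) -> str:
        # Binds the token to exactly what was issued; knowing a grant_id alone is not enough.
        msg = f"{grant_id}|{user}|{permission}|{expires.isoformat()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def allowed_permissions(self, user: str) -> set:
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, ())))

    def request_elevation(self, user: str, permission: str, ttl: timedelta,
                          reason: str, now: datetime) -> Optional[str]:
        """Return 'grant_id.signature', or None if denied. Every outcome is logged."""
        why = None
        if user not in ACTIVE_USERS:
            why = "inactive user"
        elif permission not in self.allowed_permissions(user):
            why = "permission not in user's roles"
        elif ttl <= timedelta(0) or ttl > self._max_ttl:
            why = "ttl outside policy"
        if why:
            self._log("denied", now, user=user, permission=permission, why=why)
            return None
        grant_id = secrets.token_hex(8)
        expires = now + ttl
        self._grants[grant_id] = {"user": user, "permission": permission,
                                  "expires": expires, "used": False}
        self._log("granted", now, user=user, permission=permission, grant=grant_id,
                  expires=expires.isoformat(), reason=reason)
        return f"{grant_id}.{self._sign(grant_id, user, permission, expires)}"

    def use(self, token: str, user: str, permission: str, now: datetime) -> bool:
        """Validate and consume a token; any mismatch fails closed and is logged."""
        grant_id, _, sig = token.partition(".")
        grant = self._grants.get(grant_id)
        why = None
        if grant is None:
            why = "unknown grant"
        elif not hmac.compare_digest(sig, self._sign(grant_id, grant["user"],
                                                     grant["permission"], grant["expires"])):
            why = "bad signature"
        elif grant["user"] != user or grant["permission"] != permission:
            why = "token does not match request"
        elif user not in ACTIVE_USERS:
            why = "inactive user"
        elif now >= grant["expires"]:
            why = "expired"
        elif grant["used"]:
            why = "already used"
        if why:
            self._log("rejected", now, user=user, permission=permission, grant=grant_id, why=why)
            return False
        grant["used"] = True
        self._log("used", now, user=user, permission=permission, grant=grant_id)
        return True

    def denials_per_user(self) -> dict:
        """Audit helper: repeated denials or rejections per user deserve a human look."""
        counts = {}
        for e in self.audit_log:
            if e["event"] in ("denied", "rejected"):
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts


def demo():
    """Walk through the usual cases; returns (outcomes, broker) for inspection."""
    broker = PrivilegeBroker(secrets.token_bytes(32))
    t0 = datetime(2022, 4, 1, 9, 0, tzinfo=timezone.utc)
    out = {}
    tok = broker.request_elevation("alice", "db:restart", timedelta(minutes=10), "INC-1234", t0)
    out["alice_granted"] = tok is not None
    out["alice_first_use"] = broker.use(tok, "alice", "db:restart", t0 + timedelta(minutes=5))
    out["alice_replay"] = broker.use(tok, "alice", "db:restart", t0 + timedelta(minutes=6))
    tok2 = broker.request_elevation("alice", "db:read-logs", timedelta(minutes=10), "INC-1234", t0)
    out["alice_expired"] = broker.use(tok2, "alice", "db:read-logs", t0 + timedelta(minutes=11))
    out["bob_out_of_role"] = broker.request_elevation("bob", "db:restart", timedelta(minutes=5), "curious", t0) is not None
    out["ttl_too_long"] = broker.request_elevation("alice", "db:restart", timedelta(hours=8), "convenience", t0) is not None
    out["leaver"] = broker.request_elevation("mallory", "db:restart", timedelta(minutes=5), "old habit", t0) is not None
    return out, broker


if __name__ == "__main__":
    outcomes, b = demo()
    print(outcomes)
    print(b.denials_per_user())
```

The shape matters more than the details: the broker, not the user, decides what standing privilege exists (none), elevation is scoped to one permission for a bounded time, and the audit log is the record you review, so a leaver who keeps trying, or an admin who keeps asking for eight-hour windows, shows up in the denial counts rather than in an incident report.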
The numbers don’t lie. Cyberattacks are on the rise, and cybercriminals have a clear advantage when ineffective PAM strategies are in place. While not every attack or breach is preventable, there are measures enterprises should put in place to lessen the blow. If the recent slew of data breaches has taught us anything, it’s that organizations should immediately reduce rights and access for each account to the bare minimum, make sure security teams know where privileged accounts exist and who uses them and teach users and admins the value of their identity and credentials.