Q&A: Savvy companies discover why locking down ‘privileged access’ boosts security

By Byron V. Acohido

Now is a terrific time for organizations to begin getting a much better grip on who has what level of access to sensitive nooks and crannies of the company network.

Wider, deeper use of Internet-centric systems has boosted corporate productivity to remarkable levels. Yet the rapidly growing complexity of corporate networks has also opened more opportunities for hacking – and threat actors continue to take full advantage. Breach attempts—and successful hacks—continue to rise steadily, despite billions spent by the corporate sector on the latest, greatest security systems.

That said, there is one area where savvy companies are making giant leaps in improving their security postures: getting incrementally smarter about identity and access management, or IAM.

IAM refers to the policies and technologies that ensure the right people, and only those people, have the right level of access to an organization’s technology resources. Sounds simple and logical. However, the overall state of IAM in the corporate world is still not very good. This is because not nearly enough attention was paid to monitoring and managing access rights as company networks got cobbled together, and then piggybacked onto the Internet, over the past 20 years.

The flip side is that many businesses are waking up to the fact that there are big gains to be made by addressing IAM in a forthright manner; smarter policies and procedures can be supplemented by innovative technologies brought to the table by IAM security vendors. I recently had a chance to discuss this with Corey Williams, senior director of products and marketing at Centrify, a leading IAM platform supplier. Some excerpts of our conversation:

LW: How did identity and access management get so out of whack?

Williams: A series of events landed us in this identity crisis. For one thing, scams for tricking folks into giving up logon credentials have become much more sophisticated. It’s become hard to tell a legitimate communication from a non-legitimate one, and even the most vigilant users are succumbing to phishing scams.

Another issue is that our best practices for password usage just got too cumbersome. Requiring people to have a complex password, and to have to change that complex password every 90 days — for every account that you owned — just did not fly. People started breaking the rules, and using the same password for multiple accounts. In addition, some of our mitigation methods, like having a second factor of authentication, got very fragmented; you had to use a different one for your bank account than you did for a trading account or a healthcare account.

LW: How did the casual disbursement of privileged accounts factor into this?

Williams: Privileged accounts added to the perfect storm. Superuser accounts that have the power to do any number of things were handed out freely, and became the prized target of attackers. Once they gain a foothold in the network through a compromised device, they begin to listen for that user accessing a system with a privileged login, and then they hijack it from there. Privileged accounts, according to Forrester, are involved in 80 percent of all attacks. Privileged accounts often are the ultimate target of attackers because they can use them to move laterally through the network.

LW: If I’m a company decision maker, how would I begin to wrap my mind around this exposure?

Williams: Think about the fact that all of your users, including privileged users, have a ton of usernames and passwords giving them access to the resources you’re trying to protect. Then think about the fact that with all the breaches that are going on, it’s safe to assume that all of your passwords are published somewhere publicly.

So the first thing your organization needs to do is to establish better identity assurance. That means you’ll need to layer on some additional capabilities or best practices, such as multi-factor authentication, that will allow you to know who that user is with a higher degree of certainty.

LW: What about the hassle factor that you cited?

Williams: Multi-factor authentication used to be very cumbersome for users, but a lot of innovation has happened in the last three years. Multi-factor authentication has become much more palatable. The end user can use their smartphone to get a notification pushed to them and authenticate with a single button press; it’s much, much easier than it was even a few years ago.

LW: What else can a company do?

Williams: Going along with multi-factor authentication, you can now leverage machine learning and artificial intelligence to do what we call ‘risk-based access.’ This is similar to what the payment card industry has been doing for a long time. If I use my credit card to fill up my car near my hometown, and then it gets used a half hour later a thousand miles away in Alberta, Canada, that represents a risky transaction.

It’s now possible to do the same thing when accessing corporate resources. You can create a risk profile for individual users based on their behaviors using the company’s network. That gives you the ability to identify if someone is trying to access a system at the wrong time of day or under odd circumstances. You can then make a judgment as to whether that might be a fraudulent access attempt.

You can also look into automating the provisioning and de-provisioning of access. So if a technician needs a certain level of access to install a patch, he should be given that access only for the time period he needs to complete the task, and then it should be taken away. Likewise, if someone’s job role changes, or if someone leaves the company, access should be taken away in an automated, steady-state fashion.
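The risk-based access check described in the answer above, written out as an added example (this is not Centrify code, nor anything from the interview). It scores each login against a per-user baseline for the three signals Williams mentions: impossible travel between consecutive logins (the credit-card analogy), time of day outside the user's normal pattern, and an unfamiliar device. The GeoIP table, the baseline, the score weights and thresholds, and the three sample login events are all constructed for the example; timestamps are assumed to already be in the user's local time zone.

```python
"""Risk-based access scoring over constructed login events.

Added example, not code from Centrify or the article. The GeoIP table, the
user baseline and the login events are constructed so the script runs
offline; timestamps are assumed to be in the user's local time zone.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Constructed stand-in for a GeoIP database: ip -> (city, lat, lon).
GEO = {
    "198.51.100.7": ("Seattle", 47.61, -122.33),
    "192.0.2.44": ("Seattle", 47.62, -122.35),
    "203.0.113.9": ("Edmonton, Alberta", 53.55, -113.49),
}
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner = impossible travel
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime        # user-local time (assumption)
    ip: str
    device_id: str


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past logins."""
    usual_hours: Set[int]                     # local hours (0-23) seen historically
    known_devices: Set[str]
    last_trusted: Optional[AuthEvent] = None  # last login that was allowed outright


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score(event: AuthEvent, base: Baseline) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). The weights are illustrative assumptions."""
    risk, reasons = 0, []

    # 1. Impossible travel: distance from the last trusted login vs. elapsed time.
    prev = base.last_trusted
    if prev is not None and prev.ip != event.ip:
        city1, lat1, lon1 = GEO[prev.ip]
        city2, lat2, lon2 = GEO[event.ip]
        km = haversine_km(lat1, lon1, lat2, lon2)
        hours = (event.ts - prev.ts).total_seconds() / 3600.0
        # A zero or negative gap (clock skew, replayed event) is treated as impossible.
        speed = km / hours if hours > 0 else float("inf")
        if speed > MAX_PLAUSIBLE_KMH:
            risk += 60
            reasons.append(f"impossible travel: {city1} -> {city2}, "
                           f"{km:.0f} km in {hours * 60:.0f} min")

    # 2. Time of day outside the user's historical pattern.
    if event.ts.hour not in base.usual_hours:
        risk += 20
        reasons.append(f"off-hours login at {event.ts:%H:%M}")

    # 3. Device never seen for this user.
    if event.device_id not in base.known_devices:
        risk += 20
        reasons.append(f"unknown device {event.device_id}")

    return risk, reasons


def decide(risk: int) -> str:
    """Map a score to a decision: allow, require an MFA step-up, or deny."""
    if risk < 20:
        return "allow"
    if risk < 60:
        return "step-up"
    return "deny"


def evaluate(events: List[AuthEvent], base: Baseline) -> List[Tuple[str, List[str]]]:
    """Score events in time order; only outright-allowed logins update the baseline."""
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        risk, why = score(ev, base)
        verdict = decide(risk)
        out.append((verdict, why))
        if verdict == "allow":
            base.last_trusted = ev
            base.known_devices.add(ev.device_id)
    return out


def sample_baseline() -> Baseline:
    """Constructed: alice normally works 07:00-18:59 from laptop-1 in Seattle."""
    return Baseline(usual_hours=set(range(7, 19)), known_devices={"laptop-1"})


# Constructed events: a normal morning login, a login from Alberta half an hour
# later on a device never seen before, then a late-night login from the usual laptop.
SAMPLE_EVENTS = [
    AuthEvent("alice", datetime(2018, 5, 14, 8, 10), "198.51.100.7", "laptop-1"),
    AuthEvent("alice", datetime(2018, 5, 14, 8, 40), "203.0.113.9", "win-unknown"),
    AuthEvent("alice", datetime(2018, 5, 14, 23, 30), "192.0.2.44", "laptop-1"),
]

if __name__ == "__main__":
    for verdict, why in evaluate(SAMPLE_EVENTS, sample_baseline()):
        print(verdict, "|", "; ".join(why) or "matches baseline")
```

Two design points matter more than the weights: the travel check compares against the last login that was actually trusted, not the last attempt, so a denied login from the attacker's location does not become the new "normal"; and the middle band returns "step-up" rather than a hard block, which is what lets risk scoring and the push-based MFA from the earlier answer work together instead of simply adding friction.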

LW: So what about the determined hacker who still gets through? How else can you limit his lateral movement?

Williams: This has to do with moving away from using shared accounts, especially ones that have broad access privileges. There’s a trend today toward using more of a ‘least privilege’ model. Privileges tend to accumulate over time and expose more and more sensitive data. You can mitigate this and move to a ‘least privilege’ approach using privileged identity management solutions, also known as privileged access management products.

The idea should be to limit lateral movement by enforcing least privilege. These tools allow you to get much more granular in assigning access rights to individual users; you are able to strictly limit those who can log in with privileged access rights, and even control individual commands or access to specific files.
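An added example, not code from Centrify or any privileged access management product, that models the broker logic behind the two answers above: the time-boxed, automatically expiring access a technician gets to install a patch (and its automatic revocation on a role change), and the command-level least privilege described in this last answer. A grant names one principal, one host, an explicit allowlist of absolute command paths and an expiry; authorization is deny-by-default and checks all four. The principal names, host names, ticket references, lifetimes and the scripted walk-through are constructed for the example.

```python
"""Just-in-time, command-scoped privilege grants (a least-privilege broker).

Added example, not code from Centrify or any PAM product. Names, TTLs, the
list of shell-like commands and the walk-through scenario are constructed.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, List, Tuple

# Allowlisting a shell, or an editor/pager with a shell escape, is equivalent
# to granting "ALL"; refuse such grants so least privilege cannot be hollowed out.
SHELL_LIKE = frozenset({"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash",
                        "/usr/bin/vim", "/usr/bin/vi", "/usr/bin/less", "/usr/bin/su"})


@dataclass(frozen=True)
class Grant:
    principal: str
    host: str
    commands: FrozenSet[str]   # absolute paths, matched exactly against argv[0]
    expires_at: datetime
    ticket: str                # change/incident reference that justifies the grant


class PrivilegeBroker:
    """Deny-by-default: a privileged command runs only under a live, matching grant."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit: List[Tuple[datetime, str, str]] = []   # (when, verdict, detail)

    def grant(self, principal: str, host: str, commands: Iterable[str],
              ttl: timedelta, ticket: str, now: datetime) -> Grant:
        cmds = frozenset(commands)
        broad = cmds & SHELL_LIKE
        if broad or any(not c.startswith("/") for c in cmds):
            raise ValueError(f"refusing over-broad grant: {sorted(broad) or sorted(cmds)}")
        g = Grant(principal, host, cmds, now + ttl, ticket)
        self._grants.append(g)
        self.audit.append((now, "grant", f"{principal}@{host} {sorted(cmds)} "
                                         f"until {g.expires_at:%H:%M} ({ticket})"))
        return g

    def revoke_all(self, principal: str, now: datetime, why: str) -> int:
        """Role change or departure: every live grant for the person goes at once."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.principal != principal]
        dropped = before - len(self._grants)
        self.audit.append((now, "revoke", f"{principal}: {dropped} grant(s), {why}"))
        return dropped

    def authorize(self, principal: str, host: str, cmdline: str,
                  now: datetime) -> Tuple[bool, str]:
        argv = shlex.split(cmdline)
        if not argv or not argv[0].startswith("/"):
            return self._log(now, False, f"{principal}@{host}: command must be an absolute path")
        self._grants = [g for g in self._grants if g.expires_at > now]   # expire lazily
        for g in self._grants:
            if g.principal == principal and g.host == host and argv[0] in g.commands:
                return self._log(now, True, f"{principal}@{host}: {argv[0]} under {g.ticket}")
        return self._log(now, False, f"{principal}@{host}: no live grant for {argv[0]}")

    def _log(self, now: datetime, ok: bool, detail: str) -> Tuple[bool, str]:
        self.audit.append((now, "allow" if ok else "deny", detail))
        return ok, detail


def shell_grant_is_refused() -> bool:
    """True if the broker rejects an allowlist containing an interactive shell."""
    try:
        PrivilegeBroker().grant("tech", "web01", ["/bin/bash"], timedelta(minutes=5),
                                "CHG-0000", datetime(2018, 5, 14, 9, 0))
    except ValueError:
        return True
    return False


def walkthrough() -> List[bool]:
    """Constructed scenario: a technician gets 30 minutes to patch one host."""
    t0 = datetime(2018, 5, 14, 9, 0)
    m = lambda minutes: t0 + timedelta(minutes=minutes)   # noqa: E731
    broker = PrivilegeBroker()
    broker.grant("tech", "web01", ["/usr/bin/apt-get"], timedelta(minutes=30), "CHG-1234", t0)
    results = [
        broker.authorize("tech", "web01", "/usr/bin/apt-get upgrade -y", m(10))[0],  # allowed
        broker.authorize("tech", "web01", "/bin/bash", m(10))[0],                    # not in allowlist
        broker.authorize("tech", "db01", "/usr/bin/apt-get upgrade -y", m(10))[0],   # wrong host
        broker.authorize("tech", "web01", "/usr/bin/apt-get upgrade -y", m(31))[0],  # expired
    ]
    # Role change: everything is revoked, including a grant issued a minute earlier.
    broker.grant("tech", "web01", ["/usr/bin/apt-get"], timedelta(hours=1), "CHG-1235", m(40))
    broker.revoke_all("tech", m(41), "moved to finance")
    results.append(broker.authorize("tech", "web01", "/usr/bin/apt-get upgrade", m(42))[0])
    return results


if __name__ == "__main__":
    print(walkthrough())
    for when, verdict, detail in PrivilegeBroker().audit:
        print(when, verdict, detail)
```

Exact matching on the resolved absolute path is the minimum; a real broker also constrains arguments (an allowlisted package manager that accepts a "run this hook" option is still a path to a shell) and ties the grant to a ticket so the audit trail answers "who had root on which host, for what, and until when" without anyone having to remember to take the access away.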

(Editor’s note: Last Watchdog has provided consulting services to Centrify.)
