GUEST ESSAY: The case for an identity-first approach to ‘Zero Trust’ privileged access management

By Raj Dodhiawala

Today’s enterprises are facing more complexities and challenges than ever before.

Thanks to the emergence of today’s hybrid and multi-cloud environments and factors like remote work, ransomware attacks continue to permeate every industry. In fact, the 2022 Verizon Data Breach Investigation Report revealed an alarming 13 percent increase in ransomware attacks overall – greater than the past five years combined – and the inability to properly manage identities and privileges across the enterprise is often the root cause.

As enterprises continue to fall victim to increasingly complex attacks, there’s one topic that cybersecurity professionals and vendors can agree on: the importance of Zero Trust. Still, how to properly define and execute this strategy often remains one of the biggest challenges to overcome.

A ‘Zero Trust’ core

The Zero Trust buzzword has exploded in use over the last few years. Through endless redefinitions, it’s difficult to find a reliable one. While this continuous pivot can be tough to track, it does not diminish the need for a real, executable strategy for tackling its core tenets. One helpful perspective is to view Zero Trust as a three-legged tripod:

• The first leg of this tripod is the network – protecting the perimeter and ensuring organizations are safeguarded from the outside in, as well as inside out.

• The second is the endpoint – protecting the workstations, servers, laptops, cloud instances, network devices, etc. – the crown jewels are on endpoints or accessed from them.

• The third is identity – the validation that a requestor is who they say they are and has the ability and limitation to do only what they should.

Without addressing the identity leg of the tripod, and more importantly privileged identity, there simply is no Zero Trust. With its core tenet of verify (not trust), a robust Zero Trust framework must include the privileged identity and just-in-time authorizations.

In typical attacks, the attacker uses compromised admin credentials to elevate privileges and move laterally between systems. These techniques succeed due to standing privilege granted to the privileged identities – the accounts which are trusted.

To build identity-centric trust across an organization, every enterprise asset must be identified and managed – putting greater emphasis on privileged identity for both human identities (employees, consultants, partners, vendors, customers, etc.) and digital identities (apps, devices, machines, etc.).

While solutions are available to augment the authentication of an entity through MFA and credential-centric tools, a key component is missing: authorization. Without it, the identity leg of the tripod remains incomplete, attacks still succeed, and real identity enforcement is impossible.

Redefining access

As most of today’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl – a prominent and highly exploited attack surface – it’s unsurprising that once an attacker is inside the network, finding the organization’s crown jewels is straightforward. From there, they can encrypt data, execute a ransomware attack and more.

Given these imminent threats, the industry needs a paradigm shift that goes beyond credential hygiene and more holistically solves for authorization. Given that nearly 80 percent of today’s cyberattacks involve leveraging privileged identities, one novel approach is to forego the focus on the password itself for something different – Zero Standing Privilege (ZSP).

Coined by Gartner, ZSP goes beyond the typical privileged access management (PAM) strategies. It removes the typical, 24×7 standing privilege and protects organizations against the discovery of administrative credentials, hashes, or secrets.

Even if the attacker gains a foothold through a weak password, ZSP protects the organization by reducing the attack surface they can move to. ZSP is the most important and proactive IAM measure an organization can implement to mitigate real and present threats.
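The zero-standing-privilege model described above, as an added illustration that is not Remediant’s product or the essay’s own code: a hypothetical just-in-time broker in which no identity holds standing admin rights, elevation is requested per asset for a capped window, and an authorization check consults only unexpired grants. The identities, hosts, policy and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    identity: str
    asset: str
    expires_at: datetime  # every grant is time-bound; nothing is permanent

@dataclass
class ZspBroker:
    """Holds no standing admin membership: privilege exists only as active, expiring grants."""
    max_ttl: timedelta = timedelta(hours=1)
    eligible: dict = field(default_factory=dict)  # identity -> assets it may request (policy)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request_elevation(self, identity, asset, reason, now, ttl=None):
        """Just-in-time elevation: approve only policy-eligible pairs, and cap the window."""
        ttl = min(ttl or self.max_ttl, self.max_ttl)
        if asset not in self.eligible.get(identity, set()):
            self.audit.append(("denied", identity, asset, reason, now))
            return None
        grant = Grant(identity, asset, now + ttl)
        self.grants.append(grant)
        self.audit.append(("granted", identity, asset, reason, now))
        return grant

    def is_authorized(self, identity, asset, now):
        """Authorization means an unexpired grant for this identity and asset, nothing else."""
        self.grants = [g for g in self.grants if g.expires_at > now]  # expire lazily
        return any(g.identity == identity and g.asset == asset for g in self.grants)

    def revoke_all(self, identity, now):
        """Incident response: pull every active grant for a suspected-compromised identity."""
        self.grants = [g for g in self.grants if g.identity != identity]
        self.audit.append(("revoked", identity, "*", "incident", now))

def demo():
    t0 = datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = ZspBroker(eligible={"alice": {"db-prod-01", "web-prod-02"}})
    before = broker.is_authorized("alice", "db-prod-01", t0)  # eligible is not privileged
    broker.request_elevation("alice", "db-prod-01", "change ticket (constructed)", t0, timedelta(minutes=30))
    during = broker.is_authorized("alice", "db-prod-01", t0 + timedelta(minutes=10))
    # A credential stolen mid-window reaches only the one asset granted, not the fleet.
    other = broker.is_authorized("alice", "web-prod-02", t0 + timedelta(minutes=10))
    after = broker.is_authorized("alice", "db-prod-01", t0 + timedelta(minutes=31))
    return before, during, other, after
```

Contrast this with a standing-privilege model, where `is_authorized` would simply check group membership and return true at every moment for every asset the group covers.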

In the end, there is no silver bullet for achieving and maintaining Zero Trust security, and we as an industry have a long road ahead to truly establish Zero Trust across each pillar within an organization. With a ZSP approach to identity management, though, organizations can more successfully ensure the identity leg of the Zero Trust tripod is powerful and secure.

About the essayist: Raj Dodhiawala is CEO of Remediant, a San Francisco-based cybersecurity company. He has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets.