Privileged Access Management: Critical in Today’s Security Landscape

With so many security priorities to choose from, how can organizations know where to focus their efforts? As a new and stringent regulation goes into effect and static methods of security take a beating, privileged access management becomes more important than ever. Below are three key trends that require serious attention to create and maintain cybersecurity in the new year and for years to come.

GDPR Takes Effect

Compliance has always been a global issue, and the world is now faced with a new regulation: the General Data Protection Regulation (GDPR), which will take effect in May 2018. This regulation will have a major impact on the European Union and on international companies with access to European citizens’ sensitive data. The GDPR is considered comparable to the U.S. Security Breach Legislation enacted in 48 states, but on steroids. Organizations must account for all sensitive data and the access granted to it.

At the same time, it expands the definition of sensitive data to include online identifiers, such as an IP address or cookies.

The GDPR applies to any organization with more than 250 employees that has the personal data of EU citizens—regardless of whether that organization has a location in the EU or targets EU citizens. This marks the first time U.S. companies have had to abide by an EU regulation (as opposed to a Directive), and the fines for non-compliance are steep: up to €20 million or 4 percent of annual global turnover, whichever is greater.

The EU created such expensive fines because it is serious about maintaining data privacy, so this gives it the teeth to police compliance. GDPR compliance language will begin to appear on business websites as companies seek to assure customers that their data will be safe. But the bigger shift for businesses will be the need to dig deep into their processes to comply with this regulation. They will need to have full visibility into who has access to sensitive data—and as we will see below, that is rare.

Attacks on Static Security

With nation-state-sponsored cyberattacks, cybercriminals and hacktivists, organizations worldwide will continue to face cyberthreats and struggle to maintain a solid and continuous compliance and security posture.

In this new world of networks that have no perimeter, companies must invest all the way down to the infrastructure core of the business to secure their data. But while technology is changing at lightning pace, many processes remain stuck in the past. Static security measures such as passwords and vaults don’t move with the speed of today’s business and simply aren’t enough anymore.

The Role of Privileged Access Management

Maintaining privileged access to protected data has become a challenge for all CIOs, CISOs, IT security teams and IT architects, regardless of where they are located across the globe. It’s a board/business topic. SSH user key-based access, referred to as the dark side of compliance, continues to bubble up on the high-risk radar as uncontrolled and unmanaged elevated access into production. Organizations must consider SSH keys when assessing security because they provide the highest level of access yet are rarely, if ever, monitored.

A recent study by the Cyber Security Research Institute provides proof of this startling reality. It revealed that 61 percent of respondents do not limit or monitor the number of administrators who manage SSH. Further, 90 percent of respondents do not have a complete, accurate inventory of all SSH keys. This means that there is no way to tell whether keys have been stolen or misused or should be trusted.
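The inventory gap described above can be made concrete. The following is an added example, not part of the original article or of any SSH Communications Security product: it builds a fingerprint-indexed inventory from authorized_keys contents and flags keys shared across accounts, weak key types, and keys with no from= or command= restriction. Host names, accounts, key material and the function names are constructed for illustration.

```python
import base64, hashlib, re
from collections import defaultdict

# Simplified authorized_keys matcher: [options] keytype base64-blob [comment]
KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))'
                    r'\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')
WEAK_TYPES = {"ssh-dss"}  # DSA keys: disabled by default since OpenSSH 7.0

def fingerprint(b64_blob):
    # Same SHA256 format that `ssh-keygen -lf` prints (unpadded base64).
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    line = line.strip()
    m = None if line.startswith("#") else KEY_RE.search(line)
    if not m:
        return None  # blank line, comment, or unrecognised key type
    ktype, blob, comment = m.groups()
    return {"type": ktype, "fingerprint": fingerprint(blob),
            "options": line[:m.start(1)].strip(), "comment": comment or ""}

def build_inventory(files):  # {(host, account): text} -> {fingerprint: [grants]}
    inv = defaultdict(list)
    for (host, account), text in files.items():
        for entry in filter(None, map(parse_line, text.splitlines())):
            inv[entry["fingerprint"]].append((host, account, entry))
    return inv

def findings(inv):
    out = []
    for fp, grants in inv.items():
        if len(grants) > 1:  # one private key opens several accounts
            out.append(("shared-key", fp, sorted(f"{a}@{h}" for h, a, _ in grants)))
        for host, account, e in grants:
            if e["type"] in WEAK_TYPES:
                out.append(("weak-type", fp, [f"{account}@{host}"]))
            if "from=" not in e["options"] and "command=" not in e["options"]:
                out.append(("unrestricted", fp, [f"{account}@{host}"]))
    return out

def _blob(label):  # constructed placeholder bytes, not a real public key
    return base64.b64encode(label.encode()).decode()
KEY_A, KEY_B, KEY_C = (_blob(f"constructed-key-{c}") for c in "ABC")
SAMPLE = {  # constructed authorized_keys contents, keyed by (host, account)
    ("web01", "root"): f"# admin key\nssh-ed25519 {KEY_A} alice@laptop\n",
    ("db01", "postgres"): f'from="10.0.0.5",command="/usr/bin/backup" ssh-rsa {KEY_B} backup\n'
                          f"ssh-ed25519 {KEY_A} alice@laptop\n",
    ("legacy01", "deploy"): f"ssh-dss {KEY_C} old-deploy\n",
}
if __name__ == "__main__": print(*findings(build_inventory(SAMPLE)), sep="\n")
```

In practice the input would be the authorized_keys files collected from every account on every host; indexing by fingerprint is what lets a single stolen or departed user's key be traced to every place it grants access.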

As businesses transition to the cloud, this level of insecurity cannot be tolerated or carried over to the new infrastructure. Cloud applications are elastic, scalable and dynamic. Traditional privileged access management was designed for static physical servers in much smaller environments. But as with passwords and other static security measures, static privileged access management can’t get the job done anymore either. Traditional privileged access management just doesn’t provide the agility one needs in the cloud and doesn’t handle elastic services well at all. In fact, it doesn’t handle traditional legacy infrastructure very well. Projects become complex and expensive.

However, there is hope: Next-generation privileged access management (NXPAM) offers a just-in-time solution to these issues. NXPAM works without any permanent access credentials on servers, using only short-term temporary credentials that are created on demand. There are no passwords to rotate, no vaults needed to store them and no software that needs to be installed and patched on individual servers. This makes for a very fast and straightforward deployment project with unlimited scalability.

Controlling Access

As organizations face the twin behemoths of the GDPR and innovative new cyberthreats, including those from foreign governments, they need to take a hard and close look at what security and compliance measures they have in place. Are policies consistently being carried out? Are they effective?

The sole purpose of implementing security controls is to protect what’s important: transactions and the ongoing operation of the business. A common theme is easy to identify: governance of trusted access to protected data. Going into 2018, it is crucial to start addressing these risks early. Organizations must have complete accountability for their protected data: Who has access to my data? Where is my data? What laws and regulations impact my compliance program?

Drilling down to the core infrastructure is a necessity, especially if you are operating on legacy systems. This is the level with the potential for greatest harm, should it be compromised. Now that the network has no borders, controlling access to it at this core level is of paramount importance. Addressing the three trends above, with NXPAM as part of your overall security and compliance strategy, will help your organization stand on solid ground well into the future.

This article was co-written by Red Curry, cybersecurity strategist at SSH Communications Security.

Andy Hammond

Andrew Hammond is vice president of business development at SSH Communications Security. Before joining SSH, Hammond held sales, marketing, business development, and executive management positions at Lotus Development, Open Market, Apple, and Netegrity. He co-founded Cambridge Instruments and GeoOptics Technologies. Hammond works with the MIT Enterprise Forum of Cambridge on entrepreneurial education and mentoring.
