One of the most basic things a company can do to dramatically improve their security posture is to keep very close track of who has what access to which privileged accounts inside the company firewall.
This is a best practice of privileged account management, which is a burgeoning sector of the identity and access management (IAM) field. For a variety of reasons, IAM is once again becoming acutely problematic.
Not nearly enough attention was paid to IAM best practices when we first cobbled together digital business systems 20 years ago — and then piggybacked them onto the Internet. In general, the corporate world still is not very good at enforcing policies that ensure only the proper people have access to an organization’s technology resources.
And now the “digital transformation” of corporate networks is steamrolling downhill. As we meld legacy company systems to cloud services, IAM exposures are flaring up once again. A recent survey of IT organizations in the U.S. and Europe by Atlanta-based security vendor Bomgar found that risky employee password-usage practices continue to be a challenge for a majority of organizations.
Bomgar was founded in 2003 by Joel Bomgar, who was then a college student moonlighting as a techie contractor helping companies update and manage their Windows computers. One day Bomgar realized he was losing valuable time driving from client to client to resolve simple issues. So he developed his own proprietary solution to access his clients’ computers, and began providing his services remotely.
That quickly evolved into a platform of solutions that allow IT administrators and security professionals to securely manage access to systems and privileged accounts. Bomgar (the company) subsequently emerged as a leading provider of IAM and security solutions and has grown to more than 300 employees with offices in five countries.
I had the chance to chat with Sam Elliott, Bomgar’s director of security product management, at the RSA Conference 2018 last week in San Francisco. Elliott connected a few dots as to why poor password hygiene – for privileged account passwords, in particular – continues to be a persistent pain point in the corporate world. We also discussed how fully embracing IAM best practices can result in material security gains. For a full drill down on our conversation please listen to the accompanying podcast. A few high-level takeaways:
In a stunning disclosure, Bomgar’s 2018 Privileged Access Threat Report found that writing down passwords was cited as a problem by 65% of organizations, an increase of 10% over 2017. Colleagues telling each other passwords was also a big problem for 54% of organizations in 2018, rising from 46% in 2017.
What’s happened is that IT administrators and third-party vendors need privileged access to be able to do their jobs effectively. But thanks to how we are digitally transforming our business networks, the number of privileged users is growing exponentially — and access to systems and data is beginning to unravel.
Organizations face a difficult balancing act: they must keep information secure while providing workers the access they need to do their jobs. Efforts to balance security and productivity sometimes have the opposite effect: Employees write down and share passwords, because a lot of people need access to privileged accounts.
“When you don’t make it a seamless experience for users to get what they need when they need it,” passwords will be shared among the team, Elliott says.
Sophisticated systems to proactively monitor and manage privileged accounts have long been available and get more powerful all the time. But technology isn’t a silver bullet. Elliott says companies that want to do a better job at IAM, particularly for privileged users, should be prepared to encounter resistance to change. Higher security generally correlates to less convenience, and it can be counter-productive to bruise the egos of senior-level system administrators accustomed to being left alone.
Yet the status quo clearly won’t do. Bomgar’s survey found 50% of organizations reported suffering a serious breach, or expected to experience one in the next six months, due to third-party and insider threats – up from 42% in 2017. Additionally, 66% of organizations claimed that they could have experienced a breach due to third-party access in the last 12 months, and 62% said they could have been breached due to misuse of insider credentials.
A large part of this risk is being spawned on premises by the companies themselves; the report found that 73% rely on third-party vendors too heavily, and 72% have cultures that are too trusting of partners. In an age where data breaches have immense financial and reputational implications, organizations have unnecessarily put far too much faith in outsiders.
Making the mitigation of third-party risk a top priority is a wise move for several reasons, Elliott told me. “If you say to a third party, ‘I’m no longer going to let you into my environment using a VPN and just telling you what service to hit; now you’re going to use my new privilege access management solution,’ those folks don’t have much of a choice,” Elliott says. “They can say no, and they’re no longer going to be doing business with you, or they can just say yes and do it.”
If the organization rotates the vendor’s credential every time they access the network, it has the ability to “press that nuclear button and rotate all the credentials in the entire organization (if) you think you’ve been breached,” he says.
A threat actor won’t be able to achieve the dwell time needed to delve deeply into a system because they don’t have a credential that’s valid for more than a few minutes. “That really does make a material difference in your defense,” Elliott says.
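To make the per-session rotation and “nuclear button” ideas concrete, here is a small added example (not Bomgar’s code, and not part of the original post) of a credential vault that hands a vendor a single-use token, expires it after a short window, invalidates it on check-in, and can revoke every outstanding credential at once. The five-minute TTL, the vault name and the target names are assumptions chosen for the illustration.

```python
import secrets
import time

TTL_SECONDS = 300  # assumption: a checked-out credential lives five minutes


class PrivilegedCredentialVault:
    """Issues short-lived, single-use vendor credentials and revokes them in bulk."""

    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self.generation = 0      # bumped by rotate_all(); older tokens become invalid
        self._active = {}        # token -> (vendor, target, expires_at, generation)
        self.audit = []          # append-only log of checkout/checkin/rotate events

    def checkout(self, vendor, target, now=None):
        """Mint a fresh credential bound to one vendor and one target system."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, never reused
        self._active[token] = (vendor, target, now + self.ttl, self.generation)
        self.audit.append(("checkout", vendor, target, now))
        return token

    def validate(self, token, target, now=None):
        """True only if the token is current, unexpired and bound to this target."""
        now = time.time() if now is None else now
        rec = self._active.get(token)
        if rec is None:
            return False
        _vendor, allowed_target, expires_at, gen = rec
        if gen != self.generation or now > expires_at or target != allowed_target:
            self._active.pop(token, None)  # burn it on any failed check
            return False
        return True

    def checkin(self, token, now=None):
        """Rotate on check-in: the credential is destroyed, so it cannot be replayed."""
        now = time.time() if now is None else now
        rec = self._active.pop(token, None)
        if rec is not None:
            self.audit.append(("checkin", rec[0], rec[1], now))
        return rec is not None

    def rotate_all(self, now=None):
        """The 'nuclear button': invalidate every outstanding credential at once."""
        now = time.time() if now is None else now
        revoked = len(self._active)
        self._active.clear()
        self.generation += 1
        self.audit.append(("rotate_all", None, None, now))
        return revoked
```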
Then there is this added bonus: by assigning recalcitrant system administrators to tighten up third-party privileged access, barriers can come down. The internal staffers will be forced to observe the attendant risks, up close and personal, and take a hands-on role in reducing that risk. This can translate into acceptance of similar policies the company will ask them to embrace. “Getting a quick win with third parties can allow you to get a quick win with the insiders,” Elliott says.
Companies need to do this. The slight ding in the vaunted speed and agility of ‘digitally transformed’ networks is a sacrifice that must be made. It’s a balancing act that must take place, the sooner the better.
(Editor’s note: Last Watchdog supplied consulting services to Bomgar.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: http://www.lastwatchdog.com/podcast-how-managing-privileged-accounts-can-help-make-digital-transformation-more-secure/