Category Archives: Identity & Access

Is Corporate VPN Security Dead?

The use of virtual private networks (VPNs) in the enterprise has come a long way. What was once a simple way to ensure a secure connection between an external network and a company’s internal network has become increasingly difficult to manage.

The current line between internal and external is blurry, and enterprises must deal with a growing number of contractors and third-party vendors that need remote access to corporate networks. Administering these various network privileges can be daunting — and as the threat landscape continues to shift, VPN security may not be enough.

VPNs 101

Before exploring whether or not VPNs are falling out of favor, it’s important to define a corporate VPN and how it differs from a personal VPN. Personal VPNs — such as Private Internet Access, VyprVPN and ExpressVPN — can encrypt any data going in or out of a device or laptop from a public or home network. At home, you may use these services to bypass georestricted sites or to keep your activity private. At a coffee shop or airport, for example, you may use them for privacy and security.

Corporate VPNs, according to Comparitech privacy advocate Paul Bischoff, are essentially portals that allow staff members to access internal company resources from anywhere in the world. (Just as if they were in the office.) In this scenario, access control happens in much the same way that it does on a local machine, as each employee is given an account with a certain level of access.

“Guest, user and administrator access are typical, but a corporation might have more,” Bischoff said. “A password and possibly two-factor authentication are required to log into these accounts via the VPN.”

The Larger the Perimeter, the Greater the Risk

While VPNs are cryptographically secure, connections are not immune to compromise. A breached VPN connection is usually the result of either human error or unfavorable encryption methods.

“Different VPNs use different tactics and levels of security, so some are more secure than others,” Bischoff said. “For example, VPNs that employ perfect forward secrecy are much more secure than those that don’t.”

Karl Lankford, senior solutions engineer at Bomgar, explained that while it’s a common practice, using a VPN to facilitate secure remote access to critical systems is no longer a suitable solution.

“The most obvious challenge is ensuring that the user and the machine they are connecting with are not compromised,” Lankford said. “After all, you have provided a direct, trusted connection right past all perimeter defenses.”

While hacking a VPN may not be easy, it’s prevalent for users to be exploited by threat actors using sophisticated, automated tools. With so many employees and third parties requiring access, it becomes an administrative nightmare to manage. Your risk increases dramatically by essentially extending the perimeter of your network.

As the security landscape has developed, Lankford stressed, it has become apparent that VPN technology is too vulnerable to facilitate connections like these because they are not designed to provide granular control.

Overcoming VPN Security Challenges

So, what can today’s enterprises do to keep things under control? Generally speaking, it’s best to combine VPN access policies with network segmentation policies. However, third-party access to your network can introduce significant challenges.

“If the vendor happens to be breached, cybercriminals can abuse this VPN access to get onto the vendor’s network and begin recon and exfiltration work,” Lankford said. “However, by implementing a modern, secure remote access solution, organizations can monitor who has privileged access to the company’s network and how they’re using it. Recording this activity through session monitoring will allow organizations to identify who these privileged users are and assess their IT permission levels.”

To minimize the security risk surrounding this access, third parties should only be granted access to the systems they need to perform their jobs successfully.

“This level of granular control cannot be done effectively through VPN, and organizations should look instead at more modern privileged access solutions,” Lankford said. “Those solutions include privileged access management [PAM], which ensures that third parties do not have the physical foothold in the network that they do with a VPN. PAM allows you to give vendors access to your network without a VPN connection and enables security professionals to control, monitor and manage access to critical systems by privileged users, including third-party vendors.”

In addition to PAM, Bischoff suggested that instead of hosting resources on an internal server and requiring those outside of the office to access it via a VPN, many companies have chosen to put those resources on the cloud. Thanks to an abundance of third-party applications and tools, companies can gain much more granular control.

Finally, it’s critical to clarify how you shouldn’t use a VPN.

“It should not be used to provide remote access for IT administrators, privileged users or third parties to access sensitive, confidential or critical infrastructure,” Lankford said. The role of corporate VPN should be to provide secure, remote access to private company resources, and to secure connections from remote employees when connected to open Wi-Fi networks.

So, is VPN technology dead? No, but let’s just say that the corporate VPN of the future will continue to play an important role — albeit a limited one that represents a piece of a well-defined and managed network access strategy.

Discover, manage, protect and audit privileged account access with IBM Security Secret Server

The post Is Corporate VPN Security Dead? appeared first on Security Intelligence.

Enterprise Cloud Security: Is Blockchain Technology the Missing Link?

Blockchain made headlines recently as the transaction infrastructure for bitcoin and other cryptocurrencies, but this shared ledger solution is now being reimagined as a way to bridge the enterprise security gap. In fact, 60 percent of companies have already implemented (or plan to implement) blockchain technology — with 28 percent actively testing solutions and 20 percent in the discovery and evaluation phase.

But many challenges remain, including scalability and privacy. There’s still more work to do before blockchain can effectively bridge the gap from potential benefit to security baseline.

A Perceptual Shift in Blockchain Technology

The use of blockchain technology as a cryptocurrency record-keeper makes sense. Adding “blocks” of data to a public ledger in sequence helps ensure that transactions are both visible and difficult to alter (since any modification of the original ledger results in widespread mismatches). It’s an ideal combination of user privacy and security oversight: While the identity of digital wallet holders is obfuscated, transaction records are a matter of public record.

As cryptocurrency markets have cooled and (somewhat) stabilized, however, interest in blockchain as a security technology has swelled.

“While still nascent, there is promising innovation in blockchain towards helping enterprises tackle immutable cyber-risk challenges, such as digital identities and maintaining data integrity,” Ed Powers, cyber risk lead at Deloitte U.S., noted in a 2017 report.

Blockchain was also a high-profile topic at the 2018 RSA Conference in April: While some attendees argued for blockchain technology as the solution to General Data Protection Regulation (GDPR) compliance, others worried about issues like viability at scale, data integrity and provenance.

No matter the outlook, it’s clear that blockchain is undergoing a shift as enterprises look for ways to shore up cybersecurity in a market dominated by distributed cloud networks, limited visibility and huge potential consequences.

A Dearth of Blockchain Expertise

So, what’s the potential for blockchain? Demand for blockchain talent recently skyrocketed as companies look for engineers with the skills to develop new applications and services that leverage this technology, according to TechCrunch. There’s already more than $3.7 billion in initial coin offering (ICO) funding waiting for talented developers — and 14 openings for every experienced candidate.

Of course, experience is part of the problem: Blockchain simply hasn’t been around long enough for IT professionals to amass significant working knowledge. Despite supply constraints, however, demand isn’t slowing down. In fact, TechCrunch also reported on a 700 percent increase in companies looking for blockchain engineering talent since January 2017.

Some companies are leveraging blockchain itself to create new cybersecurity marketplaces where motivated white- and black-hat hackers can design antimalware tools for profit. Think of it as a way to bridge the growing cybersecurity skills gap: These hubs enable security professionals to develop antimalware tools or connect with businesses in need of security expertise. Instead of the traditional hiring and vetting process, everything is conducted via blockchain-based secure contracts. Upon completion of successful projects, security experts are paid in cryptocurrency.

More traditional use cases for blockchain leverage its inherent audit capabilities. Since all transactions added to public and private blockchains are signed and time-stamped, enterprises can quickly track down specific events or users of interest. Also, new transactions fundamentally alter the state of the blockchain ledger: Previous iterations are stored, providing companies with a complete history log that both limits the chance of data tampering and ensures all IT actions are auditable as required by emerging compliance regulations.

Build a Better Blockchain, One Link at a Time

Despite enterprise advancement in the area of blockchain, however, there’s still room for improvement. For example, there are limited enterprise use cases for this technology, since very few apps use (or benefit from) the addition of blockchain. While this will change as the market evolves, current use cases are few and far between.

In addition, while traceability is an inherent property of blockchain, data quality is not. The Deloitte report noted that “blockchain technology does not guarantee or improve data quality.” Enterprises remain responsible for ensuring the accuracy and reliability of their data before it becomes part of a shared chain ledger.

Finally, The Wall Street Journal reported that while blockchain excels at data security and trust, it may struggle with privacy. Consider the GDPR: Key components of this legislation are the right to be forgotten and the power of citizens of the European Union (EU) to request access to stored personal data from organizations at any time. The nature of blockchain, however, prohibits this kind of data grab and removal, meaning multiple blockchains might be required to comply with GDPR legislation.

The problem is that the unbroken nature of blockchain is its biggest strength — fragmenting chains reduces total security efficacy.

Enterprises are understandably interested in blockchain’s inherent benefits, such as shared ledgers and natural auditability. Alone, however, blockchain is not the missing link to cloud security. This technology must be paired with apps and services that ensure accurate data entry and reliable sourcing and can address emerging privacy issues. When it comes to enterprise security applications, blockchain holds significant promise but remains developmentally adolescent.

The post Enterprise Cloud Security: Is Blockchain Technology the Missing Link? appeared first on Security Intelligence.

A Proposed Solution to the Password Reuse Problem

Password reuse across multiple sites creates major security risks. If an attacker can steal credentials and gain access to one account, he or she can also log into every other account that uses the same password. The threat doesn’t just apply to individuals, however. Employees using the same passwords at home and work put the entire enterprise at risk.

Facebook CEO Alex Stamos believes password reuse is the top cause of harm on the internet, according to CNET. When it comes to defending crown jewels against nefarious actors, passwords are a weak link.

The average individual has 150 online accounts protected by passwords, Dashlane reported in 2017. Combine that number with the fact that anywhere from 75 to 93 percent of users reuse passwords across multiple sites, according to a range of surveys conducted over the years, and the gravity of the issue becomes difficult to deny.

A New Approach to the Password Reuse Problem

In an effort to stamp out the bad habit of password reuse, two members of the computer science department at the University of North Carolina (UNC) at Chapel Hill proposed a new framework that would enable major web services to coordinate to ensure users don’t use the same passwords.

The authors considered the reality that a framework for password reuse is fraught with risks to users’ security and privacy. However, they asserted that technology can lend a solution to the problem and encouraged thought leaders to consider the benefits of a framework that “enables a server at which a user is setting a password, here called a requester, to ask of other websites, here called responders, whether the user has set a similar password at any of them.”

Neither website would have access to information that reveals the password itself, according to the proposal. The websites would only receive information alerting them to the similarities in the user’s passwords.

Consider single sign-on (SSO) technology, which allows a user to log into one application through his or her LinkedIn or Facebook account. Conceptually, the two websites are sharing information about the user — except, in this case, it’s in lieu of a password. The authors noted that SSO solutions mitigate the problem of password reuse by eliminating the need to create new login credentials.

A Flimsy Framework?

Best practices for cyber hygiene already call for users to create unique passwords for each site, so let’s imagine a scenario in which the proposed framework is implemented. Would behaviors really change?

Rishi Bhargava, co-founder of security operations provider Demisto, said that if sites were to start coordinating under this plan, they could do little more than perhaps alert users to instances of password reuse. If this happens across multiple sites, a user might grow so annoyed that he or she would start using a password manager or modify each password by one character. In other words, the framework would achieve very little.

Still, the likelihood of financial and retail sites going along with the proposal is slim, but the framework is just one of a number of efforts to better secure sites. Organizations and individuals should continue to use two-factor authentication (2FA), but it’s also critical to augment user training.

2FA and Biometrics Provide a More Practical Solution

From a security perspective, the issue is about whether passwords are keeping users safe online. Cybercriminals can use stolen credentials to gain access to multiple sites, so the proposal is a step in the right direction to some degree.

However, the framework has several issues, especially in the European Union (EU), where, according to the General Data Protection Regulations (GDPR), a password hash is considered personally identifiable information (PII). Passing the hash between services could allow a man-in-the-middle (MitM) attack, but it’s also important to note that EU citizens would need to consent to this transfer.

Still, proposing that two companies with PII belonging to millions of people should share information about their passwords seems a bit like the novel “1984.” What would George Orwell say? Surely other options exist.

Depending on the software provider for tools such as business email, people can use 2FA on dozens of third-party applications. A better solution might be to call for internet services to adopt better password and privileged access integration.

The recent IBM Future of Identity Study found that consumers are increasingly embracing biometrics as a viable solution to the password problem. Users are suffering from password fatigue, which is one reason why the proposed framework doesn’t do enough to solve the password problem. Still, the study revealed that password managers and biometrics do hold promise for the future.

Listen to the podcast: Millennials, Baby Boomers and the Future of Identity

The post A Proposed Solution to the Password Reuse Problem appeared first on Security Intelligence.

Four Ways IDaaS Can Help You Overcome Cloud Identity Hurdles

Identity management-as-a-service (IDaaS) helps solve many of the challenges related to identity and access across today’s hybrid enterprise. Organizations looking to embrace the cloud can benefit immensely from IDaaS solutions, which provide customers with relief from the overhead of infrastructure support, specialized staffing, consistent deployments and maintenance and upgrades.

Cloud Identity for Dummies

Below is an excerpt from IBM’s new e-book, “Cloud Identity for Dummies,” which explores the various ways IDaaS can help organizations overcome these obstacles — and optimize their identity and access management (IAM) strategy in the cloud.

Infrastructure

IDaaS solutions don’t require servers, storage or other infrastructure installed and maintained at the customer’s location — everything is hosted from the cloud. For IDaaS, the only client-side equipment required is smart card readers or biometric devices on workstations if multifactor authentication (MFA) is utilized, but those devices are necessary regardless of IDaaS or IAM. The benefit to the consumer is that there are no capital expenditures (CAPEX) on hardware or infrastructure.

Download the complete e-book: Cloud Identity for Dummies

Staffing

IDaaS transfers administrative support from the customer to the cloud service provider. The infrastructure administrative duties, such as installation and configuration, are already performed by the cloud service provider at the multitenant level for all customers. The cloud provider staff performs these tasks for everyone. The customer reaps the benefit of highly skilled, on-premises staff being freed up to support other business-centric initiatives.

Deployment

IDaaS solutions are automatically deployed via the cloud by using a standardized multitenant architecture. When a new customer starts its service, a new IDaaS environment is provisioned in the cloud by using virtualization and cloning technologies. A standardized baseline IDaaS image at the latest version and security patch level is then customized via the consumer using self-service portal access, wizards and templates. The benefit of a standardized deployment process ensures that the consumer is provided a secured, standardized and baselined environment so he or she can start his or her application-specific customizations sooner and at less risk.

Maintenance and Upgrades

IDaaS solutions shift the overhead and complexity of mundane maintenance and upgrade tasks to the cloud service provider. As a software-as-a-service (SaaS) application, these duties are transferred from the customer to the cloud service staff. Centralizing these operations outside the responsibility of the customer ensures that the IDaaS software and customers’ data and configurations are regularly patched and upgraded to the latest version and security release, properly backed up and replicated to the disaster recovery (DR) environment and tuned for optimal performance and efficiency. These technically complex tasks are shifted from the overworked customer’s staff to the full-time, specialized cloud service staff. The benefits are that the maintenance and upgrade workload is shifted to cloud staff specializing in these duties, which removes the burden from the consumer’s IT staff.

Learn More About the Benefits of IDaaS

To learn more about how an investment in IDaaS solutions can help your organization clear common cloud identity hurdles, download a complimentary copy of the full e-book, “Cloud Identity for Dummies.”

The post Four Ways IDaaS Can Help You Overcome Cloud Identity Hurdles appeared first on Security Intelligence.

Musings From a Coffee Bar: Threat Modeling Tips for Open Campus Security

Imagine you’re attending a training conference at a company whose campus is so vast and sprawling that a map is required to get from one end to the other — whether by car or foot. The physical security on this campus is sparse, and Wi-Fi access is in every building. There are a handful of badge readers on the doors, but also underground tunnels, offices without door locks and a lack of security checkpoints.

You also spy agile design spaces with intellectual property scribbled on the walls, as well as hundreds of people during lunch hour. It seems as though just about anyone could walk onto this open campus, grab a coffee — and get in a little afternoon social engineering or, at the very least, eavesdropping.

While this open campus scene is not uncommon, it’s also where threat modeling (i.e., risk identification and prioritization) comes in to play.

Creative Threat Modeling Tips

With such a massive campus, how would a team of cybersecurity professionals secure it? Chief information security officers (CISOs) shouldn’t be afraid of an open campus. Threat modeling allows internal security teams to tailor security to areas that present the greatest security risk. Sometimes, all you need is a little creative thinking to improve your cybersecurity efforts.

  • Revamp Wi-Fi: Segment Wi-Fi based on the individual buildings or by quadrant of the campus, and deploy identity and access management (IAM) in each building and for all mobile infrastructure. Provide guest Wi-Fi that runs on a set of private cloud-based servers — rather than on-premise or within the same data center server cluster on-premise.
  • Smarten up entry and exit points: Implement a facial recognition and voice recognition software in all entry and exit points. This strategy does not mean the ultimate goal is to stop every employee as they go about their workday — or the delivery man who is always dropping off packages. A better solution would be to stop visitors or individuals who are rarely seen on campus.
  • Rethink threat modeling: Perform threat modeling with a twist. Ask a team of security professionals from a security services company to walk around the campus for a week with a Raspberry Pi, a high-gain antenna or Metasploit running on a smartphone — or any of their other favorite hacker toys to see what the team finds. Use the results to build threat models for individual buildings and areas. This strategy allows internal security teams to tailor security to the areas of the campus that present the most significant security risk.
  • Employ drones: Large, sprawling campuses that take up several acres or square miles could employ drones to patrol the perimeter. Of course, the drones and associated software will have to be properly secured before use to prevent them from being hacked. A solid alternative for any company not comfortable with this scenario is to use helicopter patrols or small low-altitude remote-controlled kit airplanes.

Incorporate AI to Perform Fluid Threat Modeling

Cybersecurity threats are changing continuously. So, security responses and practices should be fluid, dynamic and adaptive — not static and rigid as they have been for last two decades.

If companies have the money to spend (and want to be exceptionally forward-thinking), their research and development team could teach artificial intelligence (AI) the concept of fluid threat modeling. Any AI would have to be trained on a wide variety of scenarios by professionals who have experience with threat modeling scenarios, such as active shooters, hostage situations, hijacking, bomb threats and the like.

Facial recognition, for example, could be incorporated into daily physical security through the use of artificially intelligent robots that greet visitors, walk the halls and engage in short conversations with employees, patrol the parking decks, escort individuals walking alone at night and so forth.

This is not to suggest that robots should replace humans outright, only that they could augment security teams that are short-staffed, overwhelmed and cannot be everywhere at once. With the growing shortage of cybersecurity professionals, there may come a day when AI is the only viable alternative to no security at all.

All of this is highly theoretical and many years away, but it could help to grab a cup of coffee and start thinking about it now — especially as security professionals, scientists and mathematicians are making history and setting technology precedence in the field of AI and autonomous systems and neural networks.

The post Musings From a Coffee Bar: Threat Modeling Tips for Open Campus Security appeared first on Security Intelligence.

May’s Cybersecurity Recap: Welcome to the GDPR Compliance Show

This month’s cybersecurity recap has a clear focus: the European Union’s General Data Protection Regulation (GDPR). Now in effect, GDPR has been a source of continuing difficulty and discussion for businesses around the world. But ready or not, the regulation has arrived and companies are now obligated to meet new data handling, disclosure and compliance standards. Here’s a look at some of the top GDPR stories published this May.

Shoring Up GDPR

While enterprises may not be fully prepared for GDPR, there’s no time like the present to gear up for potential compliance challenges. Cindy Compert, Distinguished Engineer and IBM Security’s chief technology officer (CTO) of data and security and privacy, suggests that companies can shore up their GDPR compliance outlook by considering the following:

  • Consult legal experts to determine their obligations
  • Create a cross-functional GDPR team
  • Review all privacy and customer consent policies
  • Ensure all compliance efforts can be tracked, audited and verified

WHOIS Worries

Pre-GDPR, the ICANN WHOIS database provided readily accessible information about registered domains, including owner contact information, availability and registered company. Under current interpretations of GDPR, however, access to this database will be significantly restricted for both security professionals and automated processes associated with security, making it harder for security researchers to track threat origins and discover causal links.

Privacy Problems

Even with GDPR now in force, many companies struggle to secure critical data. In fact, nearly one-quarter of all internal work folders are accessible by all employees within an organization — and almost half of companies surveyed had 1,000 or more sensitive files open to everyone on staff.

What’s more, many “ghost” users, employees who leave the company or move to a new department with different responsibilities, can still access critical files. Under GDPR compliance rules, this is a problem. Enterprises need to know who has access and demonstrate that this access meets new privacy expectations.

Addressing Insider Threats

In addition to “ghost” users, more traditional insider threats remain a critical concern for organizations. Under GDPR, however, the stakes are much higher. If staff maliciously or accidentally expose consumer information, the disclosure requirements alone could cripple corporate finances, to say nothing of assessed penalties and fines.

As a result, it’s critical to evaluate two key areas:

  • Consumer identity and access management (CIAM) solutions: CIAM tools are used to collect basic consumer information. Under GDPR, express consent is required to collect this data, along with clear descriptions of how this data will be used. In addition, consumers must have the ability to “opt out” at any time.
  • Insider threat controls: Because personal data can be found across applications, unstructured sources such as files and structured sources such as databases, insider threat controls are essential to limit the chance of a breach and ensure anyone accessing this information meets GDPR expectations. Companies must have tools in place to ensure the right people have access to personal data and remove any access that doesn’t meet GDPR compliance requirements.

Positive Outlook

Despite insider threat worries, privacy concerns and issues with WHOIS, IBM Security and the IBM Institute for Business Value’s new report, The End of the Beginning: Unleashing the Transformational Power of GDPR, found that the majority of business leaders see the new regulation as an opportunity for innovation. Eighty-three percent of business leaders agree that security and privacy are now key business differentiators and companies on the leading edge of GDPR believe it will create new opportunities for data-led business models and data monetization.

This dovetails with the findings of the IBM Cybersecurity and Privacy Research survey, conducted by The Harris Poll on behalf of IBM, which reported that 75 percent of consumers would not buy products from companies they don’t trust to properly secure their data.

Put simply? While complex and time-consuming, the shift to GDPR may drive long-term business benefits as public privacy perception shifts.

Read the full study: The End of the Beginning — Unleashing the Transformational Power of GDPR

Getting Your House in Order

Indeed, many companies see GDPR as a benefit rather than a burden. Why? Because you can’t protect what you don’t know. Companies can’t defend critical data if they don’t know where it’s located or assure regulators that systems are secure when they aren’t sure if applications are patched or hardware has been updated — and the GDPR provides ample incentive to clean house.

The result is a need for improved cybersecurity strategy. This starts with auditing corporate networks to determine what’s working, what isn’t and what needs to change.

For enterprises, GDPR offers a chance to take stock of current data-handling practices and implement changes that enhance both overall compliance and long-term ROI. While some regulations, such as the approach to WHOIS data, are still a work in progress, the GDPR compliance show puts subpar practices on notice and has the cybersecurity world watching to see what happens next.

Still on your GDPR journey? Get more actionable insights from the IBM Professionals

The post May’s Cybersecurity Recap: Welcome to the GDPR Compliance Show appeared first on Security Intelligence.

The Inadvertent Insider Threat: A CISO Confronts a Breach From Within

The following story illustrates what happens when a chief information security officer (CISO) encounters an inadvertent insider threat. While Marie Addison isn’t real, the challenges she faces are hardly works of fiction. Even the most secure companies have employees who forget to follow best practices. Human error, credential misuse and disgruntled employees may not cause the statistical majority of security incidents, but they do pose a genuine risk for any CISO. Read on to discover the choices Marie makes as her story unfolds. Did she follow the best path?

“The speaker for today’s Women in Technology lunch and learn is Marie Addison, a CISO, cybersecurity leader and big data expert,” announced event host Sara Cheema.

“Marie’s company is an industry leader in data-driven buyer persona profiles,” Sara continued. “Her role includes protecting a variety of fast-streaming data sources, including user behavior, social media sentiment and market research.”

Marie walked to the podium, adjusted the microphone and arranged her notes carefully before starting her speech.

“Thank you, Sara. What I’ve prepared today isn’t going to be your standard talk, but I hope it’s a refreshingly honest look at the challenges I face,” Marie said. “I’ve drawn up some notes about the realities of my role as a CISO.”

After a brief pause she continued, “Sometimes, I’m too busy playing whack-a-mole with high-risk security threats to plan and implement the right preventive measures. But, thankfully, we’ve never had a data breach — and I’m here to tell you how.”

An Inadvertent Insider Threat

Back at the agency, the junior database analyst (DBA), Ross Silver, felt like banging his head against his desk. The internal server the company used to aggregate data was reaching capacity. Based on how slow his queries were running, there wasn’t much time left before capacity was maxed out.

Ross knew uptime was crucial for the agency to do its most important work: using an analytical engine to marry data with insights into social media sentiment, message board text scrapings and third-party market research.

However, the capacity (or lack thereof) wasn’t the source of Ross’s frustration. His irritation stemmed from the fact that he was the only data operations staffer on site that afternoon. The chief information officer (CIO), Rai Kagome, was unreachable for the next two weeks, as she was on a cruise with her family. The senior DBA was attending an event where the CISO, Marie, was the featured speaker. Last, the IT director was taking a few days of medical leave.

Not only was Ross the lone data staffer on site, but his database credentials were also relatively limited.

A Goldmine of Exposed Admin Credentials

Ross walked into the IT director’s empty office and opened the top desk drawer. It didn’t take him long to find what he needed: a sticky note labeled “admin,” which listed a username and password. Ross snapped a quick photo of the note with his mobile device.

Ross used the admin credentials to access the server when he returned to his desk. Clicking on users, he scrolled down until he saw his username listed. With a few more purposeful clicks, he escalated his account privileges — and when he logged back in as Ross Silver, he was both a junior DBA and super admin user of the central database.

A Temporary Cloud Storage Solution

As he worked to connect to an external third-party cloud service, Ross wondered why the organization was using an on-premises database to store such a critical workload — especially when there was so much capacity in the cloud. While it wasn’t cheap to store such a massive amount of data, the service offered a free 30-day trial.

Ross knew temporarily escalating his credentials was risky business, but he didn’t want to be held responsible if the internal server hit capacity and the agency’s productivity slowed to a halt.

Ross knew temporarily escalating his credentials was risky business, but he didn’t want to be held responsible if the internal server hit capacity and the agency’s productivity slowed to a halt. This storage solution wasn’t permanent, he thought. The IT director would be back in the office before Ross’ company credit card got hit for the next month’s subscription fee.

Ross logged back into the admin account to restore his usual junior DBA permissions and felt satisfied that he’d created a temporary bandage for their big data volume problem. Besides, he had heard on a podcast that all of those rumors about public cloud security issues were greatly exaggerated.

Default Access Disaster

Despite Ross’s ability to resourcefully navigate access management for the agency’s on-premises server, he’d left a few crucial boxes unchecked in the cloud. He failed to notice that when he blindly accepted the default access settings for the cloud storage service, it left the repository fully open to anyone searching for open data sets.

Since Ross had labeled the data with his agency’s name, the date and the details “full buyer data backup,” it was practically a pot of gold for cybercriminals.

One Security Researcher’s Discovery

Security researcher Lexi Milic couldn’t believe what she’d found while browsing unprotected data sets on a popular cloud storage service. Right in front of her was bytes upon bytes of personally identifiable information (PII), labeled with an organization’s name and backup.

Lexi was one of the good guys. Sure, she’d built her brand on exposing real companies’ cloud security snafus — but it wasn’t like she sold unprotected data when she uncovered it. Lexi always notified companies about her discoveries, which sometimes netted her a bug finder’s fee. However, her blog and massive social media following were the real pillars of her cloud security influencer brand.

This digital marketing agency was foolish to use its entire name, but that made it easy for Lexi to locate the company’s website. She used the online contact form to write a short, informative email about the exposed data in the cloud, including a direct link to the cloud repository and screenshots.

Glancing at the time on her laptop, Lexi was relieved to see it was only 6 p.m. This meant she might be able to get the blog post published before 7:30 p.m. to get some exposure that evening.

She had already drafted the majority of an article about the perils of the popular cloud security service’s default settings. With a real-world example of a company exposing its own PII, she was in solid shape. In fact, she’d probably spend the following morning on the phone doing interviews with reporters from the big security blogs. She was excited about getting more exposure.

A CISO’s Cybersecurity Nightmare

Marie’s work device buzzed as she sat in gridlocked traffic during her morning commute. Still exhilarated from her speech at the conference the day before, she glanced down and saw a text message from Rai, the CIO: “We’ve had a breach. It’s bad. All over the news. Head to the conference room as soon as you’re here.”

Marie’s hands shook as she typed out a quick response: “Got it. Stuck in traffic, be there in 15 minutes.” She wished the other cars would disappear as she sent a follow-up message: “Will let you know when I’m parking.”

The article said the company’s buyer persona profile data — its proprietary product — was fully exposed in the cloud.

Rai met Marie in the parking lot and briefed her during their walk to the conference room. The previous evening, a popular security blogger had published an article about the company, complete with links and screenshots. The article said the company’s buyer persona profile data — its proprietary product — was fully exposed in the cloud.

Rai had received search alerts for the agency’s name based on data exposure throughout the night, but her phone didn’t wake her up. And the email from Lexi was only discovered when Rai woke up at 7 a.m. By then, the issue was all over the news — and the company’s CEO was blowing up her phone.

Not All PR Is Positive Exposure

The next few weeks at the agency were the worst of Marie’s professional life. She sat in countless incident meetings, chewing her lip while the client-facing C-suite fretted about client churn. The agency hired public relations experts to collaborate with legal counsel as the organization scrambled to address the incident publicly.

Marie and Rai were tasked with fast forensics. There was no shortage of pressure from the CEO to provide a better explanation than, “We’re working to investigate the cause of this incident and improve our controls.”

More than two-thirds of the records compromised in 2017 were caused by an inadvertent insider.

Unfortunately, the forensics were far from simple — especially since the exposed data carried an alleged date on which the vast majority of the IT team was out of office. Marie’s team wasn’t able to pinpoint the cause until the IT director performed a manual log review.

Before long, the junior DBA, Ross Silver, found himself sitting down with human resources for an interview.

Better Ways to Protect PII

Real organizations face data exposure from the well-meaning actions of inadvertent insiders every day. In fact, more than two-thirds of the records compromised in 2017 were caused by an inadvertent insider. Even though this is not the most common type of incident organizations face, it’s still among the most complex threats that security leaders like Marie must face.

As a CISO, Marie was well aware that humans are risky endpoints. She’d worked hard to protect the agency’s digital perimeter as it became more porous. She’d collaborated with the CIO to ensure the right people had the right access. Unfortunately, the IT director had ignored the agency’s policy and written down his credentials anyway.

A Happier Cybersecurity Epilogue

Fortunately for security leaders in the real world, the story doesn’t have to end this way. To avoid a public relations fiasco and frustrating forensic investigation, Marie could have done a number of things differently. First, her agency could have leveraged identity and access management (IAM) services to manage identity governance and technology deployment. Then, there wouldn’t have been a credentials-based nightmare.

In addition, Marie could have used a mainframe security solution to effectively delegate and automate the CISO’s constantly expanding role. She could have also monitored employee behaviors with user behavior analytics (UBA) and insider threat protection tools. Deploying a data protection solution would have helped her keep tabs on high-risk behavior in real time. Plus, a resiliency and compliance platform would have allowed her to restrict attempts to change configurations with a resiliency and compliance platform.

It also goes without saying that proper training for security personnel on incident response and remediation could have helped her team handle the issue. In the case of a future breach, Marie might consider hiring incident response experts to work alongside the company’s own public relations team.

Humans will always make occasional mistakes, but organizations can prepare for the inevitable with the right security arsenal of solutions to monitor users, automate IAM and protect data assets.

Despite the fact that CISOs like Marie Addison are investing heavily in cybersecurity awareness training, users like Ross are still clicking the links in phishing emails and uploading PII to external cloud storage services. Considering the sheer volume of external and internal threats CISOs face daily, Marie’s whack-a-mole reference is not an exaggeration.

Yet the actions of well-meaning insiders who forget to update security settings don’t need to escalate into highly visible security disasters. Humans will always make occasional mistakes, but organizations can prepare for the inevitable with the right security arsenal of solutions to monitor users, automate IAM and protect data assets. With an ecosystem of solutions, CISOs can stop feeling like they’re constantly chasing down threats and instead take a more proactive, secure stance.

 

Read more: From Suspicious Activity to Suspended Account in Less Than a Minute — Stopping Insider Threats With Automation

The post The Inadvertent Insider Threat: A CISO Confronts a Breach From Within appeared first on Security Intelligence.

The Cloud Commotion: An IT Director’s Road to Cloud Transformation

The following story illustrates the struggles IT and security leaders encounter when undergoing cloud transformation. While Shira Sutton is fictitious, many real-life firms face similar pressure to fast-track cloud adoption. Selecting the right approach to cloud migration is not easy, but what can be even more difficult are the unanticipated hurdles that arise around compliance, resilience, data governance and identity management. Follow Shira’s decision-making process throughout her company’s cloud transformation journey, and consider what you may have done differently.

Shira Sutton had been handed the daunting task of cloud transformation.

“Do you think you can handle it?” Wendy Nguyen, the retail organization’s chief information officer (CIO), had asked several weeks prior.

As her organization’s IT director, Shira was no stranger to the cloud — or its cost reduction and operational efficiency potential. However, she was not looking forward to the enormous task ahead.

“Of course,” Shira said confidently. “I’m ready for whatever comes next.” While she wasn’t surprised to receive the directive from Wendy, she knew the move to the cloud would be riddled with challenges.

After a considerable amount of work, Shira was finally presenting a cloud transformation framework to the organization’s leadership team. She was looking forward to the flexibility and scalability benefits of the cloud, but she also had many concerns about how the shift would affect security.

Designing the ‘Right’ Type of Cloud

Shira and Wendy had a brief discussion about the “right” cloud approaches for the organization during their last meeting. Shira knew Wendy’s proposal of using a public cloud wasn’t necessarily the best option for their organization. She was worried about how a public cloud would impact her company’s legacy applications, critical workloads and sensitive data.

A multi-tenant environment could lead to diminished performance — and they certainly couldn’t afford to be the next highly publicized retail data breach. Shira also knew her organization was at risk of falling behind the curve when it came to cloud adoption, considering 83 percent of workloads will be cloud-based by 2020. She wondered if there were a way to hit fast forward on migration and achieve the digital transformation benefits of cloud now.

Shira presented the pros and cons of a multi-tenant public cloud strategy and private cloud to the leadership team, making a case for her preferred solution: a hybrid cloud that would allow the company to maintain control over its cloud workloads in a managed environment.

As adoption of cloud apps and services explodes worldwide, the number of options is also increasing at an overwhelming rate.

In fact, infrastructure-as-a-service (IaaS), just one aspect of the cloud, is currently experiencing 38.1 percent year-over-year growth. As adoption of cloud apps and services explodes worldwide, the number of options is also increasing at an overwhelming rate.

Taking a Vertical Approach to Cloud Migration

The leadership team asked Shira about many issues, including the commonness of hybrid clouds in enterprise settings and how they were trending compared to public clouds. She knew they shared her concerns about security risks, but she also realized their top priority (as business-minded executives) was cutting costs while preserving uptime and minimizing latency.

Shira explained cloud adoption had dropped slightly in the past year but was still at 51 percent in 2018. While the team agreed, Shira wanted to be sure the hybrid cloud was secure enough.

Scaling Governance to the Cloud

After the leadership team gave her recommendation the green light, Shira assembled a task force for vendor selection and spent weeks researching options. With the help of Wendy and other colleagues, she made her final selection and was deep in discussion with a representative from the newly hired vendor.

Armed with a list of questions, Shira sought to understand how her organization’s governance methods would scale to the cloud. Most importantly: Would her cloud workloads be compliant with industry regulations and regulatory requirements?

Assessing Cloud Vendor Security

Shira felt assuaged by the vendor’s explanation of its approach to security and controls. The conversation addressed her concerns about data compliance and encryption. It also helped her understand the company’s well-defined approach to scaling private cloud to hybrid cloud deployments.

While Shira wasn’t fully sold on the vendor’s promise of seamless policy management during the cloud migration, she felt confident in its commitment to availability and data protection. At the end of the conversation, the provider sent up-to-date copies of its certifications.

After she received those documents, Shira followed up with the compliance team about regulatory requirements. She wasn’t entirely sure how she’d achieve always-on compliance in the cloud.

Resilience and Incident Response Planning

Over the next few weeks, Shira turned her attention to resilience planning. With her organization’s workload primed for residency in a more diverse environment, Shira was aware the organization’s strategy for availability and risk response was about to evolve significantly. The purpose of this evolution was to accommodate her customers’ and employees’ need for always-on availability and on-demand access.

Shira carefully outlined the importance of a comprehensive resilience and response plan to the leadership team. While the executives were aware of the crushing cost of a data breach, they agreed with Shira’s assertion that even a 15-minute period of downtime was intolerable.

Shira felt overwhelmed by the simple fact that cloud adoption required a more complex approach to infrastructure, which meant more business risks to manage.

The retailer’s current response and resilience approach weren’t anywhere near industry standards. Its existing data backups and failover solutions certainly weren’t foolproof. However, Shira felt overwhelmed by the simple fact that cloud adoption required a more complex approach to infrastructure, which meant more business risks to manage.

Choosing Rapid Recovery

Business resilience and incident response planning was no joke. Shira used the cloud transformation as a long-overdue opportunity to create a stable plan for potential breaches, failover and disaster recovery. However, that was easier said than done.

Shira chose to focus on rapid recovery. She felt confident that vendor-recommended solutions for high-speed recovery could mitigate risks during downtime, failover or other incidents. Risk tolerance is complex, but Shira knew her team needed to be able to respond to the unexpected and recover quickly.

While Shira was careful to emphasize the realities of security and resilience risks, both she and Wendy agreed response-based resilience planning was the right approach. They decided to invest in regularly verified cloud backups to cover all the bases. Ideally, Shira hoped the organization wouldn’t have to face an unplanned outage or service interruption.

Migrating Identity and Access Management

As she finalized her retail organization’s move to the hybrid cloud, Shira faced the need to scale another mountain: issues of identity and access management (IAM) in the cloud. She also wasn’t the only one worried about this side of cloud risks. Wendy had recently dug into some research on security risks that revealed that compromised or stolen credentials were behind a massive proportion of data breaches.

Like many other organizations in retail, Shira understood her organization’s IAM challenges were immense. There were always remote access challenges, such as the organization’s distributed workforce and high employee turnover in the industry.

The organization faced an ongoing need to protect customers’ online data and mitigate fraud while providing a seamless omnichannel retail experience.

Existing governance at Shira’s organization was far from automated — and best described as a patchwork of policy-based administration across many different legacy apps and services. Internal IAM challenges also weren’t as tough as external ones. The organization faced an ongoing need to protect customers’ online data and mitigate fraud while providing a seamless omnichannel retail experience.

The impending move to the hybrid cloud was the perfect opportunity to reevaluate the company’s existing systems and policies for identity and access governance. But Shira wasn’t even sure where to start when it came to creating a more straightforward mode of managing users and their access to data.

Performing Manual IAM Review

Shira worked to tackle a post-migration plan for reviewing identity and access for each component of the organization post-cloud adoption, including the retailer’s customer-facing apps, internal apps and systems infrastructure.

She also tackled the long-overdue task of updating her organization’s current IAM processes, policies and controls. Shira worked closely with the cloud vendor during this process to understand how current policy-based administration efforts would scale to the cloud. Based on the provider’s recommendations, she began to document testing policies for IAM migration post-deployment.

Preparation Is Key to Cloud Success

Shira knew moving to the cloud would be simpler if the organization had a solid groundwork for managing data, risks people and policies. However, she didn’t have time to redesign its governance strategy from the ground up before migration day.

By the time the go-live date finally rolls around, would Shira feel confident her organization is entering a new era of cloud computing? Or would she instead continue to worry about security, continuity and access risks?

This type of cloud experience isn’t rare: Many organizations struggle to keep their cloud transformation goals on track when they encounter unanticipated obstacles around regulatory compliance, resilience, data governance and identity management.

Shira constantly worried about her options throughout the cloud transformation experience. What if she’d made the wrong recommendations around cloud adoption? Would her organization absorb new security risks, compromise resilience or discover massive issues during deployment testing because legacy systems weren’t functioning correctly or securely in the cloud?

A Smarter Approach to Cloud Transformation

Shira didn’t need to worry about missed opportunities on the road to cloud transformation or risk realization. To overcome the barriers to cloud success, she could have enlisted expert assistance to create a multiyear plan for cloud migration. She also could have invested in managed hybrid could services to unlock an easy-to-manage, centralized infrastructure instead of increased complexity.

In addition, Shira’s team could’ve taken a proactive stance on incident response and intelligence services for resilience planning. Finally, IAM and cloud identity services could have helped Shira create a seamless bridge between on-premises and cloud infrastructure.

With expert guidance and best-of-breed solutions for secure cloud adoption, it’s possible to confidently bridge secure operations in any combination of on-premises, private, public or hybrid cloud deployment.

Cloud adoption may be necessary to help organizations achieve an agile advantage — but it certainly isn’t simple. As Shira discovered, the journey to the cloud is filled with challenges and potential detours. Fortunately, with expert guidance and best-of-breed solutions for secure cloud adoption, it’s possible to confidently bridge secure operations in any combination of on-premises, private, public or hybrid cloud deployment.

 

Read more: It’s Time to Bring Cloud Environments Out of the Shadows

The post The Cloud Commotion: An IT Director’s Road to Cloud Transformation appeared first on Security Intelligence.

SecurityWeek RSS Feed: Open Source Tool From FireEye Helps Detect Malicious Logins

FireEye has released GeoLogonalyzer, an open source tool that can help organizations detect malicious logins based on geolocation and other data.

Many organizations need to allow their employees to connect to enterprise systems from anywhere in the world. However, threat actors often rely on stolen credentials to access a targeted company’s systems.

read more



SecurityWeek RSS Feed

Insider Threat Controls: What Are the GDPR Implications?

Now that we’ve very nearly reached the deadline for General Data Protection Regulation (GDPR), insider threat management is more crucial than ever. What is an insider threat? It’s when an insider’s credentials and access are used — either directly by malicious actors or indirectly by criminals with stolen or acquired credentials — to obtain sensitive data from an organization.

These threats are especially dangerous when an insider gets hold of access that manages personal data about customers or other employees. This is where GDPR comes into play.

Read the white paper: Prevent Unauthorized Access to Personal Data

CIAM: Doing Something New

At this point, you are likely well-versed on the implications of GDPR for your business. One element is allowing customers in the European Union (EU) to express consent about the management of their personal data, which ties into consumer identity and access management (CIAM), a specific segment within the identity space.

CIAM systems typically collect attributes like name, email address, social network accounts, age, gender and location. But without the user’s explicit consent, the collection of this type of data will likely violate GDPR.

So, what’s needed to align with the new regulation? There must be clear methods for customers to see what personal data is being collected and what the processing activities are on that data. Based on this information, customers should then be able to change or revoke their level of consent.

There has also been a lot of varying industry interest in the CIAM component of GDPR. Many industries are paying close attention — as they know auditors will check what they are doing to achieve GDPR requirements.

Insider Threat Controls

In managing insider threats and becoming GDPR compliant, there are two discovery questions you must begin with: Where is personal data in your company stored? Who has access to that personal data? The answers to these questions will lead to awareness and the ability to take action. They will also confirm whether company insiders have access to the appropriate data.

Personal data can appear in many places:

  • Applications and content, such as records and attributes
  • Unstructured data, such as files and folders
  • Structured data, such as database tables and columns

During the discovery phase, you must be able to look at these three types of data repositories to find personal data. This data could be everything from email addresses to credit card numbers and more. Of course, this will likely require some digging. There could be 2,000-plus files in a folder, but only five might be relevant to GDPR. How do you identify the five out of the 2,000?

GDPR Compliance: Finding the Needles in the Haystack

Identifying personal data is the most critical element of the process — and it’s not an easy job to do. Once you’ve found the personal data, how do you make the information consumable, presentable and understandable for applying controls?

Controls will bring business users to attention, rousing them to make a judgment call. This is where governance comes into play: The three repositories need to converge as one unified, protected user interface. This interface should allow even the least tech-savvy user to understand what they’re looking at and feel confident in determining whether or not the access is appropriate. Dedicated solutions, such as IBM Guardium, could help accomplish this goal.

To remain GDPR compliant, you will need to make sure the right people have access to personal data — and remove those who do not. You can address this requirement through leveraging governance and intelligence (IGI). In addition to these necessary controls, IGI provides the reviewer with context throughout the process.

Deliver awareness and actionable controls to minimize your insider threat exposure. And remember: There is no such thing as a solution that delivers compliance.

Read the white paper: Prevent Unauthorized Access to Personal Data

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

To remain GDPR compliant, you will need to make sure the right people have access to personal data and remove those who do not. You can address this requirement through leveraging
governance and intelligence (IGI). In addition to these necessary controls, IGI provides the reviewer with context throughout the process.

The post Insider Threat Controls: What Are the GDPR Implications? appeared first on Security Intelligence.

Critical Data: How Exposed Is Your Personal Information?

Until recently, many of us likely never gave a second thought to the security of our personal data online. Then, when news broke on a largescale social media data breach, millions of users were suddenly outraged and demanded that their information be better protected.

While these scandals have been covered extensively in the media, they actually highlighted a problem that isn’t exactly unique. Almost every organization that holds customers’ critical data is guilty of not doing enough to protect this information.

Most customers don’t know who has access to their sensitive material. The bigger issue, however, is that those in charge of protecting this data may not know who has access either.

Welcome to the Critical Data Show

We like to believe that when we turn our personally identifiable information (PII) over to a company, it is only accessed by those who absolutely must see it. But that’s simply not true: On average, nearly one-quarter of all internal work folders are available to everyone within an organization, according to a 2018 report from Varonis Systems. Also, almost half of the surveyed companies had at least 1,000 sensitive files open to all employees.

Organizations are overwhelmed with unsecured and overexposed data — a problem of its own. Compounding the matter, most don’t realize how much sensitive information is at risk of compromise simply because the wrong person has access to more files than is absolutely necessary. When your critical data is open to everyone in the organization, any data security strategy you have in place to protect it is practically null.

“It only takes one leaked sensitive file to cause a headline-making data breach,” wrote Brian Vecci, technical evangelist at Varonis, in a company statement.

What Do Cybercriminals Want? Critical Data

When they gain access to PII and other sensitive files — such as proprietary research or corporate financial records — cybercriminals can perform a number of sinister acts. They could sell the information on the darknet or use it themselves to directly steal from your bank account. They could also use your research to develop knock-offs of your products or conduct identity theft. Just like burglars who ransack homes or offices, cybercriminals want to find the easiest way inside.

“Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files,” wrote John Carlin, former assistant attorney general for national security, in the Varonis statement.

When too many people have access to sensitive files, it opens up more opportunities for a mistake to be made that leads to a breach. It also means that people can see information they shouldn’t be reading and can share that data (perhaps unknowingly) beyond its intended scope.

The 2017 Verizon Data Breach Investigation Report found that 58 percent of its security incidents are the result of insiders, with 33 percent of the incidents resulting from errors — and almost 30 percent from misuse of data. Much of this happens because the wrong people can access sensitive information. Having access to critical medical files across a wide spectrum of employees is necessary. However, when that access isn’t kept in check, it is easy to abuse or open the network to more nefarious actions.

Frightening Concerns: ‘Ghost’ Users and Stale Data

Organizations often continue to hold on to stale data or information that is no longer necessary for business operations. This information is likely no longer monitored. Not only is the company paying to store unneeded data, but it is also opening up this information to insider threats. A nosy or malicious insider could access old records or gather details about former clients or employees without anyone noticing.

Ghost users are also a problem: The Varonis report found that 46 percent of organizations had more than 1,000 users with passwords that never expire. Also, 34 percent of user accounts are enabled on average — but “ghost” users still have access to files and folders. In other words: An employee who has transferred to a new department or left the company still has network access. Again, the doors are left open for someone without permission to read critical data.

With the General Data Protection Regulation (GDPR) going into effect on May 25, organizations that do business with data subjects of the European Union (EU) will have no choice but to address the matter of who has access to critical data. And even if your company isn’t doing business with the EU, your customers want to know their privacy is being protected.

Do you know who can see the sensitive files on your network? If you can’t answer that, chances are PII and other critical materials are being seen by not only insiders but cybercriminals who are grateful for the easy access.

Read the complete Forrester report: The future of data security and privacy

The post Critical Data: How Exposed Is Your Personal Information? appeared first on Security Intelligence.

What Is Next-Generation Privileged Account Management?

Privileged account management (PAM) is emerging as one of the hottest topics in cybersecurity — and it’s easy to understand why. Cybercriminals are relentless when it comes to finding and compromising their targets’ privileged credentials to gain unfettered access to critical assets.

An attacker with access to these credentials appears as a trusted user and can go undetected for months. Insider attacks can also inflict far more damage when the threat actors have access to privileged accounts.

Manage Privileged Accounts: What’s the Incentive?

The global average cost of a data breach is $3.62 million, so chief information security officers (CISOs) have plenty of incentive to manage access to privileged accounts robustly and comprehensively. However, market drivers for PAM solutions go beyond the risk of financial consequences due to a breach. Other factors include mandates from auditors and regulators, as well as the desire to increase operational efficiencies by leveraging cloud environments — which adds a layer of complexity when it comes to managing third-party access.

Given all this incentive to effectively manage privileged access, where do enterprises stand today? Shockingly, 54 percent of companies today still use paper or Excel to manage privileged credentials. With no shortage of commercially available solutions on the market, why are so many businesses continuing to use manual processes?

Two answers come to mind: Many vendors offer point solutions, such as password managers and session recorders, that only accomplish a portion of what is needed in (yet another) technology silo. Plus, more robust PAM solutions are often hard to deploy, unintuitive and not integrated with related critical technologies that enable security teams to manage privileged accounts holistically. Businesses looking to move beyond spreadsheets should consider new solutions to mitigate risks and gain a rapid return on investment.

Take Privileged Account Management to the Next Level

Best-in-class PAM solutions offer a comprehensive set of functionalities, integrate into the existing security ecosystem and are simple to deploy and use.

As a baseline, these tools help security teams:

  • Discover all instances of privileged user and application accounts across the enterprise.
  • Establish custom workflows for obtaining privileged access.
  • Securely store privileged credentials in a vault with check-in and check-out functionality.
  • Automatically rotate passwords when needed — either after every use, at regular intervals or when employees leave the company.
  • Record and monitor privileged session activity for audit and forensics.
  • Receive out-of-the-box and custom reports on privileged activity.
  • Enforce least privilege policies on endpoints.

By integrating a PAM solution with identity governance and administration (IGA) tools, security teams can unify processes for privileged and nonprivileged users. They can also ensure privileged users are granted appropriate access permissions based on similar users’ attributes (e.g., job role, department, etc.) and in accordance with the organization’s access policy. Events related to privileged access are sent to a security incident and event management (SIEM) platform to correlate alerts with other real-time threats, which helps analysts prioritize the riskiest incidents. Integration with user behavioral analytics (UBA) solutions, meanwhile, helps security teams identify behavioral anomalies, such as the issuance of a rarely used privilege.

Embracing a Holistic Approach to PAM

IBM Security Secret Server is a new next-generation privileged account management offering that protects privileged accounts from cybercriminals and insider threats, helps ensure compliance with evolving regulations and gives authorized employees access to the tools and information they need to drive productivity. The solution protects privileged accounts from abuse and misuse — and enables organizations to enforce least privilege policies and control applications to reduce the attack surface.

By investing in PAM tools that integrate seamlessly into the existing environment, organizations can put the full power of the security immune system behind the ongoing effort to protect sensitive access credentials from increasingly sophisticated threat actors. This enables security teams to move beyond inefficient, manual processes and embrace a holistic approach to privileged account management.

Discover, manage, protect and audit privileged account access with IBM Security Secret Server

The post What Is Next-Generation Privileged Account Management? appeared first on Security Intelligence.