Identity matters in managing cybersecurity risk, but it’s only part of the equation. We need to know not only who we’re letting into our systems and networks, but also what they want to do there and why.
And when someone tries to move into territory or perform actions for which they’re not approved, we need a guardian at the gate to provide the added access – or not.
The “how” of access management matters. Insider threats are increasing. So are breaches from without, as cybercriminals use stolen credentials to slip past identity-based barriers. “Privileged access” becomes meaningless when a hacker knows your CEO’s username and password.
Internally, excess privileges can be an open door to compromise. Often granted to developers, they confer god-like powers to make changes to not only the application they’re designing and testing, but to any other software in the system, as well.
Do your developers understand the context behind your organization's security policies? And keep in mind that your developers are human – and humans err.
What if there were a better way to protect your enterprise than access management that relies on identity?
The problem is big – and growing
We’ve known about the access problem for quite some time, but only recently has it become serious enough to sound alarms.
Verizon’s Data Breach Investigation Report 2021 shows that, in 2020, 61 percent of breaches involved credentials, and credentials remain one of the most sought-after data types (targeted in 59 percent of attacks). Some 70-75 percent involved privilege abuse, and 99 percent of those incidents came from within – from trusted employees.
The 2019 Capital One breach opened many eyes to the dangers of one-and-done, identity-based access. In this famous insider attack, an ex-employee of the Amazon Web Services cloud provider slipped into the bank’s AWS account and pilfered the personal data of 100 million customers. Reactions focused largely on cloud security, and how to tighten controls. Few questioned the concept of letting people (or bots) into a system or network based on who they are or what the context behind their role might be.
Current industry solutions enable organizations to define policies for gating access behaviors, but recent cyber breaches have amply demonstrated that the trust organizations extend goes well beyond what those policy gates cover.
At the same time, hackers are using ever-more-sophisticated methods to crack passwords and even encryption keys, targeting the credentials of high-level executives that will provide them with the broadest access.
Even thornier is the issue of insider threats, especially where highly sensitive information and critical infrastructure are at stake. The proliferation of remote work allows malicious insiders to probe systems and download files without oversight, adding to the risk of a breach or compromise. The use of cloud environments, while more convenient, increases risk even more. If your house has only a single locked door, the chance that it will be broken into is relatively small. For every additional door and window, however, your home’s vulnerability rises.
And if you’re letting people walk in based on their role, you’ll certainly want to make sure they do only what you’re paying them for. Otherwise, the plumber might help themselves to the supper you’ve got cooking for yourself that night, or the parcel delivery person to the golf clubs in your hall closet.
Intention is everything
If you’ve locked the closet door, your clubs will most likely be safe whether you are personally watching them or not. I can’t vouch for your supper, though – an honest worker in your kitchen won’t touch it, because they know that’s not why they’re there, but the dishonest (or very hungry) person might sneak a taste if you’re not there to watch and give your OK.
By the same token, you want to provide users with access to the parts of your system where they need to be, but also need to prevent them from doing anything unauthorized. Monitoring isn’t the answer, not the way it happens today.
We have solutions that compartmentalize systems to allow or disallow access to a user, but they don’t check for the user’s intent. Nor will monitoring software alert you in advance when something isn’t right. Instead, they sound alarms after an incident has occurred – which is too late.
Rather than granting access based on identity, we need a way to let users in for a specific purpose or event. When we attend a basketball game or concert, we have to show our ticket before entering. The ticket taker doesn’t care who we are: they only check to make sure we’ve purchased the right to be at the show. If we try to do something else, like give ourselves a tour of the rest of the facility, security guards may block the way. If our intent is malicious – if we try to start a fire or break into offices – they’ll boot us from the premises and may call law enforcement.
Likewise, an app developer trying to make changes to services or get access to resources outside their purview should have to seek permission before even getting in. Until they get that permission, they’re blocked.
Event-based access management lets authorized users into your systems, network, or applications based not only on who they are but also on what they wish to do. If they decide to do something else but aren’t authorized for that task or event, they’ll need first to get permission.
No one wants notifications at all hours of the day or night asking for user permissions. Preset security policies can, for the most part, take care of these requests automatically. Certain actions can and should be strictly off-limits: deleting or altering sensitive medical records or financial account information, for instance.
Event-based access management needn’t mean that the CISO or other security manager must constantly give people permission to do their jobs. If policies clearly define what isn’t allowed, an automated event-based access solution will deny permission for forbidden tasks.
Just as there’s no need to let someone wreak havoc in your systems – intentional or not – based on their identity or role, there’s no need to micromanage every move in an event-based world if you’ve set firm boundaries around what you don’t want to happen.
When the culprit is non-human, such as a bot or API service, the threat increases – but your vulnerability doesn’t have to. No matter who or what the user’s identity, if they’re trying to do something you don’t want, they won’t be able to.
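To make the model described above concrete, here is an added example (not code from the original post or from any product it alludes to) of a minimal event-based policy evaluator. Each request carries who is asking, what action on which resource, and the declared event it belongs to; the evaluator hard-denies the off-limits actions, allows what policy pre-approves for that role inside that event, and blocks everything else until a reviewer explicitly approves that exact request. The roles, event names, resource names and policy entries are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal event-based access
policy evaluator. Each request says not only WHO is asking (principal, role)
but WHAT they want to do (action on a resource) and for which declared EVENT.
Decision order:
  1. DENY           - action is on the hard off-limits list, for anyone
  2. ALLOW          - an explicit one-off approval exists for this exact request
  3. ALLOW          - the role is pre-approved for this action in this event
  4. NEEDS_APPROVAL - everything else is blocked until someone approves it
All roles, events, resource names and policy entries are constructed for
illustration, not taken from any real product or organisation."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_APPROVAL = "needs_approval"


@dataclass(frozen=True)
class AccessRequest:
    principal: str   # human user or non-human identity (bot, service account)
    role: str        # e.g. "developer", "ci-service", "executive"
    action: str      # e.g. "read", "write", "delete", "deploy"
    resource: str    # e.g. "app:billing/config", "data:medical-records/42"
    event: str       # declared purpose, e.g. "release-2024-03"


# Hard rules: (action, resource prefix) pairs nobody may perform. There is no
# approval path for these; the post's examples are altering or deleting
# medical records and financial account information.
FORBIDDEN = frozenset({
    ("write", "data:medical-records/"),
    ("delete", "data:medical-records/"),
    ("write", "data:financial-accounts/"),
    ("delete", "data:financial-accounts/"),
})

# Event-scoped grants: (role, event) -> {(action, resource prefix)}.
# A role gets nothing outside an event it has been admitted to.
EVENT_GRANTS = {
    ("developer", "release-2024-03"): frozenset({
        ("read", "app:billing/"),
        ("deploy", "app:billing/"),
    }),
    ("developer", "hotfix-1042"): frozenset({
        ("write", "app:billing/config"),
        ("deploy", "app:billing/"),
    }),
    ("ci-service", "release-2024-03"): frozenset({
        ("deploy", "app:billing/"),
    }),
}


def _matches(rules, action: str, resource: str) -> bool:
    """True if any (action, prefix) rule covers this action on this resource."""
    return any(action == a and resource.startswith(prefix) for a, prefix in rules)


def decide(req: AccessRequest, approvals: frozenset = frozenset()) -> Decision:
    """Evaluate one request. `approvals` holds tuples
    (principal, action, resource, event) that a reviewer has explicitly OK'd."""
    # 1. Hard deny wins over identity, role and even explicit approvals, so a
    #    stolen executive credential gains nothing here.
    if _matches(FORBIDDEN, req.action, req.resource):
        return Decision.DENY
    # 2. A reviewer approved exactly this who/what/where/why.
    if (req.principal, req.action, req.resource, req.event) in approvals:
        return Decision.ALLOW
    # 3. Pre-approved by policy for this role inside the declared event.
    if _matches(EVENT_GRANTS.get((req.role, req.event), frozenset()),
                req.action, req.resource):
        return Decision.ALLOW
    # 4. Nothing says yes, so the request waits; role alone opens no door.
    return Decision.NEEDS_APPROVAL


def evaluate_all(requests, approvals: frozenset = frozenset()):
    """Decide a batch of requests; returns (principal, action, decision) rows."""
    return [(r.principal, r.action, decide(r, approvals).value) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests.
    dev_deploy = AccessRequest("alice", "developer", "deploy", "app:billing/api", "release-2024-03")
    dev_config = AccessRequest("alice", "developer", "write", "app:billing/config", "release-2024-03")
    dev_medical = AccessRequest("alice", "developer", "delete", "data:medical-records/42", "release-2024-03")
    exec_ledger = AccessRequest("ceo", "executive", "write", "data:financial-accounts/ledger", "quarterly-review")
    bot_deploy = AccessRequest("ci-runner", "ci-service", "deploy", "app:billing/api", "release-2024-03")
    approved = frozenset({("alice", "write", "app:billing/config", "release-2024-03")})
    for row in evaluate_all([dev_deploy, dev_config, dev_medical, exec_ledger, bot_deploy], approved):
        print(row)
```

The ordering is the design point: the hard deny list is checked before approvals so that no reviewer, and no compromised account, can unlock an action the organization has declared off-limits; the same developer who may deploy during a release still has to ask before touching configuration, because that was granted only for the hotfix event; and the CI bot is judged by the same rules as a human.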
If you’re thinking about access in the same old, tired way – as a role-based or identity-based privilege – you’re taking enormous chances with your security and privacy. As we’ve seen, once hackers have your credentials it’s open season on your systems, and insiders can abuse their privileges without your even knowing. Shifting the focus on access security from “who’s at the door” to “what they want to do” can literally change the game, and position you as the winner.
How can organizations ensure Proof of Trust for every access transaction?