Protecting agency assets begins with identity-centric security
By Craig McCullough
The more IT environments become distributed, cloud-based and mobile, the more securing identities gravitates to the center of infosec strategy.
As Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency recently summed up for members of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board: “Identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary, and we need to start readdressing our infrastructures in that manner.”
No identities are more imperative to secure than those with privileged access to systems, data, applications and other resources. With the power to install and remove software, upgrade operating systems and modify and configure applications, privileged credentials and access can fast-track access to sensitive assets for an attacker or give malware the foothold it needs to spread and escalate an attack.
This calendar year kicked off with a succession of spectacular cyberattacks on government agencies and enterprises with implications that will ripple for years through the industry. The extent of the damage in the SolarWinds, Verkada and other attacks -- in many cases, perpetrated by nation-state actors -- may be not be fully grasped for years. Inadequate identity and access controls have continuously surfaced as a key theme of these breaches, just as they have in most breaches in the last decade.
In 2019, the Office of Management and Budget issued its Identity, Credentialing, and Access Management (ICAM) policy. It requires that agencies “shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems.” Now, identity-centric security, along with zero trust, can no longer be ignored. In fact, identity-centric security, particularly privileged-access management (PAM) controls, are also an essential piece of enabling a zero-trust architecture.
What is identity-centric security?
In an industry overstuffed with jargon, let’s back up for a moment and clarify what identity-centric security refers to. An identity-centric security approach encompasses both human and machine (application, software bots, etc.) identities and focuses on enabling the five As: authentication, authorization, access to data, auditing and accountability. This entails centrally managing roles, policies, access control and privileges across the disparate, far-flung pieces of today’s enterprises.
Identity-centric security is not meant to promote an identity-only security approach. Data security, application security and network security all remain important pieces and overlap each other. However, this approach recognizes identity security as the keystone of IT security in the modern computing environment.
Success with an identity-centric security strategy absolutely demands the knocking down of organizational silos and barriers to streamline identity management throughout the IT environment. Only with the integration of various directory services, applications, databases, networks and resources can organizations understand and enforce who users are, what they are allowed to do, where and with what they can do it and whether their actions are appropriate or not given the context.
PAM clarifies privileged identity and activity
Identity governance spans everything -- from onboarding and offboarding employees and contractors to managing privileged account credentials and derived cryptographic credentials, automated processes and multifactor authentication. It is also one of the main focus areas in the government’s Continuous Diagnostics and Mitigation program and ICAM architecture.
Although privileged-access management is arguably the most important technology area of this domain, protecting privileged credentials granularly enforces least privilege and monitors and manages every session involving privileged access -- whether human, machine, employee or vendor. After all, almost every attack today requires privilege for the initial exploit or to laterally move within a network.
PAM solutions can protect agencies by:
Implementing credential management best practices to prevent credentials from being stolen or misused.
Enforcing least-privilege across users, applications, systems, etc. to drastically reduce the attack surface and minimize potential lateral access pathways.
Ensuring elevated access is only given when contextual parameters are met and is immediately revoked after the activity is performed or the context has changed.
Securing remote access for employees or contractors -- without a VPN -- and enabling agencies to lock down access to cloud, virtual and DevOps control planes and other consoles.
Monitoring and managing every privileged session, providing an unimpeachable audit trail and the ability to pause or terminate suspicious sessions.
Identity-centric security with a PAM platform applies a unified and automated approach to identity, securing privileged sessions, users and assets. This reduces the attack surface and limits lateral movement from user- and device-impersonation attacks. It protects against any type of threat actor: nation-state, inside, external, human, machine and malware.
The path of least resistance is shifting
Managing the digital identity lifecycle of devices, human and machine identities and automated technologies is critical for mitigating risk because it helps ensure all digital identities are distinguishable, auditable and consistently managed across the agency.
Bad actors typically go after easy targets: unsuspecting users and unpatched and misconfigured systems. They target credentials that give them access to the data they want. When they pursue privileged credentials, they can gain broad access to critical systems, applications and even storage systems.
While threat actors have always taken the path of least resistance, that strategy has been shifting in the wake of digital transformation and the massive increase in remote work that have multiplied the number of privileges agencies need to manage. Yet here again, an identity-centric approach, leaning heavily on PAM, best positions agencies to address these risks. Agencies that have closed the paths of least resistance will find threat actors choosing an easier target.
Craig McCullough is the senior vice president, public sector, at BeyondTrust.