[BreachExchange] Protecting agency assets begins with identity-centric security

[Audrey McNeil]

https://gcn.com/articles/2021/05/19/identity-centric-security.aspx


The more IT environments become distributed, cloud-based and mobile, the
more securing identities gravitates to the center of infosec strategy.

As Jay Gazlay, a technical strategist at the Cybersecurity and
Infrastructure Security Agency recently summed up for members of the
National Institute of Standards and Technology’s Information Security and
Privacy Advisory Board: “Identity is everything now. We can talk about our
network defenses, we can talk about the importance of firewalls and network
segmentation, but really, identity has become the boundary, and we need to
start readdressing our infrastructures in that manner.”

No identities are more imperative to secure than those with privileged
access to systems, data, applications and other resources. With the power
to install and remove software, upgrade operating systems and modify and
configure applications, privileged credentials and access can fast-track
access to sensitive assets for an attacker or give malware the foothold it
needs to spread and escalate an attack.

This calendar year kicked off with a succession of spectacular cyberattacks
on government agencies and enterprises with implications that will ripple
for years through the industry. The extent of the damage in the SolarWinds,
Verkada and other attacks -- in many cases, perpetrated by nation-state
actors -- may be not be fully grasped for years. Inadequate identity and
access controls have continuously surfaced as a key theme of these
breaches, just as they have in most breaches in the last decade.

In 2019, the Office of Management and Budget issued its Identity,
Credentialing, and Access Management (ICAM) policy. It requires that
agencies “shift from simply managing access inside and outside of the
perimeter to using identity as the underpinning for managing the risk posed
by attempts to access federal resources made by users and information
systems.” Now, identity-centric security, along with zero trust, can no
longer be ignored. In fact, identity-centric security, particularly
privileged-access management (PAM) controls, are also an essential piece of
enabling a zero-trust architecture.

What is identity-centric security?

In an industry overstuffed with jargon, let’s back up for a moment and
clarify what identity-centric security refers to. An identity-centric
security approach encompasses both human and machine (application, software
bots, etc.) identities and focuses on enabling the five As: authentication,
authorization, access to data, auditing and accountability. This entails
centrally managing roles, policies, access control and privileges across
the disparate, far-flung pieces of today’s enterprises.

Identity-centric security is not meant to promote an identity-only security
approach. Data security, application security and network security all
remain important pieces and overlap each other. However, this approach
recognizes identity security as the keystone of IT security in the modern
computing environment.

Success with an identity-centric security strategy absolutely demands the
knocking down of organizational silos and barriers to streamline identity
management throughout the IT environment. Only with the integration of
various directory services, applications, databases, networks and resources
can organizations understand and enforce who users are, what they are
allowed to do, where and with what they can do it and whether their actions
are appropriate or not given the context.

PAM clarifies privileged identity and activity

Identity governance spans everything -- from onboarding and offboarding
employees and contractors to managing privileged account credentials and
derived cryptographic credentials, automated processes and multifactor
authentication. It is also one of the main focus areas in the government’s
Continuous Diagnostics and Mitigation program and ICAM architecture.

Although privileged-access management is arguably the most important
technology area of this domain, protecting privileged credentials
granularly enforces least privilege and monitors and manages every session
involving privileged access -- whether human, machine, employee or vendor.
After all, almost every attack today requires privilege for the initial
exploit or to laterally move within a network.

PAM solutions can protect agencies by:

- Implementing credential management best practices to prevent credentials
from being stolen or misused.
- Enforcing least-privilege across users, applications, systems, etc. to
drastically reduce the attack surface and minimize potential lateral access
pathways.
- Ensuring elevated access is only given when contextual parameters are met
and is immediately revoked after the activity is performed or the context
has changed.
- Securing remote access for employees or contractors -- without a VPN --
and enabling agencies to lock down access to cloud, virtual and DevOps
control planes and other consoles.
- Monitoring and managing every privileged session, providing an
unimpeachable audit trail and the ability to pause or terminate suspicious
sessions.
- Identity-centric security with a PAM platform applies a unified and
automated approach to identity, securing privileged sessions, users and
assets. This reduces the attack surface and limits lateral movement from
user- and device-impersonation attacks. It protects against any type of
threat actor: nation-state, inside, external, human, machine and malware.

The path of least resistance is shifting

Managing the digital identity lifecycle of devices, human and machine
identities and automated technologies is critical for mitigating risk
because it helps ensure all digital identities are distinguishable,
auditable and consistently managed across the agency.

Bad actors typically go after easy targets: unsuspecting users and
unpatched and misconfigured systems. They target credentials that give them
access to the data they want. When they pursue privileged credentials, they
can gain broad access to critical systems, applications and even storage
systems.

While threat actors have always taken the path of least resistance, that
strategy has been shifting in the wake of digital transformation and the
massive increase in remote work that have multiplied the number of
privileges agencies need to manage. Yet here again, an identity-centric
approach, leaning heavily on PAM, best positions agencies to address these
risks. Agencies that have closed the paths of least resistance will find
threat actors choosing an easier target.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210520/c5c550b0/attachment.html>