At the last Gartner Security and Risk Management Summit, Gartner shared Top 10 Security Projects for CISOs to focus on to reduce risk and make a large impact on the business. It's no surprise that privilege management was their #1 recommendation.
Trends such as hybrid cloud, mobility, big data, CIAM, IoT and digital transformations all introduce new threats and levels of risk around privilege. Adding to the complexity is that identities are now much more than people – they can also be services, devices or things – and most identities have some form of privilege. IT grants identities elevated privileges in the name of productivity every day. All of these identities are vulnerable because they have elevated access to critical systems and information that will, in turn, open the company up to risk.
There are three main types of risk around privileged access:
- Outside threats: Sophisticated hackers direct phishing and spear-phishing attacks at those who would have elevated access—executives, system admins, network managers, engineers, and security workers who have access to finances, intellectual property, customer data, formulas, manufacturing processes, etc. Many of these users are sophisticated themselves, but they’re still human and can be deceived. Hackers may not know which identity has access to what, but they consider the privileged ones to be the Holy Grail. Attackers who gain access to privileged users’ credentials can lurk undetected for months while they learn a company’s systems and decide what to steal.
- Inside threats: Organizations must also protect against insider threats, both malicious and accidental. Whether they mean to or not, users whom have been given or steal credentials with elevated access could easily take down a network, expose confidential information and much more—potentially costing the organization millions of dollars in lost productivity, lost revenue, and compliance fines. There are known cases of employees or contractors performing malicious acts, but most circumstances are the result of human error or carelessness. If the company doesn’t provide a good user experience and the right access at the right time, even highly-technical and trusted privileged users will find ways to get their job done, sometimes at the expense of security.
- Non-compliance: There are many existing compliance regulations around data access such as GDPR, HIPPA, and PCI – with the expectation that more will be introduced in the coming years. As compliance and internal governance requirements continue to become more stringent and audits more grueling, organizations are being pressured to strike a balance between keeping people productive and enforcing security controls based on identity. Many are looking for quick wins to mitigate the amount of risk their organization is facing, with the ability to prove to auditors that they have implemented the necessary standards.
This is why privilege management is at the core of a comprehensive identity and access management strategy and why it was #1 on Gartner’s list. Many organizations today either ignore their privilege problem, don’t know where to start, or only have manual processes in place – these companies are setting themselves up for a major data breach, incident or, at the very least, a failed audit.
Take the time that’s left in 2018 to evaluate your existing privilege strategy and put in a new plan in place to take control of those pesky privileged identities.