Threats to cybersecurity, and the risks and cost to business, will be magnified by accelerating digitalization unless organisations quickly and aggressively bring identity management under control.
While digital technologies accelerate business growth and supercharge efficiency, they can also be exploited by cybercriminals and amplify the opportunity for malfeasance when identity management is compromised.
The problem is only going to get worse as devices, apps and automation bots are propagating rapidly across the enterprise.
Indeed, according to McKinsey and Co, digital transformation accelerated at an extraordinary pace during the global COVID disruption, since Business as Usual was no longer an option. In one study, McKinsey revealed that its clients experienced seven years of transformation in just six months in 2020.
This great leap forward created powerful competitive advantage — but it vastly inflated the playing field for vulnerabilities, putting the newly found gains at risk.
That’s because digitalization creates massive opportunities for access to data — access that can be used for good or for ill.
That crisis-fueled shift to cloud applications and remote working during the pandemic will undoubtedly have created new vulnerabilities, and many of those vulnerabilities will still be there long after COVID recedes and work returns to its new normal.
That puts huge stresses on IT departments to take control of all forms of identity that have access to systems — people, devices and automated bots — catapulting identity management to the top tier of any successful information security strategy.
Not just people
Just like humans – whether employees, partners or customers – devices, apps and bots using the network also have identities and privileges ripe for exploitation.
The level of access and privileges afforded to every identity needs to be carefully controlled and managed in order to secure your data and applications.
While this has been the reality for some time, the problem is compounded by the fact that digital transformation succeeds when it operates at scale. For example, analytics driven by AI requires massive amounts of data to draw meaningful insights. This means there needs to be connectivity and communication between the many different identities across applications, devices, people and bots, and it all must happen almost instantly and at scale.
If any of those identities can be compromised, a bad actor could enter the organisation’s network and use the privileges associated with that identity — whether it’s a person, an application, or a printer — to do harm.
Take, for example, Robotic Process Automation (RPA). While RPA increases efficiency, productivity and quality — it also provides a new and attractive attack surface for exploitation. That’s because RPA bots are often given access to a variety of highly sensitive business applications, and if a bot’s credentials can be obtained, the bot can be reprogrammed — potentially giving attackers enormous power. For example, a robot tasked with processing invoices could be reprogrammed to send payments to an attacker.
It’s no surprise therefore that the credentials robots use to access business applications are an especially attractive target. Most RPA tools store credentials used by robots in a database on the RPA host machine, and attackers can often gain access to the host machine through various attack methods. With organisations heavily invested in using cloud applications, an attacker could use access to cloud systems to move laterally with a compromised account between systems.
To manage this increasingly complex security environment, organisations are starting to change the way they think about security.
The old security model was more or less a kind of “fortress” — organisations placed boundaries around the edge of the business, with guards posted around the periphery, providing protection. The guards allow trusted parties — those with the right privileges — to enter and leave through gaps in the fortress walls. If an individual can prove their identity, they can pass through the gap.
Once an identity enters the fortress, the monitoring stops and it’s trusted to do only what it should do. However, that trust can be (and often was) misplaced.
The “fortress” model doesn’t work in the modern digitalized, distributed environment of remote work and cloud applications and bots coming and going at the speed of thought. You can’t put a wall around the business when it’s spread across multiple private and public clouds as well as on-premises environments.
This has led to the emergence of approaches like Zero Trust for access and identity management that recognise the scale and complexity of digital businesses.
This approach is built on the idea that organisations should not automatically trust anyone or anything — whether outside or inside the network perimeter.
Zero Trust demands that anyone and everything trying to connect to an organisation’s systems must first be verified — every time — before access is granted. And when access is granted, it is on the basis of “least privilege” — that is, the identity attempting to access a service on the network is given the minimal permission necessary to do what it is requesting, and nothing more.
Information about the user, endpoint, application or server, policies, and all activities related to them can be collected and fed into a data pool that fuels machine learning. According to the Identity Management Institute, “This allows the system to automatically recognise unusual behaviours, such as a user trying to access resources from an unusual location, or from an unfamiliar machine. That would then immediately trigger the need for additional authentication, or access can be blocked.”
By feeding every access attempt back into an analytics platform, you can apply modern machine learning to build individual profiles for every user. Technologies like machine learning greatly reduce the complexity of analysis required for access controls.
Instead of writing complicated rules, IT can decide how to respond to the risk level of an access attempt, saving a great deal of time and frustration.
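The per-request decision described above, as an added example that is not code from this article or from any product: a least-privilege scope check comes first, then a risk score from location and device is mapped to allow, additional authentication, or block. The profiles, weights, thresholds and the rule that a bot is blocked rather than challenged are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    kind: str             # "human" or "bot"
    locations: frozenset  # locations this identity normally connects from
    devices: frozenset    # machines it normally uses
    scopes: frozenset     # least-privilege grant: the only actions allowed

# Constructed sample profiles (illustrative names and values).
PROFILES = {
    "alice": Profile("human", frozenset({"AU"}), frozenset({"laptop-17"}),
                     frozenset({"crm:read", "crm:write"})),
    "invoice-bot": Profile("bot", frozenset({"AU"}), frozenset({"rpa-host-1"}),
                           frozenset({"invoices:read", "payments:create"})),
}

AUDIT = []  # every attempt is recorded, allowed or not, to feed later analysis

def risk_score(profile, location, device):
    """Hand-set weights standing in for a learned behavioural model."""
    score = 0
    if location not in profile.locations:
        score += 40
    if device not in profile.devices:
        score += 40
    return score

def decide(identity, location, device, scope):
    """Evaluate one request; nothing is trusted because of an earlier allow."""
    profile = PROFILES.get(identity)
    if profile is None:
        verdict, score = "deny", 100      # unknown identity
    elif scope not in profile.scopes:
        verdict, score = "deny", 100      # outside the least-privilege grant
    else:
        score = risk_score(profile, location, device)
        if score == 0:
            verdict = "allow"
        elif profile.kind == "human" and score < 80:
            verdict = "step_up"           # ask for additional authentication
        else:
            # Assumption: a bot cannot answer an interactive challenge,
            # so any deviation from its profile blocks it outright.
            verdict = "deny"
    AUDIT.append((identity, location, device, scope, score, verdict))
    return verdict
```

In practice the response to each risk level is the policy IT sets, and the scoring function is the part a behavioural model would replace.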
AI-powered systems are able to apply appropriate identity access management policies to any access request based on needs and circumstances so that the IT department doesn’t have to waste time figuring out the basics of “least privilege” for every use case or resolving problems with privilege creep.
This saves time and frustration on the part of the IT team and also avoids “security fatigue” for non-IT employees — allowing everyone to focus on maximising the benefits of digital transformation.
Organisations have no option but to bring identity management and access under control. The risks of breaches will only increase as digital transformation accelerates in the post-COVID world, and emerging technologies increase the sophistication of opportunities for both attackers and defenders.
This article was produced by Which-50’s Digital Intelligence Unit on behalf of CyberArk