- CIOs should not have to choose between business risk and business growth.
- As your business grows, as attacks grow and attack sophistication increases, it is time to protect what matters most, without constraining the business.
- How can you get your organization to migrate to a more secure access policy that allows your business to grow while managing the risk from business expansion?
- Cleaning up application access privileges, tailoring policies to individual user groups, and making your access dynamic should help you start.
The need for access to corporate information is broad and growing, both from within and outside your company. This need can look like an employee at a remote manufacturing site accessing data across a corporate network, an employee working from home accessing a cloud application, a third-party supplier engaged in joint design accessing design requirements through a supplier portal, an internal global product design team accessing results from confidential research or design programs, and more.
The pandemic heralded the beginning of the end for homogenous access control policies with blunt access tools like VPN. VPN implementations were fast, but VPNs weren’t designed to grant differentiated access by user group or adjust such access based on risk profiles. Even with a VPN or a firewall-based protection, a single compromised credential can put a significant amount of valuable data or assets in the hands of an attacker, making it ineffective for true cyber-risk management.
Recent attacks in the private sector have shown the impact of such intrusions can extend well beyond damage for individual companies into entire value chains. The recent Kaseya hack hit hundreds of companies with ransomware that took advantage of third-party access. The Colonial Pipeline ransomware attack impacted energy stability in the United States by taking advantage of a single compromised user account.
The most secure approach in this environment is a zero trust access approach, which grants the least access possible. As the recent 2021 presidential executive order on cybersecurity and its recommendation for federal agencies and enterprises shows, zero trust as an approach is gaining attention as something needed, but what does that mean to your organization, and how do you make it happen?
Zero trust through user identity-based segmented access
In the report, “What Are Practical Projects for Implementing Zero Trust?” (published March 2021), Gartner recommends organizations implement zero trust by focusing on two complementary projects: (1) zero trust network access and (2) identity-based segmentation. The powerful combination allows businesses to construct a complete access picture based on full context of who is accessing information (including the user identity and role, devices they are accessing from, and behaviors in the access) and the minimum set of things they need to access in order to perform their roles (including specific cloud workloads or data center applications).
With user identity-based segmented access, access is granted to specific groups of users for accessing specific applications or groups of applications they must access and is reevaluated for risk constantly. With this approach, CIOs can not only secure remote workforces without constraining the business, but they can also solve common, complex access problems such as securing globally based remote IT admins who may have detailed access requirements and privileges, granting remote developers access to specific cloud workloads for changes they are authorized to make, or restricting third-party access to the company’s crown jewels.
In addition, companies can also enforce specific compliance policies during access and conduct a full audit of who is allowed access to what resources, when they’re accessing it, and risks from unauthorized or unusual behavior in their access, that can be flagged through machine learning.
Creating a better cybersecurity landscape
How can you get your organization to migrate to a more secure access policy that allows your business to grow while managing the risk from business expansion? Three easy steps will help:
- Clean up existing application access privileges
You might be surprised by how many former employees or past contractors still have access to your systems. Disgruntled individuals could certainly pose a threat, but it’s more likely that cybercriminals could steal a former employee’s credentials in a separate breach. Our tendency to reuse usernames and passwords across different applications means that one set of stolen credentials could lead to more than one distinct breach. Think of everyone who’s ever had access to your system as a doorway that cybercriminals could use to access your network — so it’s important to close and lock any door that isn’t being used.
For current employees and contractors, use the principle of least-privilege access to what they need to do. This concept means that users can only access the sources they need to perform their specific roles. In large organizations, applying these principles can be time-consuming, which is why you should lean on machine learning to develop access systems that recommend the right policies for you based on risk, usage, and behavioral metrics.
- Tailor specific policies to individual user groups and applications they can access
Wide access enables faster business speed but presents an ideal attack vector to cybercriminals, which is why you should apply policies to ensure that users can only access the applications they need to do their jobs. And if their jobs change, their access changes as well.
Creating user groups tied to specific applications or workload micro-segments is one way to achieve that. Remote full-time employees, for example, should have a different set of policies than remote third-party contractors in terms of applications they can access. A testing lab should only provide access for a third-party test partner to those resources or applications they need to test. Identity-based segmentation will dramatically limit lateral movement and reduce the attack surface for both front-end and back-end access.
- Make your access dynamic so as your business grows, your risk does not
As your business grows, your application base changes, your ecosystem grows, and your employee base grows. The amount of proprietary information you have grows. Your access policies should adapt so they help you manage your risk down, without cramping your business. This means adding a new user or a new application or changing access rules cannot be cumbersome but very easy to implement in the tool you use. Similarly, dynamic access provisioning within your networks to avoid security gaps should be mainstream, not an afterthought.
The pandemic forced CIOs and IT teams to accelerate their digital transformation while at the same time putting new demands on security through changes in business like more prevalent remote access. CIOs should not have to choose between business risk and business growth. As your business grows, as attacks grow and attack sophistication increases, it is time to protect what matters most, without constraining the business. This will require not only a differentiated access policy by user group, but the ability to limit the attack surface from any compromised credentials to be as small as possible.
Written by Vats Srivatsan. Attribution: Gartner, What Are Practical Projects for Implementing Zero Trust?, John Watts, Neil MacDonald, 17 March 2021
Track Latest News Live on CEOWORLD magazine and get news updates from the United States and around the world. The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine. Follow CEOWORLD magazine on Twitter and Facebook. For media queries, please contact: email@example.com