Skip to content

Posts from the ‘cybersecurity’ Category

Why Manufacturing Supply Chains Need Zero Trust

  • According to the 2019 Verizon Data Breach Investigation Report, manufacturing has been experiencing an increase in financially motivated breaches in the past couple of years, whereby most breaches involve Phishing and the use of stolen credentials.
  • 50% of manufacturers report experiencing a breach over the last 12 months, 11% of which were severe according to Sikich’s 5th Manufacturing and Distribution Survey, 2019.
  • Manufacturing’s most commonly data compromised includes credentials (49%), internal operations data (41%), and company secrets (36%) according to the 2019 Verizon Data Breach Investigation Report.
  • Manufacturers’ supply chains and logistics partners targeted by ransomware which have either had to cease operations temporarily to restore operations from backup or have chosen to pay the ransom include Aebi SchmidtASCO Industries, and COSCO Shipping Lines.

Small Suppliers Are A Favorite Target, Ask A.P. Møller-Maersk

Supply chains are renowned for how unsecured and porous they are multiple layers deep. That’s because manufacturers often only password-protect administrator access privileges for trusted versus untrusted domains at the operating system level of Windows NT Server, haven’t implemented multi-factor authentication (MFA), and apply a trust but verify mindset only for their top suppliers. Many manufacturers don’t define, and much less enforce, supplier security past the first tier of their supply chains, leaving the most vulnerable attack vectors unprotected.

It’s the smaller suppliers that hackers exploit to bring down many of the world’s largest manufacturing companies. An example of this is how an accounting software package from a small supplier, Linkos Group, was infected with a powerful ransomware agent, NotPetya, bringing one of the world’s leading shipping providers,  A.P. Møller-Maersk, to a standstill. Linkos’ Group accounting software was first installed in the A.P. Møller-Maersk offices in Ukraine. The NotPetya ransomware was able to take control of the local office servers then propagate itself across the entire A.P. Møller-Maersk network. A.P. Møller-Maersk had to reinstall their 4,000 servers, 45,000 PCs, and 2500 applications, and the damages were between $250M to $300M. Security experts consider the ransomware attack on A.P. Møller-Maersk to be one of the most devastating cybersecurity attacks in history. The Ukraine-based group of hackers succeeded in using an accounting software update from one of A.P. Møller-Maersk’s smallest suppliers to bring down one of the world’s largest shipping networks. My recent post, How To Deal With Ransomware In A Zero Trust World explains how taking a Zero Trust Privilege approach minimizes the risk of falling victim to ransomware attacks. Ultimately, treating identity as the new security perimeter needs to be how supply chains are secured. The following geographical analysis of the attack was provided by CargoSmart, showing how quickly NotPetya ransomware can spread through a global network:

CargoSmart provided a Vessel Monitoring Dashboard to monitor vessels during this time of recovery from the cyber attack.

Supply Chains Need To Treat Every Supplier In Their Network As A New Security Perimeter

The more integrated a supply chain, the more the potential for breaches and ransomware attacks. And in supply chains that rely on privileged access credentials, it’s a certainty that hackers outside the organization and even those inside will use compromised credentials for financial gain or disrupt operations. Treating every supplier and their integration points in the network as a new security perimeter is critical if manufacturers want to be able to maintain operations in an era of accelerating cybersecurity threats.

Taking a Zero Trust Privilege approach to securing privileged access credentials will help alleviate the leading cause of breaches in manufacturing today, which is privileged access abuse. By taking a “never trust, always verify, and enforce least privilege” approach, manufacturers can protect the “keys to the kingdom,” which are the credentials hackers exploit to take control over an entire supply chain network.

Instead of relying on trust but verify or trusted versus untrusted domains at the operating system level, manufacturers need to have a consistent security strategy that scales from their largest to smallest suppliers. Zero Trust Privilege could have saved A.P. Møller-Maersk from being crippled by a ransomware attack by making it a prerequisite that every supplier must have ZTP-based security guardrails in place to do business with them.

Conclusion

Among the most porous and easily compromised areas of manufacturing, supply chains are the lifeblood of any production business, yet also the most vulnerable. As hackers become more brazen in their ransomware attempts with manufacturers and privileged access credentials are increasingly sold on the Dark Web, manufacturers need a sense of urgency to combat these threats. Taking a Zero Trust approach to securing their supply chains and operations, helps manufacturers to implement least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, manufacturers can minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity, and costs for the modern, hybrid manufacturing enterprise.

Absolute’s CEO Christy Wyatt On Leading A Cybersecurity Company And The Power Of Resilience

Christy Wyatt’s career exemplifies what you would expect from a high-performing tech leader who thrives on turning challenges into growth. Showing persistence, resiliency, and tenacity – she has a long history of scaling high-growth technology companies and infusing them with greater creative energy, ingenuity, and intensity for results. As CEO of Absolute, she’s leading the company through an evolution that is shifting its focus from simply being known as a ‘track and trace’ company to becoming the world’s most trusted security company delivering endpoint resiliency to businesses of all sizes.

Previously she served as CEO of Dtex Systems, a user behavior intelligence company that grew revenue by 321% last year. Before Dtex, she was Chairman, CEO, and President of Good Technology, the global leader in mobile security where she defined and delivered an aggressive growth strategy before its successful acquisition by BlackBerry. Wyatt began her career as a software engineer and rose through the executive leadership ranks at Citigroup, Motorola, Apple, Palm and Sun Microsystems. She was named one of Inc. Magazine’s Top 50 Women Entrepreneurs in America, CEO of the Year by the Information Security Global Excellence Awards, and one of Fierce Wireless’s Most Influential Women in Wireless.

Insights From Absolute’s Latest Earnings Call

On August 13th, Christy Wyatt and Errol Olsen, CFO of Absolute, hosted the company’s latest earnings call with financial analysts. A transcript of the call is available here. Key insights from the company’s latest quarter and fiscal year-end were shared and included the following:

  • Total revenue in FY19 was $98.9M, representing an increase of 6% over the prior fiscal year with the ACV Base reaching $98M as of June 30, 2019, up $6.5M or 7%, over the prior year.
  • Enterprise sector portion of the ACV Base increased 11% year-over-year. Enterprise customers represented 55% of the ACV Base of June 30, 2019. And the Government sector portion of the ACV Base increased 15% year-over-year, now representing 12% of the ACV Base as of June 30, 2019.
  • Incremental ACV from new customers was $5.2M in FY19, compared to $3.4M in FY18.
  • Adjusted EBITDA in FY19 was $19.3M, or 20% of revenue, up from $9.2M or 10% of revenue, in the prior fiscal year.
  • FY19 Net Income increased 144% over the prior fiscal year based on continued Enterprise market growth.
  • In Q4, Absolute signed a new financial services customer with an ACV just under $1M with their service being delivered by a Managed Service Provider (MSP) that maintains the customers computing infrastructure.
  • Absolute has provided product-level enhancements to make it easier for MSP partners to use their products to support multiple customers, with the strategy paying off with more deals globally.

Christy Wyatt On Competing In Today’s Cybersecurity Industry 

I recently had the opportunity to interview Christy and learn more about how she sees the cybersecurity industry today and where it’s heading, in addition to gaining insights into her and her teams’ goals at Absolute, one of the top 10 cybersecurity companies to watch in 2019. Absolute serves as the industry benchmark for endpoint resilience, visibility, and control. Embedded in over a half-billion devices, the company enables more than 12,000 customers with self-healing endpoint security, always-connected visibility into their devices, data, users, and applications whether endpoints are on or off the corporate network, and the ultimate level of control and confidence required for the modern enterprise.

The following is my interview with Christy:

Louis:             Coming into a new company environment and establishing yourself with credibility in the role is key. What are the things that you’ve gone after immediately to address how the company is doing and where it’s going? In essence, what’s been your 90-day plan, and how’s that going overall?

Christy:          Most incoming CEOs join a company with a thesis about why this is an interesting opportunity and how they can invest significant intellectual capital into it. And then that first 90 days is really about vetting out that model and seeing if the opportunity is real. With Absolute, my thesis was here is a company that very few people understood, with an amazing install base and partner community built around unique self-healing capabilities. If you juxtapose that against the security industry today, you’ll see the glaringly huge problem. There are start-ups after start-ups all claiming they can protect businesses from breaches – so organizations keep buying more and more technology – all while breaches are accelerating. And those businesses keep asking themselves, “Are we more secure? How do I know if my business is more secure?” And the answer is they don’t know.

When I talk to customers, they say, “I have more than ten agents on every laptop in my device fleet. User experience is suffering, and the complexity is mind boggling.” As a CEO, I want to be able to fix that, right? How do we effectively deploy security controls in a way that is healthy and productive for both the laptop and for the user? That’s a massive opportunity, and that’s what gets me excited about Absolute.

Louis:             In your last few earnings calls, you referenced wins in financial services, healthcare, and professional services. What do you attribute the success of Absolute moving more towards the enterprise?

Christy:          The initial transition and increased focus on the enterprise market predates me. Over the past year, however, we’ve expanded our discussions into all the sectors you mention, and more, to better understand what they’re doing around enterprise resilience.

In April, we published original research that examined the state of decay and exposure points around endpoint security. Once we quantified that, we then spent our time with customers talking about what’s happening within their unique environments. What we found was that they had a false sense of security. They have encryption, malware security, and VPN all checked. But based on our research and new analytics, we were able to show them there are gaps in their protection when those agents became un-installed, missed a patch, or conflicted with other controls. That is the rate of decay we are talking about. How to make their existing controls more resilient to decay. We highlighted how their existing deployments degrade, weaken and fail over time. We also showed them some simple strategies to heal and even boost the immune system of their environment. That’s very powerful, and as a result, customers are leaning into our resilience story – it helps them capture the value of the investments they have already made.

Louis:             Regarding your product roadmap and the direction you’re going in, what are some of the plans that you’re looking to be able to capitalize on that presence that you have on billions of devices?

Christy:          Critical to our success has always been our partners. If you look at our Resilience product, which is our enterprise product, we can heal other third-party applications. So if the average enterprise has ten plus security agents deployed, there are probably at least three to five that they care about. They say, “Look, I feel exposed from a compliance perspective or a risk perspective if I don’t have, for example, encryption turned on… and it’s not okay with me that my users can delete something or turn it off.” Our data tells us where and how we can serve, and better secure, those enterprise IT architectures.

There’s a growing list of things within our platform today that we already heal. Broadening our resilience capabilities is something you’re going to see us invest significantly in. And then there’s work we have to do for our customers’ security and IT organizations, pointing them to the specific, critical things that need their focus right now. So if there’s a gap or something has gone offline in their security fabric, I want to bring their attention to it; I want to heal it and fix it. Absolute excels at solving those challenges for our customers.

Louis:             You mention endpoints often, and it makes me think about ‘Zero Trust’ security and the proliferation of IoT and industrial internet of things devices and how that’s flourishing across manufacturing and other distributed based industries like supply chains. What are your long term plans in these areas?

Christy:          We’re doing a lot of work in that space. With 5G quickly evolving, this is going to have a significant impact on the enterprise, and the ability to have similar controls on anything that’s connected to your network will be critical. I think there is a lot of credence in Zero Trust model as one of the many security architectures, but any one of these has to be rooted in something. So even if you’re trying to manage security from the cloud, your efficiency and your effectiveness are only as good as the data that you’re getting. If you don’t have visibility on what’s connected or what’s happening on the endpoint, your ability to diagnose it or fix it is relatively is impacted. My view is whatever you think your security strategy is today, the controls you think you need are going to be completely different 18 months from now. And so the five things you care about persisting and healing today are not going to be the same five things you care about in that timeframe. Our job is leverage our BIOS enabled foundation that allows enterprises to get reliable data, see the things that are protecting their environment, and heal them if something goes wrong – regardless of what their stack looks like.

Louis:             So Absolute becomes a system of record because it is the definitive record of all activity coming off of that laptop or that device that’s enabled at the BIOS level with your technology.

Christy:          I think we’re a big part of that. We’ve talked to a lot of customers, and there are other visibility solutions on the market. A lot of times somebody says, “Well, I have a fill-in-the-blank-security-product, and so I think I see everything.” My answer is the thing they are relying on is likely one of those ten things that are sitting in the stack that has a rate of decay – because it is not rooted in the BIOS so, therefore, it has some inherent vulnerability. So we should be instrumenting that and ensuring that we protect that critical control, ensure it is always running, and heal it if it goes offline. Our customers rely on us because they know that we are giving them the complete picture.

I don’t see the vast ecosystem of security products as competitive to what we are doing. I see those as complementary. Whatever is in your security technology stack, let’s make sure it’s always there, let’s make sure it’s always turned on, and let’s heal it if it goes offline.

Louis:             Regarding the designed-in win you’ve achieved with being embedded at the BIOS level, do you spend time OEMs? How is that all orchestrated at the platform level, or at the OEM level, to ensure that you continue to have that as a competitive advantage?

Christy:          We’ve had very close relationships with our OEM partners for well over a decade. We spend a lot of time looking at both the technical architectures and customer challenges. Every one of our OEM partners has a unique strategy for how they are delivering unique security services to their customers, and we view ourselves as an enabler of those strategies.

Louis:             When you visit customers, what are they most excited about? What’s their burning need right now? What are they focused on?

Christy:          Right now, we’re spending a lot of time with our customers focused on simplifying their experience and making these new capabilities easier to use, and easier to integrate into their environments. A lot of our customers have been with us for a long time and get very excited about how we make their jobs easier with more automation using things like our constantly expanding library of Reach scripts, enabling their IT teams to automate a lot of their endpoint tasks.

Where we also see a significant change in behavior is when we show them the power of some of our Resilience capabilities, paired with some of our analytics pieces. When we show them the state of the endpoint as it applies to their unique environment, where the gaps are, and demonstrate how we can help heal those gaps, I often hear, “Oh, I didn’t know Absolute could do that…” It’s a big departure from where we were ten years ago. So I think we’re going through a period of reintroducing ourselves to our customers and showing them that, even with the technology they already have, they could be doing so much more.

Louis:             How do you build the business case for Absolute?

Christy:          I think it depends on the customer. I think that if they’re a customer that’s talking to us about our visibility and control products, which are really about trust in our BIOS level visibility and control, management and tracking and locating and taking fine grain view at their assets, then I think the conversation is really about return on investment around the asset itself. Using their data to give them valuable insights about the state of their assets, as well as their posture. It’s a conversation about protecting the investment you’re making in your computing infrastructure.

When we’re talking to a customer about resiliency, it’s really about how much they are spending on security and how do we help them get back the return on investment of the dollars they’ve already spent. I believe the frenzy around security spending has put a lot of IT managers into a position where they have deep stacks and are not getting the full return on investment from those controls. We want to help them close the gap.

Louis:             How do you enable innovation of culture and be able to turn out the next generation products?

Christy:          So, I’ve done it a bunch of different ways, and I believe that what is most empowering to people who love to build great products….is when individuals get to see their stuff, their unique idea, their new concept go to market and be used by customers. We are fundamentally builders using our tools to solve customer problems.

What I like is a little bit more of the startup energy. Where people can bring forward ideas, and if we agree this is a cool idea – we invest.  We give them a team and a timeline. We can give those ideas an opportunity for commercialization. And by the way, that’s what engineers and innovators and entrepreneurs love the most. That’s what they want. They get passionate about pointing to a product and saying, “I did that. That’s super cool. It was my idea; they gave me a team. I learned a lot, and I got to have an impact.” And I think that impact is really what fires or fuels the innovation culture.

The Truth About Privileged Access Security On AWS And Other Public Clouds

 

Bottom Line: Amazon’s Identity and Access Management (IAM) centralizes identity roles, policies and Config Rules yet doesn’t go far enough to provide a Zero Trust-based approach to Privileged Access Management (PAM) that enterprises need today.

AWS provides a baseline level of support for Identity and Access Management at no charge as part of their AWS instances, as do other public cloud providers. Designed to provide customers with the essentials to support IAM, the free version often doesn’t go far enough to support PAM at the enterprise level. To AWS’s credit, they continue to invest in IAM features while fine-tuning how Config Rules in their IAM can create alerts using AWS Lambda. AWS’s native IAM can also integrate at the API level to HR systems and corporate directories, and suspend users who violate access privileges.

In short, native IAM capabilities offered by AWS, Microsoft Azure, Google Cloud, and more provides enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to fully address the more challenging, complex areas of IAM and PAM in hybrid or multi-cloud environments.

The Truth about Privileged Access Security on Cloud Providers Like AWS

The essence of the Shared Responsibility Model is assigning responsibility for the security of the cloud itself including the infrastructure, hardware, software, and facilities to AWS and assign the securing of operating systems, platforms, and data to customers. The AWS version of the Shared Responsibility Model, shown below, illustrates how Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations as the customers’ responsibility:

AWS provides basic IAM support that protects its customers against privileged credential abuse in a homogenous AWS-only environment. Forrester estimates that 80% of data breaches involve compromised privileged credentials, and a recent survey by Centrify found that 74% of all breaches involved privileged access abuse.

The following are the four truths about privileged access security on AWS (and, generally, other public cloud providers):

  1. Customers of AWS and other public cloud providers should not fall for the myth that cloud service providers can completely protect their customized and highly individualized cloud instances. As the Shared Responsibility Model above illustrates, AWS secures the core areas of their cloud platform, including infrastructure and hosting services. AWS customers are responsible for securing operating systems, platforms, and data and most importantly, privileged access credentials. Organizations need to consider the Shared Responsibility Model the starting point on creating an enterprise-wide security strategy with a Zero Trust Security framework being the long-term goal. AWS’s IAM is an interim solution to the long-term challenge of achieving Zero Trust Privilege across an enterprise ecosystem that is going to become more hybrid or multi-cloud as time goes on.
  2. Despite what many AWS integrators say, adopting a new cloud platform doesn’t require a new Privileged Access Security model. Many organizations who have adopted AWS and other cloud platforms are using the same Privileged Access Security Model they have in place for their existing on-premises systems. The truth is the same Privileged Access Security Model can be used for on-premises and IaaS implementations. Even AWS itself has stated that conventional security and compliance concepts still apply in the cloud. For an overview of the most valuable best practices for securing AWS instances, please see my previous post, 6 Best Practices For Increasing Security In AWS In A Zero Trust World.
  3. Hybrid cloud architectures that include AWS instances don’t need an entirely new identity infrastructure and can rely on advanced technologies, including Multi-Directory Brokering. Creating duplicate identities increases cost, risk, and overhead and the burden of requiring additional licenses. Existing directories (such as Active Directory) can be extended through various deployment options, each with their strengths and weaknesses. Centrify, for example, offers Multi-Directory Brokering to use whatever preferred directory already exists in an organization to authenticate users in hybrid and multi-cloud environments. And while AWS provides key pairs for access to Amazon Elastic Compute Cloud (Amazon EC2) instances, their security best practices recommend a holistic approach should be used across on-premises and multi-cloud environments, including Active Directory or LDAP in the security architecture.
  4. It’s possible to scale existing Privileged Access Management systems in use for on-premises systems today to hybrid cloud platforms that include AWS, Google Cloud, Microsoft Azure, and other platforms. There’s a tendency on the part of system integrators specializing in cloud security to oversell cloud service providers’ native IAM and PAM capabilities, saying that a hybrid cloud strategy requires separate systems. Look for system integrators and experienced security solutions providers who can use a common security model already in place to move workloads to new AWS instances.

Conclusion

The truth is that Identity and Access Management solutions built into public cloud offerings such as AWS, Microsoft Azure, and Google Cloud are stop-gap solutions to a long-term security challenge many organizations are facing today. Instead of relying only on a public cloud provider’s IAM and security solutions, every organization’s cloud security goals need to include a holistic approach to identity and access management and not create silos for each cloud environment they are using. While AWS continues to invest in their IAM solution, organizations need to prioritize protecting their privileged access credentials – the “keys to the kingdom” – that if ever compromised would allow hackers to walk in the front door of the most valuable systems an organization has. The four truths defined in this article are essential for building a Zero Trust roadmap for any organization that will scale with them as they grow. By taking a “never trust, always verify, enforce least privilege” strategy when it comes to their hybrid- and multi-cloud strategies, organizations can alleviate costly breaches that harm the long-term operations of any business.

74% Of Data Breaches Start With Privileged Credential Abuse

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. Photo credit: iStock

Enterprises who are prioritizing privileged credential security are creating a formidable competitive advantage over their peers, ensuring operations won’t be interrupted by a breach. However, there’s a widening gap between those businesses protected from a breach and the many who aren’t. In quantifying this gap consider the typical U.S.-based enterprise will lose on average $7.91M from a breach, nearly double the global average of $3.68M according to IBM’s 2018 Data Breach Study.

Further insights into how wide this gap is are revealed in Centrify’s Privileged Access Management in the Modern Threatscape survey results published today. The study is noteworthy as it illustrates how wide the gap is between enterprises’ ability to avert and thwart breaches versus their current levels of Privileged Access Management (PAM) and privileged credential security. 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access credential abuse, yet just 48% have a password vault, just 21% have multi-factor authentication (MFA) implemented for privileged administrative access, and 65% are sharing root or privileged access to systems and data at least somewhat often.

Addressing these three areas with a Zero Trust approach to PAM would make an immediate difference in security.

“What’s alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access. IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords,” remarked Tim Steinkopf, Centrify CEO. FINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online in October 2018. Please see the study here for more on the methodology.

How You Choose To Secure Privileged Credentials Determines Your Future 

Identities are the new security perimeter. Threats can emerge within and outside any organization, at any time. Bad actors, or those who want to breach a system for financial gain or to harm a business, aren’t just outside. 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, and 24% of employees know of someone who has sold privileged credentials to outsiders, according to a recent Accenture survey.

Attackers are increasingly logging in using weak, stolen, or otherwise compromised credentials. Centrify’s survey underscores how the majority of organizations’ IT departments have room for improvement when it comes to protecting privileged access credentials, which are the ‘keys to the kingdom.’ Reading the survey makes one realize that forward-thinking enterprises who are prioritizing privileged credential security gain major cost and time advantages over their competitors. They’re able to keep their momentum going across every area of their business by not having to recover from breaches or incur millions of dollars on losses or fines as the result of a breach.

One of the most promising approaches to securing every privileged identity and threat space within and outside an organization is Zero Trust Privilege (ZTP). ZTP enables an organizations’ IT team to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Key Lessons Learned from the Centrify Survey

How wide the gap is between organizations who see identities as the new security perimeter and are adopting a Zero Trust approach to securing them and those that aren’t is reflected in the results of Centrify’s Privileged Access Management in the Modern Threatscape surveyThe following are the key lessons learned of where and how organizations can begin to close the security gaps they have that leave them vulnerable to privileged credential abuse and many other potential threats:

  • Organizations’ most technologically advanced areas that are essential for future growth and attainment of strategic goals are often the most unprotected. Big Data, cloud, containers and network devices are the most important areas of any IT infrastructure. According to Centrify’s survey, they are the most unprotected as well. 72% of organizations aren’t securing containers with privileged access controls. 68% are not securing network devices like hubs, switches, and routers with privileged access controls. 58% are not securing Big Data projects with privileged access controls. 45% are not securing public and private cloud workloads with privileged access controls. The study finds that UK-based businesses lag U.S.-based ones in each of these areas as the graphic below shows:

  • Only 36% of U.K. organizations are very confident in their company’s current IT security software strategies, compared to 65% in the U.S. The gap between organizations with hardened security strategies that have a higher probability of withstanding breach attempts is wide between U.K. and U.S.-based businesses. 44% of U.K. respondents weren’t positive about what Privileged Access Management is, versus 26% of U.S. respondents. 60% of U.K. respondents don’t have a password vault.

  • Just 35% of U.S. organizations and 30% of those in the UK are relying on Privileged Access Management to manage partners’ access to privileged credentials and infrastructure. Partners are indispensable for scaling any new business strategy and expanding an existing one across new markets and countries. Forward-thinking organizations look at every partner associates’ identity as a new security perimeter. The 35% of U.S.-based organizations doing this have an immediate competitive advantage over the 65% who aren’t. By enforcing PAM across their alliances and partnerships, organizations can achieve uninterrupted growth by eliminating expensive and time-consuming breaches that many businesses never fully recover from.
  • Organizations’ top five security projects for 2019 include protecting cloud data, preventing data leakage, analyzing security incidents, improving security education/awareness and encrypting data. These top five security projects could be achieved at scale by having IT teams implement a Zero Trust-based approach to Privileged Access Management (PAM). The time, cost and scale advantages of getting the top five security projects done using Zero Trust would free up IT teams to focus on projects that deliver direct revenue gains for example.

Conclusion

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. It also reveals that there is a strong desire to adhere to best practices when it comes to PAM (51% of respondents) and that the reason it is not being adequately implemented rarely has to do with prioritization or difficulty but rather budget constraints and executive buy-in.

The survey also shows U.K. – and U.S.-based organizations need to realize identity is the new security perimeter. For example, only 37% of respondents’ organizations are able to turn off privileged access for an employee who leaves the company within one day, leaving a wide-open exposure point that can continue to be exploited.

There are forward-thinking organizations who are relying on Zero Trust Privilege as a core part of their digital transformation efforts as well. The survey found that given a choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d prefer to work on, followed by Endpoint Security (37%) and Privileged Access Management (28%). Many enterprises see digital transformation’s missing link being Zero Trust and the foundation for redefining their businesses by defining every identity as a new security perimeter, so they can securely scale and grow faster than before.

Digital Transformation’s Missing Link Is Zero Trust

    • Enterprises will invest $2.4T by 2020 in digital transformation technologies including cloud platforms, cognitive systems, IoT, mobile, robotics, and integration services according to the World Economic Forum.
    • Digital transformation software and services revenue in the U.S. is predicted to reach $490B in 2025, soaring from $190B in 2019, attaining a Compound Annual Growth Rate (CAGR) of 14.49% according to Grand View Research published by Statista.
    • IDC predicts worldwide spending on the technologies and services that enable the digital transformation of business practices, products, and organizations will reach $1.97T in 2022.
    • Legacy approaches to Privileged Access Management (PAM) don’t protect the new threatscapes digital transformation initiatives create, making Zero Trust Privilege essential for enterprises.

B2B customers, including manufacturers looking to replace legacy production equipment with smart, connected machines, have high expectations when it comes to product quality, ease of integration, and intuitive user experiences. Replacing factories full of legacy assets with smart, connected machinery is one of the most powerful catalysts driving digital transformation today. Innovative smart, connected machinery and the performance gains they provide are the oxygen that keeps customer relationships alive. That’s why digital transformation forecasts from the World Economic Forum, Grand View ResearchIDC, and many others predict perennial growth. The many forecasts reflect a fundamental truth: digital transformation done with intensity creates a customer-driven renaissance for any business.

Businesses digitally transforming themselves are succeeding because they’ve made themselves accountable and transparent to customers. Earning and protecting that trust is the heartbeat of any business’ growth. 51% of enterprises invest in digital transformation to capture growth opportunities in new markets, with 46% investing to stay in front of evolving customer behaviors and preferences. Brian Solis’ excellent report, The State of Digital Transformation, 2018 – 2019 Edition (31 pp., PDF, opt-in) shows how digitally transforming any business with the customer first leads to greater growth. The graphic from his study illustrates this point:

 

Closing The Digital Transformation Gap With Zero Trust

Gaps exist between the results digital transformation initiatives are delivering today, and the customer-driven value they’re capable of. According to Gartner, 75% of digital transformation projects are not aligned internally today, leading to delayed new product launches, mediocre experiences, and greater security risks than ever before. Interactive, IoT-enabled experiences and products are expanding the threatscape of enterprises to include Big Data, cloud, containers, DevOps, IoT systems, and more. With that comes a host of new exposure points, many of which allow access to sensitive data that must be protected with modern Privileged Access Management solutions that reduce risk in these modern enterprise use cases.

The new security perimeter is identity. Forrester estimates that 80% of data breaches are caused by privileged access abuse. Every smart, connected machine that replaces legacy production equipment is another identity that defines a manufacturer’s security perimeter.

As the use cases and adoption of smart, connected machines proliferate, so too does the urgency that manufacturers need to replace their legacy approaches to Privileged Access Management (PAM). Relying on outdated strategies for protecting administrative access to all machines needs to be replaced with a “never trust, always verify, enforce least privilege” approach.

IT needs to improve how they’re protecting the most privileged access credentials, the ‘keys to the kingdom,’ by granting just-enough, just-in-time privilege. Of the many cybersecurity approaches available today, Zero Trust Privilege (ZTP) enables IT to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

The more diverse any digital transformation strategy, the greater the risk of privileged credential abuse. Thwarting privileged credential abuse needs to start with a least privilege access approach, minimizing each attack surface, improving audit and compliance visibility while reducing risk, complexity, and costs. Leaders in Zero Trust include CentrifyMobileIronPalo Alto Networks, and others. Of these companies, Centrify’s approach to Zero Trust to prevent privileged access abuse shows the greatest potential for securing digital transformation initiatives and strategies.

How To Secure Digital Transformation Strategies

IDG Research found in their Security Priorities for 2018 study that 71% of security-focused IT decision-makers are aware of the Zero Trust model and 18% of enterprises are either running pilots or have implemented Zero Trust.

Zero Trust Privilege (ZTP) is the force multiplier digital transformation initiatives need to reach their true potential by securing administrative access to the complex mix of machinery and infrastructure – and the sensitive data they hold and use – that manufacturers rely on daily.

Starting with a strategic perspective, ZTP’s contribution to securing digital transformation deployments apply to every area of planning, pilots, platforms, product, and service data being designed to stop the leading cause of breaches, which is privileged credential abuse. The following graphic illustrates how ZTP needs to span every aspect of an enterprise’s digital transformation capabilities.

Source: World Economic Forum, Digital Transformation Initiative, May 2018

Conclusion

By 2020, 30% of Global 2000 companies will have allocated capital budget equal to at least 10% of revenue to fuel their digital transformation strategies according to IDC.  European spending on technologies and services that enable the digital transformation of business practices, products, and organizations is forecasted to reach $378.2B in 2022. The perennial growth these forecasts promise is predicated on enterprises delivering new experiences and innovative products, which create the oxygen that keeps their customer relationships alive.

Amidst all the potential for growth, enterprises need to realize every new infrastructure element, machine, or connected production asset is a new identity that collectively comprises the fabric of their security perimeter. Legacy cybersecurity approaches won’t scale to protect the proliferating number of smart machines being put into use today. Relying entirely on legacy approaches to PAM, where privileged access to systems and resources only inside the network are secure, is failing today. Smart, connected machinery and the products and experiences they deliver require an entirely new cybersecurity strategy, one based on a “never trust, always verify, enforce least privilege” approach. Centrify Zero Trust Privilege shows potential to meet this challenge by granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

%d bloggers like this: