
Posts tagged ‘Gartner’

CIO’s Guide To Stopping Privileged Access Abuse – Part I

CIOs face the paradox of having to protect their businesses while at the same time streamlining access to the information and systems their companies need to grow. The threatscape they’re facing requires an approach to security that is adaptive to the risk context of each access attempt across any threat surface, anytime. Using risk scores to differentiate between privileged users attempting to access secured systems in a riskier context than normal versus privileged credential abuse by attackers has proven to be an effective approach for thwarting credential-based breaches.

Privileged credential abuse is one of the most popular breach strategies organized crime and state-sponsored cybercrime organizations use. They’d rather walk in the front door of enterprise systems than hack in. 74% of IT decision makers surveyed whose organizations have been breached in the past say it involved privileged access credential abuse, yet just 48% have a password vault. Just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. These and many other insights are from Centrify’s recent survey, Privileged Access Management in the Modern Threatscape.

How CIOs Are Solving the Paradox of Privileged Credential Abuse

The challenge to every CIO’s security strategy is to adapt to risk contexts in real-time, accurately assessing every access attempt across every threat surface, risk-scoring each in milliseconds. By taking a “never trust, always verify, enforce least privilege” approach to security, CIOs can provide an adaptive, contextually accurate Zero Trust-based approach to verifying privileged credentials. Zero Trust Privilege is emerging as a proven framework for thwarting privileged credential abuse by verifying who is requesting access, the context of the request, and the risk of the access environment.

By taking a least privilege access approach, organizations can minimize attack surfaces, improve audit and compliance visibility, and reduce risk, complexity, and the costs of operating a modern, hybrid enterprise. CIOs are solving the paradox of privileged credential abuse by recognizing that even when a privileged user has entered the right credentials, a request that comes in with risky context needs stronger verification before access is permitted.

Strategies For Stopping Privileged Credential Abuse

The following are five strategies CIOs need to concentrate on to stop privileged credential abuse. Starting with an inventory of privileged accounts and progressing through finding the gaps in IT infrastructure that create opportunities for privileged credential abuse, CIOs and their teams need to take preemptive action now to avert potential breaches in the future.

In Part 1 of a CIO’s Guide to Stopping Privileged Access Abuse, below are the steps they can take to get started:

  1. Discover and inventory all privileged accounts and their credentials to define who is accountable for managing their security and use. According to a survey by Gartner, more than 65% of enterprises are allowing shared use of privileged accounts with no accountability for their use. CIOs realize that a lack of consistent governance policies creates many opportunities for privileged credential abuse. They’re also finding orphaned accounts, multiple owners for privileged credentials and the majority of system administrators having super user or root user access rights for the majority of enterprise systems.
  2. Vault your cloud platforms’ Root Accounts and federate access to AWS, Google Cloud Platform, Microsoft Azure and other public cloud consoles. Root passwords on each of the cloud platforms your business relies on are the “keys to the kingdom” and give bad actors inside and outside the company the means to exfiltrate data with ease. The recent news of how a fired employee deleted his former employer’s 23 AWS servers is a cautionary tale of what happens when a Zero Trust approach to privileged credentials isn’t adopted. Centrify’s survey found that 63% of organizations take more than a day to shut off privileged access for an employee after leaving the company. Given that AWS root user accounts have the privilege to delete all instances immediately, it’s imperative for organizations to have a password vault where AWS root account credentials are stored. Instead of local AWS IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login. By doing so, you obviate the need for long-lived access keys.
  3. Audit privileged sessions and analyze patterns to find potential privileged credential sharing or abuse not immediately obvious from audits. Audit and log authorized and unauthorized user sessions across all enterprise systems, especially focusing on root password use across all platforms. Taking this step is essential for assigning accountability for each privileged credential in use. It will also tell you if privileged credentials are being shared widely across the organization. Taking a Zero Trust approach to securing privileged credentials will quickly find areas where there could be potential lapses or gaps that invite breaches. For AWS accounts, be sure to use AWS CloudTrail and Amazon CloudWatch to monitor all API activity across all AWS instances and your AWS account.
  4. Enforce least privilege access now within your existing infrastructure as much as possible, defining a security roadmap based on the foundations of Zero Trust as your future direction. Using the inventory of all privileged accounts as the baseline, update least privilege access on each credential now and implement a process for privilege elevation that will lower the overall risk and ability for attackers to move laterally and extract data. The days of “trust but verify” are over. CIOs from insurance and financial services companies I recently spoke with point out that their new business models, all of them heavily reliant on secured Internet connectivity, are making Zero Trust the cornerstone of their future services strategies. They’re all moving beyond “trust but verify” to adopt a more adaptive approach to knowing the risk context by threat surface in real-time.
  5. Adopt multi-factor authentication (MFA) across all threat surfaces that can adapt and flex to the risk context of every request for resources. The CIOs running a series of insurance and financial services firms, a few of them former MBA students of mine, say multi-factor authentication is a must-have today for preventing privileged credential abuse. Their take on it is that adding in an authentication layer that queries users with something they know (user name, password, PIN or security question) with something they have (smartphone, one-time password token or smart card), something they are (biometric identification like fingerprint) and something they’ve done (contextual pattern matching of what they normally do where) has helped thwart privileged credential abuse exponentially since they adopted it. This is low-hanging fruit: adaptive MFA has made the productivity impact of this additional validation practically moot.
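
An added example, not part of the original post, of the audit in step 3 applied to the risks in step 2: it scans CloudTrail records for root-user activity, console logins without MFA, and creation or use of long-lived access keys. The sample records, account ID, ARNs and key IDs are constructed, and the finding labels and function names are hypothetical.

```python
import json

# Constructed CloudTrail-style records for illustration (not real logs).
SAMPLE_EVENTS = json.loads("""[
  {"eventTime": "2019-03-01T02:14:07Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
  {"eventTime": "2019-03-01T02:16:40Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "TerminateInstances",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
  {"eventTime": "2019-03-01T09:02:11Z", "eventSource": "iam.amazonaws.com",
   "eventName": "CreateAccessKey",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build",
                    "accessKeyId": "AKIAEXAMPLEKEY000001"}},
  {"eventTime": "2019-03-01T09:30:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances",
   "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
                    "arn": "arn:aws:sts::111122223333:assumed-role/Admins/alice"}}
]""")

def findings_for(event):
    """Return the finding labels that apply to one CloudTrail record."""
    ident = event.get("userIdentity", {})
    extra = event.get("additionalEventData") or {}
    found = []
    if ident.get("type") == "Root":
        # Any root activity is notable: the root credential belongs in a vault.
        found.append("root-activity")
    # Only local identities are checked: federated logins do MFA at the IdP,
    # so CloudTrail reports MFAUsed "No" for them even when MFA was enforced.
    if (event.get("eventName") == "ConsoleLogin" and extra.get("MFAUsed") == "No"
            and ident.get("type") in ("Root", "IAMUser")):
        found.append("console-login-without-mfa")
    if event.get("eventName") == "CreateAccessKey":
        found.append("long-lived-key-created")
    # AKIA prefixes mark long-lived IAM user keys; ASIA marks temporary STS keys.
    if ident.get("accessKeyId", "").startswith("AKIA"):
        found.append("long-lived-key-used")
    return found

def audit(events):
    """Return (time, principal ARN, event name, findings) per flagged record."""
    report = []
    for ev in events:
        labels = findings_for(ev)
        if labels:
            arn = ev.get("userIdentity", {}).get("arn", "unknown")
            report.append((ev["eventTime"], arn, ev["eventName"], labels))
    return report
```

The federated `AssumedRole` session with a temporary key produces no finding, which is the end state step 2 argues for.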

Conclusion

Every CIO I know is now expected to be a business strategist first, and a technologist second. At the top of many of their lists of priorities is securing the business so it can achieve uninterrupted growth. The CIOs I regularly speak with running insurance and financial services companies often speak of how security is as much a part of their new business strategies as the financial products their product design teams are developing. The bottom line is that the more adaptive and able to assess the context of risks for each privilege access attempt a company’s access management posture can become, the more responsive they can be to employees and customers alike, fueling future growth.

Gartner’s Top 10 Strategic Technology Trends For 2015

Gartner presented their top 10 strategic technology trends for 2015 at their annual Gartner Symposium/ITxpo 2014 held in Orlando earlier this month. Computing Everywhere, the Internet of Things (IoT) and 3D Printing are projected to be the three most important strategic technology trends in 2015.

3D Printing Will Continue To Revolutionize Prototyping And Manufacturing  

3D printing is forecast to reach a tipping point in the next three years due to streamlined prototyping and short-run manufacturing. Improving time-to-market, ensuring greater accuracy of highly customized products, and reducing production costs over the long-term are three of the many benefits companies are adopting 3D printing for today.  Be sure to read Larry Dignan’s excellent post covering the conference and top ten strategic technology trends, 3D printing turns strategic in 2015, says Gartner.

Taking Analytics To The Next Level in 2015

Advanced, persuasive and invisible analytics, context-rich systems, and smart machines also are included in the top 10 strategic technology trends for 2015. Given how quickly analytics is maturing as a technology category, it’s understandable why Gartner ranked this area as the 4th most strategic.  In 2015, analytics will move beyond providing dashboards with metrics and Key Performance Indicators (KPIs) to a more intuitive series of applications that give business analysts the flexibility to define models and test them in real-time. Alteryx and Tableau are interesting companies to watch in this area and Tableau Public is worth checking out and learning due to its advanced visualization features (free, opt-in).

Cloud Computing Becomes Part Of The New IT Reality

The last four technology trends Gartner mentions include cloud/client computing, software-defined applications and infrastructure, Web-scale IT and risk-based security and self-protection.

The following graphic provides an overview of the top 10 strategic technology trends for 2015.

[Graphic: Gartner’s top 10 strategic technology trends for 2015]

Sizing the Public Cloud Services Market

Gartner’s latest forecast of the public cloud services market predicts that by 2015, this worldwide market will be worth $176.8 billion, achieving a five-year compound annual growth rate (CAGR) of 18.9%.

Their latest forecast is based on defining the public cloud services market from revenue generation, not an IT spending perspective.  This is in contrast to the public cloud services forecast IDC also released this week, stating that public IT cloud services spending would reach $72.9B by 2015.  Of the two approaches, the one that is revenue-based delivers a more granular, detailed look at Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) challenges and opportunities for growth (see tables below for details).  The Gartner report, Public Cloud Services, Worldwide and Regions, Industry Sectors, 2010-2015, 2011 Update, was published on June 29, 2011.

Gartner’s decision to base their methodology on revenue generated versus pure IT spending opens up the potential to evaluate entirely new business models based on services growth. The forecast is based on revenue either directly or indirectly generated from the sales of services and from sales to enterprise or consumers. Business process services are defined in this forecast as any process that can be delivered as a service over a scalable, elastic and secure connection over the web. This includes advertising, payroll, printing, e-commerce, in addition to applying applications and systems infrastructure. Presented below are key take-aways and analysis from the reports.

Key Take-Aways

  • By 2015, the total market will be worth $176.8 billion, which represents a five-year compound annual growth rate (CAGR) from 2010 of 18.9%. The largest part of this is revenue derived from advertising that is used to provide IT services ($77.1 billion in 2015), which represents an addition to the total size of the IT market.
  • The transition of software from licensed to service models continues, but it has yet to reach breakthrough proportions (9.6% in 2010, rising to 13.8% in 2015). Traditional outsourcing services also continue to transition to cloud delivery models, involving a high degree of service standardization. Gartner continues to take a conservative view of revenue recognition in terms of SaaS adoption compared to other research firms as is shown in the following table.

  • Application and systems infrastructure are projected to grow the fastest in terms of revenue generation through 2015, with advertising-related revenue being a significant proportion of the total public cloud services market through the forecast period.  The following table breaks out public cloud revenue globally by business process services, applications, application infrastructure and systems infrastructure.
  • The high-tech, manufacturing and financial services sectors and the public sector will continue to be the most-aggressive adopters of cloud services through 2015.  Presented below is a table comparing cloud services revenue by industry sector.
  • The North American market continues to be, by far, the largest regional market representing 60% of the global market currently, but growth in China remains of interesting potential.
  • Financial services organizations in aggregate represent the largest users of public cloud services.
  • Some smaller countries will demonstrate very high growth (more than 25%) in e-commerce cloud services, because of high growth in underlying retail e-commerce. The Census Bureau of the U.S. Department of Commerce estimates that e-commerce sales in the fourth quarter of 2010 accounted for 4.3% of total U.S. retail sales.

Bottom line: Taking a revenue-based approach to defining cloud services shows how critical the application and system infrastructure is to overall market growth.  Gartner predicts the fastest growing revenue generating segment of public clouds will be storage services (89.5%) followed by Compute Services (47.8%) and supply management (39.5%).
