Skip to content
Advertisements

Posts tagged ‘Zero Trust Security’

How To Secure Mobile Devices In A Zero Trust World

  • 86% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types.
  • 48% say they’ve sacrificed security to “get the job done” up from 32% last year.
  • 41% of those affected say the compromise is having major with lasting repercussions and 43% said that their efforts to remediate the attacks were “difficult and expensive.”

Bottom Line: The majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device or platform today according to Verizon’s Mobile Security Index 2019.

Why Mobile Devices Are the Fastest Growing Threat Surface Today     

Verizon found that 86% of enterprises see an upswing in the number, scale, and scope of mobile breach attempts in 2019. When broken out by industry, Financial Services, Professional Services, and Education are the most commonly targeted industries as the graphic below shows:

The threat surfaces every organization needs to protect is exponentially increasing today based on the combination of employee- and company-owned mobile devices. 41% of enterprises rate mobile devices as their most vulnerable threat surface this year:

Passwords and Mobile Devices Have Become A Hacker’s Paradise

“The only people who love usernames and passwords are hackers,” said Alex Simons, corporate vice president at Microsoft’s identity division in a recent Wall Street Journal article, Username and Password Hell: Why the Internet Can’t Keep You Logged In. Verizon found that mobile devices are the most vulnerable, fastest-growing threat surface there is, making it a favorite with state-sponsored and organized crime syndicates. How rapidly mobile devices are proliferating in enterprises today frequently outpace their ability to secure them, falling back on legacy Privileged Access Management (PAM) approaches that hacking syndicates know how to get around easily using compromised passwords and privileged access credentials. Here’s proof of how much of a lucrative paradise it is for hackers to target passwords and mobile devices first:

  • Hacker’s favorite way to gain access to any business is by using privileged access credentials, which are increasingly being harvested from cellphones using malware. Hacking organizations would rather walk in the front door of any organizations’ systems rather than expend the time and effort to hack in. It’s by far the most popular approach with hackers, with 74% of IT decision makers whose organizations have been breached in the past say it involved privileged access credential abuse according to a recent Centrify survey, Privileged Access Management in the Modern Threatscape. Only 48% of the organizations have a password vault, and just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. The Verizon study found that malware is the most common strategy hackers use to gain access to corporate networks. MobileIron’s Global Threat Report, mid-year 2018 found that 3.5% of Android devices are harboring known malware. Of these malicious apps, over 80% had access to internal networks and were scanning nearby ports. This suggests that the malware was part of a larger attack.

Securing Mobile Devices In A Zero Trust World Needs To Happen Now

Mobile devices are an integral part of everyone’s identity today. They are also the fastest growing threat surface for every business – making identities the new security perimeter. Passwords are proving to be problematic in scaling fast enough to protect these threat surfaces, as credential abuse is skyrocketing today. They’re perennial best-sellers on the Dark Web, where buyers and sellers negotiate in bitcoin for companies’ logins and passwords – often with specific financial firms, called out by name in “credentials wanted” ads. Organizations are waking up to the value of taking a Zero Trust approach to securing their businesses, which is a great start. Passwords are still the most widely relied-on security mechanism – and continue to be the weakest link in today’s enterprise security.  That needs to change. According to the Wall Street Journal, the World Wide Web Consortium has recently ratified a standard called WebAuthN, which allows websites to authenticate users with biometric information, or physical objects like security keys, and skip passwords altogether.

MobileIron is also taking a unique approach to this challenge by introducing zero sign-on (ZSO), built on the company’s unified endpoint management (UEM) platform and powered by the MobileIron Access solution. “By making mobile devices your identity, we create a world free from the constant pains of password recovery and the threat of data breaches due to easily compromised credentials,” wrote Simon Biddiscombe, MobileIron’s President and Chief Executive Officer in his recent blog post, Single sign-on is still one sign-on too many. Simon’s latest post MobileIron: We’re making history by making passwords history, provides the company’s vision going forward with ZSO. Zero sign-on eliminates passwords as the primary method for user authentication, unlike single sign-on, which still requires at least one username and password. MobileIron paved the way for a zero sign-on enterprise with its Access product in 2017, which enabled zero sign-on to cloud services on managed devices.

Conclusion

Mobile devices are the most quickly proliferating threat surface there are today and an integral part of everyone’s identities as well. Thwarting the many breach attempts attempted daily over mobile devices and across all threat surfaces needs to start with a solid Zero Trust framework. MobileIron’s introduction of zero sign-on (ZSO) eliminates passwords as the method for user authentication, replacing single sign-on, which still requires at least one username and password. ZSO is exactly what enterprises need to secure the proliferating number of mobile devices they rely on to operate and grow in a Zero Trust world.

Advertisements

CIO’s Guide To Stopping Privileged Access Abuse – Part 2

Why CIOs Are Prioritizing Privileged Credential Abuse Now

Enterprise security approaches based on Zero Trust continue to gain more mindshare as organizations examine their strategic priorities. CIOs and senior management teams are most focused on securing infrastructure, DevOps, cloud, containers, and Big Data projects to stop the leading cause of breaches, which is privileged access abuse.

Based on insights gained from advisory sessions with CIOs and senior management teams, Forrester estimates that 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates. In another survey completed by Centrify, 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access abuse. Furthermore, 65% of organizations are still sharing root or privileged access to systems and data at least somewhat often. Centrify’s survey, Privileged Access Management in the Modern Threatscape, is downloadable here.

The following are the key reasons why CIOs are prioritizing privileged access management now:

  • Identities are the new security perimeter for any business, making privileged access abuse the greatest challenge CIOs face in keeping their businesses secure and growing. Gartner also sees privileged credential abuse as the greatest threat to organizations today, and has made Privileged Account Management one of the Gartner Top 10 Security Projects for 2018, and again in 2019Forrester and Gartner’s findings and predictions reflect the growing complexity of threatscapes every CIO must protect their business against while still enabling new business growth. Banking, financial services, and insurance (BFSI) CIOs often remark in my conversations with them that the attack surfaces in their organizations are proliferating at a pace that quickly scales beyond any trust but verify legacy approach to managing access. They need to provide applications, IoT-enabled devices, machines, cloud services, and human access to a broader base of business units than ever before.
  • CIOs are grappling with the paradox of protecting the rapidly expanding variety of attack surfaces from breaches while still providing immediate access to applications, systems, and services that support their business’ growth. CIOs I’ve met with also told me access to secured resources needs to happen in milliseconds, especially to support the development of new banking, financial services, and insurance applications in beta testing today, scheduled to be launched this summer. Their organizations’ development teams expect more intuitive, secure, and easily accessible applications than ever before, which is driving CIOs to prioritize privileged access management now
  • Adapting and risk-scoring every access attempt in real-time is key to customer experiences on new services and applications, starting with response times. CIOs need a security strategy that can flex or adapt to risk contexts in real-time, assessing every access attempt across every threat surface and generating a risk score in milliseconds. The CIOs I’ve met with regularly see a “never trust, always verify, enforce least privilege” approach to security as the future of how they’ll protect every threat surface from privileged access abuse. Each of their development teams is on tight deadlines to get new services launch to drive revenue in Q3. Designing in Zero Trust with a strong focus on Zero Trust Privilege is saving valuable development time now and is enabling faster authentication times of the apps and services in testing today.

Strategies For Stopping Privileged Credential Abuse – Part 2  

Recently I wrote a CIO’s Guide To Stopping Privileged Access Abuse – Part 1 detailing five recommended strategies for CIOs on how to stop privileged credential abuse. The first five strategies focus on the following: discovering and inventorying all privileged accounts; vaulting all cloud platforms’ Root Accounts; auditing privileged sessions and analyzing patterns to find privileged credential sharing not found during audits; enforcing least privilege access now within your existing infrastructure as much as possible; and adopting multi-factor authentication (MFA) across all threat surfaces that can adapt and flex to the risk context of every request for resources.

The following are the second set of strategies CIOs need to prioritize to further protect their organizations from privileged access abuse:

  1. After completing an inventory of privileged accounts, create a taxonomy of them by assigning users to each class or category, personalizing privileged credential access to the role and entitlement level for each. CIOs tell me this is a major time saver in scaling their Privileged Access Management (PAM) strategies. Assigning every human, machine and sensor-based identity is the goal with the overarching objective being the creation of a Zero Trust-based enterprise security strategy. Recommended initial classes or categories include IT administrators who are also responsible for endpoint security; developers who require occasional access to production instances; service desk teams and service operations; the Project Management Office (PMO) and project IT; and external contractors and consultants.
  2. By each category in the taxonomy, automate the time, duration, scope, resources, and entitlements of privileged access for each focusing on the estimated time to complete each typical task. Defining a governance structure that provides real-time access to resources based on successful authentication is a must-have for protecting privileged access credentials. By starting with the attributes of time, duration, scope and properties, organizations have a head start on creating a separation of duties (SOD) model. Separation of duties is essential for ensuring that privileged user accounts don’t have the opportunity to carry out and conceal any illegal or unauthorized activities.
  3. Using the taxonomy of user accounts created and hardened using the separation of duties model, automate privileged access and approval workflows for enterprise systems. Instead of having administrators approve or semi-automate the evaluation of every human- and machine-based request for access, consider automating the process with a request and approval workflow. With time, duration, scope, and properties of privileged access already defined human- and machine-based requests for access to IT systems and services are streamlined, saving hundreds of hours a year and providing a real-time log for audit and data analysis later.
  4. Break-glass, emergency or firecall account passwords need to be vaulted, with no exceptions. When there’s a crisis of any kind, the seconds it takes to get a password could mean the difference between cloud instances and entire systems being inaccessible or not. That’s why administrators often only manually secure root passwords to all systems, cloud platforms and containers included. This is the equivalent of leaving the front door open to the data center with all systems unlocked. The recent Centrify survey found that just 48% of organizations interviewed have a password vault. 52% are leaving the keys to the kingdom available for hackers to walk through the front door of data centers and exfiltraticate data whenever they want.
  5. Continuous delivery and deployment platforms including Ansible, Chef, Puppet, and others need to be configured when first installed to eliminate the potential for privileged access abuse. The CIOs whose teams are creating new apps and services are using Chef and Puppet to design and create workloads, with real-time integration needed with customer, pricing, and services databases and the systems they run on. Given how highly regulated insurance is, CIOs are saying they need to have logs that show activity down to the API level in case of an audit. The more regulated and audited a company, the more trusted and untrusted domains are seen as the past, Zero Trust as the future based on CIO’s feedback.

Conclusion

The CIOs I regularly meet with from the banking, financial services, and insurance industries are under pressure to get new applications and services launched while protecting their business’ daily operations. With more application and services development happening in their IT teams, they’re focusing on how they can optimize the balance between security and speed. New apps, services, and the new customers they attract are creating a proliferation of new threat surfaces, making every new identity the new security perimeter.

CIO’s Guide To Stopping Privileged Access Abuse – Part I

CIOs face the paradox of having to protect their businesses while at the same time streamlining access to the information and systems their companies need to grow. The threatscape they’re facing requires an approach to security that is adaptive to the risk context of each access attempt across any threat surface, anytime. Using risk scores to differentiate between privileged users attempting to access secured systems in a riskier context than normal versus privileged credential abuse by attackers has proven to be an effective approach for thwarting credential-based breaches.

Privileged credential abuse is one of the most popular breach strategies organized crime and state-sponsored cybercrime organizations use. They’d rather walk in the front door of enterprise systems than hack in. 74% of IT decision makers surveyed whose organizations have been breached in the past say it involved privileged access credential abuse, yet just 48% have a password vault. Just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. These and many other insights are from Centrify’s recent survey, Privileged Access Management in the Modern Threatscape.

How CIOs Are Solving the Paradox of Privileged Credential Abuse

The challenge to every CIO’s security strategy is to adapt to risk contexts in real-time, accurately assessing every access attempt across every threat surface, risk-scoring each in milliseconds. By taking a “never trust, always verify, enforce least privilege” approach to security, CIOs can provide an adaptive, contextually accurate Zero Trust-based approach to verifying privileged credentials. Zero Trust Privilege is emerging as a proven framework for thwarting privileged credential abuse by verifying who is requesting access, the context of the request, and the risk of the access environment.

By taking a least privilege access approach, organizations can minimize attack surfaces, improve audit and compliance visibility, and reduce risk, complexity, and the costs of operating a modern, hybrid enterprise. CIOs are solving the paradox of privileged credential abuse by knowing that even if a privileged user has entered the right credentials but the request comes in with risky context, then stronger verification is needed to permit access.

Strategies For Stopping Privileged Credential Abuse

The following are five strategies CIOs need to concentrate on to stop privileged credential abuse. Starting with an inventory of privileged accounts and progressing through finding the gaps in IT infrastructure that create opportunities for privileged credential abuse, CIOs and their teams need to take preemptive action now to avert potential breaches in the future.

In Part 1 of a CIO’s Guide to Stopping Privileged Access Abuse, below are the steps they can take to get started:

  1. Discover and inventory all privileged accounts and their credentials to define who is accountable for managing their security and use. According to a survey by Gartner, more than 65% of enterprises are allowing shared use of privileged accounts with no accountability for their use. CIOs realize that a lack of consistent governance policies creates many opportunities for privileged credential abuse. They’re also finding orphaned accounts, multiple owners for privileged credentials and the majority of system administrators having super user or root user access rights for the majority of enterprise systems.
  2. Vault your cloud platforms’ Root Accounts and federate access to AWS, Google Cloud Platform, Microsoft Azure and other public cloud consoles. Root passwords on each of the cloud platforms your business relies on are the “keys to the kingdom” and provide bad actors from inside and outside the company to exfiltrate data with ease. The recent news of how a fired employee deleted his former employer’s 23 AWS servers is a cautionary tale of what happens when a Zero Trust approach to privileged credentials isn’t adopted. Centrify’s survey found that 63% or organizations take more than a day to shut off privilege access for an employee after leaving the company. Given how AWS root user accounts have the privilege to delete all instances immediately, it’s imperative for organizations to have a password vault where AWS root account credentials are stored. Instead of local AWS IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login. By doing so, you obviate the need for long-lived access keys.
  3. Audit privileged sessions and analyze patterns to find potentially privileged credential sharing or abuse not immediately obvious from audits. Audit and log authorized and unauthorized user sessions across all enterprise systems, especially focusing on root password use across all platforms. Taking this step is essential for assigning accountability for each privileged credential in use. It will also tell you if privileged credentials are being shared widely across the organization. Taking a Zero Trust approach to securing privileged credentials will quickly find areas where there could be potential lapses or gaps that invite breaches. For AWS accounts, be sure to use AWS CloudTrail and Amazon CloudWatch to monitor all API activity across all AWS instances and your AWS account.
  4. Enforce least privilege access now within your existing infrastructure as much as possible, defining a security roadmap based on the foundations of Zero Trust as your future direction. Using the inventory of all privileged accounts as the baseline, update least privilege access on each credential now and implement a process for privilege elevation that will lower the overall risk and ability for attackers to move laterally and extract data. The days of “trust but verify” are over. CIOs from insurance and financial services companies recently spoken with point out that their new business models, all of them heavily reliant on secured Internet connectivity, are making Zero Trust the cornerstone of their future services strategies. They’re all moving beyond “trust but verify” to adopt a more adaptive approach to knowing the risk context by threat surface in real-time.
  5. Adopt multi-factor authentication (MFA) across all threat surfaces that can adapt and flex to the risk context of every request for resources. The CIOs running a series of insurance and financial services firms, a few of them former MBA students of mine, say multi-factor authentication is a must-have today for preventing privileged credential abuse. Their take on it is that adding in an authentication layer that queries users with something they know (user name, password, PIN or security question) with something they have (smartphone, one-time password token or smart card), something they are (biometric identification like fingerprint) and something they’ve done (contextual pattern matching of what they normally do where) has helped thwart privileged credential abuse exponentially since they adopted it. This is low-hanging fruit: adaptive MFA has made the productivity impact of this additional validation practically moot.

Conclusion

Every CIO I know is now expected to be a business strategist first, and a technologist second. At the top of many of their list of priorities is securing the business so it can achieve uninterrupted growth. The CIOs I regularly speak with running insurance and financial services companies often speak of how security is as much a part of their new business strategies as the financial products their product design teams are developing. The bottom line is that the more adaptive and able to assess the context of risks for each privilege access attempt a company’s access management posture can become, the more responsive they can be to employees and customers alike, fueling future growth.

5 Things Every Executive Needs To Know About Identity And Access Management

  • For new digital business models to succeed, customers’ privacy preferences need to be secure, and that begins by treating every identity as a new security perimeter.
  • Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, provides no protection against identity and credential-based threats. Until they start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches.
  • 74% of data breaches start with privileged credential abuse that could have been averted if the organizations had adopted a Privileged Access Management (PAM) strategy, according to a recent Centrify survey.
  • Just 48% of organizations have a password vault, and only 21% have multi-factor authentication (MFA) implemented for privileged administrative access.

New digital business models are redefining organizations’ growth trajectories and enabling startups to thrive, all driven by customer trust. Gaining and strengthening customer trust starts with a security strategy that can scale quickly to secure every identity and threat surface a new business model creates. Centrify’s recent survey, Privileged Access Management in the Modern Threatscape, found 74% of data breaches begin with privileged credential abuse. The survey also found that the most important areas of IT infrastructure that new digital business models rely on to succeed — including Big Data repositories, cloud platform access, containers, and DevOps — are among the most vulnerable. The most urgent challenges executives are facing include protecting their business, securing customer data, and finding new ways to add value to their business’ operations.

Why Executives Need to Know About Identity and Access Management Now  

Executives have a strong sense of urgency to improve Identity and Access Management (IAM) today to assure the right individuals access the right resources at the right times and for the right reasons. IAM components like Access Management, Single Sign-On, Customer Identity and Access Management (CIAM), Advanced Authentication, Identity Governance and Administration (IGA), IoT-Driven IAM, and Privileged Access Management address the need to ensure appropriate access to resources across an organization’s entire attack surface and to meet compliance requirements. Considering that privileged access abuse is the leading cause of today’s breaches, they’re especially prioritizing Privileged Account Management as part of their broader cybersecurity strategies to secure the “keys to their kingdom.” Gartner supports this view by placing a high priority on Privileged Account Management, including it in its Gartner Top 10 Security Projects for 2018, and again in 2019.

During a recent conversation with insurance and financial services executives, I learned why Privileged Access Management is such an urgent, high priority today. Privileged access abuse is the leading attack vector, where they see the majority of breach attempts to access the company’s most sensitive systems and data. It’s also where they can improve customer data security while also making employees more productive by giving them access systems and platforms faster. All of them know instances of hackers and state-sponsored hacking groups offering bitcoin payments in exchange for administrative-level logins and passwords to their financial systems.

Several of the executives I spoke with are also evaluating Zero Trust as the foundation for their cybersecurity strategy. As their new digital business models grow, all of them are focused on discarding the outdated, “trust, but verify” mindset and replacing it with Zero Trust, which mandates a “never trust, always verify” approach. They’re also using a least privilege access approach to minimize each attack surface and improve audit and compliance visibility while reducing risk, complexity, and costs.

The following are the five things every executive needs to know about Identity and Access Management to address a reality that every company and consumer must recognize exists today: attackers no longer “hack” in, they log in.

  1. Designing in the ability to manage access rights and all digital identities of privileged users require Privileged Access Management (PAM) and Identity Governance and Administration (IGA) systems be integrated as part of an IAM strategy. For digital business initiatives’ security strategies to scale, they need to support access requests, entitlement management, and user credential attestation for governance purposes. With identities being the new security perimeter, provisioning least privileged access to suppliers, distributors, and service organizations is also a must-have to scale any new business model. Natively, IGA is dealing only with end users – not privileged users. Therefore integration with PAM systems is required to bring in privileged user data and gain a holistic view of access entitlements.
  2. IAM is a proven approach to securing valuable Intellectual Property (IP), patents, and attaining regulatory compliance, including GDPR. The fascinating digital businesses emerging today also function as patent and IP foundries. A byproduct of their operations is an entirely new business, product and process ideas. Executives spoken with are prioritizing how they secure intellectual property and patents using an Identity and Access Management strategy.
  3. Knowing with confidence the identity of every user is what makes every aspect of an IAM strategy work. Having Multi-Factor Authentication (MFA) enabled for every access session, and threat surface is one of the main processes that make an IAM strategy succeed. It’s a best practice to reinforce Zero Trust principles through multi-factor authentication enforcement on each computer that cannot be circumvented (or bypassed) by malware.
  4. Designing in transaction verification now for future e-commerce digital business models is worth it. Think of your IAM initiative as a platform to create ongoing customer trust with. As all digital business initiatives rely on multi-channel selling, designing in transaction verification as part of an IAM strategy is essential. Organizations are combining verification and MFA to thwart breaches and the abuse of credential access abuse.
  5. In defining any IAM strategy focus on how Privileged Access Management (PAM) needs to be tailored to your specific business needs. PAM is the foundational element that turns the investments made in security into business value. It’s a catalyst for ensuring customer trust turns into revenue. Many organizations equate PAM with a password vault. But in a modern threatscape where humans, machines, applications, and services dynamically require access to a broadening range of attack surfaces such as cloud, IoT, Big Data, and containers, that outdated legacy approach won’t effectively secure the leading attack vector: privileged access abuse. Vendors such as Centrify and others are looking beyond the vault and offering Zero Trust solutions for PAM that address these modern access requestors and attack surfaces.

Conclusion

Insurance and financial services executives realize, and even predict, that there’s going to be an increase in the number and intensity of efforts to break into their systems using compromised credentials. Prioritizing Privileged Access Management as part of the IAM toolkit is proving to be an effective cybersecurity strategy for protecting their businesses and customers’ data while also making a valuable contribution to its growth. The bottom line is that Identity and Access Management is the cornerstone of any effective Zero Trust-based strategy, and taking an aggressive, pre-emptive approach to Privileged Access Management is the new normal for organizations’ cybersecurity strategies.

5 Ways To Demystify Zero Trust Security

Bottom Line: Instead of only relying on security vendors’ claims about Zero Trust, benchmark them on a series of five critical success factors instead, with customer results being key.

Analytics, Zero Trust Dominated RSA

Analytics dashboards dominated RSA from a visual standpoint, while Zero Trust Security reigned from an enterprise strategy one. Over 60 vendors claimed to have Zero Trust Security solutions at RSA, with each one defining the concept in a slightly different way.

RSA has evolved into one of the highest energy enterprise-focused conferences today, and in 2019 Zero Trust was center stage in dozens of vendor booths. John Kindervag created the Zero Trust Security framework while at Forrester in 2010. Chase Cunningham, who is a Principal Analyst at Forrester today, is a leading authority on Zero Trust and frequently speaks and writes on the topic. Be sure to follow his blog to stay up to date with his latest research. His most recent post, OK, Zero Trust Is An RSA Buzzword — So What?, captures the current situation on Zero Trust perfectly. Becca Chambers’ blog post, Talking All Things Zero Trust at RSA Conference 2019, includes an insightful video of how the conferences’ attendees define Zero Trust.

With so many vendors claiming to offer Zero Trust solutions, how can you tell which ones have enterprise-ready, scalable solutions?  The following are five ways to demystify Zero Trust:

  1. Customer references are willing to talk and case studies available. With the ambitious goal of visiting every one of the 60 vendors who claimed to have a Zero Trust solution at RSA, I quickly realized that there’s a dearth of customer references. To Chase Cunningham’s point, more customer use cases need to be created, and thankfully that’s on his research agenda. Starting the conversation with each vendor visited by asking for their definition of Zero Trust either led to a debate of whether Zero Trust was needed in the industry or how their existing architecture could morph to fit the framework. Booth staffs at the following companies deserve to be commended for how much they know about their customers’ success with Zero Trust: AkamaiCentrifyCiscoMicrosoftMobileIronPalo Alto NetworksSymantec, and Trend Micro. The team at Ledios Cyberwho was recently acquired by Capgemini, was demonstrating how Zero Trust applied to Industrial Control Systems and shared a wealth of customer insights as well.
  2. Defines success by their customers’ growth, stability and earned trust instead of relying on fear. A key part of de-mystifying Zero Trust is seeing how effective vendors are at becoming partners on the journey their customers are on. While in the Centrify booth I learned of how Interval International has been able to implement a least privilege model for employees, contractors, and consultants, streamline user onboarding, and enable the company to continue its rapid organic growth. At MobileIron, I learned how NASDAQ is scaling mobile applications including CRM to their global sales force on a Zero Trust platform. The most customer-centric Zero Trust vendors tend to differentiate on earned trust over selling fear.
  3. Avoid vendors who have a love-hate relationship with Zero Trust. Zero Trust is having an energizing effect on the security landscape as it provides vendors with a strategic framework they can differentiate themselves in. Security vendors are capitalizing on the market value right now, with product management and engineering teams working overtime to get new applications and platforms ready for market. I found a few vendors who have a love-hate relationship with Zero Trust. They love the marketing mileage or buzz, yet aren’t nearly as enthusiastic about changing product and service strategies. If you’re looking for Zero Trust solutions, be sure to watch for this and find a vendor who is fully committed.
  4. Current product strategies and roadmaps reflect a complete commitment to Zero Trust. Product demos at RSA ranged from supporting the fundamentals of Zero Trust to emulating its concepts on legacy architectures. One of the key attributes to look for is how perimeterless a given security application is that claims to support Zero Trust. How well can a given application protect mobile devices? An IoT device? How can a given application or security platform scale to protect privileged credentials? These are all questions to ask of any vendor who claims to have a Zero Trust solution. Every one of them will have analytics options; the question is whether they fit with your given business scenario. Finally, ask to see how Zero Trust can be automated across all user accounts and how privileged access management can be scaled using Identity Access Management systems including password vaults and Multi-Factor Authentication (MFA).
  5. A solid API strategy for scaling their applications and platforms with partner successes that prove it. One of the best questions to gauge the depth of commitment any vendor has to Zero Trust is to ask about their API strategy. It’s interesting to hear how vendors with Zero Trust-based product and services strategies are scaling inside their largest customers using APIs. Another aspect of this is to see how many of their services, system integration, technology partners are using their APIs to create customized solutions for customers. Success with an API strategy is a leading indicator of how reliably any Zero Trust vendor will be able to scale in the future.

Conclusion

RSA is in many ways a microcosm of the enterprise security market in general and Zero Trust specifically. The millions of dollars in venture capital invested in security analytics and Zero Trust made it possible for vendors to create exceptional in-booth experiences and demonstrations – much the same way venture investment is fueling many of their roadmaps and sales teams. Zero Trust vendors will need to provide application roadmaps that show their ability to move beyond prevention of breaches to more prediction, at the same time supporting customers’ needs to secure infrastructure, credentials, and systems to ensure uninterrupted growth.

74% Of Data Breaches Start With Privileged Credential Abuse

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. Photo credit: iStock

Enterprises who are prioritizing privileged credential security are creating a formidable competitive advantage over their peers, ensuring operations won’t be interrupted by a breach. However, there’s a widening gap between those businesses protected from a breach and the many who aren’t. In quantifying this gap consider the typical U.S.-based enterprise will lose on average $7.91M from a breach, nearly double the global average of $3.68M according to IBM’s 2018 Data Breach Study.

Further insights into how wide this gap is are revealed in Centrify’s Privileged Access Management in the Modern Threatscape survey results published today. The study is noteworthy as it illustrates how wide the gap is between enterprises’ ability to avert and thwart breaches versus their current levels of Privileged Access Management (PAM) and privileged credential security. 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access credential abuse, yet just 48% have a password vault, just 21% have multi-factor authentication (MFA) implemented for privileged administrative access, and 65% are sharing root or privileged access to systems and data at least somewhat often.

Addressing these three areas with a Zero Trust approach to PAM would make an immediate difference in security.

“What’s alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access. IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords,” remarked Tim Steinkopf, Centrify CEO. FINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online in October 2018. Please see the study here for more on the methodology.

How You Choose To Secure Privileged Credentials Determines Your Future 

Identities are the new security perimeter. Threats can emerge within and outside any organization, at any time. Bad actors, or those who want to breach a system for financial gain or to harm a business, aren’t just outside. 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, and 24% of employees know of someone who has sold privileged credentials to outsiders, according to a recent Accenture survey.

Attackers are increasingly logging in using weak, stolen, or otherwise compromised credentials. Centrify’s survey underscores how the majority of organizations’ IT departments have room for improvement when it comes to protecting privileged access credentials, which are the ‘keys to the kingdom.’ Reading the survey makes one realize that forward-thinking enterprises who are prioritizing privileged credential security gain major cost and time advantages over their competitors. They’re able to keep their momentum going across every area of their business by not having to recover from breaches or incur millions of dollars on losses or fines as the result of a breach.

One of the most promising approaches to securing every privileged identity and threat space within and outside an organization is Zero Trust Privilege (ZTP). ZTP enables an organizations’ IT team to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Key Lessons Learned from the Centrify Survey

How wide the gap is between organizations who see identities as the new security perimeter and are adopting a Zero Trust approach to securing them and those that aren’t is reflected in the results of Centrify’s Privileged Access Management in the Modern Threatscape surveyThe following are the key lessons learned of where and how organizations can begin to close the security gaps they have that leave them vulnerable to privileged credential abuse and many other potential threats:

  • Organizations’ most technologically advanced areas that are essential for future growth and attainment of strategic goals are often the most unprotected. Big Data, cloud, containers and network devices are the most important areas of any IT infrastructure. According to Centrify’s survey, they are the most unprotected as well. 72% of organizations aren’t securing containers with privileged access controls. 68% are not securing network devices like hubs, switches, and routers with privileged access controls. 58% are not securing Big Data projects with privileged access controls. 45% are not securing public and private cloud workloads with privileged access controls. The study finds that UK-based businesses lag U.S.-based ones in each of these areas as the graphic below shows:

  • Only 36% of U.K. organizations are very confident in their company’s current IT security software strategies, compared to 65% in the U.S. The gap between organizations with hardened security strategies that have a higher probability of withstanding breach attempts is wide between U.K. and U.S.-based businesses. 44% of U.K. respondents weren’t positive about what Privileged Access Management is, versus 26% of U.S. respondents. 60% of U.K. respondents don’t have a password vault.

  • Just 35% of U.S. organizations and 30% of those in the UK are relying on Privileged Access Management to manage partners’ access to privileged credentials and infrastructure. Partners are indispensable for scaling any new business strategy and expanding an existing one across new markets and countries. Forward-thinking organizations look at every partner associates’ identity as a new security perimeter. The 35% of U.S.-based organizations doing this have an immediate competitive advantage over the 65% who aren’t. By enforcing PAM across their alliances and partnerships, organizations can achieve uninterrupted growth by eliminating expensive and time-consuming breaches that many businesses never fully recover from.
  • Organizations’ top five security projects for 2019 include protecting cloud data, preventing data leakage, analyzing security incidents, improving security education/awareness and encrypting data. These top five security projects could be achieved at scale by having IT teams implement a Zero Trust-based approach to Privileged Access Management (PAM). The time, cost and scale advantages of getting the top five security projects done using Zero Trust would free up IT teams to focus on projects that deliver direct revenue gains for example.

Conclusion

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. It also reveals that there is a strong desire to adhere to best practices when it comes to PAM (51% of respondents) and that the reason it is not being adequately implemented rarely has to do with prioritization or difficulty but rather budget constraints and executive buy-in.

The survey also shows U.K. – and U.S.-based organizations need to realize identity is the new security perimeter. For example, only 37% of respondents’ organizations are able to turn off privileged access for an employee who leaves the company within one day, leaving a wide-open exposure point that can continue to be exploited.

There are forward-thinking organizations who are relying on Zero Trust Privilege as a core part of their digital transformation efforts as well. The survey found that given a choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d prefer to work on, followed by Endpoint Security (37%) and Privileged Access Management (28%). Many enterprises see digital transformation’s missing link being Zero Trust and the foundation for redefining their businesses by defining every identity as a new security perimeter, so they can securely scale and grow faster than before.

What IoT Leaders Do To Drive Greater Results

  • IoT Leaders are achieving cost and revenue gains of at least 15% or more, while laggards see less than 5%.
  • Pursuing 80% more IoT use cases compared to their peers, IoT Leaders are progressing faster down the learning curve of monetizing their application areas.
  • IoT Leaders anticipate that their IoT use cases will boost their gross profits by 13% over the next three years, three times as much as IoT laggards.

What IoT leaders do to excel and drive greater results compared to their peers is explored in the recent McKinsey report, What separates leaders from laggards in the Internet of Things. The study is based on interviews with 300 IoT executive-level practitioners from companies with more than $500M revenues which are implementing large-scale IoT strategies with projects that have progressed from pilot to production. Enterprises from 11 major industry segments from Canada, China, Germany, and the United States were included in the survey.

McKinsey found 16% of enterprises have IoT programs in production, delivering aggregate cost and revenue impacts of at least 15%. The study also found 16% of enterprises are lagging, attaining aggregate revenue and cost improvements of less than 5%. The following graphic compares companies by the level of financial impact from IoT initiatives:

Nine practices differentiate IoT Leaders from laggards, and the study provides a fascinating look into each based on the survey data. Key insights into IoT Leader’s practice areas is provided here:

  • Leaders are more aggressive about pursuing a greater number, scope, and variety of IoT applications and use cases than their less successful peers. What IoT Leaders learn quickly is how steep the IoT learning curve is, and how it’s essential to run as many IoT pilots as possible to learn more. Leaders discover the first 15 or so IoT use cases typically have a modest payback, with the average payback rising until approximately 30 use cases have been achieved. IoT Leaders anticipate that their IoT use cases will boost their gross profits by 13% over the next three years, three times as much as IoT laggards. The following graphic illustrates the financial impact per IoT use case by the cumulative number of IoT use cases enterprises initiate.

  • Leaders are more willing than their peers to change business processes to unlock IoT’s value. McKinsey found IoT Leaders are three times more likely than their peers to say that managing changes to business processes is one of the three most important capabilities for implementing IoT. CEOs who champion their company’s IoT initiatives make strong contributions in this area, removing barriers and roadblocks quickly to keep IoT programs moving forward.
  • Leaders design, pilot and move to production IoT use cases that rely on advanced endpoints far more than their peers. McKinsey finds that IoT Leaders are more visionary and aggressive than peers in developing applications with advanced endpoints.  Leaders are gaining expertise and mastery of how to creatively use advanced endpoints today, reporting higher levels of satisfaction and positive results.

  • Leaders clearly define how IoT will create value and excel in building effective business cases. McKinsey found that IoT Leaders are 75% more likely than their peers to cite the preparation of a strong business case as a critical success factor for their IoT programs. The study’s respondents who have an IoT vision that includes a strong value proposition, a proven delivery model, and a business model that drives revenue are getting results faster than their peers. 35% of Leaders rate the importance of “strong business case and vision for value creation” as one of the top three success factors versus 20% of laggards. Leaders leave nothing to chance when it comes to defining how IoT will deliver business value either in the form of greater revenue or reduced costs.

  • A CEO’s involvement and support are essential for any enterprise to succeed with  IoT. Based on personal experience with IoT pilots, C-level executives are indispensable in removing barriers and making process-level changes necessary for success. 72% of the surveyed executives agree. A vital catalyst of any enterprise succeeding with IoT is a clear, unequivocal time commitment on the part of the CEO. Enterprises in the Leaders quintile were 2.4 more likely than laggards to report that their CEO serves as the champion of IoT efforts as the following graphic illustrates:

  • Leaders credit strong alignment with IoT strategies and priorities enterprise-wide as a critical factor in their success. IoT initiatives and pilots on their way to production require executives, managers, and frontline workers to learn fresh skills and collaborate across business and functional boundaries in new ways. Enterprises need to have a strong unifying vision of where they’re going with IoT, with the CEO championing the change management required to make sure they succeed.
  • Leaders begin by adding IoT capability to existing products and services first. McKinsey found that Leaders are three times more likely than their peers to make their top priority adding IoT capabilities to existing products. They focus on how to turn the current scale they’ve achieved with suppliers, selling and service networks into a formidable competitive advantage. They’re also more adept at cross-selling and up-selling IoT-enabled products by capitalizing on current customer relationships. The following graphic compares enterprises’ single highest-priority IoT effort:

  • Leaders excel at tapping into, scaling and relying on an ecosystem of partners for innovation versus doing it all themselves. McKinsey finds that IoT Leaders excel at scaling their partner ecosystems faster and more strategically than their peers. IoT Leaders also rely more on partners for the latest technology innovations instead of attempting to create them entirely on their own. They’re also deliberately choosing IoT platforms that support third-party developers and the advanced endpoints as the graphic below shows:

  • Leaders prepare for cyber attacks, so they don’t slow things down. McKinsey found that 30% of enterprises from both IoT Leaders and their peers say that they’ve experienced cyber attacks that have resulted in high to severe damage. 57% of Leaders had been the target of cyber attacks compared to 44% of their peers. The higher number of cyber attacks happening for Leaders is due to the broader threat surface their many pilots, and production-level use cases create. The more distributed and varied IoT use cases are the greater the risk of privileged credential abuse as well. Thwarting privileged credential abuse needs to start with a least privilege access approach, minimizing each attack surface, improving audit and compliance visibility while reducing risk, complexity, and costs. Leaders in Zero Trust include CentrifyMobileIronPalo Alto Networks, and others.

Digital Transformation’s Missing Link Is Zero Trust

    • Enterprises will invest $2.4T by 2020 in digital transformation technologies including cloud platforms, cognitive systems, IoT, mobile, robotics, and integration services according to the World Economic Forum.
    • Digital transformation software and services revenue in the U.S. is predicted to reach $490B in 2025, soaring from $190B in 2019, attaining a Compound Annual Growth Rate (CAGR) of 14.49% according to Grand View Research published by Statista.
    • IDC predicts worldwide spending on the technologies and services that enable the digital transformation of business practices, products, and organizations will reach $1.97T in 2022.
    • Legacy approaches to Privileged Access Management (PAM) don’t protect the new threatscapes digital transformation initiatives create, making Zero Trust Privilege essential for enterprises.

B2B customers, including manufacturers looking to replace legacy production equipment with smart, connected machines, have high expectations when it comes to product quality, ease of integration, and intuitive user experiences. Replacing factories full of legacy assets with smart, connected machinery is one of the most powerful catalysts driving digital transformation today. Innovative smart, connected machinery and the performance gains they provide are the oxygen that keeps customer relationships alive. That’s why digital transformation forecasts from the World Economic Forum, Grand View ResearchIDC, and many others predict perennial growth. The many forecasts reflect a fundamental truth: digital transformation done with intensity creates a customer-driven renaissance for any business.

Businesses digitally transforming themselves are succeeding because they’ve made themselves accountable and transparent to customers. Earning and protecting that trust is the heartbeat of any business’ growth. 51% of enterprises invest in digital transformation to capture growth opportunities in new markets, with 46% investing to stay in front of evolving customer behaviors and preferences. Brian Solis’ excellent report, The State of Digital Transformation, 2018 – 2019 Edition (31 pp., PDF, opt-in) shows how digitally transforming any business with the customer first leads to greater growth. The graphic from his study illustrates this point:

 

Closing The Digital Transformation Gap With Zero Trust

Gaps exist between the results digital transformation initiatives are delivering today, and the customer-driven value they’re capable of. According to Gartner, 75% of digital transformation projects are not aligned internally today, leading to delayed new product launches, mediocre experiences, and greater security risks than ever before. Interactive, IoT-enabled experiences and products are expanding the threatscape of enterprises to include Big Data, cloud, containers, DevOps, IoT systems, and more. With that comes a host of new exposure points, many of which allow access to sensitive data that must be protected with modern Privileged Access Management solutions that reduce risk in these modern enterprise use cases.

The new security perimeter is identity. Forrester estimates that 80% of data breaches are caused by privileged access abuse. Every smart, connected machine that replaces legacy production equipment is another identity that defines a manufacturer’s security perimeter.

As the use cases and adoption of smart, connected machines proliferate, so too does the urgency that manufacturers need to replace their legacy approaches to Privileged Access Management (PAM). Relying on outdated strategies for protecting administrative access to all machines needs to be replaced with a “never trust, always verify, enforce least privilege” approach.

IT needs to improve how they’re protecting the most privileged access credentials, the ‘keys to the kingdom,’ by granting just-enough, just-in-time privilege. Of the many cybersecurity approaches available today, Zero Trust Privilege (ZTP) enables IT to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

The more diverse any digital transformation strategy, the greater the risk of privileged credential abuse. Thwarting privileged credential abuse needs to start with a least privilege access approach, minimizing each attack surface, improving audit and compliance visibility while reducing risk, complexity, and costs. Leaders in Zero Trust include CentrifyMobileIronPalo Alto Networks, and others. Of these companies, Centrify’s approach to Zero Trust to prevent privileged access abuse shows the greatest potential for securing digital transformation initiatives and strategies.

How To Secure Digital Transformation Strategies

IDG Research found in their Security Priorities for 2018 study that 71% of security-focused IT decision-makers are aware of the Zero Trust model and 18% of enterprises are either running pilots or have implemented Zero Trust.

Zero Trust Privilege (ZTP) is the force multiplier digital transformation initiatives need to reach their true potential by securing administrative access to the complex mix of machinery and infrastructure – and the sensitive data they hold and use – that manufacturers rely on daily.

Starting with a strategic perspective, ZTP’s contribution to securing digital transformation deployments apply to every area of planning, pilots, platforms, product, and service data being designed to stop the leading cause of breaches, which is privileged credential abuse. The following graphic illustrates how ZTP needs to span every aspect of an enterprise’s digital transformation capabilities.

Source: World Economic Forum, Digital Transformation Initiative, May 2018

Conclusion

By 2020, 30% of Global 2000 companies will have allocated capital budget equal to at least 10% of revenue to fuel their digital transformation strategies according to IDC.  European spending on technologies and services that enable the digital transformation of business practices, products, and organizations is forecasted to reach $378.2B in 2022. The perennial growth these forecasts promise is predicated on enterprises delivering new experiences and innovative products, which create the oxygen that keeps their customer relationships alive.

Amidst all the potential for growth, enterprises need to realize every new infrastructure element, machine, or connected production asset is a new identity that collectively comprises the fabric of their security perimeter. Legacy cybersecurity approaches won’t scale to protect the proliferating number of smart machines being put into use today. Relying entirely on legacy approaches to PAM, where privileged access to systems and resources only inside the network are secure, is failing today. Smart, connected machinery and the products and experiences they deliver require an entirely new cybersecurity strategy, one based on a “never trust, always verify, enforce least privilege” approach. Centrify Zero Trust Privilege shows potential to meet this challenge by granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Predicting The Future Of Next-Gen Access And Zero Trust Security In 2019

Bottom Line:  The most valuable catalyst all digital businesses need to continue growing in 2019 is a Zero Trust Security (ZTS) strategy based on Next-Gen Access (NGA) that scales to protect every access point to corporate data, recognizing that identities are the new security perimeter.

The faster any digital business is growing, the more identities, devices and network endpoints proliferate. The most successful businesses of 2019 and beyond are actively creating entirely new digital business models today. They’re actively recruiting, and onboarding needed experts independent of their geographic locations and exploring new sourcing and patent ideas with R&D partners globally. Businesses are digitally transforming themselves at a faster rate than ever before. Statista projects businesses will spend $190B on digital transformation in 2019, soaring to $490B by 2025, attaining a 14.4% Compound Annual Growth Rate (CAGR) in six years.

Security Perimeters Make Or Break A Growing Business

80% of IT security breaches involve privileged credential access according to a recent Forrester study. The Verizon Mobile Security Index 2018 Report found that 89% of organizations are relying on just a single security strategy to keep their mobile networks safe. A typical data breach cost the average company $3.86M in 2018, up 6.4% from $3.62M in 2017 according to IBM Security’s latest  2018 Cost of a Data Breach Study.

The hard reality for any digital business is realizing that their greatest growth asset is how well they protect the constantly expanding perimeter of their business. Legacy approaches to securing infrastructure that relies on trusted and untrusted domains can’t scale to protect every identity and device that comprises a company’s rapidly changing new security perimeter. All these factors and more are why Zero Trust Security (ZTS) enabled by Next-Gen Access (NGA) is as essential to digital businesses’ growth as their product roadmaps, pricing strategies, and services with Idaptive being an early leader in the market. To learn more about Identity-as-a-Service please see the Forrester report, The Forrester Wave™: Identity-As-A-Service, Q4 2017 (client access required)

Predicting The Future Of Next-Gen Access And Zero Trust Security

The following are predictions of how Next-Gen Access (NGA) powered by Zero Trust Security (ZTS) will evolve in 2019:

  • Behavior-based scoring algorithms will improve markedly in 2019, improving the user experience by calculating risk scores with greater precision than before. Thwarting attacks start with a series of behavior-based algorithms that calculate a risk score based on a wide variety of variables including past access attempts, device security posture, operating system, location, time of day, and many other measurable factors. Expect to see these algorithms and the risk scores they generate using machine learning techniques improve from accuracy and contextual intelligence standpoint in 2019. Leading companies in the field including Idaptive are actively investing in machine learning technologies to accomplish this today.
  • Multifactor Authentication (MFA) adoption soars as digital businesses seek to protect new R&D projects, patents in progress, roadmaps, and product plans. State-sponsored hacking organizations and organized crime see the intellectual property in fast-growing digital businesses as among the most valuable assets they can exfiltrate and sell on the Dark Web. MFA, one of the most effective single defenses against compromised passwords, will be adopted by the most successful businesses in AI, aerospace & defense, chip design for cellular and IoT devices, e-commerce, enterprise software and more.
  • Smart, connected products without adequate security designed in will proliferate in 2019, further challenging the security perimeters of the digital businesses. The era of smart, connected products is here, with Capgemini estimating the size of the connected products market will be $519B to $685B by 2020. Manufacturers expect close to 50% of their products to be smart, connected products by 2020, according to Capgemini’s Digital Engineering: The new growth engine for discrete manufacturers. The study is downloadable here (PDF, 40 pp., no opt-in). With every smart, connected device creating a new threat surface for a company, expect to see at least one device manufacturer design Zero Trust Security (ZTS) support to the board level to increase their sales into enterprises by reducing the threat of a breach starting from their device.
  • Looking for greater track and traceability, healthcare and medical products supply chains will adopt Zero Trust Security (ZTS). What’s going to make this an urgent issue in healthcare and medical products are the combined effects of greater regulatory reporting and compliance, combined with the pressure to improve time-to-market for new products and delivery accuracy for current customers. The pillars of ZTS are a perfect fit for healthcare and medical supply chains’ need for track and traceability. These pillars are real-time user verification, device validation, and intelligently limiting access, while also learning and adapting to verified user behaviors.
  • Real-time Security Analytics Services is going to thrive in 2019 as digital businesses seek insights into how they can fine-tune their ZTS strategies across every threat surface and machine learning algorithms improve. Many enterprises are in for an epiphany in 2019 when they see just how many potential breaches they’ve stopped using a combination of security strategies including Single Sign-On (SSO) and Multi-factor Authentication (MFA). Machine learning algorithms will continue to improve using behavior-based scoring, further improving the user experience. Leaders in the field include Idaptive who is setting a rapid pace of innovation in Real-Time Security Analytics Services.   

Conclusion

Security is at an inflection point today. Long-standing methods of protecting IT systems and a businesses’ assets can’t scale to protect every new identity, device or threat surface. When every identity is a new security perimeter, a new approach is needed to securing any digital business. The pillars of ZTS including real-time user verification, device validation, and intelligently limiting access, while also learning and adapting to verified user behaviors are proving to be effective at thwarting breaches and securing company’ digital assets of all kinds. It’s time for more digital businesses to see security as the growth catalyst it is and take action now to ensure their operations continue to flourish.

6 Best Practices For Increasing Security In AWS In A Zero Trust World

  • Amazon Web Services (AWS) reported $6.6B in revenue for Q3, 2018 and $18.2B for the first three fiscal quarters of 2018.
  • AWS revenue achieved an impressive 46% year-over-year net sales growth between Q3, 2017 and Q3, 2018 and 49% year-over-year growth for the first three quarters of the year.
  • AWS’ 34% market share is bigger than its next four competitors combined with the majority of customers taken from small-to-medium sized cloud operators according to Synergy Research.
  • The many announcements made at AWS Re:Invent this year reflect a growing focus on hybrid cloud computing, security, and compliance.

Enterprises are rapidly accelerating the pace at which they’re moving workloads to Amazon Web Services (AWS) for greater cost, scale and speed advantages. And while AWS leads all others as the enterprise public cloud platform of choice, they and all Infrastructure-as-a-Service (IaaS) providers rely on a Shared Responsibility Model where customers are responsible for securing operating systems, platforms and data.  In the case of AWS, they take responsibility for the security of the cloud itself including the infrastructure, hardware, software, and facilities. The AWS version of the Shared Responsibility Model shown below illustrates how Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations  as the customers’ responsibility:

Included in the list of items where the customer is responsible for security “in” the cloud is identity and access management, including Privileged Access Management (PAM) to secure the most critical infrastructure and data.

Increasing Security for IaaS in a Zero Trust World

Stolen privileged access credentials are the leading cause of breaches today. Forrester found that 80% of data breaches are initiated using privileged credentials, and 66% of organizations still rely on manual methods to manage privileged accounts. And while they are the leading cause of breaches, they’re often overlooked — not only to protect the traditional enterprise infrastructure — but especially when transitioning to the cloud.

Both for on-premise and Infrastructure-as-a-Service (IaaS), it’s not enough to rely on password vaults alone anymore. Organizations need to augment their legacy Privileged Access Management strategies to include brokering of identities, multi-factor authentication enforcement and “just enough, just-in-time” privilege, all while securing remote access and monitoring of all privileged sessions. They also need to verify who is requesting access, the context of the request, and the risk of the access environment. These are all essential elements of a Zero Trust Privilege strategy, with Centrify being an early leader in this space.

6 Ways To Increase Security in AWS

The following are six best practices for increasing security in AWS and are based on the Zero Trust Privilege model:

  1. Vault AWS Root Accounts and Federate Access for AWS Console

Given how powerful the AWS root user account is, it’s highly recommended that the password for the AWS root account be vaulted and only used in emergencies. Instead of local AWS IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login. By doing so, you obviate the need for long-lived access keys.

  1. Apply a Common Security Model and Consolidate Identities

When it comes to IaaS adoption, one of the inhibitors for organizations is the myth that the IaaS requires a unique security model, as it resides outside the traditional network perimeter. However, conventional security and compliance concepts still apply in the cloud. Why would you need to treat an IaaS environment any different than your own data center? Roles and responsibilities are still the same for your privileged users. Thus, leverage what you’ve already got for a common security infrastructure spanning on-premises and cloud resources. For example, extend your Active Directory into the cloud to control AWS role assignment and grant the right amount of privilege.

  1. Ensure Accountability

Shared privileged accounts (e.g., AWS EC2 administrator) are anonymous. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements centrally from Active Directory, mapping roles, and groups to AWS roles.

  1. Enforce Least Privilege Access

Grant users just enough privilege to complete the task at hand in the AWS Management Console, AWS services, and on the AWS instances. Implement cross-platform privilege management for AWS Management Console, Windows and Linux instances.

  1. Audit Everything

Log and monitor both authorized and unauthorized user sessions to AWS instances. Associate all activity to an individual, and report on both privileged activity and access rights. It’s also a good idea to use AWS CloudTrail and Amazon CloudWatch to monitor all API activity across all AWS instances and your AWS account.

  1. Apply Multi-Factor Authentication Everywhere

Thwart in-progress attacks and get higher levels of user assurance. Consistently implement multi-factor authentication (MFA) for AWS service management, on login and privilege elevation for AWS instances, or when checking out vaulted passwords.

Conclusion

One of the most common reasons AWS deployments are being breached is a result of privileged access credentials being compromised. The six best practices mentioned in this post are just the beginning; there are many more strategies for increasing the security in AWS.  Leveraging a solid Zero Trust Privilege platform, organizations can eliminate shared Amazon EC2 key pairs, using auditing to define accountability to the individual user account level, execute on least privilege access across every login, AWS console, and AWS instance in use, enforce MFA and enable a common security model.

%d bloggers like this: