Skip to content

Posts tagged ‘Zero Trust Security’

How To Build A Business Case For Endpoint Security

How To Build a Business Case for Endpoint Security

Bottom Line:  Endpoint security business cases do much more than just quantify costs and benefits; they uncover gaps in endpoint and cyber protection that need urgent attention to avert a breach.

Bad actors and hackers prefer to attack threat surfaces that are isolated, vulnerable with out-of-date security patches, yet integrated into a corporate network to provide access. For these reasons and more, endpoints are now the popular choice for hacking attempts. Ponemon Institute’s Third Annual Study on the State of Endpoint Security Risk published in January of this year found that 68% of organizations were victims of successful endpoint attacks in 2019 that compromised data assets and IT infrastructure. Since 2017, successful endpoint attacks have spiked by 26 percent. The Ponemon study also found that it takes the typical organization 97 days to test and deploy patches to each endpoint. When the average endpoint is three months behind on updates, it’s understandable why breaches are increasing. In 2019 the average endpoint breach inflicted $8.94M in losses. The following graphic compares the escalating number of breaches and economic losses for the last three years:

How To Build A Business Case For Endpoint Security

Exploring Endpoint Security’s Many Benefits

Think of building a business case for endpoint security as the checkup every company needs to examine and identify and every threat surface that can be improved. Just as all efforts to preserve every person’s health is priceless today, organizations can’t let their guard down when it comes to keeping endpoint security strong.

The economic fallout of COVID-19 is hitting IT budgets hard. That’s why now is the time to build a business case for endpoint security. CIOs and CISOs have to make budget cuts due to revenue shortfalls. One area no one wants to compromise on, however, is allowing endpoint agents to degrade over time. Absolute Software’s  Endpoint Security Trends Report found that the more complex and layered the endpoint protection, the greater the risk of a breach. Overloading every endpoint with multiple agents is counterproductive and leaves endpoints less secure than if fewer agents were installed.  Additionally, Absolute just launched a Remote Work and Distance Learning Insights Center, providing insights into the impact of COVID-19 on IT and security controls. An example of the dashboard shown below:

How To Build A Business Case For Endpoint Security

 

Business Case Benefits Need To Apply To  IT and Operations

Absolute and Ponemon’s studies suggest that autonomous endpoints are the future of endpoint security. Activating security at the endpoint and having an undeletable tether to every device solves many of the challenges every business’s IT and Operations teams face. And with the urgency to make IT and Operations as virtual as possible with budgets impacted by COVID-19’s economic fallout, team leaders in each area are focusing on the following shared challenges. COVID-19’s quarantine requirements make hybrid workforces instantly appear and make the budgets needed to support them vanish at the same time.  The following are the shared benefits for IT and Operations that need to anchor any endpoint security business case:

  • The most urgent need is for greater IT Help Desk efficiency. While this is primarily an IT metric, the lack of real-time availability of resources is slowing down remote Operations teams from getting their work done.
  • Both IT and Operations share asset utilization, loss reduction, and lifecycle optimization ownership in many organizations today. Having a persistent, undeletable tether to every device at the hardware level is proving to be an effective approach IT, and Operations teams are relying on to track and improve these metrics. The Absolute and Ponemon studies suggest that the more resilient the endpoint, the better the asset efficiency and lifecycle optimization. Autonomous endpoints can self-heal and regenerate themselves, further improving shared metric performance for IT and Operations.
  • The more autonomous endpoints an organization has, the quicker Operations and IT can work together to pivot into new business models that require virtual operations. Education, Healthcare, Financial Services, Government, and Professional Services are all moving to hybrid remote workplaces and virtual operations as fast as they can. Using the business case for endpoint security as a roadmap to see where threat surfaces need to be improved for new growth is key.

Endpoint Security Benefits 

The following are the benefits that need to be included in creating a business case for endpoint security:

  • Reduce and eventually eliminate IT Help Desk backlogs by keeping endpoints up-to-date. Reducing the call volume on IT Help Desks can potentially save over $45K a year, assuming a typical call takes 10 minutes and the cumulative time savings in 1,260 hours saved by the IT help desk annually.
  • Reduce Security Operations staff interruptions and emergency security projects that require IT’s time to run analytics reports and analyses. Solving complex endpoint security problems burns thousands of dollars and hours over a year between Security, IT, and Operations. Having a persistent, unbreakable connection to every endpoint provides the device visibility teams need to troubleshoot problems. Assuming the 2,520 hours IT Security teams alone spend on emergency endpoint security problems could be reduced, organizations could save approximately $130K a year. 
  • Autonomous endpoints with an undeletable tether improve compliance, control, and visibility and is a must-have in the new hybrid remote workplace. For endpoint security to scale across every threat surface, having an undeletable tether to every device is a must-have for scalable remote work and hybrid remote work programs in the enterprise. They also contribute to lowering compliance costs and improve every aspect of asset management from keeping applications current to ensuring autonomous endpoints can continue to self-heal.
  • Reducing IT asset loss, knowing asset utilization, and system-level software installed by every device can save a typical organization over $300K a year. Autonomous endpoints that can heal themselves and provide a constant hardware connection deliver the data in real-time to have accurate IT asset management and security data teams need to keep software configurations up to date. It’s invaluable for IT teams to have this level of data, as it averts having endpoint patches conflict with one another and leave an endpoint vulnerable to breach.
  • Accurate asset lifecycle planning based on solid data from every device becomes possible. Having autonomous endpoints based on a hardware connection delivers the data needed to increase the accuracy of asset life cycle planning and resource allocation, giving IT and Operations the visibility they need to the device level. IT and Operations teams look to see how they can extend the lifecycle of every device in the field. Cost savings vary by the number of devices in the field and their specific software configurations. The time savings alone is approximately $140K per year in a mid-size financial services firm.
  • The more autonomous and connected an endpoint is, the more automated audit and compliance reporting can become. A key part of staying in compliance is automating the audit process to save valuable time. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) all require ongoing audits. The time and cost savings of automating audits by organizations vary significantly. It’s a reasonable assumption to budget at least a $67K savings per year in audit preparation costs alone.

Evaluating Endpoint Security Costs

The following are the endpoint security costs that need to be included in the business case:

  • Annual, often multi-year endpoint security licensing costs. Endpoint security providers vary significantly in their pricing models, costs, and fees. Autonomous endpoint security platforms can range in licensing costs from $750K to over $1,2M, depending on the size of the organization and the number of devices.
  • Change management, implementation, and integration costs increase with the complexity of IT security, Operations, and IT Service Management (ITSM) integration. Expect to see an average price of between $40K to over $100K to integrate endpoint security platforms with existing ITSM and security information and event management (SIEM) systems.

Creating A Compelling Business Case For Endpoint Security

The best endpoint security business cases provide a 360-degree view of costs, benefits, and why taking action now is needed.

Knowing the initial software and services costs to acquire and integrate endpoint security across your organization, training and change management costs, and ongoing support costs are essential. Many include the following equation in their business cases to provide an ROI estimate. The Return on Investment (ROI) for endpoint security initiative is calculated as follows:

ROI on Endpoint Security (ES) = (ES Initiative Benefits – ES Initiative Costs)/ES Initiative Costs x 100.

A financial services company recently calculated their annual benefits of ES initiative will be $475,000, and the costs, $65,000, will yield a net return of $6.30 for every $1 invested.

Additional factors to keep in mind when building a business case for endpoint security:

  • The penalties for non-compliance to industry-specific laws can be quite steep, with repeated offenses leading to $1M or more in fines and long-term loss of customer trust and revenue. Building a business case for endpoint security needs to factor in the potential non-compliance fees, and penalties companies face for not having autonomous endpoint security. The Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), California Consumer Privacy Act (CCPA), and other laws require audit reporting based on accurate endpoint security data.
  • Endpoint Security ROI estimates fluctuate, and it’s best to get started with a pilot to capture live data with budgets available at the end of a quarter. Typically organizations will allocate the remaining amounts of IT security budgets at the end of a quarter to endpoint security initiatives.
  • Succinctly define the benefits and costs and gain C-level support to streamline the funding process. It’s often the CISOs who are the most driven to achieve greater endpoint security the quickest they can. Today with every business having their entire workforces virtual, there’s added urgency to get endpoint security accomplished.
  • Define and measure endpoint security initiatives’ progress using a digitally-enabled dashboard that can be shared across any device, anytime. Enabling everyone supporting and involved in endpoint security initiatives needs to know what success looks like. Having a digitally-enabled dashboard that clearly shows each goal or objective and the company’s progress toward them is critical to success.

Conclusion

The hard economic reset COVID-19 created has put many IT budgets into freefall at a time when CIOs and CISOs need more funding to protect proliferating hybrid remote workforces. Endpoint security business cases need to factor in how they can create an undeletable resilient defense for every device across their global fleets. And just as every nation on the planet isn’t letting its guard down against the COVID-19 virus, every IT and cybersecurity team can’t let theirs down either when it comes to protecting every endpoint.

Autonomous endpoints that can self-heal and regenerate operating systems and configurations are the future of endpoint security management. The race to be an entirely virtual enterprise is on, and the most autonomous endpoints can be, the more cost-effective and valuable they are. The best business cases bridge the gap between IT and Operations needs. CIOs need endpoint security solutions to be low-cost, low maintenance, reliable yet agile. Operations want an endpoint solution that has a low cost of support, minimal if any impact of IT Service Help Desks, and always-on monitoring. Building a business case for endpoint security gives IT and Operations the insights they need to protect the constantly changing parameters of their businesses.

 

Protecting Privileged Identities In A Post-COVID-19 World

Protecting Privileged Identities In A Post-COVID-19 World

Bottom Line: Every organization needs to digitally reinvent their business, starting at the system level to safely sell and serve customers with minimal physical interaction.

The hard reset every business is going through creates a strong sense of urgency to increase the agility, speed, and scale of selling, as well as customer service options that protect the health of employees, customers, and partners. Customer experience needs to be the cornerstone of digital transformation, with the customers’ health and welfare being the highest priority. Businesses need to realize that digitally reinventing themselves is no longer optional. Every customer-facing system is going to need the best infrastructure, security, and stability for any business to survive and grow.

Securing Infrastructure Needs To Come First

COVID-19 was a wake-up call that companies need to operate as multi-channel players, allowing for physical but, more importantly, virtual presence. For instance, in retail, only those that will step up their efforts in building on-line ordering and associated nation-wide logistics networks will survive in the longer-term. If the cloud was considered an option in the past, it now is mandatory. In turn, the need for security has increased.

Starting with infrastructure, hybrid- and multi-cloud environments need to be augmented with additional system support, new apps, and greater security to support the always-on nature of competing in a virtual world. Providing self-service sales and support across any device at any time and keeping all systems synchronized is going to take more real-time integration, better security, more precise pricing, and so much more.

Consumer electronics manufacturers’ biggest challenge is reinventing their infrastructure while selling and serving customers at the same time. Part of their biggest challenge is protecting privileged access credentials that have become fragmented across hybrid- and multi-cloud environments. Everyone I’ve spoken with is balancing the urgent need for new revenue through new channels on the one hand with intensity to secure infrastructure and the most valuable security assets of all, privileged access credentials.

According to a 2019 study by Centrify among 1,000 IT decision-makers, 74% of respondents whose organizations have been breached acknowledged that it involved access to a privileged account. These are typically used by a small set of technical personnel to access the most critical systems in the IT estate, including modern technologies such as cloud, DevOps, microservices, and more. The CIO of a local financial services and insurance company, who is a former student and friend, told me that “it’s often said that privileged access credentials are the keys to the kingdom, and in these turbulent times they’re the keys to keeping any business running.”

CIOs, CISOs, and their teams are focusing on four key areas today while digitally reinventing themselves to provide more flexible options for customers:

  • Secure every new self-service selling and service channel from breaches.
  • Fast-track cloud projects to become 100% virtual and available.
  • Simplify infrastructure management by integrating IT and Operations Management across hybrid and multi-cloud environments.
  • Improve compliance reporting as well as reduce audit costs and associated fines.

Legacy Privileged Access Management (PAM) Can’t Scale For Today’s Threats

Sophisticated social engineering and breach attempts are succeeding in misdirecting human responses to cyber threats, gaining access to valuable privileged access credentials in the process. Legacy PAM systems based on vaulting away shared and root passwords aren’t designed to protect hybrid cloud and multi-cloud environments. These DevOps systems include containers and microservices, APIs, machines, or services. Furthermore, multi-cloud environments create additional challenges because access management tools used for one vendor cannot be used with another.

Switching from in-person to self-service selling and service creates new challenges and an entirely new series of requirements for identity and access management. These requirements include securing a continually-increasing number of workloads that cause the amount of data in the cloud to grow exponentially. There’s also the need to centralize identities for consistent access controls across hybrid and multi-cloud environments – all happening while a business is busy digitally reinventing itself. Compounding all of these challenges is the need to excel at delivering an excellent user experience without sacrificing security in an increasingly self-service, always-on, 24/7 world.

Securing Privileged Access In A Post-COVID-19 World

If you’re looking for a sure sign any business will be around and growing in twelve months, look at how fast they are digitally reinventing themselves at the infrastructure level and protecting privileged access credentials first. Digital-first businesses are taking a more adaptive approach to consistently controlling access to hybrid infrastructure for both on-premises and remote users now.

Centrify and others are making rapid progress in this area, with Centrify’s Identity-Centric PAM taking a “never trust, always verify, enforce least privilege” approach to securing privileged identities. Centrify’s approach to Identity-Centric PAM establishes per-machine trust so it can defend itself from illegitimate users – whether human or machine  – or those without the right entitlements. It then grants least privilege access just-in-time based on verifying who is requesting access, the context of the request, and the risk of the access environment as is illustrated in the graphic below:

Protecting Privileged Identities In A Post-COVID-19 World

Conclusion

Improving customer experiences needs to be at the center of any digital transformation effort. As every business digitally transforms itself to survive and grow in a post-COVID-19 world out of necessity, they must also improve how they secure access to their cloud and on-premises infrastructure. Legacy PAM was designed for a time when all privileged access was constrained to resources inside the network, accessed by humans, using shared/root accounts.

Legacy PAM was not designed for cloud environments, DevOps, containers, or microservices. Furthermore, privileged access requesters are no longer limited to just humans, but also include machines, services, and APIs.

Privileged access requesters need greater agility, adaptability, and speed to support DevOps’ growing roadmap of self-service and increasingly safer apps and platforms. While privileged identities must be protected, DevOps teams need as much agility and speed as possible to innovate at the rapidly changing pace of how customers choose to buy in a post-COVID-19 world.

Machines Protecting Themselves Is The Future Of Cybersecurity

Machines Protecting Themselves Is The Future Of Cybersecurity

Bottom Line: Existing approaches to securing IT infrastructure are proving unreliable as social engineering and breach attempts succeed in misdirecting human responses to cyber threats, accentuating the need for machines to protect themselves.

Any nations’ digital infrastructure and the businesses it supports are its most vital technology resources, as the COVID-19 pandemic makes clear. Cybercriminal and advanced persistent threat (APT) groups are attempting to capitalize on the disruption that COVID-19 is creating to engage in malicious cyber activity. It’s become so severe that the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert, COVID-19 Exploited by Malicious Cyber Actors earlier this month.

“If you’re in the Department of Defense, your doctrine says land, sea, air, space, cyber. An entirely new domain of warfare, but fundamentally, an entirely new domain of human existence. That’s really disruptive,” said General Michael Hayden during his keynote at the 2017 Institute for Critical Infrastructure Technology (ICIT) Winter Summit. General Hayden’s comments are prescient of the world in 2020.

In the same keynote, he said that it’s essential that cyber-threats and the actors carrying them out be treated as invading armies and cyber-attacks be considered an act of war. “We self-organize and use business models to guide our self-organization,” General Hayden said. “We will have to rely on ourselves and the private sector in a way that we have not relied on ourselves for security.”

General Hayden’s’ comments are a call to action to the private sector to take the initiative and innovate quickly to secure the cyber-domain. Machines protecting themselves is an area noteworthy for its innovative technologies for securing IT infrastructures and the networks that comprise them.

Exploring An Approach to How Machines Protect Themselves

Wanting to learn more about how machines would be able to protect themselves automatically, I spoke with Centrify’s Chief Strategy Officer, David McNeely. He explained that one of the best ways is to have a client that is an integral part of any operating system act as an intermediary that establishes a trusted identity for each client system on a network. The client would then be able to authenticate every login attempt and request for resources by verifying each login through an authoritive security management platform such as Active Directory (AD).

McNeely explained how Centrify’s approach to having machines protect themselves using clients integrated with operating systems. “The client is designed to enable the computer to authenticate users. It must have a trusted relationship with the authoritative identity service in the organization that manages user accounts, this is usually Active Directory. The computer account and trust relationship is what enables strong authentication of user login requests” he said.

He continued, “Self-defending machines address the paradigm shift occurring in cybersecurity today where protection cannot be enforced at the network boundary. In the past, trusted networks were defined by administrators using network protection tools such as VLANs, firewalls and VPNs in order to protect a group of machines on that network. With self-defending machines, it’s possible to implement a true Zero Trust approach more fully where the network cannot be trusted.”

The following is a graphic of how Centrify is approaching machine-to-machine Zero Trust across distributed environments:

Machines Protecting Themselves Is The Future Of Cybersecurity

Centrify’s approach is based on servers protecting themselves by enforcing a policy defined by IT administrators as stored in Active Directory (AD) or Centrify’s Privileged Access Service. Clients then carry out the orders, enforcing centrally managed policies for each of the following scenarios:

  • Define who can login, making sure only authorized personnel are allowed access.
  • Whether clients should initiate the process of enforcing MFA or not, to make sure the login attempt isn’t a bot, fake ID, or incorrect human.
  • Whether audit is required or not of the login session and if so, what conditions define if it should be recorded or not.
  • Which privileges are granted to each user and for how long once they’ve gained access to systems.

Why The NIST 800-207 Standard Matters

The National Institute of Standards and Technology (NIST) has defined Zero Trust architecture as a set of guiding principles that organizations can use to improve their security posture. You can view the publication online here: NIST Zero Trust Special Publication 800-207, Zero Trust Architecture (PDF, 58 pp., no opt-in).

Organizations need to continually evaluate their existing cybersecurity defenses in light of the Tenets of Zero Trust in order to continually improve their security postures. The NIST standard underscores the importance of how security architecture matters. For example, defenses to protect assets need to be as close to the asset as possible, much like in a war. In this new era of cyberwarfare, soldiers will need their own body armor and tools to defend against an adversary. Similarly, it is important to arm each server with appropriate defenses to protect against cyberthreats.

Conclusion

General Hayden’s challenge to private industry to pick up the pace of innovation so the nations’ cyber-domain is secure resonates with every cybersecurity company I’ve spoken with. One of the most noteworthy is Centrify, who has devised an enterprise-ready approach for machines to protect themselves across infrastructure and network configurations. It’s Identity-Centric approach to authenticating every login attempt and request for resources by verifying each login – through Active Directory (AD) or the cloud-based, FedRAMP-authorized Centrify Privileged Access Service – differentiates its approach from other cybersecurity vendors attempting to empower machine self-defense.

 

Why Your Biometrics Are Your Best Password

Why Your Biometrics Are Your Best Password

Bottom Line: Biometrics are proving to be better than passwords because they’re easier to use, provide greater privacy and security, and are gaining standardization across a broad base of mobile, desktop, and server devices that users rely on to access online services.

In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard. FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organization that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications.

The Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, WebAuthn, and CTAP). The following graphic explains how the FIDO2 architecture authenticates every account requesting access to resources on a secured system:

Why Your Biometrics Are Your Best Password

The security industry has been trying to kill the password for decades. It has long been viewed as a weakness, primarily because of the human element: people continue to use weak passwords, on multiple accounts, at work, and in their personal lives. 81% of data breaches involve weak, stolen, default, or otherwise compromised credentials, according to a Verizon Data Breach Investigations Report.

Usernames and passwords (“something you know”) was the best factor of authentication available for decades yet didn’t provide enough of a barrier to hackers. Then came two-factor authentication, which added “something you have” as a second factor, such as a smartphone, key card, token, or other tangible item associated with the user.

Today everyone lives in a multi-factor authentication (MFA) world where cybersecurity technologists have added another factor: “something you are.” This is where biometrics come in, and facial recognition, fingerprint scanning, retinal scanning, and other forms of bio-identification have become normal thanks to technologies like Apple’s Touch ID and Face ID. Many people have already been using these technologies for years on their iPhones.

The reality is that these additional factors based on “something you have” or “something you are” are both much stronger than “something you know,” such as a password or PIN. Not only can the latter be easily stolen, guessed, or phished for, but authentication based on biometrics is very hard to fake or duplicate.

In short, by using the two newer factors of authentication, everyone who uses an electronic device daily is moving closer to a passwordless reality. Cybersecurity technologists are going to continue making authentication easier and more secure to improve user experiences and reduce the threat of a breach.

Privileged Admin Passwords Need To Be The First To Go  

Key lessons learned from visiting with the 30 or so vendors who claimed to support passwordless authentication include the following:

  • Centrify was the only vendor who prioritized enforcing FIDO2-based privileged administrator logins. It was also one of the few that specifically mentioned support for Apple’s Touch ID and Face ID, as well as Windows Hello, showing full support for the FIDO2 standard.
  • Windows Hello and Windows Hello for Business are table stakes in passwordless authentication, all vendors claim and can demo this capability.
  • Combining multiple forms of biometrics is proving problematic for the majority of vendors, as evidenced by the inconsistent demos on the show floor. No one could conclusively demo multiple types of biometrics for their solutions on the fly in a demo environment while at RSA. Of the many vendors claiming this capability, Centrify’s approach is the most unique in that privileged user identities are verified, satisfying a valuable pillar of its Identity-Centric PAM approach.
  • All vendors claiming FIDO2 compliance were able to demonstrate Apple’s Touch ID electronic fingerprint recognition, while Apple Face ID facial recognition product demos were hit or miss. If you are evaluating biometrics vendors who claim FIDO2 compliance be sure to stress-test facial recognition, as the demos on the show floor made it clear there’s work to do in this area.
  • Product management teams have been studying the NIST 800-53 high-assurance authentication controls standard and integrating it into their roadmaps. The 170 controls that comprise the NIST 800-53 standard are being adopted quickly across the vendors who claim passwordless authentication as a core strength in their product strategies. Using biometrics eliminates the risk of credential theft techniques and provides better alignment with the NIST 800-53 high-assurance authentication controls standard.
  • Vendors are at varying levels of maturity when it comes to being able to capitalize on the metadata biometrics provides, with a few claiming to have real-time analytics. Every vendor had a different response to how they manage the massive amount of metadata being generated by their biometrics, which all claim also to support analytics. After speaking with the vendors at RSA, analytics used to authenticate rather than just report activity is far more effective. I had a chance to talk to Dr. Torsten George, Cybersecurity Evangelist at Centrify, who said, “Centrify’s support for the FIDO2 standard is a direct result of our ongoing commitment to our customers and their requests for biometric authentication of privileged user identities. Combining our support for the FIDO2 standard with our existing multi-factor authentication and real-time analytics capabilities, we’re able to greatly reduce the risk of security breaches that might exploit weak, default, or stolen privileged credentials.”

Conclusion

RSA’s theme Human Element was prescient from the heavy emphasis on passwordless authentication at this year’s conference. FIDO2 is getting solid support across the cybersecurity vendors who chose to exhibit there, which is great for enterprises, organizations, and small businesses who need to defend themselves. Of the many vendors there, Centrify’s approach stood out based on its unique approach to authenticating privileged user identities for its Identity-Centric PAM platform.

FIDO2 ultimately makes security stronger and less disruptive because it can not only eliminate passwords but also make the user experience more seamless and less likely to be circumvented. Passwordless authentication ensures that login credentials are unique across every website, never stored on a server, and never leave the user’s device. This security model helps eliminate the risks of phishing, as well as all forms of password theft and replay attacks.

We’re closer than ever before to the elusive goal of a passwordless future.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • 60% of security and IT professionals state that security is the leading challenge with cloud migrations, despite not being clear about who is responsible for securing cloud environments.
  • 71% understand that controlling privileged access to cloud service administrative accounts is a critical concern, yet only 53% cite secure access to cloud workloads as a key objective of their cloud Privileged Access Management (PAM) strategies.

These and many other fascinating insights are from the recent Centrify survey, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments, downloadable here. The survey is based on a survey of over 700 respondents from the United States, Canada, and the UK from over 50 vertical markets, with technology (21%), finance (14%), education (10%), government (10%) and healthcare (9%) being the top five. For additional details on the methodology, please see page 14 of the study.

What makes this study noteworthy is how it provides a candid, honest assessment of how enterprises can make cloud migrations more secure by a better understanding of who is responsible for securing privileged access to cloud administrative accounts and workloads.

Key insights from the study include the following:

  • Improved speed of IT services delivery (65%) and lowered total cost of ownership (54%) are the two top factors driving cloud migrations today. Additional factors include greater flexibility in responding to market changes (40%), outsourcing IT functions that don’t create competitive differentiation (22%), and increased competitiveness (17%). Reducing time-to-market for new systems and applications is one of the primary catalysts driving cloud migrations today, making it imperative for every organization to build security policies and systems into their cloud initiatives.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • Security is the greatest challenge to cloud migration by a wide margin. 60% of organizations define security as the most significant challenge they face with cloud migrations today. One in three sees the cost of migration (35%) and lack of expertise (30%) being the second and third greatest impediments to cloud migration project succeeding. Organizations are facing constant financial and time constraints to achieve cloud migrations on schedule to support time-to-market initiatives. No organization can afford the lost time and expense of an attempted or successful breach impeding cloud migration progress.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • 71% of organizations are implementing privileged access controls to manage their cloud services. However, as the privilege becomes more task-, role-, or access-specific, there is a diminishing interest of securing these levels of privileged access as a goal, evidenced by only 53% of organizations securing access to the workloads and containers they have moved to the cloud. The following graphic reflects the results.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • An alarmingly high 60% of organizations incorrectly view the cloud provider as being responsible for securing privileged access to cloud workloads. It’s shocking how many customers of AWS and other public cloud providers are falling for the myth that cloud service providers can completely protect their customized, highly individualized cloud instances. The native Identity and Access Management (IAM) capabilities offered by AWS, Microsoft Azure, Google Cloud, and others provide enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to adequately address the more challenging, complex areas of IAM and Privileged Access Management (PAM) in hybrid or multi-cloud environments, however. For an expanded discussion of the Shared Responsibility Model, please see The Truth About Privileged Access Security On AWS and Other Public Clouds. The following is a graphic from the survey and Amazon Web Services’ interpretation of the Shared Responsibility Model.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • Implementing a common security model in the cloud, on-premises, and in hybrid environments is the most proven approach to making cloud migrations more secure. Migrating cloud instances securely needs to start with Multi-Factor Authentication (MFA), deploying a common privileged access security model equivalent to on-premises and cloud systems, and utilizing enterprise directory accounts for privileged access. These three initial steps set the foundation for implementing least privilege access. It’s been a major challenge for organizations to do this, particularly in cloud environments, as 68% are not eliminating local privilege accounts in favor of federated access controls and are still using root accounts outside of “break glass” scenarios. Even more concerning, 57% are not implementing least privilege access to limit lateral movement and enforce just-enough, just-in-time-access.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • When it comes to securing access to cloud environments, organizations don’t have to re-invent the wheel. Best practices from securing on-premises data centers and workloads can often be successful in securing privileged access in cloud and hybrid environments as well.

Conclusion

The study provides four key takeaways for anyone working to make cloud migrations more secure. First, all organizations need to understand that privileged access to cloud environments is your responsibility, not your cloud providers’. Second, adopt a modern approach to Privileged Access Management that enforces least privilege, prioritizing “just enough, just-in-time” access. Third, employ a common security model across on-premises, cloud, and hybrid environments. Fourth and most important, modernize your security approach by considering how cloud-based PAM systems can help to make cloud migrations more secure.

7 Signs It’s Time To Get Focused On Zero Trust

7 Signs It’s Time To Get Focused On Zero Trust

When an experienced hacker can gain access to a company’s accounting and financial systems in 7 minutes or less after obtaining privileged access credentials, according to Ponemon, it’s time to get focused on Zero Trust Security. 2019 is on its way to being a record year for ransomware attacks, which grew 118% in Q1 of this year alone, according to McAfee Labs Threat Report. Data breaches on healthcare providers reached an all-time high in July of this year driven by the demand for healthcare records that range in price from $250 to over $1,000 becoming best-sellers on the Dark Web. Cybercriminals are using AI, bots, machine learning, and social engineering techniques as part of sophisticated, well-orchestrated strategies to gain access to banking, financial services, healthcare systems, and many other industries’ systems today.

Enterprises Need Greater Urgency Around Zero Trust

The escalating severity of cyberattacks and their success rates are proving that traditional approaches to cybersecurity based on “trust but verify” aren’t working anymore. What’s needed is more of a Zero Trust-based approach to managing every aspect of cybersecurity. By definition, Zero Trust is predicated on a “never trust, always verify” approach to access, from inside or outside the network. Enterprises need to begin with a Zero Trust Privilege-based strategy that verifies who is requesting access, the context of the request, and the risk of the access environment.

How urgent is it for enterprises to adopt Zero Trust? A recent survey of 2,000 full-time UK workers, completed by Censuswide in collaboration with Centrify, provides seven signs it’s time for enterprises to get a greater sense of urgency regarding their Zero Trust frameworks and initiatives. The seven signs are as follows:

  1. 77% of organizations’ workers admit that they have never received any form of cybersecurity skills training from their employer. In this day and age, it’s mind-blowing that three of every four organizations aren’t providing at least basic cybersecurity training, whether they intend to adopt Zero Trust or not. It’s like freely handing out driver’s licenses to anyone who wants one so they can drive the freeways of Los Angeles or San Francisco. The greater the training, the safer the driver. Likewise, the greater the cybersecurity training, the safer the worker, company and customers they serve.
  2. 69% of employees doubt the cybersecurity processes in place in their organizations today. When the majority of employees don’t trust the security processes in place in an organization, they invent their own, often bringing their favorite security solutions into an enterprise. Shadow IT proliferates, productivity often slows down, and enterprise is more at risk of a breach than ever before. When there’s no governance or structure to managing data, cybercriminals flourish.
  3. 63% of British workers interviewed do not realize that unauthorized access to an email account without the owner’s permission is a criminal offense. It’s astounding that nearly two-thirds of the workers in an organization aren’t aware that unauthorized access to another person’s email account without their permission is a crime. The UK passed into law 30 years ago the Computer Misuse Act. The law was created to protect individuals’ and organizations’ electronic data. The Act makes it a crime to access or modify data stored on a computer without authorization to do so. The penalties are steep for anyone found guilty of gaining access to a computer without permission, starting with up to two years in prison and a £5,000 fine. It’s alarming how high the lack of awareness is of this law, and an urgent call to action to prioritize organization-wide cybersecurity training.
  4. 27% of workers use the same password for multiple accounts. The Consensus survey finds that workers are using identical passwords for their work systems, social media accounts, and both personal and professional e-mail accounts. Cybersecurity training can help reduce this practice, but Zero Trust is badly needed to protect privileged access credentials that may have identical passwords to someone’s Facebook account, for example.
  5. 14% of employees admitted to keeping their passwords recorded in an unsecured handwritten notebook or on their desk in the office.  Organizations need to make it as difficult as possible for bad actors and cybercriminals to gain access to passwords instead of sharing them in handwritten notebooks and on Post-It notes. Any organization with this problem needs to immediately adopt Multi-Factor Authentication (MFA) as an additional security measure to ensure compromised passwords don’t lead to unauthorized access. For privileged accounts, use a password vault, which can make handwritten password notes (and shared passwords altogether) obsolete.
  6. 14% do not use multi-factor authentication for apps or services unless forced to do so. Centrify also found that 58% of organizations do not use Multi-Factor Authentication (MFA) for privileged administrative access to servers, leaving their IT systems and infrastructure unsecured. Not securing privileged access credentials with MFA or, at the very least, vaulting them is like handing the keys to the kingdom to cybercriminals going after privileged account access. Securing privileged credentials needs to begin with a Zero Trust-based approach that verifies who is requesting access, the context of the request, and the risk of the access environment.
  7. 1 out of every 25 employees hacks into a colleague’s email account without permission. In the UK, this would be considered a violation of the Computer Misuse Act, which has some unfortunate outcomes for those found guilty of violating it. The Censuswide survey also found that one in 20 workers have logged into friend’s Facebook accounts without permission. If you work in an organization of over 1,000 people, for example, 40 people in your company have most likely hacked into a colleague’s email account, opening up your entire company to legal liability.

Conclusion

Leaving cybersecurity to chance and hoping employees will do the right thing isn’t a strategy; it’s an open invitation to get hacked. The Censuswide survey and many others like it reflect a fundamental truth that cybersecurity needs to become part of the muscle memory of any organization to be effective. As traditional IT network perimeters dissolve, enterprises need to replace “trust but verify” with a Zero Trust-based framework. Zero Trust Privilege mandates a “never trust, always verify, enforce least privilege” approach to privileged access, from inside or outside the network. Leaders in this area include Centrify, who combines password vaulting with brokering of identities, multi-factor authentication enforcement, and “just enough” privilege, all while securing remote access and monitoring of all privileged sessions.

What’s New On The Zero Trust Security Landscape In 2019

What’s New On The Zero Trust Security Landscape In 2019

  • Forrester added in Checkpoint, Forescout, Google, illumio, MobileIron, Proofpoint, Symantec, and Unisys in their latest Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers this year.
  • Forrester’s 2019 scorecard increased the weight on network security, automation and orchestration, and portfolio growth rate compared to last year, adding in Zero Trust eXtended (ZTX) ecosystem advocacy to the scorecard for the first time.
  • Microsoft and VMWare are no longer included in the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers this year.

These and many other interesting insights are from what’s new in the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, written by Chase Cunningham and published on October 29, 2019. Chase is a leading authority on Zero Trust Security, and I was fortunate to have the opportunity to interview him earlier this year. You can read the interview here,10 Questions With Chase Cunningham On Cybersecurity. Forrester included 14 vendors in this assessment: Akamai Technologies, Check Point, Cisco, Cyxtera Technologies, Forcepoint, Forescout, Google, illumio, MobileIron, Okta, Palo Alto Networks, Proofpoint, Symantec, and Unisys. The following is the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 graphic from the free reprint offered by MobileIron here.

Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019

 

Summary of What’s New In Forrester’s Zero Trust Wave This Year

The latest Forrester Wave adds in and places high importance on Zero Trust eXtended (ZTX) ecosystem advocacy, allocating 25% of the weight associated with the Strategy section on the scorecard. Forrester sees Zero Trust as a journey, with vendors who provide the greatest assistance and breadth of benefits on a unified platform being the most valuable. The Wave makes it clear that Zero Trust doesn’t refer to a specific technology but rather the orchestration of several technologies to enable and strengthen their Zero Trust framework. Key insights from what’s new this year in the Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 include the following:

  • Platforms are powering the Zero Trust landscape and delivering the greatest value to organizations on their Zero Trust journey. Forrester notes that organizations are getting the greatest benefits from choosing a single vendor who can deliver integrated, real-world capabilities instead of marketing hype.
  • Ease of use and excellent usability need to be the new normal when it comes to Zero Trust Solutions. Forrester sees a widening gap between Zero Trust solutions that take administrator and end-user experience into account and deliver the critical capabilities that make ZTX frameworks successful and those that don’t. It’s common knowledge of how challenging Zero Trust solutions and platforms are to deploy. Raising the issue of improving usability will help expand the total available market for Zero Trust solutions and increase the effectiveness of every platform installed.
  • A much stronger focus on Application Programmer Interfaces (APIs) and integration. This year’s Wave places much greater emphasis on APIs and the need to integrate every application and Web Service across a Zero Trust platform. The greater the integration expertise of any Zero Trust vendor, the faster an organization adopting their systems and platforms will attain secured stability across every threat surface.
  • Forrester advises Zero Trust vendors to concentrate on four key aspects of their strategy if they’re going to deliver overwhelming value to organizations they’re selling to. These four key aspects include actively advocating for Zero Trust as evidenced by driving product strategies that prioritize needed capabilities; supporting micro-segmentation; enforcing policy everywhere by first enabling extensive, proven integrations using well-documented and tested APIs that make it possible to enable policy definition and enforcement across enterprises; and provide identity beyond identity and access management (IAM).
  • Cyxtera Technologies, MobileIron, and Proofpoint are new to the Zero Trust World, each bringing valuable contributions to enterprises on their Zero Trust journey. Of the three, MobileIron is the most noteworthy as their approach to Zero Trust begins with the device and scales across mobile infrastructures. Forrester observes that “MobileIron’s recently released authenticator, which enables passwordless authentication to cloud services, is a must for future-state Zero Trust enterprises and speaks to its innovation in this space.” MobileIron’s product suite also includes a federated policy engine that enables administrators to control and better command the myriad of devices and endpoints that enterprises rely on today. Forrester sees all three vendors as having excellent integration at the platform level, a key determinant of how effective they will be in providing support to enterprises pursuing Zero Trust Security strategies in the future.

Conclusion

The latest Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019, reflects the growing maturity of the Zero Trust eXtended (ZTX) Ecosystem. Adding in Zero Trust eXtended (ZTX) ecosystem advocacy and weighing it at 25% reflects how serious Forrester is about evaluating vendors on solid, real product features over marketing claims. The increased focus on platforms, APIs and integration also reflect the growing maturity of enterprises adopting Zero Trust frameworks today.

10 Charts That Will Change Your Perspective Of AI In Security

10 Charts That Will Change Your Perspective Of AI In Security

Rapid advances in AI and machine learning are defining cybersecurity’s future daily. Identities are the new security perimeter and Zero Trust Security frameworks are capitalizing on AI’s insights to thwart breaches in milliseconds. Advances in AI and machine learning are also driving the transformation of endpoint security toward greater accuracy and contextually intelligence.

69% of enterprise executives believe artificial intelligence (AI) will be necessary to respond to cyberattacks with the majority of telecom companies (80%) saying they are counting on AI to help identify threats and thwart attacks according to Capgemini. Gartner predicts $137.4B will be spent on Information Security and Risk Management in 2019, increasing to $175.5B in 2023, reaching a CAGR of 9.1%. Cloud Security, Data Security, and Infrastructure Protection are the fastest-growing areas of security spending through 2023. The following ten charts illustrate the market and technological factors driving the rapid growth of AI in security today:

  • AI shows the greatest potential for fraud detection, malware detection, assigning risk scores to login attempts on networks, and intrusion detection. Supervised and unsupervised machine learning algorithms are proving to be effective in identifying potentially fraudulent online transaction activity. By definition, supervised machine learning algorithms rely on historical data to find patterns not discernible with traditional rule-based approaches to fraud detection. Finding anomalies, interrelationships, and valid links between emerging factors and variables is unsupervised machine learning’s core strength. Combining each is proving to be very effective in identifying anomalous behavior and reducing or restricting access. Kount’s  Omniscore relies on these technologies to provide an AI-driven transaction safety rating. Source: Capgemini Research Institute, Reinventing Cybersecurity with Artificial Intelligence – The new frontier in digital security (28 pp., PDF, no opt-in).
  • 80% of telecommunications executives stated that they believe their organization would not be able to respond to cyberattacks without AI. Across all seven industries studied in a recent Capgemini survey, 69% of all senior executives say they would not be able to respond to a cyberattack without AI. 75% of banking executives realize they’ll need AI to thwart a cyberattack. Interestingly, 59% of Utilities executives, the lowest response to this question on the survey, see AI as essential for battling a cyberattack. Utilities are one of the more vulnerable industries to attacks given their legacy infrastructure. Source: Statistica, Share of organizations that rely on artificial intelligence (AI) for cybersecurity in selected countries as of 2019, by industry
  • 51% of enterprises primarily rely on AI for threat detection, leading prediction, and response. Consistent with the majority of cybersecurity surveys of enterprises’ AI adoption for cybersecurity in 2019, AI is relied the majority of the time for detecting threats. A small percentage of enterprises have progressed past detection to prediction and response, as the graphic below shows. Many of the more interesting AI projects today are in prediction and response, given how the challenges in these areas expand the boundaries of technologies fast. Source: Capgemini Research Institute, Reinventing Cybersecurity with Artificial Intelligence – The new frontier in digital security (28 pp., PDF, no opt-in).
  • Enterprises are relying on AI as the foundation of their security automation frameworks. AI-driven security automation frameworks are designed to flex and support new digital business models across an organization. Existing security automation frameworks can crunch and correlate threat patterns on massive volumes of disparate data, which introduces opportunities for advanced cybersecurity without disrupting business. Using alerts and prescriptive analytics for dynamic policies to address identified risks, enterprises can speed deployment of threat-blocking measures, increasing the agility of security operations. Source: Cognizant, Combating Cybersecurity Challenges with Advanced Analytics (PDF, 24 pp., no opt-in).
  • Cybersecurity leads all other investment categories this year of TD Ameritrade’s Registered Investment Advisors (RIA) Survey. The survey found RIAs are most interested in investment opportunities for their clients in AI-based cybersecurity new ventures. Source: TD Ameritrade Institutional 2019 RIA Sentiment Survey (PDF, 35 pp., no opt-in)
  • 62% of enterprises have adopted and implemented AI to its full potential for cybersecurity, or are still exploring additional uses. AI is gaining adoption in U.S.-based enterprises and is also being recommended by government policy influencers. Just 21% of enterprises have no plans for using AI-based cybersecurity today.  Source: Oracle, Security In the Age Of AI (18 pp., PDF. no opt-in
  • 71% of today’s organizations reporting they spend more on AI and machine learning for cybersecurity than they did two years ago. 26% and 28% of U.S. and Japanese IT professionals believe their organizations could be doing more. Additionally, 84% of respondents believe cyber-criminals are also using AI and ML to launch their attacks. When considered together, these figures indicate a strong belief that AI/ML based cybersecurity is no longer simply nice to have; it’s crucial to stop modern cyberattacks.   Source: Webroot, Knowledge Gaps: AI and Machine Learning in CyberSecurity Perspectives from the U.S. and Japanese IT Professionals (PDF, 9 pp., no opt-in)
  • 73% of enterprises have adopted security products with some form of AI integrated into them. Among enterprises that receive more than 1,000 alerts per day, the percentage that has AI-enabled products in their security infrastructure jumps to 84%. The findings suggest that some decision makers view AI as useful capability in dealing with the flood of alerts that they receive. Source: Osterman Research, The State of AI in Cybersecurity: The Benefits, Limitations and Evolving Questions (PDF, 10 pp., opt-in).
  • AI’s greatest benefit is the increase in the speed of analyzing threats (69%) followed by an acceleration in the containment of infected endpoints/devices and hosts (64%). Because AI reduces the time to respond to cyber exploits organizations can potentially save an average of more than $2.5 million in operating costs. Source: The Value of Artificial Intelligence in Cybersecurity – Sponsored by IBM Security Independently conducted by Ponemon Institute LLC, July 2018.

Financial Services Rely On BYOD – How Do They Stay Secure?

Financial Services Rely On BYOD – How Do They Stay Secure?

Bottom Line: 2020 is going to be the year companies launch more digital business initiatives that depend on BYOD than ever before, making Zero Trust Security a key contributor to their success.

Financial Services firms are at an inflection point going into 2020. Mobile-first products and services now dominate their product roadmaps for next year, with applications’ speed and security being paramount. In fintech, DevOps teams have been working with AngularJS for years now, and the scale and speed of their applications reflect their expertise. How well existing IT infrastructure flexes to support the new mobile-first product and services strategies depends on how quickly members of IT, customer service, and customer success teams can respond. BYOD is proving invaluable in achieving the speed of response these new digital business models require.

In 2020 more employees of Financial Services firms will rely on their mobile devices as their primary form of digital ID than has ever been the case before. A recent survey conducted by IDG in association with MobileIron found that 89% of security leaders believe mobile devices will be the primary digital ID employees use to gain access to resources and get work done. The CIOs I’ve spoken agree. A copy of the IDG and MobileIron study, Say Goodbye to Passwords, can be downloaded here.

Counting On BYOD To Deliver Responsiveness And Speed

CIO and IT bonuses are often indexed to the revenue contributions their new products and services deliver, making speed, scale, security, and responsiveness the most important features of all. Fintech CIOs are saying that BYOD is proving indispensable in scaling IT in support of new digital business initiatives as a result. By 2022, 75% of smartphones used in the enterprise will bring your own device (BYOD), up from 35% in 2018, forcing a migration from device-centric management to app- and data-centric management, according to Gartner’s Competitive Landscape: Managed Mobility Services.

Two factors continue to propel BYOD adoption in financial services, fueling the need for Zero Trust Security across every mobile device. The first is the need for real-time responsiveness from internal team members and the second is having every threat surface protected without degrading the time to respond to customers. Every CIO, IT and Product Management leader I’ve spoken with mention the race they are in to deliver mobile-first products and services early in 2020 that redefine their business.  With every identity being a new security perimeter, Financial Services firms are relying on Unified Endpoint Management (UEM), multi-factor authentication (MFA), and additional zero trust-enabling technologies as an integral part of their Enterprise Mobility Management (EMM) strategy. Their goal is to create a Zero Trust Security framework that protects every mobile device endpoint. Leaders in this field include MobileIron, who also provides zero sign-on (ZSO), and mobile threat defense (MTD) in addition to UEM and EMM solutions today.  The following are the key features every BYOD program needs to offer to stay secure, scale and succeed in 2020:

  •  Separation of business and personal data is a must-have in any BYOD security strategy. FinTechs who have the greatest success with BYOD as part of their digital initiatives are relying on Enterprise Mobility Management (EMM) to selectively wipe only the business data from a device in the event it is compromised.
  • An interactive, intuitive user experience that can be quickly customized at scale by role, department, and workflow requirements without impacting user productivity. Too often BYOD users have had to trade off having stronger security on their own devices versus using a company-provided smartphone to get remote work done. The best EMM and UEM solutions in the market today enable Zero Trust by treating every identity as a new security perimeter.
  • Define the success of a BYOD security strategy by how well it immediately shuts down access to confidential data and systems first. Being able to immediately block access to confidential systems and data is the most important aspect of securing any BYOD across a network.
  • Limit access to internal system resources based on the employee’s department, role, and function to eliminate the risk of confidential data ending up in a personal app. EMM solutions have progressed quickly, especially on the dimension of providing Zero Trust Security across BYOD networks. Look for an EMM solution that gives the administrator the flexibility of limiting mobile device access to a specific series of services and access points based on an employees’ role in a specific department and the scope of data they need access to.
  • Proven multi-operating system expertise and support for legacy internally created mobile applications and services. One of the main reasons BYOD is succeeding today as an enablement strategy is the freedom it gives users to select the device they prefer to work with. Supporting Android and IOS is a given. Look for advanced EMM and UEM solutions that also support legacy mobility applications. The best BYOD security solutions deliver device and application compatibility with no degradation in security or performance.

Conclusion – Why BYOD Strategies Need Zero Trust Now

Trust-but-verify isn’t working today. Attackers are capitalizing on it by stealing or buying privileged access credentials, accessing any system or database they choose. Financial Services firms fully expect their new products and services launching in 2020 to face an onslaught of breach and hacking attempts. Trust-but-verify approaches that are propagated across an enterprises’ BYOD base of devices using Virtual Private Networks and demilitarized zones (DMZ) impede employee’s productivity, often force login authentication. Trust-but verify doesn’t scale well into BYOD scenarios, leaving large gaps attackers can gain access to valuable internal data and systems. For BYOD users, trust-but-verify reduces productivity, delivers poor user experiences, and for new business models, slower customer response times.

By going to a Zero Trust Framework, Financial Services firms will be able to treat every identity and the mobile device they are using as their new security perimeter. Basing a BYOD strategy on a Zero Trust Framework enables any organization to find the correlation between the user, device, applications, and networks in milliseconds, thwarting potential threats before granting secure access to the device. Leaders delivering Zero Trust for BYOD include MobileIron, who provides endpoint management (UEM) capabilities with enabling technologies of zero sign-on (ZSO) user and device authentication, multi-factor authentication (MFA), and mobile threat detection (MTD).

Securing Multi-Cloud Manufacturing Systems In A Zero Trust World

Securing Multi-Cloud Manufacturing Systems In A Zero Trust World

Bottom Line: Private equity firms are snapping up manufacturing companies at a quick pace, setting off a merger and acquisition gold rush, while leaving multi-cloud manufacturing systems unprotected in a Zero Trust world.

Securing the Manufacturing Gold Rush of 2019

The intensity private equity (PE) firms have for acquiring and aggregating manufacturing businesses is creating an abundance of opportunities for cybercriminals to breach the resulting businesses. For example, merging formerly independent infrastructures often leads to manufacturers maintaining — at least initially — multiple identity repositories such as Active Directory (AD), which contain privileged access credentials, usernames, roles, groups, entitlements, and more. Identity repository sprawl ultimately contributes to maintenance headaches but, more importantly, security blind spots that are being exploited by threat actors regularly. A contributing factor is a fact that private equity firms rarely have advanced cybersecurity expertise or skills and therefore don’t account for these details in their business integration plans. As a result, they often rely on an outdated “trust but verify” approach, with trusted versus untrusted domains and legacy approaches to identity access management.

The speed PE firms are driving the manufacturing gold rush is creating a sense of urgency to stand up new businesses fast – leaving cybersecurity as an afterthought, if even a consideration at all. Here are several insights from PwC’s Global Industrial Manufacturing Deals Insights, Q2 2019 and Private Equity Trend Report, 2019, Powering Through Uncertainty:

  • 39% of all PE investors rate the industrial manufacturing sector as the most attractive for acquiring and rolling up companies into new businesses.
  •  The manufacturing industry saw a 31% increase in deal value from Q1 2019 to Q2 2019 with industrial manufacturing megadeals driving deal value to $27.4B in Q2, 2019, on 562 deals.
  • Year-to-date North American manufacturing has generated 184 deals worth $15.2B in 2019.
  •  Worldwide and North American cross-sector manufacturing deal volumes increased by 32% and 30% in Q2, 2019 alone.

PE firms are also capitalizing on how many family-run manufacturers are in the midst of a generational change in ownership. Company founders are retiring, and their children, nearly all of whom were raised working on the shop floor, are ready to sell. PE firms need to provide more cybersecurity guidance during these transactions to secure companies in transition. Here’s why:

How To Secure Multi-Cloud Manufacturing Systems in a Zero Trust World

To stop the cybercriminals’ gold rush, merged manufacturing businesses need to take the first step of adopting an approach to secure each acquired company’s identity repositories, whether on-premises or in the cloud. For example, instead of having to reproduce or continue to manage the defined rights and roles for users in each AD, manufacturing conglomerates can better secure their combined businesses using a Multi-Directory Brokering approach.

Multi-Directory Brokering, such as the solution offered by Privileged Access Management provider Centrify, empowers an organization to use its existing or preferred identity directory as a single source of truth across the organization, brokering access based on a single identity rather than having to manage user identities across multiple directories. For example, if an organization using AD acquires an organization using a different identity repository or has multiple cloud platforms, it can broker access across the environment no matter where the “master” identity for an individual exists. This is particularly important when it comes to privileged access to critical systems and data, as “identity sprawl” can leave gaping holes to be exploited by bad actors.

Multi-Directory Brokering is public cloud-agnostic, making it possible to support Windows and Linux instances in one or multiple Infrastructure-as-a-Service (IaaS) platforms to secure multi-cloud manufacturing systems. The following diagram illustrates how Multi-Directory Brokering scales to support multi-cloud manufacturing systems that often rely on hybrid multi-cloud configurations.

Manufacturers who are the most negatively impacted by the trade wars are redesigning and re-routing their supply chains to eliminate tariffs, so they don‘t have to raise their prices. Multi-cloud manufacturing systems are what they’re relying on to accomplish that. The future of their business will be heavily reliant upon how well they can secure the multi-cloud configurations of their systems. That’s why Multi-Directory Brokering makes so much sense for manufacturers today, especially those looking for an exit strategy with a PE firm.

The PE firms driving the merger and acquisition (M&A) frenzy in specific sectors of manufacturing need to take a closer look at how Identity and Access Management (IAM) is being implemented in the manufacturing conglomerates they are creating. With manufacturing emerging as a hot industry for PE, M&A, and data breaches, it’s time to move beyond replicating Active Directories and legacy approaches to IAM. One of the most important aspects of a successful acquisition is enabling administrators, developers, and operations teams to access systems securely, without massive incremental cost, effort, and complexity.

Conclusion

The manufacturing gold rush for PE firms doesn’t have to be one for cybercriminals as well. PE firms and the manufacturing companies they are snapping up need to pay more attention to cybersecurity during the initial integration phases of combining operations, including how they manage identities and access. Cybercriminals and bad actors both within and outside the merged companies are lying in wait, looking for easy-exploitable gaps to exfiltrate sensitive data for monetary gain, or in an attempt to thwart the new company’s success.

Sources:

Global industrial manufacturing deals insights: Q2 2019, PwC, 2019. A PDF of the study is accessible here (6 pp., no opt-in).

Private Equity Trend Report, 2019, Powering Through Uncertainty, PwC, February 2019, 80 pp., PDF, no opt-in.

%d bloggers like this: