By Bhagwat Swaroop, President and General Manager, One Identity
The long wait is finally over; people everywhere are getting vaccinated and organisations are beginning to prepare for a mass return to the office. The new ‘normal’ has shifted and while many companies will welcome their employees back full-time, others will be introducing a new hybrid working-environment, in which employees have the option to continue logging onto their networks remotely. This, however, produces ample opportunity for cyber-criminals to exploit an expanded attack surface, which will potentially be riddled with new vulnerabilities. Consequently, companies will need to race to secure their perimeters, accounts and data sufficiently in order to avoid a breach. Their best tactic, in this case, is to revisit their privileged access policies.
Access to privileged credentials must be limited to the specific employees who need it. If this last year has taught us anything, it is that cybercriminals will always take advantage of excess entry points to gain unauthorised access to a company's network. In fact, credential-based attacks surged over the past year, driven by the shift to remote working. Therefore, when companies begin implementing their hybrid work model, it is vital that they assess which employees have privileged access, and for how long.
Granted, privileged credentials are necessary for some employees to do their jobs. That access, though, should not extend beyond the time needed to complete the task. A report published by Forcepoint makes clear that many companies fall short here: nearly half of privileged users access confidential company data merely out of curiosity, and roughly the same proportion report being pressured into sharing their access rights with others in their organisation. Unnecessary access therefore creates a gap in the company's network that makes a successful breach easier for an attacker.
With the return to the office closer than ever, there are several best practices companies can implement to protect themselves better and improve their identity-centric security:
Education: The first step is to educate employees on the importance of strong, unique passwords. The longer and less predictable a password, the harder it is for an attacker to guess or crack, and a password that is not reused elsewhere cannot be replayed from another site's breach. This is an easy yet effective way for organisations to protect themselves, as individual accounts can hold a lot of sensitive data and information. Passwords must be unique to each account, and an authenticator app can add an extra layer of security.
Multi-factor Authentication (MFA): MFA should be a minimum requirement. The second factor can be a one-time PIN, a physical security key or biometric verification; whichever form is used, it is vital to securing accounts, and physical security keys resist phishing in a way that one-time codes do not. If a password is stolen or guessed, MFA can still block unauthorised access to company data and sensitive information, giving the company a far better chance of keeping cyber criminals out.
Zero Trust and Least Privilege: A zero trust framework is designed to eliminate vulnerable permissions, specifically unnecessary and excessive access, and instead to grant specific rights through granular provisioning. This goes hand in hand with least privilege, the keystone of zero trust, under which individuals are given only the specific privileges they need to do their jobs. All permissions must be time bound and grant access only to the credentials that are strictly necessary. Companies should never give their employees, or more importantly cyber criminals, room to take advantage of excess permissions; instead they should use flexible solutions that make these permissions easier to manage.
Last but not least, Identity-centric Security: Many companies have already moved to the cloud to make it easier for employees to access their accounts, files and data from anywhere. That move, however, complicates the provision of adequate security. This is where identity-centric security comes in, helping organisations implement a zero-trust framework. Security teams should create a unified identity model that governs every identity in the company. Identities are not limited to human beings: they are also tied to applications, data and bots, and those permissions must be restricted in the same way. Most importantly, companies should use solutions that help them identify unauthorised access on their network and manage all permissions efficiently.
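The two points above, time-bound least-privilege permissions and spotting access that no current grant covers (including for non-human identities), are easier to reason about with something concrete. The following is an added example, not code from the article or from One Identity: it models a grant as a principal, a resource, an explicit set of actions and an expiry, checks each access against the grants that were valid at that moment, and reviews a handful of constructed log lines. All user names, the resource path, the log format and the timestamps are assumptions made for the illustration.

```python
"""
Time-bound, least-privilege grants with an access check and a log review.
Added example, not from the original article. All principals, resources,
timestamps and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str          # human user or non-human identity (bot, service account)
    resource: str           # e.g. "hr/payroll"
    actions: Set[str]       # explicit set, e.g. {"read"}; no wildcard by default
    expires_at: datetime    # every grant is time bound


def is_authorized(grants: Iterable[Grant], principal: str, resource: str,
                  action: str, now: datetime) -> bool:
    """Allow only if an unexpired grant covers exactly this principal, resource and action."""
    return any(
        g.principal == principal
        and g.resource == resource
        and action in g.actions
        and now < g.expires_at
        for g in grants
    )


def parse_log_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse the constructed format 'ISO-timestamp principal action resource'."""
    ts, principal, action, resource = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, principal, action, resource


def find_unauthorized(log_lines: Iterable[str], grants: Iterable[Grant]) -> List[str]:
    """Return every log line whose access was not covered by a grant valid at that time."""
    grants = list(grants)
    flagged = []
    for line in log_lines:
        when, principal, action, resource = parse_log_line(line)
        if not is_authorized(grants, principal, resource, action, when):
            flagged.append(line)
    return flagged


# Constructed data: a two-hour just-in-time grant for a person and a
# one-day grant for a backup bot, both limited to read on one resource.
T0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)

GRANTS = [
    Grant("alice", "hr/payroll", {"read"}, T0 + timedelta(hours=2)),
    Grant("backup-bot", "hr/payroll", {"read"}, T0 + timedelta(days=1)),
]

LOG = [
    "2021-06-01T09:15:00Z alice read hr/payroll",       # inside window: allowed
    "2021-06-01T11:30:00Z alice read hr/payroll",       # grant expired: flagged
    "2021-06-01T09:20:00Z alice write hr/payroll",      # action not granted: flagged
    "2021-06-01T09:25:00Z bob read hr/payroll",         # no grant at all: flagged
    "2021-06-01T10:00:00Z backup-bot read hr/payroll",  # bot within its grant: allowed
]

if __name__ == "__main__":
    for entry in find_unauthorized(LOG, GRANTS):
        print("UNAUTHORIZED:", entry)
```

The check is deliberately exact-match: a grant names one principal, one resource and an explicit action set, so a read grant never implies write, and an expired grant is treated the same as no grant at all. Running the review over a real access log with the grants that a PAM or identity-governance system records would surface the same three classes of finding (expired grant, action outside the grant, no grant), which is the "identifying unauthorised access" the section calls for.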
Achieving zero trust should be the end goal for every organisation as society moves toward a hybrid working model. While security teams must reassess employees' privileged access, all employees must take an active role in company security by learning how they can help create a more secure environment and prevent attackers from breaching their systems. Identity-centric security will be the binding factor, allowing companies to reach a zero-trust, least-privilege framework that protects the entire organisation from unauthorised access and potential breaches.