When COVID-19 hit, many organisations had to accelerate digital transformation overnight and security strategies were placed under the spotlight. Now, with privileged access management giving malicious hackers more opportunity to exploit organisational vulnerabilities, businesses are repeatedly putting themselves at risk of exposed assets, costly damage and a difficult path to recovery.
In a new era of cloud-first strategies and moves to Azure Active Directory, 90% of organisations worldwide have concerns about storing access credentials in the cloud. In addition, many organisations struggle with the complexity of their environments, leaving gaps that are vulnerable to attack. Members gathered on Zoom to discuss how to utilise zero trust frameworks and how to streamline access processes to drive business continuity and operational agility.
OUTLINING THE ZERO TRUST FRAMEWORK
Rob Byrne, Field Strategist at One Identity, set the scene for the morning by outlining the concept of zero trust and least privilege access. For many organisations today, there is a tension between security and agility, with a mindset that you can’t have both: if agility goes up, security has to come down and vice versa. The challenge that organisations face today is getting both security and agility to a high level. Developing an agile security policy not only minimises security risks, but also facilitates ease of user access and operational efficiency. To do this, however, the business needs to view security as a business enabler, and not a strait-jacket.
When it comes to Zero Trust Architecture (ZTA), the strategy is to assume a breach and subsequently focus on containment. Key features of this framework include:
- Least privilege access: privileges are reduced to a minimum
- Dynamic: access is constantly changing based on what is necessary
- High risk: dealing with a multiplicity of identities means that there are more risks associated with activity
- Audit and monitoring: constant monitoring is required to ensure that systems are running as they should
For CISOs in 2021, the problem is not a lack of resources: 30% say that their budget is higher than expected and 50% say that their current security technologies are not fully utilised. The core issues for CISOs are breaches (prevention or containment? reducing breach duration), cloud adoption (what is the best SaaS model for us to adopt? is the cloud secure?), navigating change (assuming risk, remote work, innovation), and operational excellence (automation, AI, data quality). The key is to be agile while understanding that there is a lot at stake.
Next, we heard from Joe Matthewson, Senior Identity Access Manager at Sky Betting and Gaming, who shared his story of leading an InfoSec team of 3 identity specialists to onboard tens of thousands of users onto an identity management system. As a team, they aimed to:
- Implement, maintain and monitor the user lifecycle
- Identify, perform and report on risk assessments across the business
- Continually seek ways to automate the manual process
When it came to seeing these activities come to fruition, 78% of all requests were automated. Frequent requests within the One Identity platform were AD password resets, Next SG to PG, OpenBet password reset, creating a PG group and AD account unlock. By August 2020, all of these bar one had automated responses. Joe outlined how automation was key to their success, as well as the ease of use for business users within the organisation. There was a significant reduction in the time taken to raise a request, as well as users having the ability to raise one request for multiple users.
Finally, in terms of reducing privileged access, Joe explained that they worked on a time-based access model. A user would submit a request for access, the system would wait for the right time to give access, and once the user had had access for a certain amount of time, the system would remove it. This demonstrates agile business enablement as well as reduced risk of breach.
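The time-based model described above can be sketched as a reconciliation loop. This is an added example, not Sky Betting and Gaming's or One Identity's implementation; the `AccessRequest` class, the `reconcile` and `simulate` functions, and the sample users and group are hypothetical, and it assumes the group is managed only through this workflow.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AccessRequest:
    user: str            # constructed sample identity
    group: str           # constructed privileged group name
    start: datetime      # when access should begin
    duration: timedelta  # how long access may last

    @property
    def end(self):
        return self.start + self.duration

def state(req, now):
    """PENDING before the window, ACTIVE inside it, EXPIRED from the end onwards."""
    if now < req.start:
        return "PENDING"
    return "ACTIVE" if now < req.end else "EXPIRED"

def reconcile(requests, current_members, now):
    """Compare approved windows with actual membership.

    Returns (to_grant, to_revoke) as sets of (user, group). Any member not
    covered by an active window is revoked, so access added outside the
    workflow is removed too (assumes the workflow is the only legitimate source).
    """
    entitled = {(r.user, r.group) for r in requests if state(r, now) == "ACTIVE"}
    return entitled - current_members, current_members - entitled

# Constructed sample data: two approved requests for the same group.
T0 = datetime(2021, 6, 1, 9, 0)
REQUESTS = [
    AccessRequest("alice", "db-admins", T0 + timedelta(hours=1), timedelta(hours=2)),
    AccessRequest("bob", "db-admins", T0, timedelta(minutes=30)),
]

def simulate(ticks):
    """Run reconcile at each tick and record what was granted and revoked."""
    members, log = set(), []
    for now in ticks:
        grant, revoke = reconcile(REQUESTS, members, now)
        members = (members | grant) - revoke
        log.append((now.strftime("%H:%M"), sorted(grant), sorted(revoke)))
    return members, log

if __name__ == "__main__":
    for entry in simulate([T0 + timedelta(minutes=30 * i) for i in range(8)])[1]:
        print(entry)
```

Because revocation is computed from current membership rather than from a stored "grant" event, a missed scheduler run is corrected on the next tick instead of leaving standing access behind.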
MAINTAINING AGILITY AND SCALE IN HYBRID ENVIRONMENTS
Members then went into discussion groups to delve into these areas further. One group focused on securing access in cloud, hybrid and on-prem environments while the other group explored how to maintain agility through least privilege access.
For the group looking at cloud, several members highlighted the impact that the complexity of their environments has on their security strategies. When asked what their cloud setups were, most of the group said that they were using hybrid cloud, rather than exclusively on-prem or private/public cloud. This complexity creates huge challenges when security teams are trying to instigate change, on top of the issues already raised by cloud migration/adoption across the organisation.
A reactive approach to security also seemed to be a common issue faced, with many organisations only addressing security risks when something actually goes wrong. As Rob had outlined in his presentation, an attitude that assumes breach and puts measures in place accordingly is the most effective when it comes to fully covering all potential issues in the organisation.
For the group looking at agility, the key issues were how to achieve security at scale and how to leverage automation. Many members faced the challenge of working in global organisations, and navigating different jurisdictions when it comes to data protection and access. On the automation side of things, members discussed the importance of getting away from unreliable manual processes. One member highlighted how ad hoc activity, third-party contractors, and other personas dipping in and out of the system can create “nothing short of chaos!” - a sentiment met with nods of agreement.
For cybersecurity leaders, changing mindsets towards security is the biggest challenge faced, as well as maximising the potential of the investment made in identity and access management tools. As organisations emerge from lockdown and return to the office, security teams will be faced with a new era to adapt to, and will need to bring business users with them on that journey.
This event was in partnership with One Identity, a solution provider for identity and access management tools.