Protecting agency assets begins with identity-centric security

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Craig McCullough,
Vice President of Public Sector
 

Connecting state and local government leaders

By Craig McCullough

|

A privileged-access management platform applies a unified and automated approach to identity, securing privileged sessions, users and assets.

The more IT environments become distributed, cloud-based and mobile, the more securing identities gravitates to the center of infosec strategy.

As Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency recently summed up for members of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board: “Identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary, and we need to start readdressing our infrastructures in that manner.”

No identities are more imperative to secure than those with privileged access to systems, data, applications and other resources. With the power to install and remove software, upgrade operating systems and modify and configure applications, privileged credentials and access can fast-track access to sensitive assets for an attacker or give malware the foothold it needs to spread and escalate an attack.

This calendar year kicked off with a succession of spectacular cyberattacks on government agencies and enterprises with implications that will ripple for years through the industry. The extent of the damage in the SolarWinds, Verkada and other attacks -- in many cases, perpetrated by nation-state actors -- may be not be fully grasped for years. Inadequate identity and access controls have continuously surfaced as a key theme of these breaches, just as they have in most breaches in the last decade.

In 2019, the Office of Management and Budget issued its Identity, Credentialing, and Access Management (ICAM) policy. It requires that agencies “shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems.” Now, identity-centric security, along with zero trust, can no longer be ignored. In fact, identity-centric security, particularly privileged-access management (PAM) controls, are also an essential piece of enabling a zero-trust architecture.

What is identity-centric security?

In an industry overstuffed with jargon, let’s back up for a moment and clarify what identity-centric security refers to. An identity-centric security approach encompasses both human and machine (application, software bots, etc.) identities and focuses on enabling the five As: authentication, authorization, access to data, auditing and accountability. This entails centrally managing roles, policies, access control and privileges across the disparate, far-flung pieces of today’s enterprises.

Identity-centric security is not meant to promote an identity-only security approach. Data security, application security and network security all remain important pieces and overlap each other. However, this approach recognizes identity security as the keystone of IT security in the modern computing environment.

Success with an identity-centric security strategy absolutely demands the knocking down of organizational silos and barriers to streamline identity management throughout the IT environment. Only with the integration of various directory services, applications, databases, networks and resources can organizations understand and enforce who users are, what they are allowed to do, where and with what they can do it and whether their actions are appropriate or not given the context.

PAM clarifies privileged identity and activity

Identity governance spans everything -- from onboarding and offboarding employees and contractors to managing privileged account credentials and derived cryptographic credentials, automated processes and multifactor authentication. It is also one of the main focus areas in the government’s Continuous Diagnostics and Mitigation program and ICAM architecture.

Although privileged-access management is arguably the most important technology area of this domain, protecting privileged credentials granularly enforces least privilege and monitors and manages every session involving privileged access -- whether human, machine, employee or vendor. After all, almost every attack today requires privilege for the initial exploit or to laterally move within a network.

PAM solutions can protect agencies by:

  • Implementing credential management best practices to prevent credentials from being stolen or misused.
  • Enforcing least-privilege across users, applications, systems, etc. to drastically reduce the attack surface and minimize potential lateral access pathways.
  • Ensuring elevated access is only given when contextual parameters are met and is immediately revoked after the activity is performed or the context has changed.
  • Securing remote access for employees or contractors -- without a VPN -- and enabling agencies to lock down access to cloud, virtual and DevOps control planes and other consoles.
  • Monitoring and managing every privileged session, providing an unimpeachable audit trail and the ability to pause or terminate suspicious sessions.

Identity-centric security with a PAM platform applies a unified and automated approach to identity, securing privileged sessions, users and assets. This reduces the attack surface and limits lateral movement from user- and device-impersonation attacks. It protects against any type of threat actor: nation-state, inside, external, human, machine and malware.

The path of least resistance is shifting

Managing the digital identity lifecycle of devices, human and machine identities and automated technologies is critical for mitigating risk because it helps ensure all digital identities are distinguishable, auditable and consistently managed across the agency.

Bad actors typically go after easy targets: unsuspecting users and unpatched and misconfigured systems. They target credentials that give them access to the data they want. When they pursue privileged credentials, they can gain broad access to critical systems, applications and even storage systems.

While threat actors have always taken the path of least resistance, that strategy has been shifting in the wake of digital transformation and the massive increase in remote work that have multiplied the number of privileges agencies need to manage. Yet here again, an identity-centric approach, leaning heavily on PAM, best positions agencies to address these risks. Agencies that have closed the paths of least resistance will find threat actors choosing an easier target.

NEXT STORY: Report: Phishing behind 70% of government breaches

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.