Pokémon Go is all the rage with my three kids: a tween, a teen and a young adult. At first I didn’t get the appeal. I would ask them, “What is the point of Pokémon?” And, they would answer, “Daaaad, you capture Pokémon with Poké Balls and there are ultra-rare ones like the Squirtle or the Mewtwo and you get berries and level them …(I sorta glaze over at this point).” Am I just being curmudgeonly (and, can you be curmudgeonly in your forties?), or could my kids break it down for me in a way that I would more easily relate to?
In a very similar way I believe that we, as IT security specialists, often answer the simple question of “What is the point of spending all of this money on enterprise security?” with a laundry list of enterprise boogeymen (hackers, attackers and state-actors oh my!) and complete with acronymic run-on sentences describing our grand plan of securing the enterprise with the likes IAM, IDaaS, AV, MDM, MFA, SSO, PUM, etc.
In the end, isn’t it much simpler to say, “We help reduce the (very real) risk to the enterprise.” Then, you can elaborate more clearly in what the risks are, why they are real to the business and what can be done to reduce them. This simple framework will provide you with a means to more effectively communicate the required security efforts to reduce risk to your enterprise:
The fact is, we live in a world where there are too many passwords that represent too much privileged access that are only protected by the very most basic authentication. The very first thing to acknowledge is the fact that too many passwords and too much privilege represent real risk to your enterprise. Facts:
- 43% of business experienced a data breach in the past year (Ponemon Cost of Data Breach Study).
- 63% of data breaches involved weak, default or stolen passwords (Verizon 2016 Data Breach Investigations Report).
- 80% of security breaches involve privileged credential misuse (Forrester Wave™: Privileged Identity Management, Q3 2016).
So you may be hacked, and it will likely involve passwords and privileged access. What are the next steps? Optimize your risk profile by implementing the following five best practices:
Reducing Cyber Risk Best Practice #1: Establish Identity Assurance
The Verizon report has a great quote: “Don’t get us wrong—passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”
The facts are that passwords are no longer effective as a means to secure anything of importance.
- Use two-factor authentication everywhere: This can limit the damage that can be done with lost or stolen credentials.
- Consolidate identities: Reduce disparate identity silos and leverage the existing technologies and skill sets you have in-house like Active Directory.
- Get SSO everywhere: Give secure access across apps and devices — based on a single identity for each user and a centralized policy from IT.
Reducing Cyber Risk Best Practice #2: Limit Lateral Movement
- Mitigate VPN risk: Look for solutions that allow VPN-less access to individual apps and systems versus granting broad access to corporate network.
- Automate app provisioning: Automate provisioning and de-provisioning to as many apps and systems as you can to ensure that no one has more access than he or she needs to do his or her job, thus reducing the potential impact of a breach.
- Automate access approval and move toward JIT access: Automate the request/approval cycle to speed provisioning/de-provisioning. This closes the loop and allows you to move toward a state where no user has access to until/unless they need it and only for as long as they need it.
Reducing Cyber Risk Best Practice #3: Enforce Least Privilege
- Implement Comprehensive Privileged Identity Management: Move beyond broad access to systems with privilege to a more granular system of command filtering and privilege elevation on demand. Users log in as themselves and only raise their privilege level for individual tasks when required.
- Grant just enough privilege and move toward JIT privilege: In the same way as controlling broad access, automate the request/approval cycle for privilege elevation thus moving toward a state of zero privilege granted only as needed in a time bound manner.
Reducing Cyber Risk Best Practice #4: Log and Monitor
- Record privileged user sessions: Capture everything a user did with privileged access and make it searchable and repayable. This helps with not only forensics but also documentation and training.
- Integrate with SIEM and related systems: Leverage existing systems for trouble ticket automation, security event alerting and threat analytics.
By using a simple framework in relatively business-oriented terms you are more likely to be effective in communicating where those precious dollars are being spent, which can lead to better alignment with business executives and their goals.
Now, if I could just level-up, I would be better at aiming those gosh darn Poké Balls and finally capture that dang Lickitung.
For more information on how Centrify can help you with reducing access risk across your apps and infrastructure check out our Centrify Identity Platform page.