Five security steps for CISOs now that everyone is a privileged user

By Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic

Mention the term “privileged user” to most IT professionals, and they might think of someone high up in an organisation, such as the CEO or another executive. Or they may think it’s something limited to IT or security admins. Until recently, this would have been a fair assumption. Privileged users were once administrators with specific privileged access to folders and files within a corporate network that were off-limits to anyone else within the organisation.

The arrival of cloud computing has changed all this. Adoption of cloud applications and infrastructure has accelerated, boosted this year by the pandemic, which has forced businesses to accommodate a dramatic rise in remote workers. Research by IT asset management firm Snow Software found that eight out of 10 businesses have increased their use of the cloud since the beginning of lockdown in March.

These cloud applications contain, in many cases, sensitive information, such as financial or customer data. Now, virtually everyone in a business uses applications that can access sensitive data via the cloud. It’s time to extend the term privileged user to include all business users and remote workers.

Cloud apps often confer on ordinary users the capacity not only to look at confidential information, but also to carry out tasks traditionally reserved for IT administrators. This includes changing passwords, adding and removing programs, or even changing IT infrastructure. If threat actors compromise any of these accounts, they gain a significant foothold on an IT network that will enable them to steal highly valuable assets.

As such, businesses should take action to ensure key corporate assets are available only to authorised users. To do this, there are five simple steps organisations can take:

1. Implement a least privilege approach

The first step is to adopt a least privilege approach where users are only permitted to access assets needed for their job. If a user needs expanded privileges to carry out a one-off task, this can be provided with Just in Time (JIT) access. The individual user is granted access for a specific amount of time. When time is up, access automatically expires. This greatly reduces the chances of a threat actor gaining substantial privileges from stealing the credentials of ordinary business users. Third-party supply chain partners are also a data breach risk, so businesses are applying the same least privilege principles here. Indeed, research by Thycotic found that a third of those implementing least privilege were doing so due to security threats from employees and third parties, such as contractors and suppliers.

2. Automate privileged user verification

The IT security team at an average mid-sized organisation receives several privileged access requests a day. However, the same team must assimilate and respond to many hundreds of threat alerts in a day. Consequently, it is more productive to automate the process of granting access than to do it manually every time.


Another problem with granting temporary permissions manually is that, with so many distractions and higher priorities, the rescinding of temporary access privileges is easily forgotten. Machine learning can help automate the process and eliminate human error. Permissions are granted based on specific rules for a limited period and expire when time is up. This frees up the IT security team to work on higher-level activities, while ensuring privileged access is locked down tight.

3. Consider an adaptive risk-based trust model

Although the least privilege approach is very effective at limiting access to sensitive information, it can adversely affect productivity. An adaptive risk-based trust model uses contextual information to assess whether to grant access to a particular user. This is especially useful when employees need to access a corporate system from an external device that least privilege policies would normally block. Instead of the user having to request permission from IT security, the system decides automatically, eliminating any need for human interaction.
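The three steps above (time-boxed least-privilege grants, automated expiry, and a context-based decision for requests from external devices) fit together in a small just-in-time access broker. The following is an added example written for this page, not code from the article or from Thycotic; the role names, privilege names, rule table, risk weights and thresholds are constructed assumptions, and the directory lookup is stood in for by a dictionary.

```python
# Added example (not from the article or Thycotic): a minimal just-in-time (JIT)
# privileged-access broker tying together the three steps above:
#   1. least privilege: default deny unless a rule exists, and every grant is time-boxed;
#   2. automation: a sweep revokes lapsed grants so nobody has to remember to rescind them;
#   3. adaptive trust: request context (device, network, time) shapes what is granted.
# Roles, privileges, weights and thresholds below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical rule table: (role, privilege) -> longest permitted grant.
JIT_RULES: Dict[Tuple[str, str], timedelta] = {
    ("finance-analyst", "billing-db:read"): timedelta(hours=2),
    ("finance-analyst", "billing-db:write"): timedelta(minutes=30),
    ("helpdesk", "user-directory:reset-password"): timedelta(minutes=15),
}
RISK_STEP_UP = 40                  # at or above: require MFA and shorten the window
RISK_DENY = 70                     # at or above: refuse automatically
REDUCED_TTL = timedelta(minutes=10)


@dataclass
class RequestContext:
    managed_device: bool   # corporate-managed endpoint?
    known_network: bool    # office or VPN address range?
    unusual_hour: bool     # outside the user's normal working pattern?
    mfa_passed: bool       # has the user completed step-up authentication?


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: datetime
    revoked: bool = False


def risk_score(ctx: RequestContext) -> int:
    """Additive context score; the weights are illustrative, not a vendor's model."""
    score = 0
    if not ctx.managed_device:
        score += 40
    if not ctx.known_network:
        score += 25
    if ctx.unusual_hour:
        score += 15
    return score


class JitBroker:
    def __init__(self, roles: Dict[str, str]) -> None:
        self.roles = roles            # user -> role, standing in for a directory lookup
        self.grants: List[Grant] = []
        self.audit: List[str] = []    # every decision is recorded for later review

    def request(self, user: str, privilege: str, ctx: RequestContext,
                now: datetime) -> Tuple[str, Optional[Grant]]:
        """Decide a JIT request: 'grant', 'grant-reduced', 'step-up' or 'deny'."""
        max_ttl = JIT_RULES.get((self.roles.get(user, ""), privilege))
        if max_ttl is None:                       # no rule -> default deny
            self.audit.append(f"{now.isoformat()} deny {user} {privilege} no-rule")
            return "deny", None
        score = risk_score(ctx)
        if score >= RISK_DENY:
            self.audit.append(f"{now.isoformat()} deny {user} {privilege} risk={score}")
            return "deny", None
        decision, ttl = "grant", max_ttl
        if score >= RISK_STEP_UP:
            if not ctx.mfa_passed:                # adaptive: ask for more proof, not a ticket
                self.audit.append(f"{now.isoformat()} step-up {user} {privilege} risk={score}")
                return "step-up", None
            decision, ttl = "grant-reduced", min(max_ttl, REDUCED_TTL)
        grant = Grant(user, privilege, now + ttl)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} {decision} {user} {privilege} until {grant.expires_at.isoformat()}")
        return decision, grant

    def expire(self, now: datetime) -> int:
        """Automated revocation sweep; returns how many grants lapsed on this pass."""
        lapsed = 0
        for g in self.grants:
            if not g.revoked and g.expires_at <= now:
                g.revoked = True
                lapsed += 1
                self.audit.append(f"{now.isoformat()} expired {g.user} {g.privilege}")
        return lapsed

    def is_authorised(self, user: str, privilege: str, now: datetime) -> bool:
        """Enforcement check: only an unexpired, unrevoked grant counts."""
        self.expire(now)
        return any(g.user == user and g.privilege == privilege and not g.revoked
                   for g in self.grants)


def run_scenario() -> Dict[str, object]:
    """Walk the broker through routine and risky requests (constructed data)."""
    t0 = datetime(2020, 11, 2, 10, 0, tzinfo=timezone.utc)
    broker = JitBroker({"alice": "finance-analyst", "bob": "helpdesk"})
    office = RequestContext(True, True, False, False)
    home_laptop = RequestContext(False, True, False, False)      # unmanaged device, no MFA yet
    home_laptop_mfa = RequestContext(False, True, False, True)   # same device after step-up
    cafe_night = RequestContext(False, False, True, True)        # unmanaged, unknown net, odd hour
    out: Dict[str, object] = {}
    out["office"] = broker.request("alice", "billing-db:read", office, t0)[0]
    out["office_live"] = broker.is_authorised("alice", "billing-db:read", t0 + timedelta(hours=1))
    out["office_lapsed"] = broker.is_authorised("alice", "billing-db:read", t0 + timedelta(hours=2))
    out["no_rule"] = broker.request("bob", "billing-db:read", office, t0)[0]
    out["unmanaged_no_mfa"] = broker.request("alice", "billing-db:write", home_laptop, t0)[0]
    decision, grant = broker.request("alice", "billing-db:write", home_laptop_mfa, t0)
    out["unmanaged_mfa"] = decision
    out["unmanaged_mfa_minutes"] = int((grant.expires_at - t0).total_seconds() // 60)
    out["high_risk"] = broker.request("alice", "billing-db:write", cafe_night, t0)[0]
    out["audit_lines"] = len(broker.audit)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is that the default is deny: a missing rule, not a missing ticket, is what blocks access, and the only things a human is asked for are the rule table and, in the risky case, a second authentication factor. The expiry sweep runs on every authorisation check, so a forgotten grant can never outlive its window, and the audit list gives the security team the record they need to review decisions after the fact.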

4. Avoid complex security solutions

Key advantages of moving business to the cloud are improved productivity and ease of use. It is important that security measures are imperceptible and don’t get in the way of business users doing their jobs. They must also be intuitive for time-pressed security teams to use. Desirable characteristics include a comprehensive user interface, enhancements to existing systems, and adaptability and scalability.

5. Implement flexible solutions

An organisation’s cloud infrastructure is constantly changing, and security measures must be able to keep up. Platforms meant for conventional on-premises use are typically not designed to do this. Cloud-based security infrastructures must be interoperable with a security ecosystem that protects an ever-evolving and expanding cloud environment. Now that everyone is effectively a privileged user, organisations need to take action to prevent cloud-based accounts belonging to remote workers from becoming a security risk. Using automation to determine who can access what, when and for how long ensures that these accounts remain safe without putting an extra burden on security teams or presenting unnecessary barriers to users.