Identity Security Tips to Protect Your Turf

March 31, 2022 CyberArk Blog Team

Identity Security and Lawncare

You spent the entire afternoon manicuring your front lawn. But within an hour three kids, your neighbor and the DoorDash guy all trampled over it to get to your door. That’s despite the KEEP OFF sign in the middle of the lawn. So next time, you post two signs … then three … then four … Same result.

Enterprise IT security teams can experience similar frustration when working to manage identities and protect privileged access across their ever-expanding, hybrid IT estates.

Logical and physical barriers simply can’t keep cyber attackers from entering the network. Warning signs haven’t stopped workers who just want to: Get. Things. Done. To revisit our lawn metaphor, menacing signs haven’t kept visitors off your grass. So, what can you do? Stop with the signs and get proactive and comprehensive about your lawncare — and Identity Security — regimen.

Rethink who and what needs to come and go. You want honeybees to meander through your prized rose bushes. Bunnies are welcome to hop by anytime, so long as they keep out of the garden. But groundhogs? Nope. The problem is these creatures can’t read your signs.

The concept of “identity” has evolved. It used to be easy to pinpoint a group of IT administrators who needed privileged access. Once upon a time, these users worked in dedicated office locations protected by physical walls and firewalls. But nowadays, many non-IT users have direct access to sensitive data and systems, often through web applications, which they access from numerous devices and locations. “Identity” also encompasses the illogical: it’s not just about protecting human access. In zero-perimeter environments, machine identities need to be protected; applications must be authenticated; and DevOps secrets must be managed securely. In this landscape, any identity — human or machine — can become privileged under certain circumstances.

These considerations necessitate more granular defense-in-depth control over individual identities. An essential first step is to unify strong authentication mechanisms — such as adaptive single-sign on (SSO) and multi-factor authentication (MFA) — with Privileged Access Management (PAM) to consistently enforce least privilege security controls across all identities, devices and IT assets.

Remember your “rules” sometimes change. Your neighbors’ dog is a hole-digging menace and generally blocked from your yard. But his owners are great friends who often stop over, sometimes bringing their pooch over to play with yours. So, whether you like it or not, the neighboring dog’s “access permissions” to your yard sometimes change.

IT security processes should be just as dynamic as the IT processes they aim to protect. For instance, just-in-time (JIT) access provisioning makes it possible to grant an identity elevated access to only the right resource, at only the right time — making it a cornerstone of Zero Trust access initiatives. JIT access can be particularly useful in cloud and hybrid environments: by utilizing attribute-based access control (ABAC) policies from public cloud providers, JIT capabilities can intelligently provision access only to infrastructure assigned with a specific tag.

Solutions that provide granular Identity Security controls for all forms of access — shared and federated, standing and just in time — can help drive operational efficiencies for security programs. When coupled with behavior-based analytics, they can help eliminate unnecessary authentication steps to optimize user experiences for all human identities — internal employees and external third parties.

Anticipate areas of high foot traffic in your yard. Spend the bulk of your time and Home Depot budget strengthening the grass in these sections to make it more resilient.

A prime cybersecurity example: attackers seek out privileged users, not just IT administrators but also developers and other business users with high levels of access, as the path of least resistance. It’s important to first identify the internal and external parties that directly touch valuable company systems and data. Then focus on strengthening protections around these privileged users with risk-based credential management and session management controls, targeted cybersecurity training and other Privileged Access Management considerations.

Strengthen your lawn from the soil up by fertilizing, reducing thatch and mowing high.

Maintaining a healthy root system is a lot like securing an IT environment. At enterprise scale, Identity Security must be defense-in-depth. There are fundamental cybersecurity practices you just can’t skip over, like locking down endpoints — from employee workstations to servers — by removing local admin rights or adding credential theft VM protection and application control policies to block attackers from reaching their goals.

Reassess your landscape continuously. Maybe your fence and garden net system worked well last year, but this spring, the skunks have found new ways in and are digging holes everywhere in search of tasty grubs.

The security controls you rolled out three years ago may not be suited to handle your hybrid IT landscape today. Build in processes that allow you to constantly reassess Identity Security policies and considerations for all identities — from new employees to inactive third-party vendors — across on-premises systems, SaaS and public cloud environments.  Otherwise, you may quickly find more intruders digging around.

Take back your weekends. You want a pristine, healthy lawn. But you don’t want to spend your free time pushing a mower and keeping watch from your porch. Find ways to make life easier by automating the hard work: point a camera over your flowerbed, put in an irrigation system —you’ll save time and resources in the long run.

Comprehensive security doesn’t have to mean more work. Look for every opportunity to automate manual, time-intensive security tasks. Similarly, bring threat detection capabilities into the fold that can automatically alert on risky behavior such as an anomalous login attempt, the entry of a sensitive command in a privileged session or the creation of a new cloud IAM account with administrative privileges. These processes can help keep your Identity Security program and team focused and effective.

In a changing landscape, avoid “security theater.” Putting up more signs in your yard won’t change behavior — just as securing identities and managing privileged access can’t be reactive or piecemeal. It must be approached as a holistic effort with a consistent philosophy that encompasses all identities, from the endpoint to the cloud, throughout their lifecycle. Otherwise, you may as well shout “Get off my lawn!” at your computer screen.

Previous Article
4 Ways to Strengthen Your Identity Provider with Defense in Depth
4 Ways to Strengthen Your Identity Provider with Defense in Depth

Some of the world’s most technologically advanced enterprises have grappled with identity-related breaches ...

Next Article
CyberArk PAM Telemetry Tool
CyberArk PAM Telemetry Tool

The CyberArk PAM Telemetry tool enable customers to track their usage of the CyberArk Privileged Access Man...