Reduce Compliance Complexities by Securing All Identities

November 20, 2023 John Natale

When complying with regulations and frameworks, it’s hard to keep up when the rules keep evolving.

Auditors are no longer just seeking reports on what your identities can access – they now require proof that you have controls for securing those identities (like a math assignment, you have to show your work).

And if a framework or regulation’s requirements previously focused on highly privileged IT users’ access … that’s evolving too. While foundational PAM controls and reporting will always be essential, now you must apply the requirements to a broader range of human and non-human identities across any environment.

What does this expanded focus look like? Here are a few examples:

The NIS2 directive emphasizes strengthening security for critical infrastructure sectors, which are increasingly reliant on cloud infrastructure and operational technology (OT), two areas full of frequently-targeted identities.
The Digital Operational Resiliency Act (DORA) calls upon financial services companies to apply security oversight to internal users and third parties (e.g., vendors) with high-risk access.
The NIST Secure Software Development Framework requires that software developers and procurers attest to adequate and proper security features, including identity management.

Meanwhile, the stakes of security compliance keep rising. The average cost of a data breach increases by as much as 12.6% when an organization is found to be non-compliant:

Average cost overall: $4.45 million
Average cost when non-compliant: $4.67 million
Average cost when highly non-compliant: $5.05 million

The good news is that there’s a direct correlation between strong controls and strong compliance. With the right capabilities for discovering, securing and reporting high-risk access, you can achieve a proactive stance to meet regulatory demands. In this post, we’ll explore some key steps you can take.

Discovering and Assessing High-Risk Access

You can’t protect (or report on) what you can’t see. And that’s why it’s so concerning that 62% of security decision-makers lack a complete picture of human and non-human access to sensitive resources.

Let’s look at a few examples of how discovering high-risk access can bolster your visibility, security, and, in turn, compliance posture.

One place to start: conduct an inventory of all accounts with administrative or elevated privilege to systems, apps, servers, networks and more. Another critical step is discovering privilege across your organization’s myriad endpoints, like workstations and servers. These are fundamental types of visibility; many organizations are accustomed to them.

But when we delve into new types of identities and environments, compliance becomes more difficult.

For example, developers and cloud ops teams are often over-permissioned with direct access to sensitive resources as their organizations rush to innovate. A CyberArk analysis of the three major cloud service providers shows that a user can access approximately 1,400 native services that, collectively, have over 40,000 access controls.

As part of their compliance programs, security teams should lean into cloud complexities and discover the following:

Over-permissioned IAM roles and excessive permissions.
Toxic combinations of permissions allowing privilege escalation or lateral movement.
Unmanaged shared accounts and their myriad dependencies.
Hard-coded credentials for developers working in the cloud.
Everyday employees’ access to business applications.

In many cases, it’s up to you to interpret compliance requirements and guidelines in the context of new identities, environments and threats (these variables won’t necessarily be mentioned by name in a 100-page regulatory document). In other cases, the direction may be clear-cut, calling out specific areas like virtual infrastructure. Regardless, high-risk access – in all its shapes, forms and locations – requires fierce protection.

Security compliance is evolving. Any identity can become privileged based on what it can access. This graphic shows three examples of requirements and guidelines that call for a comprehensive identity security mindset.

Implementing and Demonstrating Identity Security Controls

As mentioned, giving auditors a report on what you’ve discovered is only part of the job. You must demonstrate that you have strong controls in place to reduce risk and build organizational resilience against attacks.

Let’s say you’ve completed an inventory of high-risk across privileged IT users and accounts. Your next step is securing that privileged access. This starts with creating policies and implementing controls around password length, complexity, storage and rotation schedules. The work continues with steps such as enabling just-in-time (JIT) access and requiring multi-factor authentication (MFA).

What comes next after you’ve finished discovering privilege across your organization’s endpoints, like workstations? Here, a near-term priority would be revoking local administrator rights. An essential next step would be implementing capabilities to elevate privileges for authorized applications or tasks. These are effective ways to protect against ransomware – and great proof points for auditors to demonstrate progress.

As mentioned, even if securing access in the cloud isn’t explicitly described in a regulation – you’re still on point to bring entitlements and roles into compliance. Where to start? Consider applying a fast-emerging security principle known as zero standing privileges (ZSP), which – among many benefits – can help your organization by:

Reducing the risk of credential theft by preventing standing access.
Enforcing real time least privilege in the cloud by granting only the relevant permissions a user needs – and only when required – to accomplish a given task.
Invalidating developer secrets that are embedded into code.

Gaining Nonstop Visibility Across Identities

You can build upon the findings from your initial discovery process with ongoing, real-time visibility into the access (and actions) of identities across your organization.

This is where it’s essential to look beyond siloed categories of controls or tools. We recommend an integrated identity security approach, where the underlying solutions can share information, act on insights and provide a unified view of audit data across all forms of human and non-human access.

With this approach, you can gain a comprehensive view of who has privileges and authorization to what resources, with capabilities for discovering, adjusting, certifying and revoking access.

With identity security, you can bring together:

Session recordings and audit trails for high-risk scenarios – applied to highly privileged IT users and third-party vendors or workforce users in web applications storing sensitive data.
User behavior analytics for building a knowledge of each user’s access behavior, authentication history, and anomalous activity.
Audit trails to track and analyze privilege elevation attempts for human users and applications, enabling continuous visibility and control over endpoints.
Integration with security information and event management (SIEM) tools for collecting/exporting log data.

Gaining Efficiencies to Help Overstretched Security Teams

Improved visibility and controls can help you build a proactive stance to meet auditors’ requirements. But how do you account for the limitations many organizations have regarding time, bandwidth and staffing?

For example, research shows that the mean time for organizations to identify a data breach is 204 days. And yet, the SEC now requires public companies to report attacks within four days of determining an incident is “material.”

How can organizations be proactive when timelines are tighter than ever?

Organizations can gain back time and potentially save money by applying automated capabilities to replace resource-intensive, manual tasks that often bog down security teams. This includes automating governance processes to ensure checks and balances are in place for maintaining compliance.

For example:

Continuously enforcing least privilege with access reviews and certifications scheduled for recurring dates.
Integrating access certification processes with your privileged access management (PAM) program and generating detailed logs and reports for audits.
Continuously discovering which identities have access to specific privileged accounts and sensitive resources.

Building Compliance Strategies to Earn Auditors’ Trust

Visibility and controls can’t exist in a vacuum; they need to be part of a strategy that you can communicate to auditors. Here are three key building blocks for developing a compliance program that reflects today’s realities.

1. Discover and Plan
As mentioned, you can only secure and protect what you know. This part goes beyond an inventory or system discovery process to include:

Engaging in dialogue with relevant teams (application, support, etc.) to understand how they currently work.
Documenting their systems and access – but also ensuring they’re on board early. Successful adoption requires winning hearts and minds.

2. Implement and Rollout
If you’re regulated or if external auditors have called out gaps in controls, focus your implementation on a combination of:

Prioritizing critical systems and reducing complexity, e.g., avoid getting bogged down by low-priority, high-complexity use cases.
Employing automation from the implementation, e.g., automated checks and balances, to ensure recurring access certifications.

3. Expand and Communicate
You can’t do everything on day one. But in the same breath, attackers only need one gap to breach and wreak havoc. A proactive approach means building:

A clear plan for how you intend to bridge gaps identified in your discovery process. Audits and reviews are always a work in progress.
An implementation roadmap for a) progression tracking and b) open dialogue with regulators to discuss plans, goals and gains.

Building a Proactive Compliance Approach Centered on Identity Security

The best practices we’ve discussed apply to a wide range of frameworks and regulations across industries and geographic regions. No matter what, the connection between a strong security posture and a strong compliance program is clear. If you have full visibility into what your identities can access, complemented by controls for securing that access, you’ll be in a much better place to meet auditors’ requirements.

If you’d like to learn more, here are two resources that can help you:

Watch our webinar, “How to Achieve Continuous Audit and Compliance with PAM.”
Download the CyberArk Blueprint for Identity Security Success.

John Natale is a senior content marketing manager at CyberArk.

Cybersecurity Predictions for 2024 and Beyond

Many of us took ChatGPT for a first-time spin just 12 months ago. Then someone hit the speed multiplier but...

How Telecom Providers Can Bolster Identity Security to Meet the UK TSA

As technology evolves, so do the threats that loom over our communication infrastructure. The rollout of 5G...

Up Your Security I.Q. by Checking Out Our Collection of Curated Resources.

Reduce Compliance Complexities by Securing All Identities

Discovering and Assessing High-Risk Access

Implementing and Demonstrating Identity Security Controls

Gaining Nonstop Visibility Across Identities

Gaining Efficiencies to Help Overstretched Security Teams

Building Compliance Strategies to Earn Auditors’ Trust

Building a Proactive Compliance Approach Centered on Identity Security

Previous Article

Next Article

STAY IN TOUCH

Reduce Compliance Complexities by Securing All Identities

Discovering and Assessing High-Risk Access

Implementing and Demonstrating Identity Security Controls

Gaining Nonstop Visibility Across Identities

Gaining Efficiencies to Help Overstretched Security Teams

Building Compliance Strategies to Earn Auditors’ Trust

Building a Proactive Compliance Approach Centered on Identity Security

Previous Article

Next Article

Recommended for You

Not too long ago, when I was designing, building, operating and defending networks, the government organizations I worked with were burdened with many tasks related to deploying a new capability....

In the past, many security teams considered securing secrets enough – if your secrets were secured, you were good. While you’re still kind-of-good staying on this course, security professionals...

In the throes of the Fourth Industrial Revolution, the manufacturing sector stands at the crossroads of groundbreaking innovation and an ever-growing shadow of cyberthreats. IT modernization has...

You’ve undoubtedly heard Michael Jordon’s famous quote, “Talent wins games, but teamwork and intelligence win championships.” Jordan’s words encapsulate the fruition of team spirit and strategic...

Simply put, APIs (short for application programming interface) are how machines, cloud workloads, automation and other non-human entities communicate with one another. They also represent an...

In the past few years, we have witnessed a significant shift in the attack landscape, from stealing clear text credentials to targeting session-based authentication. This trend is driven by the...

In the automotive industry’s fast lane, the fusion of digital innovation with vehicular engineering has revolutionized how we manufacture, drive and protect our vehicles. It also helps to ensure...

With over 50 countries heading to the polls this year, including major economies like the U.S., India and the U.K., 2024, one way or another, will be a defining year with over 4 billion voters...

Now is the time. It’s been over 30 years since the introduction of the first web browser. Since then, the browser has evolved into an application that allows us to stream entertainment, work and...

“It’s discouraging to try to be a good neighbor in a bad neighborhood.” –William Castle This quote from the late American horror film director has recently been running through my head as I think...

I’m honored to share that CyberArk is FedRAMP® High Authorized and ready to support U.S. federal agencies in securing access to critical government data and systems, meeting Zero Trust mandates...

After a decade in the making – or waiting, as the case may be – the National Institute of Standards and Technology (NIST) has released the first major revision to its Cybersecurity Framework...

In the modern digital landscape, cybersecurity isn’t just a technical challenge – it’s a business imperative. At the heart of cybersecurity is identity security – the principle that the right...

In today’s rapidly evolving digital landscape, organizations confront a formidable array of cyber threats, with attacks and data breaches becoming increasingly prevalent. As businesses embrace...

A popular topic of conversation in my day-to-day work is how to secure privileged access to cloud management consoles and workloads. And that’s no surprise, considering more and more applications...

Just like a snagged strand can ruin your garment, overlooking the security of machine identities can tear the very fabric of Zero Trust that protects your organization from bad actors. As a quick...

With new identities, environments and attack methods dominating today’s threat landscape, cybersecurity leaders are hyper-focused on securing identities to safeguard enterprises. However, a...

If the first month-plus of 2024 is any indication, this year is likely to be anything but ordinary in the cybersecurity realm. In January alone, a triad of events unfolded, each more riveting than...

A new and concerning chapter has unfolded in these troubled times of geopolitical chaos. The Cozy Bear threat actor has caused significant breaches targeting Microsoft and HPE, and more are likely...

Left to their own devices, your organization’s devices can be a significant source of risk. Consider operational technology (OT), which is crucial for organizations but is not engineered and...