Cybersecurity is one of many industries that love jargon. As in the medical and legal professions, complex topics often get crunched into digestible phrases, with the “stickiest” of terms eventually finding their way into our daily cyber speak. But along the way, meanings can get fuzzy.
“Defense-in-depth” can be one of those phrases. The overarching concept is well understood: Instead of relying heavily on one security tool or control, create multiple security layers. This way, controls intended for specific risks can complement one another’s strengths – and if one fails, another stands behind it. In other words, there’s strength in numbers. But what, exactly, does defense-in-depth look like in terms of enabling secure access – how companies verify each user’s identity and give that user secure access to its sensitive resources?
Identity and Access Risk by the Numbers
Let’s start with some numbers. Many cyberattackers have shifted attention from highly privileged IT admins to new workforce populations with direct access to valuable data and systems – business executives, software developers, HR professionals, finance managers, external consultants and others. According to the CyberArk 2022 Identity Security Threat Landscape Report:
- More than half of organizations’ workforces (52%) have direct access to sensitive corporate data as they work from a variety of locations and on many different devices.
- The average staff member accesses more than 30 applications and accounts. Any one of these identities can become privileged under certain conditions.
With this workforce identity deluge as a backdrop, we’re breaking down five common areas of access risk, and practical identity-centric defensive layers to help mitigate them.
How to Harden Five Risky Workforce Access Areas
1. Weak or disruptive authentication mechanisms. Since 80% of breaches begin with compromised passwords or credentials, it’s clear that single-factor authentication won’t cut it. Multifactor authentication (MFA) has become a baseline for verifying a user’s identity – traditional approaches require two or more authentication sets at login. But in their own pursuit of innovation, attackers are finding more ways to work around legacy MFA policies, such as tampering with QR codes, hijacking cookies and exploiting user authentication fatigue by “MFA bombing.”
Defensive security layer: Strengthening this security layer isn’t just about adding more controls, it’s about making them smarter and more autonomous. Consider how behavioral analytics and automation could be used to help security teams – and the MFA capabilities they use – better understand individual users’ access habits and build context on what constitutes risk over time. This way, users don’t have to jump through extra authentication hoops unless they’re necessary. And if your smart controls spot a potential threat, they can take action, from presenting extra MFA factors to shutting attackers out.
2. Unprotected endpoints. Less than half (43%) of IT security decision-makers say they apply Identity Security controls to company-supplied user machines. This leaves a wide variety of machines – including physical and virtual desktops and servers – vulnerable to ransomware, phishing and other attacks originating on the endpoint. For example, a user’s workstation could serve as a gateway for attackers to find poorly guarded credentials, exploit the identities of overly privileged users, infiltrate networks, and move through an environment to disable threat detection systems and cause damage.
Defensive security layer: Blending an adaptive form of MFA with endpoint privilege controls can help organizations address risks stemming from a hybrid work infrastructure in which any user’s workstation can be a target.
3. High-risk business applications. Today, 63% of organizations give their typical end user access to between five and 10 (or more) high-value applications, which contain sensitive resources such as financial data, customer information and intellectual property. However, with access comes risk: 80% have experienced end users misusing or abusing access to these applications in the past year. Most identity providers apply an authentication challenge at login to a web session, but what if the user steps away from their screen, leaving the session exposed?
Defensive security layer: Security controls here are most effective if they continue working to monitor, record and audit user actions after authentication. This enhanced visibility can benefit security teams on many fronts. For instance, 41% say it would enable them to identify the source of a security incident, such as data exfiltration, faster.
4. Third-party vendors. Outside vendors are integral extensions of enterprise teams, and many hold super-user access to internal systems. But with more than 90% of organizations experiencing a security incident linked to an external partner, it’s clear that third parties represent an ever-growing attack vector that requires as much attention as internal privileged users.
Defensive security layer: This layer requires a thoughtful balance between security and productivity, which can be tricky to strike since vendors typically use their own hardware in the process of accessing their enterprise clients’ systems. Finding a way to systematize third-party privileged access vetting and monitoring will go a long way – and the less you can rely on VPNs, passwords or agents to do this, the better.
5. Credentials “living” outside of single sign-on. Properly securing credentials is key to minimizing identity compromise. But that’s really difficult to do when workforce users are required to log in and out of numerous services and apps each day that use different passwords than corporate or single sign-on (SSO) credentials. Making matters worse, these passwords are often stored in unsecure locations or shared with colleagues in unsecure ways out of convenience.
Defensive security layer: In this layer, the password-based credentials of all users – not just the IT admins of the world – are protected by the strong privilege controls of enterprise-level, vault-based storage. Because today, any workforce user can become highly privileged. Not only does this enhance overall visibility and control for IT security teams, it also makes things easier for users who can automatically capture and retrieve credentials when they need them.
So, what security vulnerabilities will you uncover once you begin looking at your organization’s attack surface in the context of layers? Whether you see a need to better secure the SSH keys of third-party privileged users or shared app account passwords of everyday employees, it’s time to start thinking more holistically about protecting identities of all types, in all use cases, across the entire lifecycle.
As you uncover gaps, a defense-in-depth strategy can help you introduce multiple Identity Security layers and human-centric practices such as security awareness training, gamified exercises and frequent phishing tests, can help reduce vulnerabilities and mitigate risk.
Defense-in-depth is a concept that goes hand in hand with a Zero Trust philosophy. But that’s another cybersecurity buzzword for another day.
Read our white paper on how you can build a defense-in-depth approach that can help secure your organization against identity-focused attacks and data breaches.