Protecting Government Data in a Post-SolarWinds World

Duration: 1 hour
No Fee


The least-privilege model is limiting how much damage hackers can do in federal networks

When it comes to hacking into an organization, accessing a privileged account can be the Holy Grail.

Privileged accounts offer the keys to large parts of networks, software and other information that can expose a company and its employees.

Government agencies are now being extra cautious with the way they dole out privileges, but it’s not always easy to clamp down on who can access certain parts of an enterprise.

Paul Morris, the chief information officer for the Centers for Disease Control and Prevention, says his agency uses the least-privilege model, which gives everyone a basic account where email and internet can be accessed.

Users who need more privileges are given separate accounts for higher administration roles.

“What we also do is we put specific technical controls on those accounts,” he said during the discussion Protecting Government Data in a Post-SolarWinds World, sponsored by CyberArk. “We don’t want admins to be able to access the internet or check their email while they’re in that account. That keeps the threat vector of a bad person coming in, taking over the account and then getting access to that function that they’re doing low.”

Techniques like that keep an organization’s attack surface low. That’s something that Bryan Murphy, senior director of consulting services and incident response at CyberArk, says is important to protecting privileged accounts.

“One of the struggles that we see customers go through, especially the federal agencies, is they only know about certain accounts they have, they don’t have the whole scope or breadth of coverage,” he said. “We want to use tools and automation to discover, but also put in processes and procedures to make sure that there’s not accounts being created without our knowledge within the organization.”

If a hacker can be stopped at the ground floor and has access only to the least-privileged accounts, they will not be able to do as much damage.

Morris said there are a handful of ways CDC is enforcing least privilege.

“As a user, I want to make sure I can’t install anything I want,” he said. “I don’t want to download and install things that may be talking back home to another organization, providing a threat into the enterprise online. We are keeping track of what’s allowed, and then keeping control of applications that can be installed by user.”

For admin accounts, CDC builds accounts with a specific purpose, to ensure that only people who will use the privileges given will get them.

“We define those groups and through those we have specific permissions and specific policies that allow them to be able to do the job that they’re doing,” Morris said. “The key there is we can apply those policies across the group or the role for that base access, and it doesn’t affect the general user, you or me. The average user is happy because they’re not being affected. We can quickly change those permissions. Another layer down from that is that local permissions, say in a different campus, are supported by approvals by supervisors and IT security officers. We put some technical constraints around it so that privileged user can only do those functions within that building. They couldn’t do that in any CDC facility.”

Murphy said those partitions are important because they limit the “blast radius” of what can happen if a hacker does get into one of the accounts.

“A lot of customers don’t have that granularity set up within their organization internally, which is what allows these attackers to move where they need to go,” he said.

Join moderator Scott Maucione, Morris and Murphy as they discuss:

  • Protection from bad actors
  • Cybersecurity in a telework environment
  • Incident response challenges
  • Least-privilege access enforcement

Complimentary Registration
Please register using the form on this page or call (202) 274-4830.



Featured speakers

  • Paul Morris

    Chief Information Security Officer, Centers for Disease Control and Prevention

  • Bryan Murphy

    Senior Director, Consulting Service & IR, CyberArk

  • Scott Maucione

    Defense Reporter, Federal News Network
