How federal agencies can more effectively enforce privileged access management

In a presentation to the Information Security and Privacy Advisory Board of the National Institute of Standards and Technology in March, Cybersecurity and Infrastructure Security Agency Technical Strategist Jay Gazlay provided a stark assessment of the state of identity management and cyber threats. Citing the exploitation of administrative privileged accounts and credentials in the SolarWinds attack, Gazlay stressed the urgency for tighter controls within the federal government.

“Identity is everything now,” Gazlay said. “We can talk about our network defenses. We can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary.”

Behavior analysis capabilities would greatly enhance prevention and mitigation efforts, as adversaries are no longer primarily focused on targeting digital “crown jewels” directly.

“Instead of going after these data holdings, they’re going after the identities that give them access to all the data holdings — much broader campaigns,” Gazlay said. “That makes … identity management compromises much more impactful, and frankly, a much higher target. As we move into a cloud infrastructure where all that matters is the expectation that you are who you say you are to get access to cloud infrastructures, this becomes even more pernicious.”

Gazlay’s dire assessment underscores how the securing of user access – especially privileged access – has emerged as a critical priority. Cyber criminals consider the compromise of privileged credentials as the “keys to the kingdom,” providing entry to an agency’s most valuable digital assets. Nearly 100% of senior security executives say cyber criminals are increasingly attempting to steal one or more types of credentials, with 53% indicating that IT administrators are a top target. Given the trend, federal security executives rank privileged access management (PAM) as one of the leading approaches in reducing successful attacks, minimizing breach impact and shrinking the attack surface.

PAM solutions and services are expected to represent $2.9 billion in market value by 2024, up from $1.9 billion last year. As defined by Gartner, PAM tools enable organizations to secure access to digital assets and meet compliance requirements by managing and monitoring privileged accounts. They help security teams control these accounts by isolating, monitoring, recording and auditing the account sessions, commands and actions.

The White House has acknowledged the need for improved access management in its recent “Executive Order on Improving the Nation’s Cybersecurity,” calling for NIST to develop guidance on the establishment of “multi-factor, risk-based authentication and conditional access across the enterprise.” The order follows a Ponemon Institute research report in September which revealed that just 46% of agencies have the capability to effectively monitor privileged access.

The report documents what appears to be a precarious approach to the authorization of this access: Nearly one-half of privileged users in the government say they are not properly vetted or required to submit to background checks before receiving their access rights. About one-third of these users admit that privileged access isn’t necessary to do their jobs, but they have it anyway – and 44% say they have been pressured to share access with others. What’s more, one-quarter say privileged access is assigned at their agency “for no apparent reason.”

The findings illustrate that the oversight of privileged access isn’t simply a technology challenge – it’s a human one as well. With this in mind, here are two essential best practices which agencies need to implement to ensure the success of their PAM initiatives:

Enforce zero trust. The White House executive order directs agencies to adopt zero trust, which it describes as an architecture that “eliminates implicit trust in any one element, node or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a zero trust architecture allows users full access but only to the bare minimum they need to perform their jobs.”

The latter “bare minimum” component refers to “least privilege/just in time” principles, which are foundational to zero trust. With least privileged, users are given the access they need to satisfy their task assignments and nothing more. Of course, there will be special circumstances in which they must assist with an assignment that goes beyond their normal authorization. In this case, “just in time” gives them temporary, expanded access – but only for the time required to complete the specific task at hand.

Monitor, analyze and audit … everything. We typically think of privileged access targets as the administrators who run the “crown jewel” servers. But hackers often do not directly attempt to compromise these administrators. Instead, they go for lower-hanging fruit in the form of everyday users’ laptops or devices (as noted by 56% of senior security executives). Once they gain control of those machines, then they move laterally and vertically to work their way up to the higher-valued digital assets.

In addition, agency IT and security leaders and their teams must think of PAM in terms of their robotic process automation and other independently operating applications. With increasing activity in cloud and container environments, these applications are often “left alone to do their thing.” Hackers realize this, and view them as another readily exploitable gateway to the higher-valued assets in the enterprise cyber ecosystem.

Therefore, teams have to expand the coverage area of their PAM program, and monitor, analyze and audit all activity (of both humans and machines/apps) to identify and block unusual and/or risky behavior. This would include, as CISA’s Gazlay observed, “impossible logins” in which multiple users gain access through the same set of credentials at multiple places throughout the globe.

Zero trust is all about “never trust, always verify.” But agencies can no longer apply this level of vigilance to top administrators exclusively. They must take a broader view of their entire cyber landscape and deploy analysis and response at every conceivable area that presents an opportunity to eventually compromise privileged access. Identity really is everything now. By implementing PAM in a more comprehensive manner with zero trust principles firmly enforced, the crown jewels will remain out-of-reach for hackers.

Miguel Sian is Vice President of Technology at Merlin Cyber

Comments

Sign up for breaking news alerts