End points – smart phones, tablets, notebook PCs, even desktop PCs – form employees’ entry points to networks, applications and data. The rise in remote w...
End points – smart phones, tablets, notebook PCs, even desktop PCs – form employees’ entry points to networks, applications and data. The rise in remote working and teleworking has made end points particularly attractive to cyber hackers, especially using ransomware attacks delivered through phishing campaigns.
According to Bryan Murphy, the senior director for consulting services at CyberArk, that situation calls for systems of continuous verification and certification of users’ IDs throughout sessions, as users navigate across networks. This must occur in the context of zero trust, “meaning that we’re going to verify everything that you do, as you do it, instead of just giving you standing access to all the systems just because you’re an employee or a contractor within an organization.”
Making the zero trust architecture operative requires use of multi-factor authentication (MFA), Murphy said. This notion is expressed explicitly in the recent White House executive order on cybersecurity, so in a sense it is policy anyhow.
But in strengthening its approach to managing cyber identities and network privileges, an agency risks spoiling the user experience. Having users constantly re-enter credentials might be today’s paradigm, Murphy said, but it doesn’t have to be that way. With CyberArk’s platform, users can login with their passwords and second authentication factors, then have several minutes to open applications for which they are approved.
“So we can start to suppress some of those alerts,” Murphy said. “But at the same time, we can also have it where, if there’s a specific application or a certain configuration where you want them to [multi-factor authenticate] every time, we add this additional approval. We can configure the system to do that as well.” The challenge could be time-related, or geography related, thereby barring spoofed identities.
“So this is where it’s not a one size fits all,” Murphy said. “We really operate in the space of keeping the security high, while also keeping the user experience high, which is very challenging to do.”
He cautions against the use of codes coming to cell phones or via e-mail, both of which can be intercepted.
“We can do this several different ways. We can do it through biometrics or we can do it through a push notification, versus a text message that can be spoofed or replicated, or an email that could be stolen. So this is where there’s different elements, or different layers of security, to the way we do MFA to these users,” Murphy said.
The detailed, technical solutions to multi-factor authentication must operate within a framework that includes an identity governance solution.
“We need to have a map with a better way to link all this together, to know when we’re going to take which actions against certain either commands that are run, tasks that are done, systems we’re going to access from, and from which users,” Murphy said.
For example, if a known identity is coming in through an external portal, that might invoke different challenge-response routines than if the same identity logs on from with the corporate network. Behavioral anomalies – someone who normally works days logging on a 2 a.m., for example – can also trigger certain responses.
“The identity governance solution should be working to identify all the accounts privileges you have within your agency,” Murphy said. “We should know what they should have access to what they shouldn’t. As people move around and change roles and responsibilities, the identity should morph with that.”
He added, “What it also does is allow you to know if an additional account is created a rogue account or something random. You can be aware of that this is potentially something we need to investigate further, because that doesn’t follow our governance process.”
The security framework also encompasses the notion of non-repudiation, Murphy said. It means “whatever is done with an account or on a system, we can tie it back to a user, and the user has no way to say that wasn’t me.” Non-repudiation is enabled with strong ID enrollments and strong authentication.
Cloud hosted identity and authentication solutions can enhance security, Murphy said.
“The cloud has a lot of benefits to it around with the security, the configuration, the learning that we get from the data,” he said. The downside is that the agency may not have direct control over the network pathways to and from multiple clouds, nor have the visibility it has into its own network. Mitigating in favor of the cloud is the assurance that required patching and other upgrades will take place without requiring agency intervention.
What it comes back to is that user experience, and how do you make sure you're authenticating the user when you need to. And if you need them to interact, to approve something, you're doing it at the time that that they need, and not forcing them to do it at every step.
Senior Director, Consulting Services & IR, CyberArk
We tell our customers that work with us at CyberArk, it’s like a slider: You can slide it either towards security or towards operational efficiency, or we'll say user experience. It's not you can slide the both of them up simultaneously.
Senior Director, Consulting Services & IR, CyberArk
Listen to the full show:
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Senior Director, Consulting Services & IR, CyberArk
Host, The Federal Drive, Federal News Network
