PAM has typically applied to IT managers and others needing “keys to the kingdom,” with IAM applied to regular users. Kevin Jermyn, the area manager for customer success at CyberArk, said zero trust in the cloud computing era calls for IT staff to integrate PAM and IAM solutions.
“With the adoption of many cloud-based technologies delivered via software as a service or infrastructure as a service, privilege access is expanding beyond the traditional IT admin role,” Jermyn said. For example, human resources practitioners typically have access to personally identifiable information. Such users, he said, are increasingly falling under compliance requirements that their usage patterns be monitored.
The idea of treating, in essence, every logon and resource call as subject to a zero trust challenge extends to automated processes like algorithms or bots that use applications and data, Jermyn said. And – in the post-SolarWinds period – zero trust applies to the supply chain.
Jermyn said a good way to think of zero trust is as a way to protect data. Guarding data assets therefore leads to thinking differently about cybersecurity than traditional perimeter defense does. It also gets an agency past a purely compliance-driven approach to cybersecurity.
“Being 100% compliant and protecting everything at all times is kind of not really an effective strategy,” he said. More effective is a risk management approach: evaluating critical assets and determining the likely ways an attacker would go after them. This analysis, he said, should take place in a context of “assumed breach” – a basic tenet of zero trust.
Then you can apply measures like multi-factor authentication where the measures will be most effective.
“If you take the approach of verifying every user, every identity with strong contextual risk based authentication,” Jermyn said, “and then enforce that just in time, just enough access at the right time, that’s a great way to reduce your attack surface and limit risk.”
Jermyn called that approach identity security. It focuses on securing each identity throughout its session, following it as it accesses critical assets. The approach erases the distinction between PAM and IAM, even as it accounts for differing permissions among various users.
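The “just in time, just enough access” pattern described above can be shown as a small access broker. The following is an added example, not code from the article or from CyberArk: identities, resource names, the risk signals (MFA, managed device, known location) and the thresholds are all assumed for illustration. A request is scored on context, a grant is scoped to a resource and a set of actions, and it expires on its own; every decision is written to an audit list so the session can be followed as the article describes.

```python
"""Toy just-in-time / just-enough access broker with contextual risk scoring.
Added example; signal names, thresholds and identities are assumptions."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Context:
    """Contextual signals gathered at request time (constructed for the example)."""
    mfa_verified: bool
    managed_device: bool
    known_location: bool


@dataclass(frozen=True)
class Grant:
    """A time-boxed grant for one resource and an explicit action set."""
    identity: str
    resource: str
    actions: frozenset
    expires_at: float


def risk_score(ctx: Context) -> int:
    # Each missing signal adds risk; weights are illustrative, not a product's.
    score = 0
    if not ctx.mfa_verified:
        score += 3
    if not ctx.managed_device:
        score += 2
    if not ctx.known_location:
        score += 1
    return score


class JitBroker:
    def __init__(self, max_risk: int = 2, max_ttl: int = 900):
        self.max_risk = max_risk      # deny anything riskier than this
        self.max_ttl = max_ttl        # hard cap on grant lifetime (seconds)
        self.audit = []               # every decision, for session follow-up

    def request(self, identity, resource, actions, ctx, ttl, now=None):
        """Return a Grant if the context is acceptable, else None."""
        now = time.time() if now is None else now
        score = risk_score(ctx)
        if score > self.max_risk:
            self.audit.append(("deny-request", identity, resource, score))
            return None
        grant = Grant(identity, resource, frozenset(actions), now + min(ttl, self.max_ttl))
        self.audit.append(("grant", identity, resource, score))
        return grant

    def authorize(self, grant, resource, action, now=None):
        """Check one resource call against a grant: right resource, right action, not expired."""
        now = time.time() if now is None else now
        ok = (
            grant is not None
            and grant.resource == resource
            and action in grant.actions
            and now < grant.expires_at
        )
        self.audit.append(("allow" if ok else "deny-call", resource, action))
        return ok


def demo():
    """Run the broker against constructed requests; returns the decisions."""
    broker = JitBroker()
    strong = Context(mfa_verified=True, managed_device=True, known_location=True)
    weak = Context(mfa_verified=False, managed_device=True, known_location=False)
    t0 = 1_000_000.0  # fixed clock so the outcome is deterministic
    grant = broker.request("hr-analyst", "pii-db", {"read"}, strong, ttl=600, now=t0)
    return {
        "granted": grant is not None,
        "read_allowed": broker.authorize(grant, "pii-db", "read", now=t0 + 10),
        "write_denied": not broker.authorize(grant, "pii-db", "write", now=t0 + 10),
        "other_resource_denied": not broker.authorize(grant, "payroll-db", "read", now=t0 + 10),
        "expired_denied": not broker.authorize(grant, "pii-db", "read", now=t0 + 601),
        "weak_context_denied": broker.request("hr-analyst", "pii-db", {"read"}, weak, 600, now=t0) is None,
        "audit_entries": len(broker.audit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the broker makes is that the grant, not the identity, is the unit of authorization: the same HR analyst gets read on one data store for ten minutes, nothing more, and a request without MFA from an unknown location is refused before any grant exists. Replacing the in-memory audit list with a real log sink is the only change needed to feed the session trail the article says compliance regimes increasingly expect.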
Using strong passwords and, where required, multifactor authentication, agencies have largely secured themselves with respect to common identity challenges, Jermyn said.
“But,” he said, “I don’t think many agencies have the same level of security and audit fidelity into cloud, the DevSecOps pipeline, and endpoints.” He said cloud hosting of applications, data and workflows increases attack surfaces exponentially. As for DevSecOps, he said each deployed software module requires checking for what it can access. This must occur before deployment because the module will be interacting with existing systems. Moreover, identity controls must extend upstream to individual coders in a development pipeline.
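One concrete form of the pre-deployment check described above is a pipeline gate that compares what a software module declares it needs against what its role is allowed. The following is an added example, not code from the article or from CyberArk: the manifest format, module names and permission strings are assumptions. Each module ships a manifest listing the permissions it will use; the gate rejects anything outside the role's allowlist and any wildcard grant, and reports the author recorded in the manifest so the finding can be traced upstream to the coder, as the article suggests.

```python
"""Pre-deployment least-privilege gate for module permission manifests.
Added example; manifest schema, module names and permissions are assumptions."""
import json

# Allowlist of permissions per module role (constructed for the example).
ROLE_ALLOWLIST = {
    "reporting-service": {"db:read", "metrics:write"},
    "ingest-worker": {"queue:consume", "db:write", "metrics:write"},
}

# Constructed manifests as they might be emitted by a build step.
SAMPLE_MANIFESTS = json.dumps([
    {"module": "reporting-service", "author": "dev-a",
     "permissions": ["db:read", "metrics:write"]},
    {"module": "ingest-worker", "author": "dev-b",
     "permissions": ["queue:consume", "db:write", "secrets:read"]},
    {"module": "ingest-worker", "author": "dev-c",
     "permissions": ["db:*"]},
])


def check_manifest(manifest, allowlist=ROLE_ALLOWLIST):
    """Return the list of permission findings for one manifest (empty means clean)."""
    role = manifest["module"]
    allowed = allowlist.get(role)
    if allowed is None:
        return [f"unknown module role {role!r}; no allowlist defined"]
    findings = []
    for perm in manifest["permissions"]:
        if perm.endswith("*"):
            findings.append(f"wildcard permission {perm!r} is never allowed")
        elif perm not in allowed:
            findings.append(f"{perm!r} is not in the allowlist for {role!r}")
    return findings


def gate(manifests_json, allowlist=ROLE_ALLOWLIST):
    """Evaluate every manifest; returns (passed, report keyed by module/author)."""
    report = {}
    for manifest in json.loads(manifests_json):
        key = f"{manifest['module']}@{manifest['author']}"
        report[key] = check_manifest(manifest, allowlist)
    passed = all(not findings for findings in report.values())
    return passed, report


if __name__ == "__main__":
    ok, report = gate(SAMPLE_MANIFESTS)
    for key, findings in report.items():
        print(key, "OK" if not findings else findings)
    print("deploy allowed:", ok)
```

Run as a pipeline step, a non-empty finding list fails the build before the module touches any existing system, which is the ordering the article insists on. Keying the report by module and author is what makes the control reach upstream: the person who added `secrets:read` or `db:*` gets the finding, not the operator deploying the artifact.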
Jermyn said the CyberArk Blueprint is a methodology that yields a risk-based and automated approach to limiting users’ lateral movement within networks and preventing privilege escalation. He said it helps cybersecurity staffs reduce the most risk with the least effort.
Area Manager, Customer Success, CyberArk
Kevin Jermyn has five years of experience with Federal Civilian and DoD customers and has worked with clients as a trusted advisor to ensure they follow best practices when deploying their privileged account security programs. He also advises on how the solutions a customer already owns can help reduce the attack surface and close common attack vectors.
Kevin has worked directly on DHS CDM PRIVMGT Continuous Diagnostics & Mitigation and has experience with DoD LoE, 800-53, 800-171, D(FAR)S, NIAP and RMF.
Host, The Federal Drive, Federal News Network
Tom Temin has been the host of the Federal Drive since 2006 and has been reporting on technology markets for more than 30 years. Prior to joining Federal News Network, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.