Who goes there? Focus on identities to reduce business risk

According to the latest Global Risks Report from the World Economic Forum, data fraud or theft and cyber attacks are among the top five threats that we face globally in terms of their likelihood of occurring. They are also among the risks perceived to be growing the most rapidly.

Security is vital to any organisation in order to protect important data and confidential information. Today, every organisation is data-driven and failure to protect vital information and assets can lead to dire consequences, ranging from financial loss to reputational damage that can put a firm out of business. Criminals are constantly looking to attack information networks using ever more sophisticated methods and many succeed, as the growing number of attacks and breaches that are reported attests to. Regulators are also upping the ante, demanding higher standards of security and privacy safeguards be applied to sensitive information, especially that related to individuals. GDPR is just the tip of the iceberg; jurisdictions worldwide are enacting similar legislation designed to protect their own citizens.

Security risk and business risk

A recent survey by Thycotic found that 50% of CISOs state that the board thinks that their job is to keep the lights on and systems running. Security is often seen as reactive rather than proactive, and as a cost rather than an asset. But that needs to change.

Since lax security can have damning consequences for an organisation, security risks need to seen as being at least equally as important as other risks that organisations face, including financial and operational risks.

To enable this, the security function needs to take a business-first approach. The survey by Thycotic shows that 65% of board members do not understand the need for security investments, in large part because they cannot gauge the value that they bring. With a business-first approach, security executives must focus on how to overcome the risks to the business, stressing the financial and operational impacts. Knowing and being able to demonstrate how to align security to business needs, including achieving compliance objectives, is the best way to be granted the budget that is needed to address security risks.

Identity management to the fore

Interest in identity management has picked up considerably as organisations recognise a growing need to grapple with the proliferation of identities, devices and services such as those provided in the cloud, many of which are outside of the control of the organisation. More stringent data protection legislation that impacts almost every organisation is also driving increased interest. GDPR demands organisations take a least privilege approach to granting access to sensitive data and frameworks that include NIST, ISO 27001 and PCI DSS also demand tighter access controls to ensure greater security of sensitive information.

Privileged access management is one of the areas of identity management currently receiving the most interest. Accounts that provide a user with privileged access are favoured by hackers, providing them with credentials to access sensitive information and to hide their tracks within a network.

Privileged access management technologies and services enable organisations to enforce the principle of least privilege, ensuring that credentials that provide privileged access are available only as and when needed to those that need them for a particular task. They ensure that no one has blanket access to privileged credentials and that credentials are rotated regularly to ensure that hackers will have to go through the steps of obtaining them over and over again. Thycotic’s chief scientist Joseph Carson likens this to having the ability to change the keys to locks on cars regularly. Anyone needing to drive the car must take a new key out of the vault, one that has not been used before, thus reducing the chance of car theft.

Privileged access management provides similar capabilities, but in terms of credentials. Employees can be more productive since they no longer have to manage their own credentials—a major source of cyber fatigue and a serious security risk since users just want to get on with things and will take the path that requires the least effort, reusing the same credentials over and over again if they can get away with it. Most PAM systems also enforce the use of multifactor authentication according to context that includes the sensitivity of resources being accessed and potential for a security breach.

Humans are often said to be the weakest link in security. PAM systems will do much to take away the risks, reducing the likelihood of data breaches, helping users to be more secure and productive whilst doing so—reducing costs associated with credential management and recovering from breaches, as well as helping with compliance obligations.

With these benefits, security executives will find it easier to show the value of the investment, translating what this means in easy-to-understand business terms. Rather than merely selling to the board on fear of what could go wrong, PAM provides a way of presenting the need for investment in a positive manner that is more likely to be accepted.