CyberArk EMEA Technical Director David Higgins works closely with some of the world’s largest and most heavily regulated organizations in architecting Identity Security strategies that help mitigate cyber risk and confidently enable digital business. Higgins recently sat down with Cybernews to explain how Identity Security fits into organizations’ broader cybersecurity programs and helps enable Zero Trust.
Here are six of our favorite soundbites from the conversation, which we’ve edited for length and clarity:
1. Identity is almost always the ingress point in the cyber attack chain. “Identity remains the go-to for threat actors looking for an effective and swift entry point to a business,” Higgins explains. For every human identity, there are 45 machine identities — and over half of an organization’s workforce has access to sensitive corporate data. These identities represent an expanded attack surface that adds pressure to mounting cybersecurity insurance and compliance requirements. “It’s a problem that’s getting larger and more complex as digital IT environments change, and malicious actors continually find new ways into their targets through identity compromise,” Higgins continues.
2. Yet it’s not always a security priority. “Less than half (48%) of organizations have Identity Security controls in place for their business-critical applications, to name just one key environment,” says Higgins. As organizations continue to embrace the cloud and prioritize major transformation projects, the number of digital identities continues to grow while cybersecurity investment lags. This causes an accumulation of cybersecurity debt that exposes organizations to even greater risk.
3. Identity Security’s role in Zero Trust. “The age-old adage that those protecting themselves need to get it right 100% of the time, whereas attackers only need to get it right once to wreak havoc, still holds true. That’s why Zero Trust’s premise — never trust, always verify — is vital to any forward-thinking cybersecurity strategy,” says Higgins. Identity Security is not Zero Trust, but instead, it encompasses key security layers — such as privileged access management, identity management, cloud privilege security and secrets management — that organizations need to defend against attacks, measurably reduce cyber risk, and ultimately, enable Zero Trust.
4. Why the Log4j vulnerability highlighted inherent risks across the software supply chain. “One type of attack can rarely be universally applied to so many different targets, and that’s what makes Log4j so serious. It can be likened to a wobbly Jenga block holding a towering puzzle above: If one brick at the bottom falls, the whole thing comes down,” Higgins explains.
5. How organizations can strengthen cyber resilience in preparation for the next major software supply chain vulnerability, ransomware attack or emerging threat. “It’s impossible to keep out every attack, every time,” notes Higgins. “Instead, the focus and best practice should be around working to prevent attackers from moving to their objective – whether that is to spread malware, harvest data or shut down a critical service – once they are inside a system. This starts with identity … By securing routes to their most critical assets with intelligent privilege controls; seamlessly securing access for all identities with strong, adaptive authentication; and removing hard-coded secrets to protect credentials across the CI/CD pipeline, an organization can dramatically improve its overall security posture.”
6. Attackers never stop innovating. “Cybercriminal groups are increasingly operating like legitimate businesses. This way of working means large criminal groups have unwittingly created their own attack surfaces, opening themselves up to risk,” says Higgins. “It’s likely that the need to secure themselves internally will force security to revamp – as adversaries will increasingly get caught by defenders using their own attack methods against them. This change may bring with it plenty of new, innovative tactics, techniques and procedures that organizations need to be prepared to protect against.”
Today’s fast-evolving threat environment requires a security-first approach to protecting human and machine identities, one capable of outpacing attacker innovation. For more Identity Security perspectives, read the full Cybernews interview.