Why Intelligent Privilege Controls Are Essential for Identity Security

December 15, 2023 Amita Potnis

identity security intelligent privilege controls

 “If we can control identity, we can stop most modern attacks. And if you control identity, then you control every perimeter, application, container – effectively every part of the environment.” – Brian Miller, CISO at Healthfirst

Organizations are experiencing explosive growth in identities – both machine and human. This includes machine identities such as applications and workflows, which now outnumber human identities 45:1. With new norms such as hybrid work, new environments like hybrid cloud and the continuous flow of rapid innovation, the reality is that organizations are facing a constant onslaught of identity-related attacks like ransomware and phishing.

The solution for getting a handle on the chaos? Identity security.

Identity security is considered the bedrock of modern-day cyber resilience. It converges the strength of identity and access management (IAM), identity governance and administration (IGA) and privileged access management (PAM). This combination of capabilities enables least privilege from enterprise endpoints to data centers to the cloud, allowing organizations to secure their digital assets and conduct business with confidence.

Privilege Controls for Any Identity

Gone are the days when only the most privileged users had access to an organization’s most critical systems and sensitive data. Today, more than half (52%) of workforce identities have access to that level of information. Meanwhile, 77% of IT security decision-makers say developers have too many privileges, and only 25% say their organizations have secured sensitive access to bots and robotic process automation (RPA). This expansion of high-risk access across the enterprise can lead to greater cyber risk.

Looking back, 84% of organizations experienced an identity-related breach in the past year. Meanwhile, looking ahead, 99% of security decision-makers believe they’ll experience an identity compromise in the coming months.

This, of course, is not a new trend. In its FY22 Risk Vulnerability Assessment (RVA) report, the Cybersecurity Infrastructure and Security Agency (CISA) indicated that in over half (54%) of organizations it assessed, attackers used valid accounts to gain initial access and elevate privileges to access to critical resources and sensitive data.

The numbers are staggering, but organizations can take steps to secure all identities with intelligent privilege controls such as zero standing privileges (ZSP) and just-in-time (JIT) access, session recording and protection, session isolation and monitoring – and endpoint least privilege. These intelligent privilege controls must work in conjunction with one another to secure access for every identity. Continuous and constant monitoring and analysis of all activities of every identity allow organizations to detect and respond to unusual behavior.

 

Here’s a bit of a deeper look at the five critical intelligent privilege controls:

1. Zero Standing Privileges (ZSP) and Just-in-Time Access (JIT)

Many organizations provide users with powerful standing access that is always available to users, regardless of whether it’s required in the moment – or ever. This issue is prevalent in cloud environments, where organizations grant users far more entitlements than they actually need to ensure they can work quickly.

To reduce risk, your organization can implement JIT access provisioning, which grants users elevated access privileges in real time so that they can perform necessary tasks. In other words, a user can access required resources for a specific duration to complete a task at hand – and then the access is revoked.

Taking the JIT concept to the next level, ZSP is a fast-emerging security principle that elevates cloud power users just-in-time, with only the specific entitlements required for a given task – and only when needed. ZSP enables organizations to reduce the risk of credential theft and the potential impact of an account takeover by significantly limiting an attacker’s options.

2. Session Isolation

Session isolation creates separation between a user’s device and the resources they aim to access by routing traffic through a proxy server. In doing this, if an end user is attacked, the risk of compromising the system the user is accessing is reduced.

3. Session Recording and Protection

Session recording and monitoring, in contrast, is a searchable recording of every user’s actions – down to the clicks during sessions within web applications, cloud consoles and other devices. When security teams combine session isolation and monitoring, they can detect anomalous user activity and suspend risky sessions. This control can protect organizations’ most critical assets from malicious processes originating on endpoints. The more privileged (with higher access levels) the session, the more these controls become increasingly necessary in protecting an organization’s sensitive digital assets.

4. Endpoint Least Privilege

Comprehensive, conditional policy-based application control can help you create safe working environments for every user group in your organization, from HR to DevOps. Organizations can manage and secure their endpoints with controls that enable continuous least privilege and consider variables such as an application’s context, parameters and attributes to allow or block certain scripts, applications or operations.

This is especially important at a time when ransomware attacks are growing in frequency, consequence and cost. Within an integrated identity security approach, endpoint least privilege can significantly reduce an organization’s attack surface and ability to meet various regulatory requirements.

5. Credentials and Secrets Management

Credentials like usernames and passwords are pieces of evidence that confirm an entity’s claimed identity. Credential management includes password/key rotation, enforcing password policies and consistently validating the authenticity of the entity requesting the access. Secrets management allows organizations to enforce similar security policies for non-human (machine) identities. Typically, these credentials and secrets are used to gain elevated privileges to perform a business task.

The Benefits of Intelligent Privilege Controls

Identity-related attacks are also growing more sophisticated. While most businesses operate under the “assume breach” mentality, it is equally important to be cyber resilient with a proactive, reactive and predictive approach. The above-mentioned intelligent privilege controls enable security at scale, risk reduction and unmatched cyber resilience by securing access for any identity.

The results of a robust identity security strategy speak for themselves: CyberArk research indicates that 60% of 1,500 security decision-makers believe they can mitigate risk in an acceptable timeframe. Without a robust identity security strategy with the right tools, integrations, automation and continuous monitoring and reporting, 80% of the respondents state they would require up to 15 additional cybersecurity staff.

Beyond these measurable benefits, identity security based on intelligent privilege controls provides organizations with the added advantage of long-term durability, adaptability and recoverability in the face of potential attacks.

Don’t just manage identities. Secure them with a comprehensive identity security strategy based on intelligent privilege controls.

For more insights, download our identity security guide “When Every Identity is at Risk, Where Do You Begin?” The piece covers critical areas where intelligent privilege controls can help you reduce risk and gain efficiencies.

Amita Potnis leads thought leadership marketing at CyberArk.

Previous Article
Secure Identities With These Five Intelligent Privilege Controls
Secure Identities With These Five Intelligent Privilege Controls

If you’re reading this, a major part of your job is making the case for security-related issues that you kn...

Next Article
Exploring the Risks of Read-Only Access in the Cloud
Exploring the Risks of Read-Only Access in the Cloud

My career began with read-only access. In my first job, I worked night shifts in a data operations center. ...