WIXLIB

AccessSecurityThis is relevant to ‘insiders’ such as on-sitehave strong control, transparency, and audit loggingemployees and ‘outsiders’ such as third-partyof privileged users’ sessions. Having a strong accesscontractors or remote employees. Compromisedsecurity framework is the best way to stay on theuser credentials are often the entry point to aright side of regulations such as these, as well asnetwork for malicious activity such as ransomware,avoiding any penalties for not respecting regulatorymalware, or phishing making control of accessstandards.security a priority.Businesses shouldn’t wait for a data breach toSecuring the perimeterprotect themselves with robust access security. Theright solutions allow IT teams to support complianceIn the past, a business’ IT security perimeter endedwithout overburdening cybersecurity resources orwithin its walls. Now businesses have endpoints allovercomplicating business tasks. A well-run accessover the world, as both employees and contractorssecurity solution can help to streamline and speedcan access networks remotely from their ownup the implementation of compliance rules across adevices. The Internet of Things (IoT) is expanding,whole organization.opening up more avenues than ever into a network.It is also creating routes into industries that wereAccess security brings a number of benefits to anpreviously sheltered from the wider connected world.organization. But before exploring the specificsystems that put access security into action, it’sThese factors mean that endpoints outside of theimportant to understand some of the conceptscorporate network are not protected by traditionalbehind it; concepts such as insider threat, zero trust,perimeter security. Businesses therefore need anand Least Privilege are critical to keeping networksadditional layer of security for endpoints that cansecure.access sensitive assets from anywhere. An accessUnderstanding Access Securitymanagement solution can authenticate users from avariety of different endpoints, meaning those usersInsider Threatcan verify their identities remotely without anyimpact on their productivity.An insider can be defined as anyone who hasCompliance with regulationslegitimate access to a business’s sensitive data. Thismakesallfull-timeemployees,part-timeIt’s a sensible policy to know exactly who is enteringemployees, and 3rd-party contractors insiders, asand exiting a network – and what privileges theythey all have access rights to an organization’shave. But it’s not just nice to have – it’s an obligation.infrastructure at various times. In the age ofThis is reflected in compliance regulations such ascybercrime, this also makes all insiders a potentialISO 27001 and GDPR which require businesses toavenue of attack for hackers.7

AccessSecurityIt may seem strange to consider trusted and valuedyears ago. More businesses are taking steps towardsemployees as ‘threats’, but the reality is that aprotecting against this vulnerability.significant proportion of data breaches are linked toHow do we protect against it?insider access credentials. This does not mean everyinsider is treated as if he or she has maliciousintentions, but in terms of access security, each set ofPeople will always need access to IT resources inaccess credentials, no matter how trustworthy theorder to do their jobs. Organizations must protectuser, represents a new point of vulnerability. Eventheir assets from accidental misuses that createthough the vast majority ofemployeeswouldneverdeliberately jeopardize theircompany’ssecurity,theircredentials could be lost, stolen,or inadvertently shared withsomeone less trustworthy.How big of a problem isinsider threat?Insider threat is the leadingcause of cyberattack. Accordingvulnerabilities.According to a 2020report from ThePonemon Institute, thenumber of cybersecurityincidents caused byinsiders has increased by47% since 2018. Thereport also states that62% of incidents werecaused by negligence, asopposed to criminalactionsAsmoreexposure and vulnerabilities arecreated, the likelihood of amalicious attack increases.Here we’ll explore two principleswhich a business can apply toprotectitselfagainstdatabreaches. Firstly, by using a ZeroTrust policy of identification andauthentication to ensure theyknow who is accessing theirnetwork.Andsecondly,byto a 2020 report from Theauthorizing insiders with thePonemon Institute, the numberleast amount of privileges thatof cybersecurity incidents caused by insiders hasthey need to do their jobs.increased by 47% since 2018. The report also statesThe Zero Trust Modelthat 62% of incidents were caused by negligence, asopposed to criminal actions.It’s an unfortunate truth that any user can beInsider threat is a risk because even trustworthyconsidered a threat when it comes to access securityemployees can inadvertently cause a serious data– even trustworthy insiders. That’s why it makesbreach through email phishing scams, sharingsense to implement a Zero Trust approach for usersaccount credentials and root passwords, or simplyaccessing the corporate network. This doesn’t meanaccessing critical assets from endpoints outside thethat everyone should be treated with suspicion, orcorporateas though they’re an accident waiting to happen.network.ThePonemonInstitute’sresearch claims that organizations are spending onIt simply means that nobody is trusted implicitlyaverage 60% more on insider threat today than three8

AccessSecuritywhen it comes to accessing an organization’simportant part of a Zero Trust model is the Principlesensitive data. Instead of assuming that all activity isof Least Privilege. This ensures that if credentials arelegitimate until proven otherwise, a Zero Truststolen, the impact that a hacker can have is kept tosecurity model proactively requires proof of identitya minimum.before allowing access. Users need to prove thatThe Principle of Least Privilegethey have both the need and the authorization toaccess a network resource before entry is granted.Least Privilege means granting users access only toHow can we trust users?the minimum applications and files they need to dotheir jobs. Limiting access rights to only the bareUsing a Zero Trust approach to access managementminimum of what is required – no more, no less –does not eliminate insider threat, but it does help toeliminates overprivileged users and the risks theymitigate it. Trusting a user solely based on theirbring with them. A hacker can do greater damagepossession of a username and password login is notwith far-reaching admin rights than with a smallenough romised user. Least Privilege can also beThis is where multi-factor authentication (MFA)extended to the times and places that people needcomes in. As detailed above, MFA requires moreaccess to certain resources. For example, employeesthan one form of verification to prove that a would-may only be permitted to access files during specificbe user is who they say they are. It is far less likelyworking hours and from specific locations.(though not impossible) that a hacker gets hold oftwo forms of verification than one. For example, aWith Least Privilege policies in place, the potentialhacker would need to steal both a user’s password‘attack surface’ a hacker can exploit is reduced.and their security token, as opposed to just theConsider this physical analogy for a system withoutpassword. The more factors of authentication used,Least Privilege. It would be like visiting a hotel andthe more trust in a user’s identity.being given an access card that unlocked any doorin the building for as long as you wanted it for.Is multi-factor authentication enough?Instead, we get a card that works only for communalareas and our own room – and only for the durationof our stay.Employees are trusted – and that’s a good thing.However, when it comes to access security, trust byWhy is Least Privilege so important?default is a dangerous policy. Nobody should beimplicitly trusted when serious data breaches are at risk.Least Privilege limits users’ visibility of resources theyZero trust is the first line of defense when it comes todon’t need or are unauthorized to view. Therefore, ifpreventing hacks from stolen credentials. Ana hacker did steal a user’s credentials, they only gain9

AccessSecurityaccess to a limited number of resources and can Which regulations does the business needs totherefore inflict a limited amount of damage. Thecomply with?hacker would not be able to bounce between anyresource that they liked. By limiting the access thatLeast Privilege applied in tandem with a Zero Trustusers have, we limit the exposure in the event ofapproach comprise is a powerful access securitytheir credentials being compromised.methodology. Identifying users and administeringprivilege rights is much easier when managedFor example, a third-party provider contracted tothrough a centralized access security solution. Now,carry out administrative maintenance on a specificfor a more detailed look at the managementpiece of equipment does not need the same levelssystems that allow the Zero Trust and Least Privilegeof access and permissions as the head of IT. He/sheprinciples to be put into action.would only need access to the assets required inManaging Access Securityorder to do the job. All it would take would be for anoverprivileged contractor to click on a phishing linkIdentity and Access Management (IAM)that downloads malware – and then you have ahacker with admin rights to the organization’s mostsensitive assets. If an insider did need to haveCloud environments, remote working, ‘bring yourelevated access to a sensitive area of the network,own device’ policies (BYOD), and the Industrialthis can always be requested and granted asInternet of Things (IIoT) have made IT networks moreneeded, per task.complex than ever. This can make it even morechallenging to manage digital identities. Not havingHow can we implement Least Privilege?a centralized system to monitor and manage useraccess leaves organizations open to unnecessary risk.Least Privilege is simple in theory. However, it mightneed to be applied across hundreds or evenWe have seen how verifying the identity of athousands of users in an organization – all of whomnetwork’s users is an integral part of access security.may have different roles and access needs over time.Identity and Access Management is an umbrella ofThere would be plenty of leavers and joiners tosolutions which identify and authenticate any userconsider, too. In order to successfully, andwho needs access to an organization’s system. Thesesustainably, implement the Principle of Leastsystems allow businesses to define who each user isPrivilege, businesses need a clear understanding of:and what they can do within a network.What are the key features of IAM? What assets are considered sensitiveresources? Who genuinely needs to access theseIAM systems include a variety of tools which facilitatesensitive resources?the 3 pillars: identify, authenticate, authorize. With10

AccessSecuritythe right selection of solutions, an organization canThus, a strong IAM framework should include aestablish a robust defense to protect identities,Privileged Access Management (PAM) solution. PAMaccess, and corporate data.solutions provide a robust layer of security byfacilitating the implementation of Least Privilege andWhat is required of the solutions comprising thisZero Trust for elevated user access rights.IAM ecosystem? An identity management solutionPrivileged Access Managementneeds to be able to verify users, preferably throughmulti-factor authentication (MFA). This allowsorganizations to enforce a Zero Trust policyPrivileged Access Management, or PAM, is awhenever anyone attempts to access their network.solution that helps organizations monitor and auditall actions taken by privileged users. IdentityThe digital identities within an organization’ssolutions and MFA authenticate and authorize anyinfrastructure can change over time and thus needuser who needs access to a system, after which PAMto be flexibly managed as users move through theiris focused on streamlining management and‘lifecycle’, allowing for identities to be easily added,oversight of elevated users’ access rights, keepingremoved,organizations safe from the accidental or deliberateoramended.EffectiveAccessmisuse of privileged access.Management therefore allows super-admins toenable and disable accounts, grant and revokeaccess rights, and store user information inThe dangers of unconditionally trusting any user aredatabases. The system needs to be easy for ITclear due to insider threat, and the Zero Trustadmins to manage. If the administration of theapproach to security requires that every attempt atsystem is complicated or spread across severalprivileged access be validated and monitored. It isdifferent resources, it won’t be as effective.risky to give even super-admin users root privilegessuch as the ability to change system configurations,Similarly, the most effective security solutions provideto install software or access secure data. Privilegeda seamless user experience. If connecting tocredentials could be lost, shared, or stolen. Aresources is complicated, users will look formalicious user with admin rights can not only makeloopholes which defeats the purpose of the solutionsfar-reaching changes to a system, but they wouldand puts the businesses further at risk. Simplifyingalso be in a position to hide their actions. Not toauthentication through Single sign-on (SSO) andmention the occurrence of negligence and mistakes,centralizing access through a single platformwhere privileged rights are accidentally misused.streamlines user experience and encourages userA PAM solution mitigates this threat by facilitatingadoption of proper security processes.precise control over exactly who has adminIAM is an umbrella term for managing all of anprivileges to which resources, and when. It monitorsorganization’s digital identities and their accesses.users’ actions, leaving an audit trail that can be11

AccessSecuritychecked in the event of a security breach. The mostany and all assets from a unique console. It provideseffective PAM system validates privileged attemptsthe tools needed to provide all users (internal,to access resources against the following criteria:external, and 3rd party) with the access they need todo their job, as well as a way for super-admins to1. Can the user prove who they are?manage authorizations and track users.2. Does the user have the necessary privilegesThe access manager centralizes access andto access the resource in question?management to all resources within one singleplatform, with no separate logins or disparate3. Are there appropriate circumstances for thesystems. Users only see the resources that they haveprivileged access?the rights to access; no more and no less. Theycannot see other IT assets on the network, even if4. Is all user activity being monitored andthey can guess that the resources are there.logged for tracing and audit purposes?Using an access manager gives administrators a5. Can the session be terminated (eitherclear picture over who is using and accessingautomatically or manually) if the activity isresources across their organization. And it makesunauthorized or suspicious?connecting to resources simple for internal andexternal users, streamlining access to all authorizedPAM solutions can vary in their architecture, butresources through one platform. The accessmost feature three main anizations who need to provide external access An access managerto contractors, service providers, and remote A password manageremployees, offering an additional layer of security A session managerfor these “insiders” connecting from outside thecorporate network.These modules work in tandem to ensure the abovePassword Managerquestions are always answered in the affirmativebefore privileged access is granted.The goal of an effective PAM solution is to preventAccess Managerprivileged users from knowing the actual passwordsto critical systems. The password manager stores allThe access manager componenet governs access topassword SSH keys within a secure vault, meaningprivileged accounts. It enables an organization’s ITthat users need never know or share the rootsecurity team to map user’s roles and access,passwords. Employing an advanced passwordgranting, revoking and modifying user privileges tomanagement tool in a PAM solution significantly12

AccessSecurityreduces the risk of an organization’s passwords fallingand lead to them being reversed. Recordings areinto the wrong hands. Passwords are enforced forparticularly useful in case the information needs tocomplexity and automatically rotated, meaningbe reviewed during a future audit or training.credentials become invalid even if they are breached.A comprehensive PAM solution is the best possibleA password manager is more than simply a vault.way to optimize security against the potential risksWhile it does securely store and encrypt passwords,posed by privileged users.it also helps to enforce robust password policies andEndpoint Privilege Managementimprove best practices within an organization. Thepassword manager is a key part of the PAM solution,allowing organizations to reduce risk exposure andIn addition to PAM, Endpoint Privilege Managementmeet a variety of compliance requirements.(EPM) is a critical component of an effective IAMstrategy that can be used to secure the devices thatSession Managerusers are accessing an organization’s network fromand other “terminal” equipment. Endpoint PrivilegeThe session manager is the core of a robust PAMManagement applies the Least Privilege principle tosolution, monitoring privileged access in real time,these endpoints, enabling organizations to definechecking whether actions taken in a privilegedprivileges beyond the user level to allow or blocksession are both legitimate and authorized. It alsoapplications and processes. This helps to protect thecreates an unalterable audit trail of all sessions, thenetwork from threats such as ransomware orlogs of which can be searched, making it easier tomalware. Whether it’s a phone, computer, or pointmeet compliance regulations. And if attempts areof sale terminal – all devices need to comply withmade to access sensitive resources withoutspecific criteria before being granted access toauthorization, they can be automatically terminated.network resources.This is the Zero Trust principle in action: ‘better safethan sorry’.Why should we protect endpoints?The session manager gives complete visibility overThe days when employees only accessed a networkprivileged user actions, reducing the risk offrom their fixed workstations are long gone. Moderndeliberate or accidental abuse of privilege. It recordsorganizations can have hundreds or thousands ofclicks, typing, and all other actions to allowendpoints – and this number will only increase as theorganizations to see exactly what a privileged userIndustrial Internet of Things (IIoT) connects evendid during a session. This includes actions a usermore devices to networks. The average modernmay be trying to hide, whether on another screen oremployee can access an organization’s network fromwith key commands. The recording of sessions cana desktop PC, a work laptop, work phone, and theiralso help to catch legitimate mistakes in real timepersonal devices, too, and from anywhere. The more13

AccessSecuritySummaryendpoints, the more potential avenues hackers haveto infiltrate IT infrastructure.Consider this example of access security comingIt’s important that the correct security measures aretogether. A contractor needs to access anin place to prevent unauthorized devices fromorganization’s database to perform some work,accessing a network. However, it would beso she attempts to log on to the corporateimpractical to apply these measures to every devicenetwork through her personal tablet. Theindividually. Endpoint Privilege Management allowsorganization’s IAM procedure ensures shefor control and compliance with regulations suchauthenticatesas GDPR, NIS, and PCI-DSS – without penalizingtemporary password she has been supplied withuser productivity.as well as the code from an RSA token.How does Endpoint Privilege Management work?The PAM system authorizes her access to theEndpoint Privilege Mana

This is the comprehensive beginner’s guide for anyone looking to understand the basics of access security. Access security is a framework of policies and technologies that combine to manage the access that users have to an organization’s sensitive IT assets