There could hardly be anything simpler than this common-sense approach to safety, whether in real life or in the realm of cybersecurity. You grant privileges to someone for as long as they need them, not for as long as they would like to keep them.
Another common-sense practice is to give anyone the minimum privileges needed to get a job done, rather than shower them with an extravagant amount. Once the job is done, wrapped up and polished, you bring the privileges down to near ground zero again, the lowest possible state of stable operations.
Why would you keep any operational parameter in the highest state of readiness if it is not operational, is not being used, and is not functional? Standing down is a very common and effective part of any operation to control overuse and over-fatigue, whether in the armed forces, in civil services, or in any operational environment.
You trust no identity, and you manage all privileges continuously in real time, raising them when needed and lowering them again soon after. You apply multiple approaches to verify the real or digital identity of a user whenever they request a change to their privileges.
This is the basis of a Zero Trust approach to Privileged Access Management in the realm of cybersecurity.
Here is a simple step-wise checklist:
Who is requesting access: which human or machine or robotic user?
What is the context of the request: why do they want access?
Risk of the access environment: where and when are they at the time of the request?
Multifactor authentication: is the identity who it claims to be?
Grant least privilege access: what are the minimum privileges required to complete the task?
Ground zero: revert all privileges to the previous normal once the task is completed, so there are zero standing privileges.
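The checklist above can be sketched as a just-in-time access broker. This is an added example, not code from the article or from any product; the task-to-role map, network names, working hours and 15-minute grant lifetime are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy data (assumptions for illustration only).
TASK_ROLES = {"rotate-db-password": "db-credential-rotator",
              "restart-web": "web-service-operator"}
TRUSTED_NETWORKS = {"corp-vpn"}
MAX_TTL = 900  # seconds a grant may live before it lapses on its own

@dataclass
class Request:
    identity: str       # who: human or machine user
    task: str           # context: why access is wanted
    network: str        # risk: where the request comes from
    hour: int           # risk: when (0-23, local time)
    mfa_verified: bool  # outcome of the multifactor challenge

@dataclass
class Broker:
    known_identities: set
    grants: dict = field(default_factory=dict)  # identity -> (role, expiry)

    def request_access(self, req, now):
        """Walk the checklist in order; any failed step denies the request."""
        if req.identity not in self.known_identities:
            return None, "unknown identity"
        role = TASK_ROLES.get(req.task)  # least privilege: one role per task
        if role is None:
            return None, "no approved task context"
        if req.network not in TRUSTED_NETWORKS or not 6 <= req.hour < 22:
            return None, "risky environment"
        if not req.mfa_verified:
            return None, "mfa required"
        self.grants[req.identity] = (role, now + MAX_TTL)
        return role, "granted"

    def complete_task(self, identity):
        """Ground zero: drop the grant as soon as the task is done."""
        self.grants.pop(identity, None)

    def active_role(self, identity, now):
        """Return the current role, revoking it if the lifetime has passed."""
        grant = self.grants.get(identity)
        if grant is None or now >= grant[1]:
            self.grants.pop(identity, None)
            return None
        return grant[0]
```

Every identity starts and ends with no role: a grant exists only between an approved request and either task completion or expiry, whichever comes first.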
The key to an organisation’s security policy, with its repository of user identities and privileges, needs to be protected in a vault. The organisation’s very existence is now protected inside this vault.
You verify and reverify, through multifactor authentication, every request to dip into this vault and change existing privileges. While organisations will layer themselves with elaborate tools to protect access to their financial controls, like bank accounts and cash, the very technology tools that enable that secure access to happen smoothly may sometimes be left gaping and wide open.
52% of organisations do not have such a password vault, according to global surveys. This is one of the basic steps in Privileged Access Management. If over half are not even vaulting privileged passwords, that means that passwords are being scribbled down somewhere or neatly entered into shared spreadsheets.
Three out of four organisational breaches abuse privileged access, making it the leading attack vector globally. Global research company Gartner named privileged access management a Top 10 Security Project in both 2018
Strangely, the tried and tested, common-sense rules of operational preparation that work so well in the real world do not seem to be applied in the critical arena of cybersecurity and organisational readiness.
By Kamel Heus, Regional Director, Northern, Southern Europe, Middle East and Africa, Centrify.