Post-COVID-19, every user should be treated as privileged
Article by Thycotic security engineer for Asia-Pacific Daniel Comarmond.
Given the way 2020 is going, many organisations need to make access to their data, systems, and resources as flexible as possible to cater for a world in which there is no longer a ‘normal’.
To best cater for business continuity — and assuming that the data in question has undergone assessment and classification for risk and confidentiality — data should be stored wherever it takes to maximise accessibility.
But given that, how do organisations protect their data? A risk-based approach to business continuity demands a balance of convenience and security. Still, it’s understandable that in the current era of unpredictability, convenience may often take precedence over security.
This means security policies and controls have to compensate for the widespread availability of data, systems, and resources.
In particular, some of the fixed terms of reference formerly used in security architecture may no longer be useful. With people working in de-centralised locations, data is travelling farther and broader than ever before, and being edited in places that certainly don’t resemble an office.
Location is no longer a consistent reference for security models, where business continuity demands of people and data to operate from anywhere.
Previously, organisations could also depend on their data, systems, and resources being accessed only from a predictable set of devices, but not everyone was handed a corporate asset by their employer when deserting centralised locations to work socially-distanced. With bring your own device (BYOD), a fixed set of devices is also no longer a realistic reference for security models.
This leaves people as a factor you CAN trust. Cybersecurity executives must not forget what is being protected — their colleagues, and their ability to continue operations no matter where they are.
To continue operations and transactions, people interact with people that they trust. Francis Fukuyama summed up this correlation of trust and economics: “One of the most important lessons we can learn from an examination of economic life is that a nation’s well-being, as well as its ability to compete, is conditioned by a single pervasive cultural characteristic: the level of trust inherent in the society.”
That’s why protection of data starts with people you trust — start with what you already know: the ‘known good’, not the ‘unknown bad’ – and then determine the varying degrees of trust per person, or ideally per group of people.
What about ‘insider threats’, I hear some say? Great question. But if an organisation trusted someone enough to hire them in the first place, then they need to be afforded the tools to do their job. Hence we trust, but verify by re-validating privileged rights.
Yes, privileged rights. The question organisations should ask themselves is “who do we trust – and how much do we trust them?” If only some staff are permitted to access data or an application, and other people cannot, that’s privilege.
Privilege is about what data a person can access, or actions a person can perform. It is about people, not just about accounts that unlock access to said data or elevated actions.
It’s a privilege for someone to view and manipulate personal information in a marketing database. It’s also a privilege for someone to access R&D details; it’s a privilege for someone to access financial data in accounting systems; it’s a privilege for someone to manage content on social media feeds. Every person should be treated as a privileged user, in some form or another.
No matter the format, access to data must be protected. This gives organisations a centralised tool to define which people — both internal and external — are mapped to which resources, challenge people to prove who they are with multiple factors of authentication, and then broker sessions to authorised resources.
To round out the trifecta of authentication, authorisation and accounting (AAA), a privilege management suite is a centralised tool to report on the behaviour of and relationship between people and which systems, resources, and data they are accessing — and thus re-validate or revoke access.
Trust, but verify — a concept everybody can understand and build upon.