Matt Wilgus, Schellman & Company principal and threat & vulnerability assessment lead, comments on how authentication and cloud security standards have changed with the increase in remote workers due to COVID-19. Read a portion of the ebook below, or download it in its entirety on the SC Media website.
By Alan Earls
With the COVID-19 pandemic forcing an increase in corporate staffs working remotely, the importance of privileged access to cloud assets has never been greater. Despite the pandemic, cyberthreats continue to multiply as bad actors do their best to find weak spots to access corporate cloud resources.
The impact of the pandemic has been swift and extreme. Once COVID-19 began to spread, notes Matt Wilgus, principal, threat and vulnerability assessment services of Schellman & Company, an IT audit and certification firm, its influence on his company was significant. In the span of just a few weeks, employees who normally accessed resources only from the office began working from home. Today, Wilgus says, “We’re now 100 percent remote.”
This change has ramifications for security and compliance programs. For example, he explains, a username and password that might be sufficient in an office environment is insufficient for a remote user. Now, multifactor authentication is the standard.
And as CISOs have started to focus on the new challenge of authenticating users, especially privileged users, strong authentication has suddenly become more critical.
“As with most scenarios in this new work-from-home enterprise IT world, COVID-19 has accelerated the trend of existing threats to critical assets, and this is no different for security teams managing cloud-based application authentication,” notes Francis Ofungwu, a Chicago-based managing director at Protiviti, a global consulting firm.
For example, he says, security teams already struggling with shadow IT will likely see the issue exacerbated by the lack of control and visibility of a remote work force. “Even for those applications that have been sanctioned for use by company policy, organizations may still struggle with governing access to those applications and responding to cloud threats,” he says.
Of course, Ofungwu notes, cloud-based applications generally have some native access control capabilities, but these might not be enough to identify potential attackers. To filter out potential attackers effectively in a work-from-home environment, organizations should consider implementing protective tools.
One approach that has gained considerable momentum over the past few years is cloud-based privileged access management (PAM), according to Ofungwu. PAM can help organizations securely store, rotate and isolate credentials, and monitor sessions. “This trend will continue as organizations come to realize that identity-based threats are one of the top business risks that organizations currently face,” he says.
On-premises and cloud environments face a similar challenge, notes IDC cybersecurity Research Director Jay Bretzmann. Both have two types of users: normal and privileged. Privileged users are the real problem because they have the authority to do practically anything they want, colloquially known as read-update-destroy, says Bretzmann. “That’s why when someone like that leaves or changes roles you want to immediately shut down their entitlements in both on premises and in the cloud,” he says. Cloud-based PAM applications can control entitlements in both locations, he adds.
The evolution of PAM
UK-based research firm KuppingerCole recently reported that it expects the PAM market to grow from $2.2 billion in 2020 to $5.4 billion by 2025. It cites digital transformation, compliance, cybercrime, DevOps, and cloud and distributed computing as the key growth influencers. In its May 2020 Leadership Compass report, Paul Fisher, a senior analyst, ranked some 40 companies in the PAM market.
In the report he wrote: “KuppingerCole believes this result shows that all vendors are looking [at] where they can innovate in order to gain some competitive advantage in the market, but also within certain sectors such as SMB or in the emerging area of PAMaaS (PAM-as-a-service.) It shows a market that is changing fast as the impact of digital transformation and increased levels of compliance has forced greater demands onto PAM solutions.”
Enterprise Strategy Group Vice President and Group Director for Cybersecurity Doug Cahill says, “The big picture is that there is a cloud security gap and organizations are struggling with security, especially with the velocity at which organizations are consuming SaaS (software-as-a-service).”
He adds that PAM was originally a category of endpoint security control focused on the level of privilege a user needed on their Windows system. Of course, the need for privilege management has long since grown beyond that narrow focus and is seeing a resurgence with the growth of cloud and SaaS.
The challenge for IT is compounded because lines of business (LOBs) currently are driving cloud consumption and SaaS. In that model, a business unit no longer needs to get permission from IT or cybersecurity to gain access to an application. In fact, many organizations run hundreds of SaaS applications, often entirely outside of the purview of IT and cyber teams. Anyone can start using a business app in the cloud whenever they feel the need, says Cahill.
For example, a team of developers could decide to use Slack as a collaboration tool, with one person spinning up an account and becoming the admin. That person is privileged and can then create other subaccounts for the rest of the team. The same process is often repeated with Salesforce, Dropbox, Workday and numerous other SaaS offerings with no oversight, creating a hidden class of super users.
As a result, says Cahill, companies end up with silos of identity and no central ID store to create accounts and grant privilege. “There is no governance at the start and no governance for revisiting those privilege levels later,” he adds.
However, despite the potential benefits companies can reap from implementing cloud- and on-prem-based PAM, the question comes down to this: Is PAM right for you? The answer is: It depends.
Andras Cser, vice president and principal analyst at Forrester Research, sees PAM as more of a large enterprise offering. “You have to have hundreds of cloud apps at a minimum before this makes sense financially, so it tends to be for bigger companies,” he says. And most, but not all, PAM offerings are oriented to sophisticated cyber teams. Some, for example, eschew elaborate GUIs in favor of a command-line interface.
There also tends to be a split between born-in-the-cloud products and those that began in the on-prem world and are now establishing a beachhead in the cloud, he says. Some are also expanding from PAM to credential and password management and storing keys for cloud platforms.
Cser says choosing a PAM is, in part, simply recognizing whether you only need support in the cloud or whether you are in a hybrid mode, which would include support for on-premises privileges.
But Bretzmann is less concerned with size than with maturity. “PAM is one of the techs that is least invested in because you need to be a mature organization,” he says. “In general, organizations get to PAM last, but it is something that is desperately needed.”
Rogue privileged users, he warns, “know systems and how to exfiltrate data.” There is also a potential expansion of PAM needed because of the growth of DevOps. “You have developers writing code and they are paid to improve things and they aren’t interested in going through security toll gates,” says Bretzmann. However, the tools they use are often open source and they can easily be used to embed credentials as they are writing the applications, “so you really need to monitor them,” he says.
Fortunately, Bretzmann thinks the perimeter worries coming to the fore due to the COVID-19 crisis will help drive interest in PAM, at least in the short run. “Whether it will be an enduring influence on security spending, only time will tell,” he adds.