As more of the population becomes vaccinated against COVID-19, organizations are preparing to return to the office. In the emerging hybrid environment, where employees can login from anywhere at any time, cybercriminals have an expanded attack surface and a variety of new vulnerabilities that they can exploit. Organizations need to revisit their privileged access permissions and double down on their security strategy to protect their data and people from being exposed in the next big data breach.
The problem with privileged access permissions
More employees who have access to privileged credentials means more entry points for cybercriminals to take advantage of when looking to infiltrate a company. Over this past year, we’ve seen massive data breaches stemming from credential-based attacks.
From Twitter phishing scams to SolarWinds – hackers know that privileged credentials grant easy access to navigate a company’s data from within. As companies move to a hybrid model, it’s important to look closely at which employees may have been granted additional access during the shift to working remotely and reassess who has privileged access now to minimize this threat.
Employees need to have some level of privileged credentials to do their jobs, but most organizations often grant too much access for too long. In fact, a recent report found that nearly half of privileged users access sensitive/confidential data purely out of curiosity. What makes this worse is that almost the same percentage are pressured to share their access rights within the organization. When users have more access than necessary to do their job effectively, organizations are creating additional opportunities for hackers to gain access.
As we return to the office, organizations should consider implementing the following best practices to improve their identity-centric security:
1. Educate employees on strong passwords
Security teams need to place value on protecting individual credentials. Passwords are foundational and implementing strong password security is essential when keeping hackers from easily accessing employee accounts. Organizations should invest in educating their employees on basic password security rules, encourage individuals to generate unique, complex passwords for every system, ensure that corporate/work account passwords are unique from personal accounts, and use authentication apps for added protection.
2. Leverage multi-factor authentication
Multi-factor authentication (MFA) goes together with strong password security. Security teams need to make MFA a minimum requirement. MFA keeps accounts and people secure with a variety of authentication factors – PINs, physical keys, biometrics, etc. Even when a password may have been compromised, MFA is able to protect an organization’s data and prevent cybercriminals from gaining unauthorized access. This extra layer of protection can significantly reduce the chances of a hacker being able to walk right into the network.
3. Lean into a zero trust & least privilege framework
Zero trust is a proven model that eliminates vulnerable permissions (i.e., unnecessary and excessive access) in favor of specific-rights delegation and provisioning with granularity. It’s in its name, but it truly means that organizations should not trust anyone. Core to achieving zero trust is the least privilege framework, whereby individuals—especially those who require elevated permissions—are only granted the precise entitlements necessary to do their day-to-day jobs.
When granting elevated permissions, security teams need to ensure that these entitlements are time-bound and offer nothing more/nothing less than what is required. Oftentimes, organizations grant their employees privileged access for much longer than needed. This leads to both internal abuse of privileges and raises the chances that a hacker will find his or her way within the company. Security teams should implement solutions that offer flexibility and make it easy for permissions to be managed and specific.
4. Focus on identity-centric security
As organizations move to a hybrid model, many will choose to move operations to the cloud. It can be difficult to replicate all security measures during this shift, but placing identities at the center of this strategy will enable organizations to make zero trust a reality.
When building out this identity-centric security strategy, security teams should focus on creating a unified identity model that standardizes the definition of identity throughout the organization. They should consider secure access and digital identities of not just users, but all applications and data, and they should seek out solutions that allow them to quickly identify unauthorized access within the network and rapidly revoke permissions as necessary.
As organizations prepare for the new future of work—from all-remote to hybrid models—security teams need to reassess which users have privileged access and for how long. It should never be forever. By leveraging identity-centric security, organizations will be able to achieve a zero-trust, least-privilege architecture that will help ensure that their data, and their people, stay secure.