By: David Higgins, technical director, CyberArk
The music pulses through your body. Crammed bodies on the dance floor sway together, neon lights flashing to the beat of the music. Thirsty for your next cocktail, you head to the entrance of the VIP lounge. But wait! The security staff hold up their hands. You’re not welcome here. Your clothes aren’t right, this is the wrong room, what’s inside isn’t for you. Whatever it is: you’re not going in. Only those with the right credentials can enter the VIP lounge and access the sensitive information, applications and systems contained therein.
Wait…VIP access to what?
At some point, with the burnout of home working, leisurewear and Netflix, many of us are daydreaming about going back to socialising again. For those working in security and IT, you may be among the first in line at the clubs. As many organizations continue to rapidly transform their business by investing in new cloud technologies, adopting new forms of communication and delivering services to customers in innovative ways, protecting against cybersecurity risk has taken on a greater sense of urgency.
This is especially true as identity-related risk is on the rise – cybercriminals are increasingly adept at stealing credentials from VIPs, whether IT admins or business users, to access sensitive areas of the business. And organizations need to keep up with the tempo of attacker innovation.
Our new ways of working have made protecting all identities, and their high levels of privileged access and related credentials, more important than ever before, and in more ways than ever before. We’re going to use nightclubbing as a proxy as we show you how to protect what’s most valuable to your organisation.
Getting Past the Bouncer
Getting into a nightclub is all about showing that you’re going to be an acceptable part of the environment. A wannabe partygoer might struggle to get past nightclub bouncers for any number of reasons, including wearing the ‘wrong’ clothing, exhibiting bad behaviour in the queue or lacking sufficient/valid credentials. Sometimes underage revellers will bring a fake ID, duping bouncers into allowing them entry.
Think of technologies like Privileged Access Management (PAM) as the ultimate ‘gate keeper’ for who gets access to what, where and for how long. For example, there are minimum requirements for users to gain initial access; often a username/password at the most basic level. These first-level credentials are not particularly secure and can be bypassed, much like some revellers who successfully bypass doormen with fake IDs. This fallibility makes further authentication a must to properly defend the organisation’s key information and resources.
Access all Areas
A night out at a club wouldn’t go so well without bar staff. These employees need access to staff-only areas such as the area behind the bar, the staff room and storage areas to pour drinks, mix signature cocktails, replenish bottles, and review stock lists. Some of these areas will require some form of access key to enter. Only trusted staff should be provided access to these areas to prevent any pilfering.
Certain areas of IT infrastructures operate on a similar model, with these access keys allowing system admins to make changes to systems or applications, add or remove users, or delete data. Sometimes these ‘super users’ will be domain admins; people that have extensive access across the network. These are super critical to secure. Unsurprisingly, gaining access to the credentials of these users represents the highlight of a cybercriminal’s night out…and it’s game over for the organisation if this happens.
Whether the threat comes from a legitimate employee or an external threat actor, PAM helps manage and secure network access and, using the principle of least privilege, only grants admin-level access to those who need to use it to perform their role.
Are You Really a VIP?
Nightclubs often have VIP areas that clubbers access either by paying extra to enter, or having sufficient (‘celebrity’) status as an individual. Extra security staff often guard VIP areas to retain their prestige and prevent the less-exalted amongst us from entering. Essentially, only those with legitimate access are welcome.
‘VIP areas’ for organisations equate to those resources that are typically extremely limited in terms of who is allowed access to them. Your ‘normal’ user will not be allowed to interface with a company’s sensitive IP, HR information, or non-public financial results. Only those users with escalated privileges – VIPs, in other words – should have access to them, and even then this should be tightly controlled. Attackers routinely seek to escalate privileges in order to access critical assets and data.
Who Stays…Who Gets Kicked Out?
Things don’t always go as planned during a night out. People try to get to where they shouldn’t, crashing other people’s reserved tables, or trying to blag their way into the VIP lounge. The staff may ask some partygoers to leave the club because of their undesirable behaviour. They may even be barred from ever returning to the club.
Compare this to a third-party contract ending, a consultant’s project finishing, or simply those who try and access a part of the network or an asset that they shouldn’t have access to. Once this happens, their privileged access becomes a potential security risk. Retaining it is undesirable and unnecessary; it should be de-provisioned immediately to shut off any chance of an attacker exploiting unused credentials or access. In the case of someone trying to get to where they shouldn’t be, that’s something that needs shutting down immediately.
Surveying the Scene
So how do organisations know where privileged access exists, and in turn, secure it? In a nightclub, a club manager and team are tasked with observing everything that’s going on. Security cameras and staff scan the dancefloor and restricted areas, watching for incidents and ensuring that all is running seamlessly. In business, this is the IT security team. PAM allows full visibility of access to critical data and assets, and can monitor, grant and revoke that access when needed. Adopting appropriate cybersecurity measures to secure credential-based access is essential for organisations wanting to protect their business from disruption or loss.
It used to be easy to take a night out for granted. You don’t necessarily consider the sheer number of resources that it takes to help make this a reality, from the bouncers that keep the obvious trouble out, the bar staff and DJs to keep you fed, watered and entertained, and the club staff that ensure that if you’re on that table or in that VIP room, it’s because you’ve paid to do so. Who’s going to kick out the people having a fight on the dancefloor? You? Probably not. And that’s not even considering the behind-the-scenes efforts to keep you safe, secure and entertained. So, as the number one control for managing, monitoring and protecting identities across your organization, consider what PAM could do for you. Now get back onto that dance floor!