With the growing frequency and sophistication of cyber threats, being breached has become the rule, not the exception. Despite spending $28 billion annually on IT security, a recent study reported that over 90% of organizations have been breached. Data from KPMG corroborates the statistic, reporting a 93% breach rate. Each new week brings a new data breach, and the public has become desensitized to the threat posed by both malicious hackers and careless insiders.
Look no further than recent attacks on JP Morgan, Target, Kmart, and even celebrity accounts. The issuing of a credential, the security of that credential, and how you manage privileges are core to any secure operation.
The cybersecurity market has evolved significantly over the last eight years. As an industry, we must change the security architecture with which we confront cyber threats. More of the same will lead to more breaches. We have to adapt.
Trust is Not a Security Control
In today’s complicated IT environment, we cannot make assumptions about trust. In years past, predominant thinking dictated that you must assume trust, and then verify access. Any employee was assumed to have the right intentions, but even the best of intentions can have dire consequences. In our current threat environment, the old trust model is broken. Now, more than ever, it is crucial that organizations adopt and enforce a zero trust model of security to ensure that privileged users are governed by automated security controls.
Under the zero trust model, organizations never trust and always verify. In the past, the zero-trust model was unattainable because it was impossible to manage. To establish a zero trust system, organizations need to be able to monitor behavior, establish a baseline, and flag suspicious behavior to prevent future breaches. This sounds like a time-consuming, costly endeavor, but by eliminating manual processes and ensuring all processes are automated and prioritized, organizations can now achieve full visibility across their infrastructure. These tenets are key to initiatives like the government’s Continuous Diagnostics and Mitigation (CDM) Phase II and our signature product, Xsuite.
Least Privilege and Zero Trust
When it comes to zero trust, there are a few critical components, the first being the requirement of multifactor authentication and trusted identity. Government agencies must comply with HSPD-12, which requires PIV/CAC for logical access. Beyond simply rethinking identity and authentication, organizations need to enforce least privilege by separating authentication from authorization entirely, so that privileged users receive only the access appropriate to their roles and responsibilities. By limiting the access tied to privileged users’ individual credentials, agencies can mitigate the risk posed to the system by inadvertent sharing or spear phishing. The technology is available: it’s up to organizations and IT professionals to change their mindset and deploy a logical solution that can bridge the space between authentication and authorization.
Changing the Game
CDM Phase II is changing the perspective of how we look at security. Rather than focusing solely on technology, CDM is about the people and the process, and zero trust access is at its core. Security is only as good as how well you can manage it, and if you can’t measure it, you can’t manage it. If you can measure normal, you can measure and manage the exceptions. Cybersecurity needs to evolve, and the zero-trust model is the embodiment of that change. In this case, industry can take a page from government to shift the lens on cybersecurity. As a wise character once told Indiana Jones, “don’t trust anyone.”