The White House, having released detailed guidance on agencies' implementation of zero trust architectures, has highlighted the importance of privileged access management (PAM) and identity and access management (IAM) in the cybersecurity lifecycle.
PAM has typically applied to IT administrators and others needing the "keys to the kingdom," with IAM applied to regular users. Kevin Jermyn, the area manager for customer success at CyberArk, said zero trust in the cloud computing era calls for IT staff to integrate PAM and IAM solutions.
"With the adoption of many cloud-based technologies delivered via software as a service or infrastructure as a service, privileged access is expanding beyond the traditional IT admin role," Jermyn said. For example, human resources practitioners typically have access to personally identifiable information. Such users, he said, are increasingly falling under compliance requirements that their usage patterns be monitored.
The idea of treating, in essence, every logon and resource call as subject to a zero trust challenge extends to automated processes like algorithms or bots that use applications and data, Jermyn said. And, in the post-SolarWinds period, zero trust applies to the supply chain as well.
Jermyn said a good way to think of zero trust is as a way to protect data. Guarding data assets therefore leads to thinking differently about cybersecurity than traditional perimeter defense does. It also gets an agency past a purely compliance-driven approach to cybersecurity.
"Being 100% compliant and protecting everything at all times is kind of not really an effective strategy," he said. More effective is a risk management approach: evaluating critical assets and determining the likely ways an attacker would go after them. This analysis, he said, should take place in a context of "assumed breach," a basic tenet of zero trust.
Then you can apply measures like multifactor authentication where they will be most effective.
"If you take the approach of verifying every user, every identity with strong contextual risk-based authentication," Jermyn said, "and then enforce that just-in-time, just-enough access at the right time, that's a great way to reduce your attack surface and limit risk."
Jermyn called that approach identity security. It focuses on securing each identity throughout its session, following it as it accesses critical assets. The approach erases the distinction between PAM and IAM, even as it accounts for differing permissions among various users.
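The decision logic described above (contextual risk-based authentication, then a just-in-time, just-enough grant that is checked for scope and expiry on every call during the session), as an added example that is not the article's or CyberArk's code. The identities, resources, entitlements, risk weights, thresholds and grant lifetimes are all constructed for illustration; a real deployment would take them from the agency's own policy and identity provider. An HR analyst and an on-call DBA go through the same engine and differ only in their entitlements, which is the point of treating PAM and IAM as one identity-security control.

```python
# Added example (not the article's or CyberArk's code): a minimal
# just-in-time, just-enough-access decision for one session, with a
# contextual risk score that shortens or denies the grant. All policy
# data below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed reference time for the session used in the demo and tests.
SESSION_START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def minutes_after(n: float) -> datetime:
    """Helper: a point in time n minutes after SESSION_START."""
    return SESSION_START + timedelta(minutes=n)


@dataclass(frozen=True)
class AccessRequest:
    identity: str          # person, service account or bot
    resource: str          # the critical asset being touched
    action: str            # "read", "admin", "deploy", ...
    mfa_verified: bool     # context: did this session pass MFA?
    device_managed: bool   # context: enrolled, compliant endpoint?
    source_ip_known: bool  # context: coming from a known network?
    now: datetime


@dataclass(frozen=True)
class Grant:
    identity: str
    resource: str
    action: str
    expires_at: datetime


# Hypothetical entitlements: the most an identity may ever request.
ENTITLEMENTS = {
    "hr-analyst": {"hr-db": {"read"}},
    "dba-oncall": {"hr-db": {"read", "admin"}},
    "deploy-bot": {"prod-k8s": {"deploy"}},
}

# Hypothetical maximum grant lifetimes: privileged actions expire fast.
MAX_TTL = {
    "read": timedelta(hours=8),
    "admin": timedelta(minutes=30),
    "deploy": timedelta(minutes=15),
}

STEP_UP_THRESHOLD = 50   # assumed: at or above, deny and require step-up
SHORTEN_THRESHOLD = 20   # assumed: at or above, halve the grant lifetime


def risk_score(req: AccessRequest) -> int:
    """Contextual risk: a missing MFA factor dominates; other signals add up."""
    score = 0
    if not req.mfa_verified:
        score += 50
    if not req.device_managed:
        score += 20
    if not req.source_ip_known:
        score += 20
    if req.action == "admin":
        score += 10
    return score


def evaluate(req: AccessRequest) -> Tuple[str, Optional[Grant], str]:
    """Return (decision, grant or None, reason). Deny is the default."""
    allowed = ENTITLEMENTS.get(req.identity, {}).get(req.resource, set())
    if req.action not in allowed:
        return "deny", None, "no entitlement for this resource/action"
    score = risk_score(req)
    if score >= STEP_UP_THRESHOLD:
        return "deny", None, f"risk {score}: step-up authentication required"
    ttl = MAX_TTL[req.action]
    if score >= SHORTEN_THRESHOLD:
        ttl = ttl / 2          # riskier context, shorter just-in-time window
    grant = Grant(req.identity, req.resource, req.action, req.now + ttl)
    return "allow", grant, f"risk {score}: granted for {ttl}"


def authorize(grant: Grant, identity: str, resource: str, action: str,
              at: datetime) -> bool:
    """Per-call check during the session: the scope must match exactly and
    the grant must not have expired, so 'just enough' and 'just in time'
    are both enforced on every resource call, not only at logon."""
    return (grant.identity == identity and grant.resource == resource
            and grant.action == action and at < grant.expires_at)


if __name__ == "__main__":
    req = AccessRequest("dba-oncall", "hr-db", "admin",
                        mfa_verified=True, device_managed=True,
                        source_ip_known=True, now=SESSION_START)
    decision, grant, reason = evaluate(req)
    print(decision, reason)
    print("admin call at +29 min:",
          authorize(grant, "dba-oncall", "hr-db", "admin", minutes_after(29)))
    print("admin call at +31 min:",
          authorize(grant, "dba-oncall", "hr-db", "admin", minutes_after(31)))
```

The two thresholds separate "deny and ask for a stronger factor" from "allow, but for a shorter window"; in practice the step-up path would trigger MFA or an approval workflow rather than a flat denial, and the expiry check would run inside the proxy or vault that brokers the session.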
Using strong passwords and, where required, multifactor authentication, agencies have largely secured themselves with respect to common identity challenges, Jermyn said.
"But," he said, "I don't think many agencies have the same level of security and audit fidelity into cloud, the DevSecOps pipeline, and endpoints." He said cloud hosting of applications, data and workflows increases attack surfaces exponentially. As for DevSecOps, he said each deployed software module requires checking for what it can access. This must occur before deployment, because the module will be interacting with existing systems. Moreover, identity controls must extend upstream to the individual coders in a development pipeline.
Jermyn said the CyberArk Blueprint is a methodology that yields a risk-based and automated approach to limiting users' lateral movement within networks and preventing privilege escalation. He said it helps cybersecurity staffs reduce the most risk with the least effort.