Page 8 - FCW, May/June 2020

Access...Controlled
How privileged access management can drive federal security
Federal leaders need an efficient and cost-effective way to ensure security across their systems and devices. Many recognize the need to enforce access privileges as a key piece of the puzzle.
Industry analysts describe privileged access management (PAM) as a critical security layer, a formidable means of defending high-value systems. Cyber watchdogs at the Center for Internet Security (CIS) agree, ranking PAM among their top five most crucial security controls.
Abuse of privilege lies at the heart of a wide variety of credentials-based cyberattacks. By controlling user privileges, government IT leaders can shut down the pathways bad actors use most often in their efforts to compromise federal systems. In addition to breaking the most common chain of attack, thoughtful access control also helps to establish the audit chain required under various government cyber regulations, while simultaneously freeing administrators for higher and more valuable tasks.
Risks and requirements
It’s well understood that bad actors have exploited a lack of adequate access control in the past, leveraging credentials as a means to infiltrate sensitive government systems. In the 2015 breach of the Office of Personnel Management—arguably a watershed moment in shaping federal cyber practices—privileged access was a key attack vector.
While bad actors may exploit credentials across the entirety of government end points, federal IT needs to be especially concerned about access granted within the developer community.
It’s common practice, for example, for administrators to grant developers elevated permissions in order to install or run certain programs or tools. Good cyber hygiene demands those permissions be thoughtfully controlled: Even those with elevated permissions don’t necessarily need blanket access to manage firewalls, routers, and switches. Credentials should be rotated systematically based on evolving need.
A range of guidelines and regulations likewise steer government agencies in the direction of improved access control management. The Risk Management Framework, NIST 800-53, the Cybersecurity Maturity Model Certification (CMMC), and other guidance all call on agencies to exert thoughtful control around systems access and credentialing and to document their efforts through verification and audits.
A better approach
Too often, access control in the federal space has been a fragmented affair. Different entities within a single agency may apply their own criteria to determine who has what level of access. This typically will unfold in idiosyncratic ways, with manual processes leading to inconsistencies and opening up potential gaps in the armor.
Because this piecemeal approach is too labor-intensive, administrators often will try to streamline the effort by taking a shotgun approach. They will assign higher-level credentials than are actually required and may fail to rotate credentials as needed.
In place of these fragmented and partial efforts, federal IT needs granularity in privileged access management, based on individual roles and responsibilities. Government agencies require a risk-based approach, a centralized and consolidated access control and credentialing strategy that protects the highest-value systems and devices.
CyberArk offers a Blueprint strategy, an easy-to-understand, risk-based program that aims to help federal agencies strategize and implement PAM at the organizational level.
“We know from experience and from post-breach analyses the types of accounts that bad actors will target in federal systems,” said Kevin Jermyn, CyberArk regional manager, federal customer success. “Agencies likely have domain admins in the environment, root accounts on the Linux servers or network devices. The Blueprint approach says: Let’s focus there