Subscribe
About

It’s time to rethink your access controls

The digital era means that most employees have some level of privileged access. With cyber crime on the rise, it is imperative to implement new, intelligent privilege controls.
David Higgins, Senior Director of CyberArk’s Field Technology Office. (Image: Supplied)
David Higgins, Senior Director of CyberArk’s Field Technology Office. (Image: Supplied)

In the past, protecting your business against cyber attacks was relatively simple. Privileged access was only given to IT administrators, who were surrounded by security controls strong enough to stop malicious actors in their tracks. However, both the definition of privilege and the threat landscape itself has changed dramatically in recent years, which is why, in the modern business world, it’s time to seriously rethink access controls.

Today, just about every user identity – whether they are in-house, third party or even a machine – has some degree of access to sensitive tools and information. This has resulted in an explosion of new identities which, coupled with a shift to hybrid and cloud environments, has rendered attack surfaces considerably more challenging for security teams to manage.

According to David Higgins, Senior Director of CyberArk’s Field Technology Office, the company’s recent global survey found that today’s high-risk access exists throughout the workplace, in almost every job role. This is clear evidence that the time has come for enterprises to rethink the way they protect their workforce.

“In today’s digital era, virtually all employees have some sensitive or privileged access, as this is necessary, just to get the job done. The survey found that all (100%) employees surveyed access work applications and services from their corporate device, including access communications and collaboration tools like Teams and Slack,” says Higgins.

“These, along with IT administration and management tools, and customer-facing apps, are business-critical applications that contain sensitive and privileged data. It’s also worth noting that four in five of those surveyed also access work applications and services from personal devices.”

Personal devices are often unprotected against security controls, making them especially vulnerable to threats. Moreover, IT and security teams often have little to no visibility over personal devices, meaning they remain unaware of the potential risks imposed by these endpoints, while also being unable to enforce the necessary security controls.

“This is dangerous when one considers the high percentages of employees surveyed at all levels of seniority, who are interacting with sensitive data. This means that most employees, whether office-based, hybrid or fully remote, have the potential to become a security risk.”

“Other major risks identified in the survey include using the same login credentials to access multiple work-related applications, and using the same login credentials for personal and workplace applications and services. Using external personal storage services to store and share workplace-related information with external parties is equally dangerous.”

Clearly, notes Higgins, there is a pressing need for organisations to protect their workforces with a revised approach to identity security, one that reflects the high levels of sensitive and privileged access present across companies today.

A balance needs to be struck, however – while it’s important that security controls do not hinder productivity, they still need to be powerful enough to deter staff from engaging in risky behaviours, so that sensitive data doesn’t end up where it shouldn’t.

“Moreover, the widespread use of artificial intelligence (AI) has opened up a new attack surface for security teams to manage, and created new vulnerabilities for businesses. This is due to the fact that the use of many AI tools often involves inputting sensitive data. Although the use of AI is sometimes monitored by corporate security controls, in many cases, security teams are none the wiser,” adds Higgins.

“Now, more than ever, it’s important that organisations and their security teams build resilient identity security strategies, making it easy for workers to do their jobs, while reducing overall risk. Intelligent privilege controls can do just that, by delivering a least privilege approach that secures access for all identities, including applications, endpoints, infrastructure and data.”

Intelligent privilege controls, continues Higgins, are advanced security measures designed to dynamically manage access to enterprise resources, based on real-time risk assessments and contextual factors. These controls adapt to varying levels of risk associated with different identities – both human and machine – and their activities within a company, ensuring that appropriate access is granted without disrupting productivity.

“These controls help overcome traditional challenges associated with privileged access management, such as rigid access policies, static permissions and lack of real-time threat detection. They provide a more flexible, scalable and context-aware approach to securing modern, dynamic IT environments, because these controls assess the risk of each access request in real-time and adjust privileges accordingly.”

“This ensures that users, applications and systems have the minimum necessary access at any given time, reducing the risk of unauthorised actions. By continuously monitoring and adapting to the behaviour of identities, these controls help prevent identity compromise, lateral movement and privilege abuse, which are common steps in the identity attack chain. These controls also balance security with usability, providing protection without overwhelming users with unnecessary authentication steps,” concludes Higgins.

Share