IT has always had a problem with changing business processes. Implementing new technology and introducing new ways of working are each high risk (from a business perspective) and disruptive, so combining them often multiplies these issues, leading to potentially famous consequences.
There is also a very valid requirement for IT to enable the business, and anything which goes against this philosophy needs an equally important (or more important) business justification.
To avoid business disruption while still controlling risk, it is common for IT departments to attempt to solve these security problems through technology.
This includes solutions such as:
- Intrusion protection systems
- Privileged access management solutions
- Event log monitoring systems
While these are all very useful (and form significant parts of the PowerON Secure Access Framework), despite what all the marketing and hype would have you believe, these solutions assist with reducing risk but can’t completely solve the issue.
Why More Tech Isn’t The Answer
Implementing technological solutions in isolation can lead to disastrous consequences, as attackers can often bypass these solutions or escalate around them (for example, scraping a PAM administrator password and then accessing the entire solution, or using a known vulnerability in a domain controller to escalate directly to SYSTEM privileges).
With the sheer reliance on technology nearly every business now has, combined with the frequency and damage of cyber-attacks, it certainly could be argued that IT security is no longer just an IT risk but an existential business risk. With a clear cost/benefit analysis and a clear priority on minimising disruption wherever possible, businesses should be willing to accept changes to save the business.
What Changes are Needed?
Often the highest-impact change for most organisations is the migration away from single passwords onto more secure solutions such as Multifactor Authentication or, ideally, passwordless solutions. This can often actually improve the user experience when combined with Single Sign-on policies and solutions such as FIDO2 keys.
Self Service Access
IT has often fallen into the trap of managing users, groups and permissions itself, as the tools to do this management were often complicated or required high levels of privilege. With modern self-service tools these tasks can be pushed back to the business, requiring the business to take more responsibility for its own security while reducing the ‘Busy Work’ which takes up so much of the IT team’s time.
Fail closed over open
There is (rightly) a perception in a lot of businesses currently that systems must always be available to a user who needs them. With enhanced abilities to detect threats, IT can now have a business discussion around elements such as blocking high-risk users and activities until further verification can take place. While potentially disruptive, this avoids scenarios where attackers are able to roam through the network without being blocked.
Risk-based approach to Access
Removing an ‘access anything from anywhere at any time’ policy may make certain tasks more complicated or slower. For example, restricting administrative activities to Privileged Access Workstations potentially means some initial additional capital costs and stops an administrator from quickly fixing issues from their phone or personal device. Depending on business requirements these restrictions can be greater or lesser, but they often enable the mitigation of entire classes of risk.
Technology, and security software in general, is a key component of any modern security framework. Businesses should, however, be very wary of any claims that problems can be ‘solved’ by technology alone. It is also important that, when considering technological solutions, the wider context, prerequisites and other vulnerable avenues are considered.
If you’re interested in finding out more about our Secure Access Framework and how it can help your organisation, get in touch with our team today.