All organizations struggle to prioritize their cybersecurity efforts, but federal agencies do so with the twin burdens of added regulation and a smaller budget than most private organizations. As the world prepares for monumental data legislation to take effect, and as traditional, static security methods prove ineffective, it is becoming clear than privileged access management can no longer be ignored. These three forces will be explored below, along with how to strengthen network security against both immediate and future concerns.
Make Way for GDPR
May 25, 2018 brings a momentous shift in data governance: the General Data Protection Regulation (GDPR) goes into effect. This regulation will have a major impact on the European Union and on international entities with access to European citizens’ sensitive data. The GDPR is considered comparable to the U.S. Security Breach Legislation enacted in 48 states, but on steroids. Organizations must account for all sensitive data and the access granted to it. At the same time, it expands the definition of sensitive data to include online identifiers, such as an IP address or cookies.
The GDPR applies to any organization with more than 250 employees, including government contractors, that has the personal data of EU citizens – whether that organization has a location in the EU or targets EU citizens or not. This marks the first time U.S. companies have had to abide by an EU regulation (as opposed to a Directive), and the fines for non-compliance are steep: up to €20 million or 4 percent of annual global turnover, whichever is greater.
These potential multimillion-euro penalties were built into the GDPR to underscore the EU’s sincere intention to maintain data privacy, and it gives them the teeth to police compliance. GDPR compliance language will begin to appear on business websites as companies seek to assure customers that their data will be safe. But the bigger shift for businesses will be the need to dig deep into their processes to comply with this regulation. They will need to have full visibility into who has access to sensitive data – and, as we will see below, that is rare.
Static Security is Not Secure
Government entities are increasingly under attack by other governments, not to mention the standard set of opportunistic cybercriminals and growing cadre of hacktivists. In this new world of networks that have no perimeter, agencies must spend money down to the infrastructure core of operations to secure their data. While technology is changing at lightning pace, many processes remain stuck in the past. Static security measures like passwords and vaults don’t move with the speed of today’s business and simply aren’t enough anymore.
Malicious actors will continue to attack static security because those attacks work so well. Ideally, significant investment would be made to secure a company’s technology core as the company is being built. However, it’s not too late for existing companies to go beneath the OS and build security at the foundational level with elements like certificates, SSH keys and PAM.
Managing Privileged Access
It has become a key challenge to all IT security and IT architects to maintain privileged access to protected data. SSH user key-based access, referred to as the dark side of compliance, continues to bubble up on the high-risk radar as uncontrolled and unmanaged elevated access into production. Federal agencies must consider SSH key access when assessing security because they provide the highest level of access yet are rarely, if ever, monitored.
This dire truth has been confirmed by a recent study by the Cyber Security Research Institute. It revealed that 61 percent of respondents do not limit or monitor the number of administrators who manage SSH. Further, 90 percent of respondents do not have a complete, accurate inventory of all SSH keys. This means that there is no way to tell whether keys have been stolen or misused or should be trusted.
Now that government agencies are moving to the cloud, the lack of secure access cannot be allowed and translated to the new infrastructure. Cloud applications are elastic, scalable and dynamic. Traditional PAM was designed for static physical servers in much smaller environments. But as with passwords and other static security measures, static PAM can’t get the job done anymore either. Traditional PAM just doesn’t provide the agility one needs in the cloud and doesn’t handle elastic services well at all. In fact, it doesn’t handle traditional legacy infrastructure very well. Projects become complex and expensive.
Fortunately, there is a fix to these challenges: next-generation PAM (NXPAM). This NXPAM works without any permanent access credentials on servers, using only short-term temporary credentials that are created on demand. There are no passwords to rotate, no vaults needing to store them and no software that needs to be installed and patched on individual servers. This makes for a very fast and straightforward deployment project with unlimited scalability.
Government entities are under a strong mandate to defend against new cyber threats, including those from foreign governments, and government contractors face the detailed requirement of the GDPR. Both groups need to take a hard and close look at what security and compliance measures they have in place. Are policies consistently being carried out? Are they effective?
It is easy to identify a common theme having to do with governance for your trusted access to protected data. Going into 2018, it is crucial to start addressing these risks early. Agencies must have complete accountability of their protected data: who has access to my data? Where is my data? What laws and regulations impact my compliance program?
If you are using a legacy system, as most government entities are, drilling down to the core infrastructure is non-negotiable. This foundational level of operations must be secured, because if it gets compromised, attackers will have limitless access to do limitless harm. Controlling access has become fundamental in this age of the no-perimeter network that still uses static security measures and faces strict new regulations. Paying attention to the trends in this article will help your agency repel threats and instill confidence among the citizenry you are serving.