As Australia falls back into remote work patterns, security teams need to address the risks associated with distributed work and security operating models, Jim Cook from Attivo Networks writes.
It sometimes takes a significant event to cause an inflection point. One of the many things COVID has made plain is something that security pros have known for years: identity is the new perimeter. Widespread remote work has demonstrated the critical role of identity in modern network security, making identity-first security management a must-have for today's enterprises.
Last year, when Australian organisations first shifted to fully remote work models, there was a view that they would need to relax security protocols “to ensure their workers have frictionless access to their accounts and applications for working remotely”.
That was only ever plausible as a stop-gap measure – and even then, not a particularly good one.
It's now clear that remote work will continue to be a reality for many Australians. Despite attempts to reopen offices, and reports that many of us are keen to return, that prospect again looks problematic.
As one Australian cyber security consultancy noted at the start of the year, “remote working will remain prevalent in 2021 and far beyond”.
So will its cyber security implications.
Testing the perimeter
Security leaders have been reimagining the world of work and the security implications of that shift for decades.
Almost 20 years ago, a group of CISOs from blue-chip companies came together on a theory they called “de-perimeterisation”. They theorised the breakdown of the ‘walled garden’ corporate network and instead envisioned a decentralised global environment where they needed to establish “mutual trust” between assets, devices, and users to connect or exchange data. They produced some specific “commandments” for establishing identity and trust in this perimeter-less world.
Not all of this came true. The CISOs were correct in imagining a world where identity and trust were vital to enable decentralised working methods.
However, today there is still a corporate security perimeter, and that perimeter is the user and the privileges that user is granted. Users are network 'endpoints': organisations must not only secure and authenticate their access to systems both inside and outside the corporate environment, but must also prevent the theft of these identities, privileges and entitlements, and protect the identity systems that manage them.
In other words, identity is the new security perimeter. As Gartner says, this year, “it has now become a reality due to technical and cultural shifts, coupled with a now majority remote workforce during COVID-19”.
The shift in thinking
“Identity-first security,” as Gartner notes, “puts identity at the centre of security design.” For most organisations, protecting identity means protecting Active Directory.
Active Directory serves as a roadmap for the entire network, providing a single management pane for authentication and authorisation across resources.
For that reason, it is a prime target for attackers. Red teams commonly report that they can compromise AD in effectively every engagement - and if red teams can do it, attackers certainly can, too.
A single compromised account is often all an attacker needs to get past perimeter defences: from there they can move laterally through the network, target AD, and escalate their privileges further.
Unfortunately, organisations do not always have the necessary visibility into AD security hygiene issues, nor do they have reliable alerting to key exposures at the domain, device, or user levels.
Most organisations lack continuous visibility into identities and account risks related to credentials, shadow administrators, stale accounts, shared credentials, and identity attack paths.
This lack of visibility is particularly dangerous today, at a time when the network environment is more distributed than ever.
Where security teams need to focus
In addition to establishing AD visibility, endpoint security is essential, as it can identify unauthorised processes and activities while flagging users that are executing them.
Security teams should implement AD logging and monitoring, including change notifications and alerting. These give defenders near-real-time awareness of changes to AD, above all membership changes to privileged groups, changes to the ACLs on those groups and on the domain head, and replication requests from accounts that are not domain controllers, so they can act quickly on suspicious activity.
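The following is an added example, not code from the article or from Attivo Networks, of what such near-real-time alerting can look like when built on nothing more than a domain controller's Security log. It watches for additions to privileged groups (events 4728, 4732 and 4756) and for replication requests by non-DC accounts (event 4662 carrying the DS-Replication-Get-Changes rights), which is how DCSync-style credential theft appears in the log. It assumes the advanced audit subcategories "Security Group Management" and "Directory Service Access" are enabled, that a SACL for the replication rights exists on the domain head, and that the group list and the five-minute window are tuned per environment; the function name Get-PrivilegedAdChange is my own.

```powershell
# Added example (not from the original article): poll the Security log for
# privileged-group membership changes and possible DCSync activity.
function Get-PrivilegedAdChange {
    param([int]$LookBackMinutes = 5)

    # Assumed list of groups worth an immediate alert; extend per environment.
    $privilegedGroups = @(
        'Domain Admins'
        'Enterprise Admins'
        'Schema Admins'
        'Administrators'
        'Account Operators'
        'Backup Operators'
    )
    $memberAddedIds = 4728, 4732, 4756   # member added to global / domain-local / universal security group
    $objectOpId     = 4662               # "an operation was performed on an object"
    $replRights = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    )

    $filter = @{
        LogName   = 'Security'
        Id        = $memberAddedIds + $objectOpId
        StartTime = (Get-Date).AddMinutes(-$LookBackMinutes)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($memberAddedIds -contains $e.Id -and $privilegedGroups -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Alert  = 'PrivilegedGroupMemberAdded'
                Group  = $data['TargetUserName']
                Member = $data['MemberName']        # DN of the account that was added
                Actor  = $data['SubjectUserName']   # who made the change
            }
        }
        elseif ($e.Id -eq $objectOpId) {
            # 4662 lists the rights exercised as GUIDs in the Properties field.
            $usedReplRight = $replRights | Where-Object { $data['Properties'] -match $_ }
            # Domain controllers replicate legitimately and their accounts end in '$';
            # a replication request from any other account is the DCSync signal.
            if ($usedReplRight -and $data['SubjectUserName'] -notlike '*$') {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Alert  = 'PossibleDCSync'
                    Actor  = $data['SubjectUserName']
                    Object = $data['ObjectName']
                    Rights = ($usedReplRight -join ',')
                }
            }
        }
    }
}

# Run from a scheduled task on each DC (or add -ComputerName to Get-WinEvent
# to query a DC remotely) and forward anything returned to the SIEM.
Get-PrivilegedAdChange -LookBackMinutes 5 | Format-Table -AutoSize
```

The value of polling the log this way, rather than waiting for a weekly report, is that both alerts fire within minutes of the change; a genuine DCSync attacker will typically have dumped every domain hash long before a daily review would notice. The 4662 check also shows why the audit policy matters: without the SACL on the domain head the event is never written, and no amount of downstream tooling can recover it.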
In that vein, they should conduct continuous assessments of AD to identify potential attack paths and remediate misconfigurations or exposures before attackers can exploit them.
Effective identity management also requires regular audits and assessments to identify domain-, user- and device-level exposures. These audits can help identify weak policies, account and privilege issues, rogue domain controllers, and other potential vulnerabilities.
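As an added example, not code from the article or from Attivo Networks, here is a point-in-time assessment script covering the exposure classes the two preceding paragraphs and the earlier list (stale accounts, shadow administrators, weak credential policy, attack paths) call out. It assumes the ActiveDirectory RSAT module, read access to the domain, and that the 90-day inactivity threshold and the list of principals "expected" to control Domain Admins are tuned per environment; the function name Get-AdHygieneFindings is my own.

```powershell
# Added example (not from the original article): an AD hygiene assessment
# that emits one finding object per exposure so results can be diffed run to run.
Import-Module ActiveDirectory

function Get-AdHygieneFindings {
    param([int]$InactiveDays = 90)   # assumed threshold

    # Stale but still enabled accounts. LastLogonDate derives from the replicated
    # lastLogonTimestamp, which is only accurate to about 14 days by default.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object Enabled | ForEach-Object {
            [pscustomobject]@{ Finding = 'StaleEnabledAccount'; Object = $_.SamAccountName; Detail = "LastLogon=$($_.LastLogonDate)" }
        }

    # Kerberoastable users: any enabled user with an SPN can have a service ticket
    # requested and cracked offline; an old PasswordLastSet makes that far easier.
    Get-ADUser -Filter 'Enabled -eq $true -and ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'KerberoastableUser'; Object = $_.SamAccountName; Detail = "PasswordLastSet=$($_.PasswordLastSet); SPN=$($_.ServicePrincipalName -join ',')" }
        }

    # Credential policy bypasses set on the account itself.
    Get-ADUser -Filter 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true)' -Properties PasswordNeverExpires, PasswordNotRequired |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'WeakPasswordFlag'; Object = $_.SamAccountName; Detail = "NeverExpires=$($_.PasswordNeverExpires); NotRequired=$($_.PasswordNotRequired)" }
        }

    # Unconstrained delegation on anything that is not a DC (primary group 516 / RODC 521):
    # a compromised host there can capture the TGT of anyone who authenticates to it.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 } | ForEach-Object {
            [pscustomobject]@{ Finding = 'UnconstrainedDelegation'; Object = $_.Name; Detail = 'TrustedForDelegation=True' }
        }

    # Shadow admins: principals that can take over Domain Admins through its ACL
    # without being members. GenericAll/WriteDacl/WriteOwner, or WriteProperty on
    # all attributes or on "member", is enough to add oneself to the group.
    $da         = Get-ADGroup 'Domain Admins'
    $memberGuid = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schema GUID of the "member" attribute
    $allGuid    = '00000000-0000-0000-0000-000000000000'   # ACE applies to all properties
    # Assumed set of principals that are expected to hold these rights.
    $expected   = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|[^\\]+\\(Domain Admins|Enterprise Admins))$'
    (Get-Acl -Path "AD:\$($da.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notmatch $expected -and
            ( $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or
              ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectType.ToString() -in $allGuid, $memberGuid) )
        } | ForEach-Object {
            [pscustomobject]@{ Finding = 'ShadowAdminRightOnDomainAdmins'; Object = $_.IdentityReference.Value; Detail = $_.ActiveDirectoryRights.ToString() }
        }
}

Get-AdHygieneFindings | Sort-Object Finding, Object | Format-Table -AutoSize
```

Each finding maps to a concrete attacker move (Kerberoasting, delegation abuse, ACL-based privilege escalation), which is what turns a hygiene report into the attack-path view the article asks for. Running it on a schedule and diffing the output against the previous run is the simplest way to turn a periodic audit into the continuous assessment described above, because a new ShadowAdminRightOnDomainAdmins or UnconstrainedDelegation finding is itself an indicator that something changed.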
It is also vital to factor cloud security into the equation. Organisations can mitigate cloud identity exposures by implementing security controls and managing cloud entitlements in a way that lets them monitor for misconfigurations, protect sensitive resources, and audit third-party access.
These protections can mitigate today’s most common identity-related exposures.
Jim Cook is the ANZ regional director, Attivo Networks.