An easy way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom.”
As a result, it’s not surprising that, according to Forrester, 80 percent of breaches involve privileged credential misuse. By leveraging a “trusted” identity a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags.
Zero Trust Best Practice: Limit Access & Privilege
To limit their exposure to these attacks, organizations need to rethink their enterprise security strategy and move to an identity-centric approach based on Zero Trust Security. One of the critical pillars of Zero Trust Security is to Limit Access & Privilege to minimize the risk and lateral movement of bad actors. To achieve this goal, organizations can take multiple steps:
- Enforce Granular Role-Based Access The first objective to limiting access and privilege is to limit lateral movement across the network. This is the primary way attackers gain access to sensitive data ― they start in one location and move lateral until they find what they are looking for. Thus, organizations should zone off what a user has access to and block access to other zones. In doing so, organizations can stop lateral movement.
- Implement Access Request Workflows for Applications, Endpoints, and Infrastructure Applying the concept of least privilege helps minimize an organization’s attack surface by eliminating static and long-lived privilege grants. Users should leverage self-service requests to gain access or elevate their privilege.
- Audit Everything Lastly, it is always best practice to audit everything. With a documented record of all actions performed by a user, these data sets not only can be used in forensic analysis, but also to identify suspicious activity in real-time with the option to terminate sessions. In addition, audit data can be leveraged to prove compliance with reports on every user’s privileges and associated activity.
Ways to Operationalize ‘Limit Access & Privilege’
While the above steps are logical, organizations often grapple with how to operationalize ‘Limit Access & Privilege’ in their day-to-day tasks without negatively impacting agility and productivity of users. In this context, it is essential to leverage automation technology (e.g., workflow engines) to manage temporary access to roles that grant privilege, shared account credentials, or remote sessions. To allow for scalability and timeliness, self-service access requests and multi-level approvals need to be closely integrated in the overall identity and access management process.
As many organization are centralizing their IT automation and service management efforts, Centrify has partnered with the leader in the space ― ServiceNow®. We’re offering four distinct certified applications on the ServiceNow Store that can be leveraged for the following purposes:
- Centrify Privileged Access Request Enables IT users to request temporary or permanent access to privileged accounts, a privileged session, checkout of a password, or a new role assignment from the ServiceNow asset management database.
- Centrify App Access Offers complete IT services automation — all through pre-configured policy, federated identity, and automated user account provisioning. End users simply request access to applications from within the ServiceNow service catalog. Once the app access is approved, the end user receives the app provisioned automatically with no manual intervention by IT.
- Centrify Identity Services Improve security with single sign-on and adaptive multi-factor authentication to ServiceNow.
- Centrify Password Reset End users can reset their passwords from within ServiceNow. For users who perform all their IT tasks in ServiceNow, they can do so for password reset as well by using this integration.
A recent update to the Centrify Privileged Access Request for ServiceNow application is now allowing system administrators of the Centrify Infrastructure Service to establish a request and approval workflow within ServiceNow rather than leveraging Centrify’s native Zone Role Workflow. For example, the following request and approval workflows can be configured:
- Checkout access for stored account passwords.
- Login access for systems, domains, and databases.
- Elevated privileges associated with the roles defined in zones.
Once the Centrify Zone Role Workflow is enabled within ServiceNow, end users can trigger self-service requests via the ServiceNow Service Catalog by selecting ‘Centrify Zone Role Workflow.' Requests can be submitted for future access, permanent assignment, or following best security practices on a temporary basis. Once the request is approved within ServiceNow, the entitlement fulfillment occurs automatically within the Centrify platform.
The Centrify ServiceNow integration is a good example on how organizations can operationalize the pillars of Zero Trust Security. For more details about Centrify Privileged Access Request for ServiceNow, visit the Centrify Community.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.