Andy Hammond, Strategist and Evangelist, SSH Communications Security
Gartner predicts that worldwide spending on information security products and services will reach $93 billion this year. Figuring out how to allocate those dollars can be difficult for CIOs, as threats mount from every direction. Gartner’s report reminds us that improving security is not just about buying new technologies and that doing the basics right has never been more important. Let’s look at two elements of access management and a new regulation that can help steer security spending and focus in the new year.
A Weighty Compliance Burden
This year, spring brings more than flowers; the much-discussed General Data Protection Regulation (GDPR) will take effect in May. This regulation will have a major impact on the European Union and on international companies with access to European citizens’ data. Organizations with more than 250 employees must account for all sensitive data and the access granted to it. At the same time, it expands the definition of sensitive data to include online identifiers, such as an IP address or cookies.
The GDPR applies to any organization that stores or transmits the personal data of EU citizens–whether that organization has a location in the EU or targets EU citizens or not. The fines for non-compliance are steep: up to €20 million or four percent of annual global turnover, whichever is greater.
Businesses will need to dig deep into their processes to comply with this regulation. They will need to have full visibility into who has access to sensitive data–and as we will see below, that is rare.
We live in an age of attacks from hacktivists, disgruntled insiders, cybercriminals, and nation-states. This situation is made all the more precarious by a network with no perimeter. Companies must spend money down to the infrastructure core of business to secure their data. While technology is changing at lightning pace, many processes remain stuck in the past. Static security measures like passwords and vaults simply aren’t enough anymore.
Bad actors will keep attacking static methods of security because it’s an easy win. Companies must go beneath the OS and build security at the foundational level with elements like certificates, SSH keys and PAM.
Companies must go beneath the OS and build security at foundation level
SSH user key-based access, referred to as the dark side of compliance, remains high-risk because it allows uncontrolled and unmanaged elevated access to production. Organizations must consider SSH access when assessing security because they provide the highest level of access yet are rarely, if ever, monitored.
Red Curry, Cybersecurity Strategist, SSH Communications Security
Consequently, maintaining privileged access to protected data has become a board/business topic. A recent study by the Cyber Security Research Institute provides proof of this unsafe reality. It revealed that 61 percent of respondents do not limit or monitor the number of SSH administrators. Further, 90 percent of respondents do not have a complete, accurate inventory of all SSH keys. So, there is no way to tell whether keys have been stolen or misused or should be trusted.
Such insecurity must not be translated to the cloud. Cloud applications are elastic, scalable, and dynamic. Traditional PAM was designed for static physical servers in much smaller environments. But as with passwords and other static security measures, static PAM won’t work anymore. Traditional PAM just doesn’t provide the agility one needs in the cloud and doesn’t handle elastic services well at all. In fact, it doesn't handle traditional legacy infrastructure very well. Projects become complex and expensive.
The alternative is a new iteration of PAM, which works without any permanent access credentials on servers, using only temporary credentials created on demand. There are no passwords to rotate, no vaults to store and no software to be installed and patched on individual servers. This makes for a rapid and straightforward deployment project with unlimited scalability.
Steps for Success
Going into 2018, there is a common theme having to do with governance for your trusted access to protected data. It is crucial to start addressing these risks as early as possible. Organizations must have complete accountability of their protected data: who has access to my data? Where is my data? What laws and regulations impact my compliance program?
To remain—or become—secure and compliant, it is imperative to start with the core infrastructure of your enterprise. After all, this is where your critical digital assets reside. Theft or damage to this data could be catastrophic. You can’t afford to have static security and poor access management–especially with the GDPR’s hefty fines. Doing the basics well, at has Gartner recommends and addressing these key issues will set your organization up for a more secure future.