As efforts to control the COVID-19 coronavirus pandemic have increased, the Federal government has moved the majority of its workers to telework. While this is a great step to enable social distancing, it does open up serious cybersecurity concerns.
Late last month, the National Institute of Standards and Technology (NIST) released a bulletin note from the Information Technology Laboratory (ITL) on cybersecurity risks increasing with remotely accessible telework networks. ITL concluded that agencies and organizations should assume that malicious cyber actors will try to gain access to agency systems, and that they’ll try to leverage telework devices to gain access to the enterprise network or attempt to recover sensitive data.
One way the Federal government can keep networks secure during this new era of teleworking – and once workers are back in the office – is through implementing privileged access management (PAM).
Federal agencies handle an incredible amount of essential and sensitive information and PAM can help keep that safe. So, let’s explore how PAM is helping agencies protect their highest-value information assets, infrastructures, and applications. And delve into what opportunities – and challenges – PAM presents to the public IT sector.
What is PAM?
In a basic definition, Privileged Access Management is a solution that helps an organization restrict privileged access to only specific accounts or persons within the organization or agency. Privileged access is either a type of administrative or super-user access that allows for the full control of critical systems and applications anywhere, any time. Through this, organizations can create a set of policies, processes, and tools to protect, manage, and monitor privileged access to users and credentials.
Through the use of PAM, agencies and organizations alike can limit who has access to what – and in most cases, the “what” refers to sensitive data, applications, and assets.
“We see abuse of privileged access at the heart of almost all attacks,” said Kevin Jermyn, Federal Customer Success Director, CyberArk. “Whether that be a malicious insider or highly motivated external attackers, privileged access can be exploited and used to gain access to critical systems and sensitive data.”
Determining privileged accounts can help organizations pinpoint potential attack vectors and help halt the spread of those attacks.
Isolating the Attack
The primary motivator behind the government and private sector companies moving to telework is to allow people to isolate and socially distance themselves during the workday – lowering the chance of spreading COVID-19. For PAM, the goal is the same. If organizations anticipate privileged access abuse, they can begin to take proactive steps to layer on defense.
“We have to assume breach mentality,” said Jermyn. “What that means is we’re thinking like an attacker, and if they’ve already gotten in, it doesn’t matter how, but we need to understand what they’re actually after, and a lot of times that’s privileged accounts or privileged access. So, if we can put different, proactive controls in place around those privileged accounts, that’s how we reduce risk.”
By putting those proactive controls in place, Federal agencies can block, or isolate, the accounts that are deemed privileged to better protect the sensitive data and monitor who is accessing it.
Understanding the Challenges
Like telework growing pains – who hasn’t struggled with their new video conferencing platform – PAM also comes with its share of implementation challenges. Three stand out from the crowd – lack of direction, end-user adoption, and resource requirements.
As many Federal agencies are looking to deploy PAM, they’re doing so because they’re required to by their agency leaders or simply checking a compliance box. Many agencies are treating PAM as a project, rather than an on-going program that will have long-term benefits for their cyber defense plans. Support from the top down is critical to ensure all agency workers buy in to the overall PAM implementation, and specific direction is needed as they move forward with integrating it into everyday plans.
“Agencies need prescriptive guidance on where they should be focusing their efforts, and they should be building a roadmap, with executive buy-in,” said Jermyn.
But agencies also need end-users to buy into the changes as well. In the public sector, many of those privileged users perform mission critical tasks on a daily basis. Ensuring that end-user’s experience is not impacted is a significant requirement.
“Anyone that says PAM is easy, you should probably run away from them,” said Jermyn. “Starting a PAM program is not an easy thing and requires a lot of technical resources working together, such as security and operations teams to discover and onboard those privileged accounts. Agencies need a way to effectively leverage automation, and build that into onboarding processes.”
In 2019, the Office of Management and Budget (OMB) released the Enabling Mission Delivery through Improved Identity, Credential, and Access Management executive memo, outlining restrictions and requirements around non-human access to ensure strong authentication. By doing so, agencies are required to authorize users to move toward continuously managing identities on the network, rather than at the moment of approval.
Implementing PAM is no easy task, but with the right mindset and plan of execution, PAM presents the Federal sector with many opportunities.
PAM makes it more difficult for hackers to infiltrate networks and obtain privileged account access. By using PAM, agencies can better protect privilege at the endpoint. As many hackers target the endpoint, agencies using PAM can make a plan to secure the endpoint from credential theft and malware. Through increased control and awareness of the environment, PAM enables agencies to see who and what are on the networks to protect against vulnerabilities, phishing, and other targeted attacks.
Patience is a Virtue
As agencies have had to deploy near-total telework, with limited warning, they now encounter the challenges of such rapid implementation. With PAM, agencies can’t afford to rush through the implementation process if they want it to work effectively and efficiently. A strong sense of direction, buy-in from the higher-ups, and trust in the long-term process are critical. But choosing a PAM product is just the start.
“CyberArk has tools to help customers develop effective and mature PAM programs,” said Jermyn. “And to do so, we understand it takes more than just a product.”
Federal agencies must trust in the end goal of implementing a PAM program and see it grow – it cannot just be a checkbox on a safety requirement list. With the right tools and patience, PAM can provide agencies with much more than a strengthened cyber defense plan.
For more information on implementing a privileged access management (PAM) program within your agency, check out CyberArk’s Cyber Blueprint, which provides simple, yet prescriptive guidance to help customers focus on the most critical accounts first.