For federal agencies, protecting the perimeter has historically meant securing an ever-expanding network of end-points – a perimeter whose diameter has exploded with the rise of mobile devices and the Internet of Things. For many organizations, securing this perimeter still largely relies on traditional strategies and tools, such as firewalls, data encryption, software patching, end-point management and security information and event management offerings.
However, despite the value these robust and complex systems offer organizations, breaches still happen; the bad guys get in — and exploit information presumed secure. Recent high profile attacks ranging from Sony Pictures Entertainment and Anthem, Inc. to the Office of Personnel Management and the United States Postal Service have accentuated the massive vulnerabilities that exist in the present security framework.
Often, this framework is the result of an organization’s attempt to comply with regulations, mandates and best practices – boxes to check that do not necessarily align with business strategy or comprehensively increase network and data security. Recent cyber attacks on global enterprises and government agencies have only further accentuated the systematic vulnerabilities associated with simply “checking the box.” However, there remains a realm of compliance where box checking truly and effectively enhances security and boxes-out the hackers – and that’s identity.
Time and again, the common thread weaving itself through security breaches large and small is a hacker’s ability to gain access to privileged user credentials. Once exploited, these accounts allow attackers to move laterally undetected throughout the network, continually elevating privileges and gathering intelligence on people, strategies, intellectual property and systems – intelligence that can lead to the disruption ofoperations, financial and reputational extortion … and even the ability to elicit damage on physical systems and people. Identity has become the new security perimeter, and privileged identity management – the protection and oversight of organizations’ most critical accounts and credentials – has become the key to effectively managing that perimeter.
Read the complete report in the April/May issue of Homeland Security Today.
Ken Ammon is the chief security officer for Xceedium, Inc. A recognized expert in security issues, he began his career in the US Air Force where he was a captain assigned to the National Security Agency. He joined Xceedium from Lookingglass Security, LLC, and was founder and president of NetSec, which was sold to Verizon Business Systems, where he became a senior vice president. Ammon has testified before Congress on security vulnerabilities affecting sensitive government information and infrastructure, and served as an adjunct faculty member at the National Cryptologic School.