Every organisation should give every employee privileged access to its IT systems. No, that’s not an edict to elevate the access rights of every user, it’s a reflection that the old distinction between a ‘privileged’ and ‘general’ user needs a rethink.
Privileged access, or a privileged user, originated as a term to describe IT specialists with a level of access that enabled them to manage and configure IT systems, as opposed to users who had access only to the data and functions provided by those systems.
Today, with so much sensitive information online and with IT systems’ access protections so easily bypassed through techniques like phishing, it is essential that every user has access privileges that define the information and services they can use, and those they cannot, and limit their access accordingly.
Thomas Fikentscher, CyberArk’s regional director ANZ, in the Bridging the Cyber Divide series, says organisations need to define access privileges for every user, and tightly integrate with identity management.
“As identities have access to services – to data, to secrets – security needs to wrap around identity and to be tailored to whatever the identity is supposed to do,” he said. “So, we’re extending this whole definition of privilege across pretty much every user.”
And, Mr Fikentscher added, the digital transformation being undertaken by many organisations has greatly increased the danger of not tightly controlling users’ privileges.
“If you go back to the legacy systems that many organisations are still using, to the big databases running in organisations. Those used to be highly protected environments, and only a limited number of people had access. Now, as part of digital transformation, these systems are being lifted to the surface and embedded into new business processes.
“For example, if you’re an insurer and you want a digitised claims management process, you need to open up your database and provide some form of access, maybe a web interface or a console. All of a sudden, it becomes visible. It’s the same if you do that in a banking system.”
The increasing breadth and depth of user access to information is also reflected in new employment roles, he said. “If you look at the job market, you’ll see how job titles are changing. Everything starts with ‘digital’ or ‘data’. There are data scientists, digital scientists, forensic this and forensic that. It’s no longer ‘librarian’, it’s ‘cybrarian’.”
“You’ve got medical nanotechnologists doing tissue design; you have people who are drone operators, or UAV technicians – all these individuals are performing technical work and digital work, by the nature of their jobs. They’re dealing with secrets, with critical information.”
In addition to the ‘human element’, Mr Fikentscher said 5G and IoT were adding a whole new dimension to the challenges of managing access privileges.
There are an estimated 20 billion internet-connected things, or IoT devices, many with IP addresses, giving them access from and to the Internet, and increasing these are being connected over 5G which provides those connections with very high bandwidth.
“The technology is evolving to enable more and more digital services, but with that comes a lot more problems for many organisations,” Mr Fikentscher said.
To protect all this sensitive information, he said organisations need to start by precisely defining every individual’s access profile.
“Every organisation needs to come up with some form of framework or a concept and say, ‘I’ve got a workforce that is embracing more and more digital services.’ And it’s the same in government: agencies are providing digital services to their citizens,” he said.
“More people are now doing privileged work. So, you have to look at securing these identities, understanding what people access and how they access it, when they access it, and what they actually need.
“And, if people understand that philosophy, then they’ve basically got to the root cause of the issue: making sure people who perform certain tasks are doing things in a secure manner. Then you have visibility, and you have a level of control over what’s happening in your business, or in your government agency.”