This post is part of an ongoing series of guest blogs written by TAG Cyber analysts in conjunction with members of our SPHERE team, combining the perspective of professional industry analysts with that of a technology company focused on establishing cyber hygiene. This article comes from TAG Cyber's fearless leader, CEO and Founder Edward Amoroso.
As the inevitable discussions and inquiries about cybersecurity make their way up the corporate ladder from working-level practitioners to senior executives and eventually to the board of directors, questions about information risk tend to be very much to the point. The typical senior corporate executive, for example, will often ask security experts like our team of analysts at TAG Cyber a bottom-line question along the lines of the following: “What is the one most important thing,” they will ask, “that is required to have a real impact on cyber risk?”
Our experience is that while answers to this type of question vary with the circumstances, the most honest responses tend toward the concept of hygiene. This often surprises executives who expect to hear about the need for advanced methods such as neural networks or behavioral analytics.
When hygiene is discussed, it is usually connected to the related concept of identity. Most security experts agree that identity-related issues, such as compromised credentials and excessive or stale permissions, are at the heart of most serious breaches, which makes cleaning up the data, services, and infrastructure that govern identity a priority. This leads to a key functional requirement in modern cybersecurity, one that we believe might be the most important aspect of enterprise protection: identity hygiene, which includes the basic task of cleaning up the permissions that exist across the enterprise.
The issue of permissions has been a nagging challenge for security teams for many years, but the good news is that excellent information technology (IT) tools and protection platforms now exist to improve the administrative and operational posture of deployed permissions.
The team at cybersecurity company SPHERE, for example, provides an automated platform that assists enterprise customers in cleaning up their permissions, ensuring that each entity can only access resources for which a proper role- or privilege-based justification can be made. That is the one answer that always belongs in a response to the question posed above: if an enterprise wants to take one action that can significantly reduce its cyber risk, it should focus on cleaning up permissions and taking steps to ensure that they stay properly managed.
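As an added example (not code from the original post, from TAG Cyber, or from SPHERE's platform), the following Python script shows the check that the two preceding paragraphs describe: every deployed grant is compared against the role model and the identity directory, and any grant that no assigned role justifies, or that belongs to a principal the directory no longer knows, is flagged for revocation, while justified-but-unused grants are flagged for recertification. The role model, directory, grant inventory, audit date and 180-day staleness window are all constructed here for illustration.

```python
"""Permission-hygiene audit over a constructed grant inventory.

Added example for this post; it is not code from SPHERE, TAG Cyber, or the
original article. The role model, directory, and grant inventory below are
constructed inline so the script runs offline. The same logic can be pointed
at a real export of file-share, database, or cloud ACLs.
"""
from dataclasses import dataclass
from datetime import date

# Constructed role model: each role justifies a set of (resource, permission) pairs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {("gl-ledger", "read"), ("expense-db", "read")},
    "finance-admin": {("gl-ledger", "read"), ("gl-ledger", "write"),
                      ("expense-db", "read"), ("expense-db", "write")},
    "hr-generalist": {("hr-records", "read")},
}

# Constructed directory of active identities and their assigned roles.
DIRECTORY = {
    "alice": {"finance-analyst"},
    "bob": {"hr-generalist"},
    "carol": {"finance-admin"},
}

# Constructed grant inventory, as exported from resource ACLs:
# (principal, resource, permission, last_used or None if never used).
GRANTS = [
    ("alice", "gl-ledger", "read", date(2023, 5, 1)),
    ("alice", "gl-ledger", "write", date(2022, 1, 10)),      # analyst with write: unjustified
    ("bob", "hr-records", "read", date(2023, 4, 20)),
    ("bob", "expense-db", "read", None),                     # HR reading finance data: unjustified
    ("carol", "expense-db", "write", date(2023, 5, 3)),
    ("carol", "gl-ledger", "read", date(2022, 6, 1)),        # justified but long unused: stale
    ("dave", "gl-ledger", "read", date(2021, 3, 3)),         # dave has left: orphaned grant
    ("svc-backup", "hr-records", "read", date(2023, 5, 2)),  # principal unknown to the directory
]

AS_OF = date(2023, 5, 15)   # audit date for the constructed data
STALE_DAYS = 180            # hypothetical policy: unused this long means recertify


@dataclass(frozen=True)
class Finding:
    principal: str
    resource: str
    permission: str
    reason: str


def justified_entitlements(principal):
    """Union of entitlements granted by every role assigned to the principal."""
    entitlements = set()
    for role in DIRECTORY.get(principal, set()):
        entitlements |= ROLE_ENTITLEMENTS.get(role, set())
    return entitlements


def audit(grants, as_of, stale_days):
    """Compare each deployed grant against the role model and usage data.

    Grants are flagged in priority order: orphaned (principal no longer exists),
    unjustified (no assigned role explains the grant), stale (justified but unused
    beyond the policy window). A grant that passes all three produces no finding.
    """
    findings = []
    for principal, resource, permission, last_used in grants:
        if principal not in DIRECTORY:
            findings.append(Finding(principal, resource, permission, "orphaned"))
        elif (resource, permission) not in justified_entitlements(principal):
            findings.append(Finding(principal, resource, permission, "unjustified"))
        elif last_used is None or (as_of - last_used).days > stale_days:
            findings.append(Finding(principal, resource, permission, "stale"))
    return findings


def revocation_candidates(findings):
    """Orphaned and unjustified grants can be revoked without a business review;
    stale grants go to the resource owner for recertification instead."""
    return [f for f in findings if f.reason in ("orphaned", "unjustified")]


def run_audit():
    """Run the audit over the constructed inventory as of the constructed date."""
    return audit(GRANTS, AS_OF, STALE_DAYS)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"{f.reason:<11} {f.principal:<11} {f.permission:<5} on {f.resource}")
    print(f"{len(revocation_candidates(results))} of {len(results)} findings are revocation candidates")
```

Running it produces five findings: two unjustified grants (alice's write on the ledger, bob's read on the expense database), two orphaned grants (dave and the unknown svc-backup principal) and one stale grant (carol's unused ledger read). The first four are revocation candidates; the stale one goes back to the resource owner. In a real deployment the three inputs would come from the HR or directory system, the IAM role definitions and an ACL export, and the audit would run on a schedule so that drift is caught continuously rather than cleaned up once.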
Auditors have come to recognize the importance of permissions, as have the developers of frameworks such as the NIST Cybersecurity Framework. Audit, compliance, and governance models now routinely include permissions management as a critical protection control to address cyber risk.
Our advice to enterprise security teams is to review existing plans to ensure that permissions are appropriately addressed in protection planning. This might be done in the context of the existing identity and access management (IAM) platform, but specialized solutions such as SPHERE's are recommended to ensure world-class support. Let us know your own progress as you take steps to reduce permissions risk through improved identity hygiene initiatives.