April 11, 2022
Part One in a Series
As organizations continue to migrate critical services and data to cloud providers to improve operational resiliency, efficiency and cost saving, the typical data infrastructure footprint continues to expand in both scale and complexity. Organizations that had previously operated in a handful of data centers with nearby offices now, through the adoption of cloud-based solutions and third-party integrations, must adapt to secure sensitive systems and data replicated across hundreds of third-party platforms on often-opaque physical infrastructure. At the same time, accelerated by a global pandemic and the subsequent Great Resignation, organizations face unprecedented pressure to embrace workforce decentralization and BYOD policies, compounding the difficulty of drawing even a logical line between an organization’s critical data and the rest of the world.
This progressive confusion of where data physically resides has led to a reformulation of security strategy, one that emphasizes a context-based approach to data access. A critical component of a context-based Zero Trust strategy is role-based access control (RBAC). A well-defined RBAC hierarchy, combined with identity governance processes and automation, helps create an authoritative answer to the question, “Who should have what access and when?” However, not all entities that access critical data readily conform to RBAC models or identity governance processes. For example, non-person identities – machine and service accounts responsible for processing data as part of automated workflows – do not follow the same lifecycle an end-user does and do not generally conform to RBAC models based on specific job functions. Similarly, high-level administrator accounts – those with root-level access to entire Active Directory forests, server farms, database clusters, production cloud tenants, etc. – are typically distinct credential sets from ordinary daily login profiles. While they can conform to RBAC and identity governance, they often possess such broadly unfettered access that they can defeat many of the security controls that would typically restrict a non-elevated account.
Preservation of uninterrupted business operations and client trust are often directly dependent on an administrator’s ability to rapidly restore a corrupted database, reroute network traffic, or simultaneously push a critical update to thousands of servers. In the wrong hands, however, such unrestricted permissions have the potential to do an equal or greater amount of harm. A malicious actor possessing a set of administrator credentials might instead choose to exfiltrate sensitive data for future sale on the dark web, make proprietary prototype details publicly available, or push zero-day malware to unpatched devices. Privileged credentials are, undeniably, the keys to an organization's kingdom.
Verizon’s 2021 Data Breach Investigations Report revealed 61% of 5000+ confirmed data breaches involved credentials. Various other sources estimate somewhere between 80 and 90% of data security breaches are due to stolen and/or misused credentials, the higher figures encompassing a broader array of cases including malicious internal actors and accidental misuse. And while many security solutions focus on the strength of encryption algorithms that render any intercepted password hash unusable, the most common attack pattern used to obtain stolen credentials is social engineering, comprising over a third of all analyzed attack patterns according to Verizon’s report. This data suggests that, unlike the clumsy amateur phishing attempts caught by most spam filters, spear phishing is a proven and effective method for gaining unauthorized access to data when properly executed by a clever attacker.
Privileged access management (PAM) solutions are designed specifically with the above threats in mind. Automated password rotation, a key feature of PAM, significantly reduces the possibility of a successful spear phishing attack against an unwary employee or contractor by removing the password itself as something a user knows. An attacker masquerading as a help desk employee or senior executive to pressure a user into sharing their password would be met first with confusion (“I don’t have that information.”) and then mistrust (“Who is this really? You should know I don’t have this information.”) at the request. Another PAM feature, dual access control, allows for a form of just-in-time provisioning and separation of duty specific to high-risk credentials. To check out a password for a privileged account, an administrator must initiate a checkout process in which another party must review and approve the checkout request before the administrator can obtain the password. Privileged session monitoring in PAM takes auditability to a whole new level of transparency and accountability, recording every keystroke and mouse movement and archiving the recorded session for future review. Such capabilities make malicious actions extremely difficult to hide even when performed by capable and determined internal actors with complex systems and organizational knowledge. And because these controls can be applied to conventional credential sets as well as to API keys, hashes, and certificates, PAM is not wholly dependent upon RBAC or identity governance to deliver an effective security control for high-risk credentials and secrets.
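The dual-control checkout and rotation flow described above can be sketched as follows. This is an added illustration, not code from the article or from any PAM product; the `Vault` class, its method names and the account and user names are all hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class CheckoutRequest:
    account: str
    requester: str
    approver: Optional[str] = None
    released: bool = False

class Vault:
    """Toy in-memory vault (constructed for illustration, not a product API)."""

    def __init__(self, approvers):
        self._approvers = set(approvers)
        self._passwords = {}
        self.audit = []  # append-only trail of (event, account, actor)

    def onboard(self, account):
        # The vault, not a person, generates and holds the password.
        self._passwords[account] = secrets.token_urlsafe(24)

    def request(self, account, requester):
        if account not in self._passwords:
            raise KeyError(account)
        self.audit.append(("request", account, requester))
        return CheckoutRequest(account, requester)

    def approve(self, req, approver):
        # Dual control: a second, authorised party must approve.
        if approver not in self._approvers or approver == req.requester:
            raise PermissionError("approval must come from another authorised party")
        req.approver = approver
        self.audit.append(("approve", req.account, approver))

    def checkout(self, req):
        if req.approver is None or req.released:
            raise PermissionError("checkout is not approved or was already used")
        req.released = True
        self.audit.append(("checkout", req.account, req.requester))
        return self._passwords[req.account]

    def checkin(self, req):
        # Rotate on check-in so the value the admin saw stops working.
        self._passwords[req.account] = secrets.token_urlsafe(24)
        self.audit.append(("rotate", req.account, "vault"))
```

Each request releases the password at most once, and the audit list records who requested, approved and checked out each credential, which is the trail a reviewer would consult alongside recorded sessions.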
Solutions capable of effectively delivering such capabilities require both platform-specific skillsets and in-depth knowledge of applied PAM strategy. Much as misconfiguring a firewall rule can misroute or refuse valid network traffic, misconfiguring a PAM platform can result in authentication failures leading to business process failures (e.g., payment processing), the inability of systems administrators to utilize elevated credentials to deliver support properly, and other costly business disruptions. Additionally, PAM platforms are not “set it and forget it” monoliths. As organizational needs evolve and new processes, roles and applications are introduced, an organization’s PAM platform must evolve in parallel to reflect the current state.
For organizations that do not yet have a formalized identity access management (IAM) program, or are currently attempting to manage their identity tech stacks through a more generalist security team, building in-house identity knowledge and skillsets can prove both costly and time-prohibitive. CyberSeek, a project partially funded by the National Initiative for Cybersecurity Education, estimates approximately 600K unfilled cybersecurity job openings to date. For context, the total U.S. cybersecurity workforce is estimated by the same source at just over one million. This means approximately 38% of current cybersecurity labor demand remains unmet: a shortfall that is unlikely to change any time soon. The Bureau of Labor Statistics’ 2020-2030 Employment Projections predicts job growth over four times that of the broader job market over the next decade, suggesting the gap in security talent will only continue to widen over the coming years.
However, such metrics tend to categorize cybersecurity skillsets in fairly general terms, failing to accurately represent the need for knowledge and experience in specific cybersecurity technologies. Thus, the skillsets needed to support a PAM solution are not well quantified by available labor market statistics but are assuredly far rarer than what even the broader cybersecurity labor market would indicate. Such acute scarcity, as dictated by fundamental laws of supply and demand, drives resource costs up significantly, often well beyond what the modest budgets of smaller security organizations can bear.
The solution: PAM strategy assessments complemented by expert automation and management in Privileged Access Management as-a-Service (PAMaaS). This offers a lightweight, affordable solution that delivers best-in-class PAM capabilities managed by a team of seasoned identity engineers with top-level technology certifications and decades of combined Identity experience.
It’s time for your PAM program to evolve into one that can holistically secure and administer privileged credentials in the cloud via end-to-end planning, organizational change management, technology implementation and ongoing management services. Check out PAMaaS to learn more.
Optiv Security: Secure greatness.®
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.