How Australian Organisations Can Balance Access and The Broader Security Question – Partner Content


The complexity of access has become a major challenge that is keeping CISOs up at night. Unfortunately, while the solutions to address the problem are available, many have yet to properly build them into their security environment.



Forrester Research has estimated that 80% of breaches involve compromised or abused privileged accounts. Yet, just are sharing root and privileged access.

This needs to change, especially given the increasing scrutiny on cyber security best practices in Australia.

The Evolving Cybersecurity Landscape in Australia

Ransomware remains one of the most prevalent and damaging threats to Australian businesses and critical infrastructure.

The impact of ransomware is exacerbated by the fact that it only takes one lapse in security — such as an inappropriate permission granted to the wrong individual — to compromise an entire network.

At the same time, the regulatory landscape in Australia is becoming more stringent as the threat of cybercrime grows. Key regulations, such as the Essential Eight developed by the Australian Cyber Security Centre (ACSC), are designed to help organisations mitigate cybersecurity risks, and one of the main ways they do that is by requiring organisations to have a better grasp of access control.

As part of that, the government has developed the Protective Security Policy Framework, in which organisations are required to “limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls).”

However, simply locking down an environment isn’t going to work, either. For one thing, an environment that is too restrictive makes it difficult to get work done, resulting in a decline in productivity. More importantly, an overly restrictive environment might ironically expose the organisation to new security risks. If the user experience is too compromised, users will look for ways to circumvent the network entirely, which can result in data being leaked to third-party platforms outside of compliance.

How Organisations Should Approach Access Exemptions

Ultimately, success in balancing these often conflicting requirements comes down to how well the organisation and security environment handle exemptions to access.

When handling requests for exceptions, it is crucial to assess both the legitimacy and urgency of the request. This process should involve a thorough evaluation of the context in which the request is made and the characteristics of the user making the request. For example, is the request coming from a high-level executive with a legitimate need for temporary access, or is it from an external contractor with limited oversight? Understanding the context can help organisations determine the level of risk associated with granting the exception and whether alternative solutions might suffice.

One effective strategy for managing exceptions with regard to application control is to grant time-limited exemptions. By setting an expiration date on access permissions, organisations can reduce the risk of long-term exposure to vulnerabilities. However, this approach comes with its own set of challenges.

One school of thought is that in such situations all restrictions on an endpoint are removed for the period of time needed. However, this approach is problematic because it grants far more permissions than are required, creating a larger attack surface than necessary. Importantly, for those organisations aligning to the Essential Eight, such an approach fails to meet the requirements around restricting administrative privileges.

Additionally, a policy-driven approach to exception handling allows organisations to maintain consistency and reduce the risk of ad-hoc decisions that could compromise security. Policies should be flexible enough to address a variety of scenarios, from emergency access requests to routine exceptions, but rigid enough to prevent abuse. For instance, policies might require multi-factor authentication for all exceptions or mandate that certain requests go through a formal approval process involving multiple stakeholders. This ensures that security is not compromised for the sake of convenience.
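The following is an added illustration, not code from the article or from any vendor it describes, of what a policy-driven, time-limited exception looks like in practice: the grant is scoped to one application and one privilege level rather than lifting all endpoint restrictions, every exception requires MFA, the number of approvers rises with the privilege level and with the requester's lack of oversight (contractors), and the lifetime is capped by role. The role names, duration caps and approver counts are constructed policy values chosen for the example; an organisation would substitute its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values for this example (not from the article):
# maximum lifetime of an exception by requester role, and approvers
# required by privilege level. "admin" means administrative privilege
# on the endpoint; "run" means permission to execute one extra application.
MAX_DURATION = {
    "executive": timedelta(hours=8),
    "employee": timedelta(hours=8),
    "contractor": timedelta(hours=2),   # limited oversight -> shorter window
}
REQUIRED_APPROVERS = {"run": 1, "admin": 2}


@dataclass(frozen=True)
class ExceptionRequest:
    user: str
    role: str
    application: str        # exception is scoped to a single application
    privilege: str          # "run" or "admin"
    requested_hours: float
    mfa_verified: bool
    approvers: frozenset    # identities that have signed off on the request


@dataclass(frozen=True)
class Grant:
    user: str
    application: str
    privilege: str
    expires_at: datetime


def evaluate_request(req, now):
    """Apply the exception policy; return (Grant or None, reason)."""
    if req.role not in MAX_DURATION or req.privilege not in REQUIRED_APPROVERS:
        return None, "unknown role or privilege level"
    if not req.mfa_verified:
        return None, "MFA required for all exceptions"
    if req.user in req.approvers:
        return None, "requester cannot approve own exception"
    needed = REQUIRED_APPROVERS[req.privilege]
    if req.role == "contractor":
        needed += 1   # external party with limited oversight: one extra reviewer
    if len(req.approvers) < needed:
        return None, f"{needed} approver(s) required, {len(req.approvers)} given"
    # Time-limit the grant: never longer than the role's cap.
    duration = min(timedelta(hours=req.requested_hours), MAX_DURATION[req.role])
    return Grant(req.user, req.application, req.privilege, now + duration), "granted"


def is_allowed(grants, user, application, privilege, now):
    """True only if an unexpired grant matches user, application and privilege."""
    return any(
        g.user == user and g.application == application
        and g.privilege == privilege and now < g.expires_at
        for g in grants
    )


def demo():
    """Constructed walk-through; returns plain values for easy checking."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grants, results = [], {}
    # 1. Executive needs one extra application for 4 hours, MFA done, one approver.
    g, results["alice"] = evaluate_request(
        ExceptionRequest("alice", "executive", "report-tool", "run", 4, True, frozenset({"bob"})), now)
    grants.append(g)
    results["alice_3h_later"] = is_allowed(grants, "alice", "report-tool", "run", now + timedelta(hours=3))
    results["alice_5h_later"] = is_allowed(grants, "alice", "report-tool", "run", now + timedelta(hours=5))
    results["alice_other_app"] = is_allowed(grants, "alice", "other-tool", "run", now + timedelta(hours=1))
    # 2. Contractor asks for admin with a single approver: policy needs three.
    _, results["carol_admin"] = evaluate_request(
        ExceptionRequest("carol", "contractor", "build-agent", "admin", 1, True, frozenset({"bob"})), now)
    # 3. Employee without MFA is refused regardless of approvals.
    _, results["dave_no_mfa"] = evaluate_request(
        ExceptionRequest("dave", "employee", "report-tool", "run", 1, False, frozenset({"bob"})), now)
    # 4. Contractor asks for 10 hours with two approvers: granted, but capped at 2 hours.
    g, results["erin"] = evaluate_request(
        ExceptionRequest("erin", "contractor", "report-tool", "run", 10, True, frozenset({"bob", "dan"})), now)
    results["erin_hours"] = (g.expires_at - now).total_seconds() / 3600
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the grant object carries the application, the privilege level and the expiry, so an access check after the window closes, or against a different application, fails without anyone having to remember to revoke anything; that is the property the all-restrictions-off approach lacks.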

Why Security Can’t Come at the Expense of the User Experience

Ultimately, exception handling should be part of a broader, holistic identity security strategy that integrates multiple layers of defence. This includes application control, user application hardening, and administrative privilege management. Taking a holistic and strategic approach to this means integrating all of these security solutions in a way that still enables the business to take full advantage of the opportunities presented with digital technologies.
