Changing workforce dynamics expose flaws in IT Infrastructure
With a majority of the workforce operating from home for the foreseeable future, companies are having to spend increasing amounts of time and energy looking at software security, hardware security, and most importantly of all, who has access to what. If Covid-19 has illustrated anything, it’s that IT infrastructure needs to be protected, and that means assessing who needs what, when, where, and how – in other words, Privileged Access Management, or PAM.
The major source of security breaches within your business is your workforce, and the access they have to the servers and other devices which house your company intellectual property, your customer database, and your other digital assets. These breaches can be intentional – deliberate hacks and attacks – or they can be as simple as someone clicking on something they shouldn’t, or adding unauthorised apps or other software to company machines, which gives unintended access to critical confidential information.
Where privileged access management can help is through control – who can access what, when, and why. Just as you wouldn’t give a trainee doctor a scalpel and ask them to perform brain surgery, you shouldn’t let the office junior access privileged accounts. However, many businesses do just that.
The challenges might not just come from your own staff, but from your partners and your suppliers too. You might be dependent on them for the survival of your business, but without having full control over what they’re doing in relation to any access they might need to your systems and equipment, you could be in trouble.
In other words, third parties are another major source of risk to your business. What do they need to see, and why? Can you prevent them accidentally or deliberately sharing your business with your competitors, for example? Do they really only have access to what they need? These are areas that need to be addressed.
The other third-party problem area is any contractor you may need to outsource work to. For example, if your outsourced workforce then in turn outsource work to others, you have lost control of the access management entirely. Their intentions may be entirely honourable when it comes to your business, but the potential is nonetheless there for a serious security issue.
Within your business, the issue is the number of people who have administrator accounts, and how these are maintained, especially when staff are on extended periods of leave – such as maternity or paternity allowances – or leave your company altogether. Passwords inevitably get written down, or worse still, emailed or messaged through to cover staff – in other words, they’re a security breach just waiting to happen.
A major step towards a solution is to keep a careful eye on who needs access to which systems, when, and why. Additionally, automating tasks that often need a human administrator – such as starting or stopping servers, or refreshing passwords – removes another level of risk.
Privileged accounts exist on every device your company has, so the best path to a secure solution is to remove the need for passwords to be recorded or shared by others, and to instead protect those passwords, effectively controlling access. The step beyond protecting those accounts is to then protect who can do what with them. The more tasks that can be automated, the less chance there is of human error – or intent – causing security issues.
Once privileged accounts have been identified, they can be brought under control, and managed. With a single control point to effectively audit accounts, it’s easier to have an overview of what’s going on, and the ability to investigate issues as soon as they happen.
Once users are operating on a “need to access” basis, it’s less likely that issues will arise, as full user access sessions can be recorded and viewed to isolate problems. It then also becomes possible to allow users to access material and devices only when they need to, rather than leaving possible access channels “always open”. This is particularly useful in limiting third-party access.
Accidents can and will happen – the human element cannot be completely removed, and computers can only do as they are told. However, with a clear audit trail it’s possible to keep a keen eye on the entire life-cycle of account access, and to protect company security more robustly.