
Securing privileged accounts

Posted: Wed Feb 05, 2025 10:58 am
by rakhirhif8963
The scale of the problem is real. According to Verizon’s 2024 Data Breach Investigations Report, stolen credentials were used in 77% of attacks on core web applications. Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches involved stolen credentials.

“We need to move to an identity-centric security culture,” says Akif Khan, a vice president and analyst at Gartner who specializes in IAM. “If you don’t identify your users, it’s hard to provide any security. If you don’t know who’s accessing your systems, how do you know whether they should be accessing them or not?”

In his view, IAM is replacing the old idea that organizations should have a secure perimeter. The risks of relying solely on perimeter security are clear. In June this year, the Ticketmaster and Santander data breaches were linked to unsecured Snowflake cloud accounts.

goes hand in hand with effective identity management and initiatives like zero trust. But because zero trust requires significant, long-term investment, CIOs and CISOs should also improve existing credential protection and move to risk-based approaches to identity.

This is driving organizations to move toward policy-based and risk-adaptive access control systems. These systems allow companies to enforce MFA if an action is deemed high-risk, or block it altogether. But this depends on the organization having a clear IAM strategy.

“Lay the foundations to ensure clear visibility and control over who has access to your resources,” Swalling recommends. “Make sure identities are in order. Combining this with robust privileged access management, possibly using automation and machine learning, will simplify and improve administrative tasks and reduce user frustration.”

Frustrated users are ripe targets, agrees Mustafa, Cisco's EMEA identity solutions manager, and very real targets for attacks against MFA.

Zero trust
Cisco is a proponent of the zero-trust security model, but Mustafa admits that few organizations have fully deployed it.

Cisco research found that 86% of enterprises have started using a zero trust model, but only 2% say they have reached maturity. Complexity and inconsistent user experiences are among the barriers.

“The principle at work here is: ‘Trust no one, verify everyone,’” says Mustafa. “The only way to implement a zero trust policy is to constantly verify all users, devices, and applications at all times and anywhere, inside or outside a given network.” This includes deploying MFA, least-privilege access, and micro-segmentation.