Trust, but Verify: Keeping Watch over Privileged Users April 9, 2018 Juan C. Asenjo | Thales eSecurity Global Partner Marketing More About This Author > “Trust but verify” is a Russian proverb President Reagan used as doctrine for nuclear disarmament between the U.S. and the U.S.S.R. in the mid-1980s. Its application was instrumental in ending the nuclear arms race and the threat of war. Today, the same doctrine can be applied to enterprise applications and data that is being threatened by a complex dynamic of attack vectors. As more trusted privileged users hold access to more critical functions and information within organizations, the trust bestowed on them must be validated to address insider threats and thwart cyberattacks. Privileged Users Privileged users today can include a multitude of people from system administrators, network engineers, and database administrators, to data center operators, upper management, and security personnel. They’re generally either inside or under contract to the enterprise. Moreover, it is not just the potential renegades that organizations need to worry about, but also cybercriminals who, through multiple devious methods, can gain access to the credentials of authorized privileged users. As organizations grow and designate more privileged users, an increasing number of credentials and the data these credentials unlock, is at risk. Privileged users and privileged accounts can be exploited to attack an organization from within. As a result, these attacks can be hard to detect and can cause significant damage. Stolen credentials can go unnoticed until a great deal of data has been harvested or modified, or critical systems sabotaged. The Challenge Depending on their privileges, users may need unlimited access to applications, but only limited or no access to file systems and their data. However, security controls offered by traditional operating systems do not always offer this level of segmentation. Controlling privileged access without impacting operations can thus require careful planning. Multiple layers of security are needed to protect privileged accounts from unauthorized external and internal access. The sensitive data that accounts process must also be safeguarded. Applying security mechanisms to protect account credentials, the sessions that users create, and the data they exchange, requires a complete solution that enables compliance with government and industry data security regulations without affecting operational efficiency. This is why watching over the activities and managing the accounts of privileged users has become critical in order to reduce data security risks, protect enterprise reputation, and comply with increasingly stringent data security regulations. Privilege Account Management (PAM) PAM solutions provide visibility and control over privileged accounts and their users, and establish robust defenses against potential attacks across the layers of the computing environment. By managing user access, safeguarding file systems, ensuring process segmentation, and providing encryption capabilities, PAM solutions protect users, assets, files, and applications. The technology gives organizations the ability to stop insider threats and credential theft that can lead to privilege escalation, lateral movement, and ultimately a damaging breach. In addition to all these security advantages, PAM solutions do not require complex re-engineering of applications, databases, or the infrastructure. PAM Plus Comprehensive PAM solutions require enterprises put in place secure access controls, auditing, alerting, and activity recording capabilities. Moreover, IT staff and management need to pay attention and respond to irregular activity that may indicate an attack is in progress. Best practice also calls for strong cryptographic key management and encryption of data at rest to ensure data security. Encryption can also reduce the scope of regulatory requirements including the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and others. Strong cryptographic key management protects privileged credentials and ensures only authorized users and applications can access sensitive files. Hardware security modules (HSMs) enable an additional layer of security. HSMs provide a hardened, tamper-resistant environment for safeguarding and managing underpinning cryptographic keys. Thales nShield HSMs are FIPS 140-2 Level 3 certified and are Common Criteria EAL4+ compliant, providing the highest levels of security to facilitate security auditing and regulatory compliance. To address the security of sensitive files, data at rest encryption, using Vormetric Transparent Encryption (VTE), makes files useless if stolen. Cybercriminals who exploit a privileged account protected by these solutions will find themselves disappointed. The Total Security Solution Combining PAM with strong key management and data encryption provides a comprehensive data security solution that protects enterprises at both the user and data storage level. This powerful combination helps enterprises comply with increasingly strict regulations and protects organizations from the financial and reputational threats posed by major data breaches. Thales eSecurity and its partners can help your organization manage privileged user access and control file systems by establishing a robust root of trust for credential management and data encryption. To learn more, sign up for our webcast “Privileged Account Security: Safeguarding User Credentials and the Data they Protect.” To assess your organization’s level of preparedness for regulatory compliance take the GDPR Fitness Assessment to stay #FITforGDPR and ensure compliance. Have additional questions? Tweet me @asenjoJuan or leave a comment below.