responsible for rotating them? Questions to which developers
often have no answer.
Organisations seek centralisation but development teams are
often more focused on high velocity, code sharing, ad-hoc
tooling and full-on automation. It therefore becomes the job of
the security team to get the developers on board.
When you have so many applications, focus becomes
paramount. The priority must be removing application secrets for
RPA – this has the advantage of facilitating cross-team visibility,
adoption and quick wins – which is useful for demonstrating
benefits to developers. From there, the next step is migrating
to a shared services security model, with the end goal that
non-security teams provide internal financing for cybersecurity
projects. This creates cross-functional teams, allowing
organisations to bring DevOps and security teams into alignment
and fostering collaboration for stronger overall security.
Extending security to the cloud
A recent CyberArk study shows that nearly 70% of
organisations do not secure business-critical applications
deployed on the cloud any differently to how they secure
low-value applications or services. Organisations must take steps
to protect what attackers target most as cloud applications
proliferate: privileged access. This means locking down the
powerful human and application-to-application credentials
used by SaaS applications and cloud-native applications built
using DevOps methodologies to reduce the risk of an attack.
When data and applications are moved to the cloud, it’s
easy to provide all developers access to any cloud resource,
postponing the tedious permissions management to later.
However, the more it is postponed, the harder it is to impose
stricter security permissions. A previous study of attendees of
InfoSecurity Europe 2019 showed that 37% of organisations
have already experienced attacks that could compromise
their data and applications in the cloud. According to industry
experts, nearly all cyber-attacks involve privileged access. In
cloud-first environments, access is therefore not limited to the
network, and the perimeter is no longer defensible.
Security strategies must therefore shift to protecting what’s
most important from within. Zero trust security models – where
organisations trust nothing and verify everything, whether it
comes from inside or outside the network perimeter, before
granting access – are making this possible. Practising
defence-in-depth and incorporating privileged access security
controls at the core of their strategy will allow organisations to
implement a zero trust framework that helps to drive down risk
while maintaining business velocity.
Issue 23 | www.intelligentciso.com