Who owns the data in your organization? If you’re like many, there’s a chance it’s fragmented. Maybe legal owns governance while security owns data security. IT, legal, security and line-of-business owners might share tasks. Perhaps there is no real data governance or oversight at all. What we hear from people across all industries, though, is that whether they have a mature governance and data security program or a nascent collection of policies expected to evolve over time, there is one specific avenue that remains difficult to address: controlling access to sensitive data. Zero trust and other access controls can help.

Combining Zero Trust and Other Tools

There are plenty of articles extolling the virtues of combined data security and access management tools, and with good reason. These are core components of zero trust, and according to the 2021 Cost of a Data Breach report, a zero trust framework can reduce the overall financial impact of a data breach by 42.3%.


Beyond statistics, this is a practical combination. By always watching a user’s actions and data security posture and quickly adjusting access privileges as needed, you can preserve data privacy, meet data compliance needs and ensure a zero trust architecture.

But what about privileged access management (PAM)? Privileged accounts are expanding rapidly, becoming more complex and taking more in stride. Today, containers, servers and apps can all have privileged access. This widens the borders of a privileged account as well as the attack surface for bad actors looking for an entry point.

Often, businesses do not practice good hygiene around privileged credentials. They don’t set limits for them beyond typical access policies dictating where, when or how users can access these sensitive accounts. Beyond this, PAM oversight is less easily added into data security. The relevant teams often cannot determine the user behind privileged credentials when strange behavior occurs.

In fact, many companies still use ad-hoc methods like paper or spreadsheets to manage privileged credentials. With 74% of breaches stemming from privileged credentials, and one in four employees reporting they know someone who has sold privileged credentials, more granular control is paramount.

In this on-demand webinar, IBM and Enterprise Management Associates, Inc (EMA) discuss IBM Security Guardium Insights and the current state of data security.


The Importance of Just-in-Time PAM

The first step on the journey to the zero trust security promised land is just-in-time (JIT) PAM. We discussed earlier how businesses tend to practice poor security hygiene when it comes to privileged credentials. That’s where a JIT model comes in. In fact, in the 2020 Gartner Magic Quadrant for PAM, Gartner predicts that 50% of organizations will have put a JIT model in place by 2024, with those that do seeing 80% fewer privileged breaches than their peers.

Multiple JIT cases can be solved with PAM. Developers need JIT privileged access to build, test and launch products. Meanwhile, service accounts need JIT access for IT tasks. Given that 74% of CFOs intend to move at least 5% of their onsite employees to permanent remote bases, more remote workers need JIT access to stay productive.

In a nutshell, this model abides by the notion of least privilege access. It gives users the least access they need to accomplish privileged tasks. This means limiting the time spent in a privileged system. In addition, it greatly limits the locations from which those systems can be accessed, among other factors. Setting strict limits on where and for how long accounts can be accessed makes it less likely someone could abuse those privileged credentials. If odd behavior does occur, your team can discover the culprit more easily.

Who Is Watching the Watchers?

So, we’ve enhanced our PAM with a JIT model. But it still doesn’t fully address the access management gap. Even with policy guiding the use of privileged credentials, there is the risk of those credentials still being exploited. To combat this, deploy data security analytics.

Any data security solution, including those built to secure the modern hybrid multicloud, must come equipped with artificial intelligence (AI) that can centrally analyze what’s happening across all data sources within a given data environment. Why? The World Economic Forum predicts that by 2025, there will be 463 exabytes of data created daily. This contributes to a massive threat landscape where suspicious actions can occur. On top of that, we need machine learning to understand normal behavior across dozens of disparate databases. Without it, it will become more and more difficult to detect risky moves and trends.

This goes double for detecting and learning more about risky behaviors occurring behind PAM credentials. It is imperative to have a data security solution in place to spot problems. This solution can tell when a privileged account is behaving oddly or when someone extracts large volumes of sensitive data. It is equally crucial to integrate with a PAM solution to unmask the user behind the shared account. What remains is the feedback loop, in which the system looks at ongoing user behavior and, from there, informs the need for changing access policies on privileged accounts.
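The correlation described above, as an added example that is not part of the original article and not any product's code: it joins PAM checkout records with database audit events to name the user behind a shared account, and flags activity outside a JIT window, from an unexpected host, or above a volume limit. All records, field names and the row limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names and the row limit are assumptions.
T0 = datetime(2021, 9, 1, 9, 0)
CHECKOUTS = [  # JIT grants recorded by the PAM system for a shared account
    {"user": "alice", "account": "db_admin", "source": "10.0.5.21",
     "start": T0, "end": T0 + timedelta(minutes=30)},
    {"user": "bob", "account": "db_admin", "source": "10.0.5.34",
     "start": T0 + timedelta(hours=2), "end": T0 + timedelta(hours=2, minutes=30)},
]
AUDIT = [  # database activity, logged only under the shared account name
    {"time": T0 + timedelta(minutes=5), "account": "db_admin", "source": "10.0.5.21", "rows": 120},
    {"time": T0 + timedelta(minutes=45), "account": "db_admin", "source": "10.0.5.21", "rows": 40},
    {"time": T0 + timedelta(hours=2, minutes=10), "account": "db_admin", "source": "10.0.5.34", "rows": 60000},
    {"time": T0 + timedelta(hours=2, minutes=12), "account": "db_admin", "source": "10.0.9.99", "rows": 10},
    {"time": T0 + timedelta(hours=2, minutes=20), "account": "db_admin", "source": "10.0.5.34", "rows": 55000},
]
ROW_LIMIT = 100_000  # assumed ceiling on rows read during one checkout


def find_checkout(event, checkouts):
    """Return the checkout covering this event's account and time, else None."""
    for c in checkouts:
        if c["account"] == event["account"] and c["start"] <= event["time"] <= c["end"]:
            return c
    return None


def review(audit, checkouts, row_limit=ROW_LIMIT):
    """Attribute shared-account activity to a user and list policy findings."""
    findings, rows_by_grant = [], {}
    for e in sorted(audit, key=lambda e: e["time"]):
        c = find_checkout(e, checkouts)
        if c is None:  # credential used with no JIT grant in force
            findings.append(("no_active_checkout", None, e["time"]))
            continue
        if e["source"] != c["source"]:  # grant holder's credential seen on another host
            findings.append(("unexpected_source", c["user"], e["time"]))
        key = (c["user"], c["start"])
        before = rows_by_grant.get(key, 0)
        rows_by_grant[key] = before + e["rows"]
        if before <= row_limit < rows_by_grant[key]:  # report the crossing once
            findings.append(("bulk_extraction", c["user"], e["time"]))
    return findings


if __name__ == "__main__":
    for kind, user, when in review(AUDIT, CHECKOUTS):
        print(f"{when:%H:%M} {kind:20} user={user}")
```

Findings like these are the input to the feedback loop: a repeated `no_active_checkout` or `bulk_extraction` result is a reason to tighten the grant's duration, source restriction or scope.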

Starting at Zero Trust

Data security is a zero trust issue at heart. With a zero trust model, organizations are enabling least privilege access to their data and always checking access credentials for users, devices and applications. By assuming a breach is bound to happen, they are ready to spot and respond to attacks. If the endgame is to limit access to critical data to those with the right credentials and a real need, it requires a mix of analytics, ongoing checking of data sources and systems, and a constant look at the security posture of users and endpoints. By breaking down silos between data security and identity teams, essential roles such as visibility, security and governance are less fragmented, and you can limit the damage caused by a breach.

Learn why IBM Security Verify Privilege is a leader in Forrester Wave™️: Privileged Identity Management (PIM), Q4 2020. Don’t forget to join IBM and EMA in this on-demand webinar as they discuss IBM Security Guardium Insights and the current state of data security. 
