A STORY OF DESTRUCTION BY THE INTERNET OF THINGS

Once upon a time, in a world long, long ago…well actually not that long ago, there was an enterprise. This enterprise had control. It controlled who accessed its applications and data; it controlled who took that data outside of its company walls. It was a fine kingdom, protected by a strong wall.

Then the Internet happened. The enterprise could no longer keep everything inside the kingdom walls. The walls started to break apart and the company had to look at new ways to protect itself.

The short story above is a very simplified history of what has happened to organizations of all types and sizes, across every industry sector, in the last ten years. We are all now very aware of the changes to the organization perimeter: how it has been extended and then made fuzzy, and how the tools to control cyber security threats have had to evolve to handle this change.

Now, just when we have gotten used to the extended enterprise perimeter, a new technology has entered our kingdom, not only making the perimeter fuzzy, but also smashing it apart. This technology is the Internet of Things or the IoT.

The Internet of Things meets the Supply Chain

Supply chains can be complex and convoluted. If you were to map one out on paper, including all of the possible tiers of suppliers, it could end up looking like something only a mathematician could understand. The IoT has just taken this complexity and added an order of magnitude to it. The IoT is big and getting bigger. Gartner have predicted that by 2020, half of all new business processes will incorporate some element of the IoT. These new elements are adding more ‘moving parts’ to the chain; and of course, any additional point is a potential point of failure. In our Kingdom analogy, it is like the castle walls have fallen away almost completely.

As we know, the supply chain can work like a domino effect. If one domino is knocked over, it hits any connected dominoes until the whole chain falls over. One example of many was with the car manufacturer, Citroen, where a breach of customer records took place. In this case, it was a supply chain member, a site selling Citroen-related gifts, that opened the doors to the kingdom. Hackers added a backdoor to the sales site using an Adobe ColdFusion vulnerability. The impact isn’t always just direct loss of data either; reputational loss by association can also be very costly to a brand. Simply put, any application or device (IoT or not) across the supply chain is a domino. If each part does not have the correct security in place, the rest of the chain is impacted – security is the responsibility of every member of the supply chain because it has the potential to impact every member.

IoT and Supply Chains: The Good, The Bad and The Ugly

The IoT is a force for both good and bad. The World Economic Forum in their Global Risks 2015 report stated that, “While the “Internet of Things” (IoT) will deliver innovations, it will also entail new risks.” In terms of the supply chain, the IoT will add a whole new level of complexity to the chain. But the Internet of Things is also a force for good. The IoT can certainly improve supply chain processes and logistics. One of the key offerings of IoT devices is the data the devices can generate. This information can be used to analyze processes, creating a more demand-driven chain, improving logistics and ultimately cutting costs. However, it is the very benefit of the IoT that is also its potential security downfall. As more IoT devices are used to make the chain more efficient and data focused, more points of failure are added to the chain. All of these new devices and things need to have their security risks analyzed. The risk assessment of such complex chains is, in itself, highly complex. More devices increase the risk of breach and therefore more points in the system need to be secured.

And of course, as expected, cybercriminals will exploit this new technology. Gartner have said that on the back of the IoT a ‘black market’ will take shape, selling fake IoT sensors which can then be used for cybercrime. Without due care, these sensors will then become an intrinsic part of the overall supply chain, creating baked in security holes and back doors. If your chain becomes infected with a spoofed IoT device the whole chain is compromised.

Having It All

The use of the IoT within a supply chain offers us focused intelligence. We can use the data generated to improve chain efficiency, make more informed decisions and offer better services to our customers. But we must recognize that this sea change in the way we generate data and extend our touch points brings with it new security challenges and increased risks. To ensure the benefits of the IoT outweigh the risks, we need to take those risks seriously and put measures in place to mitigate them. Only with insight, analysis and knowledge of effective security measures can we ensure that the IoT becomes a kingdom maker, rather than a kingdom destroyer.


HOW TO USE THE PHILOSOPHY OF YIN AND YANG TO MAKE BETTER PROCUREMENT DECISIONS

Business as well as life is a balance. It was the Chinese New Year on the 8th of February, so it seems pertinent to use the philosophy of yin and yang to discuss the interactions of critical controls in the enterprise procurement process. The idea of yin and yang is that opposite/contrary ideas can in fact be complementary and build a stronger whole. This approach may well be useful in providing the right balance between the various control systems that come into play as any procurement process develops.

The Elements of Critical Control During Procurement: The Yin

There are a number of ‘critical controls’ within any given procurement program. Security is often seen as the main critical control and the one that can have the greatest impact on assets and infrastructure. However, security is not the only element that can have a potential impact on the procurement process and on vendor risk management. Of course, the criticality of each part is dependent on the industry. But in general, the types of things that you need to know about a vendor before procurement choices can be made include:

Security:   If you read this blog regularly, you’ll know that data and privacy breaches often have their origin with a third party supplier. A number of studies corroborate this, including the 2013 Trustwave study, which found that 63% of the investigated breaches began with 3rd party administration exposure. There is also a general and historical problem in the communication between procurement and security, security being seen to ‘slow down’ procurement.  However, this is starting to change as more breaches, like those mentioned above, occur. In a previous post we have talked about how KPMG have found that 70% of procurement managers now realize how important it is to know how a third party will handle their client data. This is a move in the right direction. An end-to-end security strategy, across the vendor/client eco-system is increasingly important and often needed for compliance with industry regulations.

Legal: The legal aspects of vendor onboarding can be arduous. It seems that once you involve the lawyers, everything comes to a standstill. There are, of course, good reasons for this; legal needs to make sure that all eventualities are covered. This is never truer than when you have regulations to comply with, which often extend outwards to your suppliers’ systems. Other factors, such as competition law and the legalities around origins of goods, personnel and services, need due consideration.

Social and environmental: As green laws take effect, a number of environmental constraints can come into play in the procurement process. You may need to develop a sustainable procurement policy to comply with regulations around these areas and to make sure the vendor choices you make fit in with this overall strategy.

Having effective know your vendor (KYV) policies in place before making final decisions is part of your supply chain risk assessment. This is a key part of the procurement process as it offers a way to minimize the future risks and protect the business against uncertainty. Gartner in their recent evaluation of the role of the CIO and risk, have stated that “Procurement teams develop contracts that improve security agreements with cloud vendors and security managers” to be able to meet the challenges facing business today, especially when dealing with Cloud based data.

What Prevents Efficient and Accurate Procurement Choices?

Procurement choices that are educated and based on checks and balances will ultimately benefit the company, because they reduce the risks associated with unknowns. Getting this process right is a challenge. For example, procurement and security need to work together for the greater good. The SANS Institute, in their paper on “Combatting Cyber Risks in the Supply Chain”, recommend a combination of ‘people, processes and technology’ to deal with the problem of good vendor evaluation for procurement. Communication and transparency are the key to risk reduction. It may seem like a slower process to add in the assessment stage, to audit vendors’ data security procedures, but in the long term, this will benefit your company, through informed choice – the old adage, “more haste, less speed” is highly applicable to the procurement process.

Procurement is the natural place where communication can start. It is often the main channel between the enterprise and the vendor and, as such, can create effective dialogue to manage critical controls, like security, and ensure they don’t slow the process down any more than necessary. Seamless, clear communication in this area can also help to identify any hurdles. For example, if the vendor needs to go through a certification or validation process, this needs to be identified early on. It is only by having open discussions and actively building frameworks to work to that we can ensure we have those critical controls incorporated into the procurement process.

Get it Right, Now, Not Later: The Yang

Getting your procurement controls in place before you sign that purchase order is vital. If you do it after knowing your vendor and any critical exposure points they may have, then you may well end up with security or compliance issues down the line. Once the ink is dry on the contract, it is much more difficult to put controls in place. This can result in overall increased costs, as well as a risky project that potentially could end in a catastrophic data breach. Putting controls into the mix, at the right time and to the right level, is part of a good, holistic approach to procurement. Getting the yin-yang balance right will create the type of vendor eco-system that gives you true value for money, whilst minimizing your risk of privacy and data breaches.


TWO KEY SUPPLY CHAIN TRENDS THAT YOU SHOULD KNOW

One of the topics this blog likes to explore is how to make the whole supply chain process more efficient, less risky and ultimately more profitable for everyone involved. We look at this from a real-world perspective, using our deep knowledge of this area, especially around automation and security. So it is really good when external sources back up your own knowledge and experience and this has been the case looking at the report by PWC on “Next Supply Chains: Efficient, Fast and Tailored”. In today’s post I’ll take a look at some of the findings of this survey by PWC and discuss their implications on supply automation, chain management and risk.

Supply Chain Trends

The PWC report had a particularly pertinent and insightful finding. This was that the supply chain is regarded as an actual strategic asset by 45% of organizations. Strategic assets are vital for competitive edge and keeping them well managed is therefore an important business consideration.

In their report, PWC has identified a number of supply chain trends, all of which show an expectation of increasing in importance and which have a material impact on the effective management of the supply chain. The following graphic, taken from the report, shows the 12 most important trends; noticeably all are expected to increase in importance.

In this post I’ll concentrate on two of these top trends, which we come across time and again, “Implementing techniques to automate and increase transparency” and “Managing supply chains security and risk”.

Automation to Increase Transparency

In the PWC report, they noticed that the most successful companies had a program in place to reduce supply chain complexity and to use automation methods to make supply chain processes more efficient. This has been instrumental in the leaders identified in the survey, having delivery performance figures of over 96%.  Part of this comes down to transparency across the supply chain. Transparency greatly helps to improve the smooth running of a supply chain. A report by electronics manufacturers, Jabil, found that 96% of the surveyed respondents said that an opaque supply chain put efficient operation at risk.

Gartner analysts concur with PWC and identify automation of supply chain processes as a supply chain trend. In a recent supply chain conference, Gartner linked automation and the Internet of Things (IoT) arguing that this has the potential to impact transparency across the chain. Gartner stated that, “functions such as procurement, logistics and inventory management often operated in silos with not enough coordination or focus on the end result”. Gartner reiterate this sentiment in their latest supply chain predictions of 2016, saying that automation will double in the next 5 years due to increased digitization of companies. 

The PWC report shows clearly that automation leads to better performance, and Gartner is backing these findings up. This comes at a time when the digital landscape is moving underneath us all, as digitization of services and the IoT grow in importance – this makes the move to automation of supply chain processes inevitable, as the complexity needs to be countered by transparency. In fact, the idea of having greater control over the processes and bringing all of the steps together in a seamlessly connected manner should be the goal of any eco-system. The PWC report stresses that digitization and automation of supply chains will create greater transparency, if managed correctly, which will ultimately result in reduced costs and improved efficiency. They also point out that automation is seen by two thirds of respondents as a “vital” part of the supply chain process. In fact, PWC show that automation is seen as one of the best ways to differentiate a business across a number of industry sectors including automotive and retail, giving them a method to “optimize their logistics and distribution operations”.

Managing Risk

The supply chain has not been immune to the global challenges we are currently facing. These challenges extend to financial market turbulence and the increasing cyber security pressures felt by all enterprises.

Growing risk from the supply chain is something that the vast majority of organizations seem to suffer from. Zurich Insurance found that in 2014, 81% of companies suffered a supply chain disruption, an increase of around 4% since 2010 and almost a quarter of survey respondents saw losses of around $1million due to such disruptions – cyber security being one of the most concerning.

The PWC survey identifies the management of chain security and risk as a top trend. They point out that to have a successful supply chain operation, an organization has to take personal responsibility for tracking the risks across the chain. The complexity of risk management rears its head most noticeably when the supply chain is a global one. Risks come in many shapes and sizes and a global chain can involve environmental, financial and certainly cyber-security risks. Ensuring stability of the extended supply eco-system is a management challenge and one that requires a holistic approach.

PWC found that risk mitigation, through close management of supply chain partners was one of the top differentiating practices of effective and high performing supply chains.

A Transparent Approach to Risk Management

The two top trends we have looked at here are not mutually exclusive. Both of these trends impact each other. By using automation to improve transparency, you can in turn enhance the management of risk across the chain. A move towards automation is a leap forward that takes your supply chain to the next level, and it will afford greater rewards in the guise of more optimized, efficient and risk-minimized processes.


Why IBM for Privileged Access Management – Get scalable, enterprise-grade security solutions, backed by unmatched service and support.

When you deploy IBM Security Secret Server and IBM Security Privilege Manager across your organization, you unlock the full potential of PAM with solutions that are:

Partner with IBM for incredible service and benefits

  • 24/7 access to IBM support
  • Unlimited feature set within IBM Secret Server
  • Simple pricing and packaging options
  • Quick time-to-value—install in minutes and see value immediately
  • Supports large-scale distributed environments from on-premise to cloud environments
  • Integration with the IBM Security portfolio including IBM Cloud Identity, QRadar®, Guardium® Data Protection, and IBM Security Identity Governance & Intelligence.
  • Access to IBM Security PAM Professional Services
  • Access to IBM Security Expert Labs for deployment and configuration

Protect privileged accounts to reduce your attack surface. Sign up for a free trial of IBM Security Secret Server now.


Top 8 IAM Challenges with your SaaS Apps

The Importance of Identity for SaaS Applications

The enterprise cloud revolution is here. IT organizations everywhere, from small and mid-sized businesses to Fortune 500 companies, are moving from on-premises software to on-demand, cloud-based services. As enterprise IT makes this transition to a new hybrid on-demand/on-premises configuration, controlling who is granted access to which applications becomes increasingly important. This presents CIOs and their teams with a whole new set of identity management challenges. In addition, users must keep track of multiple URLs, user names, and passwords to get access to their applications. IT’s role is also fundamentally changing. As the steward of these new services, IT must provide insight and advice about Software-as-a-Service (SaaS) products to ensure the company is maximizing the business value of their investments.

There are eight main identity and access management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, as well as best practices for addressing each of them.


IBM Security Privilege Manager – Remove excess privileges from endpoints and use policy-based controls to block malware attacks.

Least Privilege Policy

Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do their job. Many customers, users or applications have admin or root privileges with access to sensitive data/operating systems. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA, SOX, and NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identifying which apps are in use and whether they require admin rights to run, and understanding your risk level for service accounts and apps with an elevated set of privileges.

Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Privilege Manager helps with just that.

Get started with IBM’s free endpoint application and least privilege discovery tools.

Secure your largest attack surface with a single agent

IBM Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.

You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.

Define flexible policies that ensure a frictionless user experience

IBM Privilege Manager automatically elevates the applications and data that users across your organization need—without requiring credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.

Through advanced real-time threat intelligence, the solution whitelists, blacklists or graylists your applications according to flexible policies you define.

  • Whitelisting – Trusted applications are whitelisted and elevated, so users can easily access them without IT support.
  • Blacklisting – Applications are blacklisted based on real-time threat intelligence and are blocked from running.
  • Graylisting – Potential threats are graylisted, meaning they are moved to an isolated sandbox environment for further testing.

Additionally, any application can be quarantined and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without the risk of exposing system folders or underlying OS configurations.

Easily manage and remove local administrative rights

Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.

Boost productivity for users and support staff

Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.

Achieve audit compliance through transparency

Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.

Read the last part tomorrow!


Privileged Access Management and Identity Governance – Integrate with identity governance capabilities for continuous user lifecycle management and compliance.

IBM Security Identity Governance and Intelligence (IGI) integrates with IBM Secret Server for automated lifecycle management. Implementing PAM can’t be treated as a standalone project. It requires automated identity governance capabilities to prevent issues that would otherwise emerge over time: entitlement aggregation; users with an ever-expanding collection of access to privileged accounts as they change roles, jobs and departments; limited visibility into shared passwords; and so on. Integrating IBM Secret Server and IBM IGI helps prevent toxic combinations of access through a holistic view across both privileged credentials and normal business user accounts. IBM Secret Server securely stores and monitors privileged credentials in an encrypted vault, while IBM IGI ensures that users’ access levels are compliant with regulations and free of SoD violations.

Avoid access combinations that lead to risk

While PAM solutions give you a simple way to know who can access and use privileged accounts, you still need visibility and insight into the unique combination of privileged access each user has. A user with a “toxic” combination of access presents a risk to your organization.

Imagine that one of your users has access to an application that uses a database to store its data. What if that user—unknown to you—also had access to the privileged account necessary to manage the database? They would have the ability to edit the database, thereby circumventing the business and authorization controls of the application. And if the user had privileged credentials to manage the OS, then the auditable trail could be cleared.
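The scenario above can be checked mechanically by joining business entitlements with privileged-account grants. The following Python code is an added example, not IBM IGI or Secret Server code; the data model, the account and host names, and the severity labels are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. Each application maps to the database that stores
# its data and the host whose OS holds the audit trail.
APP_STACK = {
    "billing-app": {"database": "billing-db", "host": "db-host-01"},
    "hr-portal": {"database": "hr-db", "host": "db-host-02"},
}

# Business (non-privileged) access, as an identity governance export might list it.
BUSINESS_ACCESS = {
    "alice": {"billing-app"},
    "bob": {"billing-app", "hr-portal"},
    "carol": {"hr-portal"},
}

# Privileged grants, as a credential vault export might list them: (kind, target).
PRIVILEGED_ACCESS = {
    "alice": {("db_admin", "billing-db"), ("os_admin", "db-host-01")},
    "bob": {("db_admin", "hr-db")},
    "carol": {("os_admin", "db-host-01")},  # unrelated host: not toxic here
    "dave": {("db_admin", "billing-db")},   # no business access: not toxic here
}


@dataclass(frozen=True)
class Finding:
    user: str
    application: str
    severity: str
    reason: str


def find_toxic_combinations(stack, business, privileged):
    """Flag users who hold application access plus admin access to its database.

    'high'     : user can edit the database behind an application they use,
                 bypassing the application's business and authorization controls.
    'critical' : as above, and the user also administers the host OS, so the
                 audit trail of the change could be cleared.
    """
    findings = []
    for user in sorted(business):
        grants = privileged.get(user, set())
        for app in sorted(business[user]):
            tier = stack.get(app)
            if tier is None:
                continue  # application not mapped to a database; nothing to join
            if ("db_admin", tier["database"]) not in grants:
                continue
            if ("os_admin", tier["host"]) in grants:
                findings.append(Finding(
                    user, app, "critical",
                    f"app + db_admin on {tier['database']} + os_admin on {tier['host']}"))
            else:
                findings.append(Finding(
                    user, app, "high",
                    f"app + db_admin on {tier['database']}"))
    return findings


if __name__ == "__main__":
    for f in find_toxic_combinations(APP_STACK, BUSINESS_ACCESS, PRIVILEGED_ACCESS):
        print(f"{f.severity.upper():8} {f.user:6} {f.application:12} {f.reason}")
```
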

Automate recertification campaigns

IBM IGI lets you run certifications to automatically trigger access reviews and gives managers business-friendly information to help with the attestation processes, free from cryptic IT jargon that could otherwise result in bulk approvals.

Integrating IBM IGI with IBM Secret Server extends certification controls to include privileged users as well as non-privileged business users. You can replace error-prone manual processes with an automated recertification process that makes it easy for approvers to better understand what it is they’re actually approving.

Recertification campaigns will help you prove compliance while maintaining clean, healthy and appropriate access to privileged and non-privileged applications.

The benefits of integration

When you integrate IBM Secret Server with IBM IGI, you:

  • Avoid entitlement aggregation and ensure continuous access management
  • Easily prove compliance through recertification campaigns
  • Avoid risks and toxic access combinations through SoD controls across privileged and non-privileged users

Read more tomorrow!


SUPPLY CHAIN RISK AND THE RESULTING CUSTOMER CONSEQUENCES

There is no doubt that supply chain breaches have become a major concern in nearly every business, especially where electronic transactions are taking place. Hacking that results in supply chain breaches makes businesses vulnerable to theft of confidential data, along with real-life theft of goods that are in transit. For a hacker, the information obtained by gaining access to secure computer data can lead to the theft of millions of shoppers’ credit card and account information, leaving a business liable for a fortune in fraudulent charges.

A glaring example of this is the recent major hack of discount retailer Target, which occurred on Black Friday of 2015. Over 40 million customer accounts were illegally accessed, giving the thieves credit and debit card data, along with security codes which are found on the back of the cards.  Luckily, no social security numbers or other vital information was stolen. 

Hackers can use this type of highly sensitive information to make electronic purchases online or sell to the highest bidder.  As a result of this enormous security breach, many major banks and other financial institutions have announced that they are much more thoroughly monitoring their customer accounts.  JPMorgan Chase (JPM) said it would limit the amount of cash that cardholders could withdraw from ATMs in a given period of time, along with enforcing a spending limit for electronic purchases in stores.

Chuck Schumer has demanded a report from the Consumer Financial Protection Bureau as to whether encryption of customer data should be required by law, while Richard Blumenthal called for a Federal Trade Commission probe.

What do I do if my card was hacked? 

“Customers typically aren’t liable for unauthorized purchases on their accounts that they report promptly. Major banks and credit card companies — including American Express (AXP), Discover (DFS), Bank of America (BAC), Wells Fargo (WFC) and PNC (PNC) — said they were monitoring customer accounts. J.P. Morgan Chase said it was temporarily limiting ATM withdrawals to $100 a day and purchases to $300 a day for customers whose accounts were at risk.”

Wallace

How does this type of security breach occur?

Unfortunately, many of these hackers are extremely adept at covering their trails. Many of the details of these crimes remain unsolved. In relation to the recent hacking of Target, it is believed by security experts to have been a breach of point-of-sale data. Basically, an HVAC vendor was allowed access to information on the same server that held customers’ credit card and other financial information. The bad guys obtained passwords from this vendor and were able to get onto Target’s server. This is a major blow for both Target and their participating financial institutions, as they are forced to cover all fraudulent charges in order to retain shopper confidence.

“The recent, unprecedented cyberattacks have disrupted business for leading global companies, infiltrated governments and shaken confidence among security practitioners,” said Tenable CEO Ron Gula, in a press release. “With so much at stake, organizations need to know whether their security programs are effective or if they are falling short.”

(Fox News)

Data breaches are a rapidly rising area of concern globally, and in particular in financial services, where large sums of money are transferred both physically and electronically between different parties. On the more passive side, hackers can find extremely confidential business information and disperse it into the public realm, usually through online avenues, and can seriously damage or inhibit the operational capacity of the entity. Information such as bank account transactions, business trade secrets, and material production/sourcing information can be leaked to competitors in a way that gives them an advantage in the sales market, or in some cases even damages the victimized company to a point that recovery is difficult or even impossible.


IBM Security Secret Server – Easily discover, control, change and audit privileged accounts.

The first step in managing privileged accounts is finding the accounts you don’t know exist. Manual processes and errors can lead to accounts that are unknown and unmanaged by IT. With IBM Security Secret Server, you can automatically scan your entire IT infrastructure to discover privileged, shared, and service accounts. This sensitive information is then stored in an encrypted centralized vault to ensure proper protection using advanced encryption standards. Password policies can be implemented and enforced on every account. You’ll gain full visibility and control over every privileged account in your environment.

Curb privileged access sprawl

When you discover all privileged accounts across your infrastructure using IBM Secret Server, you identify all service, application, administrator and root accounts. This means you gain total visibility and control over privileged credentials that previously went undetected.

Get started with IBM’s free interactive Privileged Account Discovery tool.

Generate, store, rotate and manage SSH Keys

Bring the generation, rotation, control and protection of SSH keys directly into IBM Secret Server. SSH Keys are similar to usernames and passwords but are used for automated processes and for implementing single sign-on by system administrators. With Role-Based Access Control and permission sets, you can control who has access to which sets of keys, regardless of location or IP address.

Monitor and record privileged sessions

Know every keystroke a user takes. IBM Secret Server enables real-time session monitoring and allows you to terminate a session if risky behaviour is detected. It also allows you to record privileged user activity. This provides an audit trail from when the user checks out a secret, to what they did on the system, to when they finally log off. Gain full insight into what’s going on in your most critical accounts.

Change passwords automatically when they expire

Privileged passwords should be changed regularly. IBM Secret Server’s built-in password changing and expiration schedules ensure that critical passwords are changed automatically, without manual intervention.

Delegate access to all privileged accounts

Maintain accountability and provide better context to approvers, so they know exactly why a user needs access. You can also set up role-based access control (RBAC) and an approval workflow that provides transparent access, time restrictions and other parameters for that access, as well as password approval for third parties.

With IBM Secret Server you’ll gain full visibility and control over every privileged account.

You’ll know if someone adds backdoor access or makes an unauthorized configuration change.

You can identify who accesses a system, review the actions they take and react accordingly. Session monitoring and recording also gives you a complete audit trail.

Enhanced auditing and reporting

Utilize dozens of out-of-the-box reports for better insight into system health and compliance. You can generate full reports on password vault activity and create custom reports from database queries as needed.

Integrate IBM Secret Server for enhanced security

IBM Secret Server integrates seamlessly with critical IBM Security solutions, including IBM Cloud Identity, QRadar®, Guardium® Data Protection and IBM Security Identity Governance & Intelligence.

Read more tomorrow!


A Pressing Imperative: Privileged credentials are the targets of choice for cyber attackers.

It makes sense for privileged accounts to be the most vulnerable because compromised accounts can grant unfettered access to your organization’s IT infrastructure. That’s why many high-profile breaches have resulted from unmanaged and unmonitored privileged accounts. The attackers responsible often gain administrative control through a single endpoint—and always leave substantial damage in their wake.

Locking out threats with Privileged Access Management

Ensuring your enterprise can appropriately protect, manage and monitor privileged rights mitigates the risk of unwelcome guests to your IT infrastructure.

Privileged Access Management (PAM) is a critical element of a broader Identity Governance & Administration strategy. It enables you to secure passwords, protect endpoints and keep privileged accounts safe and out of the hands of would-be impostors.

By 2022, 70% of organizations will have PAM practices for all use cases in the enterprise, reducing overall risk surface.¹

Putting Privileged Access Management into practice

The latest Gartner survey responses suggest that 90% of organizations will recognize that mitigation of privileged access risk is fundamental to security control by 2022.² However, 70% of organizations would fail an access controls audit today.³ That means while the vast majority of organizations will come to understand the importance and value of PAM in the near future, they currently lack the PAM software, controls and knowledgeable support required to put it into practice.

IBM delivers comprehensive PAM capabilities through enterprise-grade solutions: IBM Security Secret Server and IBM Security Privilege Manager. Backed by expert consultation and 24/7 support, IBM Secret Server and IBM Privilege Manager help you capitalize on everything PAM has to offer, while also integrating with identity governance solutions for complete lifecycle management for users of your privileged accounts.

A key part of securing your organization is ensuring you are integrating identity into the broader security ecosystem to mitigate internal and external threats. Two key parts of that are:

  1. Privileged Access Management – focused on the special requirements for managing powerful accounts within the IT infrastructure of an enterprise.
  2. Privileged Elevation and Delegation Management (PEDM) – which prevents external threats and stops malware and ransomware from exploiting applications by removing local administrative rights from endpoints.

This week we’ll take a look at why both are necessary for your organization.
Read more tomorrow!

1 Source: The Forrester Wave: Privileged Identity Management, Q4 2018, by Andras Cser, November 14, 2018.

2 Source: Best Practices for Privileged Access Management Through the Four Pillars of PAM, Gartner, January 28, 2019.

3 Source: Comply or Die: 2018 Global State of Privileged Access Management (PAM) Risk & Compliance, Thycotic.

