Privileged access: Understanding security inside out

Mark Warren, Product Specialist at Osirium, explains why privileged access poses security issues in the public sector

Government organisations are the backbone of the UK. From local councils to education, healthcare and transportation services, public sector entities are critical to the successful day-to-day functioning of our society. Unfortunately, however, their significance makes them an incredibly attractive target for cyber attackers.

Government organisations are targeted relentlessly. According to the Government Cyber Security Strategy: 2022 to 2030 policy paper, 40% of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021 were aimed at the public sector.

Unfortunately, this is a trend that shows no signs of slowing, with the August 2022 supply chain attack affecting the National Health Service (NHS) being a prime example.

Here, IT services provider Advanced – an organisation equipping various parts of the NHS with operationally critical software – was hit by a major ransomware attack, causing widespread outages that affected everything from patient referrals to ambulance dispatch to out-of-hours appointment bookings.

As you might expect, attacks against critical national infrastructure (CNI), such as our healthcare services, can have catastrophic consequences. Indeed, according to the CyberPeace Institute, the average incident affecting a healthcare system leaves patients unable to receive some form of care for 19 days. Further, in worst-case scenarios, it can result in around four months of disrupted medical service delivery.

We’re increasingly talking about the possibility of public sector attacks leading to life-or-death situations

In this sense, we’re increasingly talking about the possibility of public sector attacks leading to life-or-death situations – a threat that simply can’t be allowed to grow. So, how can cyberattacks against government entities be prevented?

Critically, it is important to understand that most cyberattacks start with employees. Today, adversaries target individuals and endpoints much more frequently than systems and networks to secure the privileged access they require to devastate CNI.

There is a calculated reason for this. Indeed, Verizon’s latest Data Breach Investigations Report affirms that human error remains a key cause of many data breaches, with tried and tested techniques such as social engineering and the misuse of privileged access being a factor in more than four out of five breaches.

The security problem of privileged access

The latter problem of granting access via privileged accounts is becoming increasingly pressing.

Simply put, a privileged account has more permissions than a regular user. Often listed as administrators, they have the power to create, update and remove other user accounts, change system settings, install software, access sensitive databases, and much more.

The risk lies in these powerful credentials being abused – a threat that can stem from different sources.

Perhaps the most obvious is through nefarious actors attempting to access IT systems during attacks. Indeed, threat actors will typically use a variety of tactics, be it hacking firewalls, planting malware to open backdoors, or undertaking spear phishing campaigns against specific staff to acquire their login credentials.

Insiders can also pose security risks

Insiders can also pose security risks. An organisation might encounter a disgruntled employee attempting to cause cyber damage or steal critical information before leaving, for example.

The less obvious insider risk, however, is the “over-enthusiastic amateur.” That’s someone who has managed to get admin credentials and then tries to make changes. Equally, some staff may not have been educated properly on security best practices, leading them to unknowingly make critical mistakes such as accidentally deleting vital personal data (healthcare records) or leaving systems open for attack.

Building privileged access management into your security strategy

To curb these threats, the successful protection of privileged admin accounts is required, this being achievable through the establishment of a comprehensive and effective privileged access security (PAS) strategy.

PAS is a security layer that sits between the comprisable human and valuable back-end systems that require the holistic view of managing privileged accounts. Indeed, such a strategy comprises several core principles, the most obvious being privileged access management (PAM).

PAM can play a key role as a defence mechanism for critical back-end systems and databases. It is different to identity access management (IAM) in that it goes beyond simply proving the identity of the user, instead adding additional policies to determine which systems each user within a network can access and with what privilege level.
While IAM is all about proving who you are, PAM controls what you can do and how you do it.

In this sense, PAM is a crucial complement to existing IAM setups, enabling the protection of valuable accounts. Indeed, it ensures that users are only allowed access to the systems they need, with the least amount of privilege needed, for the shortest period of time needed. This also resembles a core pillar of successful zero-trust models, providing an effective means of upholding the principle of least privilege.

Building in automation

While PAM can be transformative in a security sense, there is a common concern that introducing access controls can frustrate users and require them to change how they work.

Of course, productivity is also an important consideration. However, allowing this to be the sole concern that drives decisions around the controlling of endpoints will ultimately leave organisations exposed to threats.

There’s no avoiding the fact that manually creating users and managing privileges can become a time-consuming process in government departments or public sector organisations that typically have high employee headcounts. And if access control teams are left to manage major workloads without technological support, mistakes can be made, leading to either too much or not enough access being provisioned.

Today, issues surrounding productivity can also be overcome with the deployment of the right supportive tools.

Enter privileged process automation (PPA) – a powerful tool that can be used by IT infrastructure and operations teams to automate these complex and repetitive tasks. For example, PPA can be incorporated into central HR systems so that when new starters join, their user accounts can automatically be provisioned with the appropriate access rights that align with their job role and responsibilities.

Not only can this ensure that nobody is impeded and left waiting for permissions. Equally, it massively reduces the burden on access control teams and will likely eliminate the opportunity for errors to occur too.

Reducing risk on user workstations

Alongside PAM and PPA, a successful and effective privileged access security strategy should incorporate privileged endpoint management (PEM).

Reducing the number of administrator accounts in a network is vital in limiting an organisation’s exposure to threats. However, a key challenge is that certain user groups still require privileged access to undertake critical work-related tasks.

Not only that, but in organisations where administrator rights have been removed from all endpoints, IT teams can face an overwhelming number of requests to make configuration changes, such as installing certain software solutions that users require to complete their work.

Here, PEM allows organisations to remove administrator rights from users while also escalating privileges for specific processes where necessary, again easing any frictions for users and reducing the workloads of access control teams.

Enhancing security and productivity simultaneously

Indeed, it is vital to use these solutions in combination to cultivate an effective PAS strategy capable of combatting the risks associated with privileged access while improving – not impeding – workforce productivity.

PAM ensures all users are provided with just the right level of access and permissions needed to complete work-related tasks; PPA reduces burdens on access control teams while eliminating errors by automating repetitive tasks. PEM removes historically enabled local admin rights using without exacerbating helpdesk requests; government entities will be well placed to mitigate both internal and external threats.

It’s about building a framework which enables users to complete their work faster, rather than slowing them down, through the provision of rapid and secure access to the systems they need to get their work done – and only those systems – for the minimum length of time possible.

With public sector entities coming increasingly under attack and productivity becoming a growing issue across the UK economy, enhancing the security posture in this way has never been more important.

Written by Mark Warren, Product Specialist, Osirium