Privileged Access Management: The Key to Preventing Supply Chain Attacks
Across all sectors, organizations are relying on third-party software vendors that directly access their systems. Whether it’s to manage customer relationships, just-in-time inventory systems, Web development platforms, or anything else in between, more external vendors are regularly connecting to the network, often through privileged accounts.
This has created a lucrative opportunity for cybercriminals, who are increasingly targeting Software as a Service (SaaS) vendors with the sole aim of accessing their customers’ networks. After all, one successful vendor breach can offer a master key to hundreds of thousands of end-users and systems—as was the case with the notorious SolarWinds breach.
This method of intrusion is known as a supply chain attack, and bad actors haven’t backed down since SolarWinds was disclosed. Other recent high-profile examples of this phenomenon include an attack that affected Toyota’s Japanese manufacturing plants in February 2022. In this instance, a ransomware attack initially targeted plastic parts supplier Kojima Industries and threatened to spread to Toyota through its just-in-time production control system, forcing a company-wide shutdown. Similarly, in December 2022, files containing the data of 77,000 Uber employees were posted to the Dark Web. The data was traced back to a breach at IT asset tracking service Teqtivity, one of Uber’s many third-party software vendors.
With supply chain attacks on the rise, organizations need to implement measures to reduce their risk of falling victim. The best way to do so is by adopting zero trust architecture, supported by privileged access management.
Zero Trust > Perimeter Security
Thanks to the growth of remote work and the expansion of cloud and Internet of Things (IoT) technologies, modern IT security infrastructure is now highly complex, fragmented, and distributed. In this environment, traditional perimeter security—which was the gold standard for decades—is no longer fit for purpose.
Instead of defending their network perimeter with a castle-and-moat approach, organizations should focus on identity security by never trusting and always verifying before granting access. This is the essence of zero trust, which requires users to re-authenticate themselves as they move laterally through a network—not just at the boundary or initial login. This method is analogous to putting locks on every door inside your house. Even if a burglar manages to break in, he’s trapped in a single room.
Practice the Principle of Least Privilege
Privileged access management (PAM) is the cornerstone of zero trust. It is the key to providing both employees and third-party vendors with the minimum level of access needed to complete their work, and nothing more.
PAM tools provide IT teams with a bird’s eye view of who has access to which systems, enabling them to provide granular access controls for critical assets and privileged account credentials. This makes it easier—and more secure—to grant third-party remote access, in turn reducing the risk of supply chain attacks.
Many PAM tools also monitor and record user activity. With these capabilities, IT teams can conduct a thorough investigation when something goes wrong and can proactively demonstrate compliance with detailed audit trails.
Other Technology Options
Managing, monitoring, and securing third-party digital identities is the most effective way to prevent users from having more access than necessary, allowing your organization to successfully thwart a supply chain attack.
PAM for both internal privileged users and contracted third-party vendors sits at the heart of zero trust. But from a holistic perspective, PAM forms just one pillar of an organization’s digital identity strategy.
To ensure all their digital identities are secure, organizations should consider implementing the following solutions alongside PAM to achieve zero trust:
- Identity Governance. Manual user lifecycle management is a cumbersome, error-prone burden on IT staff. If not done properly, it can leave employees with access to the most sensitive systems even after they’ve left the organization—creating major vulnerabilities. To prevent this, enterprises should adopt automated role-based identity governance. This establishes permissions on day one and provides capabilities for continuous changes as a user evolves in his or her role.
- Single Sign-On. User logins should be efficient and secure, especially with most users entering multiple complex passwords every day. A single sign-on solution via no-click access or biometric authentication can reduce the need for passwords without sacrificing productivity or security.
- Multifactor Authentication (MFA). This one is already being leveraged by many organizations—for good reason. MFA provides an added layer of security by requiring users to verify their identity as they move through the network. It secures remote access and provides an auditable chain of trust—a necessity in today’s hybrid work environment.
Together with PAM, these solutions make up a core four that can provide organizations with the most important tools for managing all digital identities. Though the scope of any digital identity strategy will differ depending on an organization’s size and sector, the technologies outlined above provide a solid foundation built for growth and agility in the modern digital world.
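The least-privilege principle and the identity-governance point above come down to the same recurring check: compare what each account is actually granted against what its role and lifecycle status allow. The following is an added example, not code from this article or from any PAM product; the role names, entitlement strings, accounts and dates are all constructed for illustration.

```python
from datetime import date

# Least-privilege baseline per role (constructed; role and entitlement names are hypothetical).
ROLE_BASELINE = {
    "vendor-inventory-support": {"inventory-db:read", "jit-scheduler:read"},
    "vendor-crm-admin": {"crm:admin"},
    "employee-helpdesk": {"ticketing:write", "ad:password-reset"},
}

# Identity roster as HR / vendor management would supply it (constructed sample).
ROSTER = {
    "v.tanaka": {"role": "vendor-inventory-support", "active_until": date(2023, 12, 31)},
    "v.osei": {"role": "vendor-crm-admin", "active_until": date(2023, 3, 31)},
    "j.alvarez": {"role": "employee-helpdesk", "active_until": None},  # None = no end date
}

# Entitlements actually granted on target systems (constructed sample).
GRANTED = {
    "v.tanaka": {"inventory-db:read", "jit-scheduler:read", "jit-scheduler:admin"},
    "v.osei": {"crm:admin"},
    "j.alvarez": {"ticketing:write", "ad:password-reset"},
    "svc-legacy-vendor": {"inventory-db:admin"},
}


def review_access(roster, granted, baseline, today):
    """Return sorted findings: (account, finding_type, entitlements_to_revoke)."""
    findings = []
    for account, entitlements in granted.items():
        identity = roster.get(account)
        if identity is None:
            # Account exists on a system but has no owner of record.
            findings.append((account, "orphaned", sorted(entitlements)))
            continue
        end = identity["active_until"]
        if end is not None and end < today:
            # Contract or employment ended but access was never removed.
            findings.append((account, "expired", sorted(entitlements)))
            continue
        excess = entitlements - baseline.get(identity["role"], set())
        if excess:
            # Access beyond what the role needs violates least privilege.
            findings.append((account, "excess", sorted(excess)))
    return sorted(findings)


if __name__ == "__main__":
    for account, kind, revoke in review_access(ROSTER, GRANTED, ROLE_BASELINE, date(2023, 6, 1)):
        print(f"{account:18} {kind:9} revoke: {', '.join(revoke)}")
```

Run on a schedule against real exports, the three finding types map to different owners: orphaned accounts need an owner or removal, expired ones need deprovisioning, and excess grants need a role review.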
Wes Wright is the chief technology officer at Imprivata with a background in security in the healthcare industry, including as the CTO of Sutter Health and the CIO of Seattle Children’s Hospital.
© 2023 Imprivata