How CISOs can Secure their Mission Critical Data Systems


“Imagine a software platform with enough data to know proactively who needs access, to what, and to identify those with unneeded access all in real-time with zero human intervention required? It’s game-changing,” says Rob Palermo, VP of Product Management and Strategy, SecureLink, in an exclusive interview with ITSecurityWire.


ITSW Bureau: How can enterprises tackle new challenges emerging in security, privacy and compliance?

Rob Palermo: I think the industry (and by industry I mean both enterprises and the broader ecosystem of partners and tech suppliers, like us) has taken a retrospective approach for too long. For example, enterprises still rely too much on access audits and security assessments, especially for third-party access and risk management. Both of these tools have their place, don’t get me wrong, but both are inherently backward-looking. For example, most enterprises I speak with are still regularly finding many third-party users with access to critical or regulated systems that are no longer needed. This is usually done through some sort of an access audit. By the time they are discovered, it’s frankly too late.

Concepts like JIT access provisioning and zero trust have helped the industry make large strides, but we can’t stop there. Enterprises need a true closed-loop system, where all access and activity is centrally visible and tracked so users never have “too much” or “unneeded” access. I think machine learning creates incredible opportunities to close this loop faster without a ton of additional resources.

With a central data plane of all user access and activity, ML can help proactively identify unneeded access and help remediate or revoke access.
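One way to turn the central access-and-activity record described above into a concrete revocation check, as an added example in Python that is not code from SecureLink or the interview; the grant and session records, their field layout and the 60-day idle window are constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample records (assumption, not from the interview): one row per
# access grant to a third-party user, one row per observed session.
GRANTS = [
    # user, system, granted_at, expires_at (None = standing access, no JIT expiry)
    ("vendor-a", "erp-prod", "2021-01-05", "2021-01-06"),   # JIT grant, now expired
    ("vendor-b", "erp-prod", "2020-09-01", None),           # standing, still in use
    ("vendor-c", "hr-db",    "2020-03-15", None),           # standing, never used
    ("vendor-d", "hr-db",    "2020-11-10", None),           # standing, idle too long
]
SESSIONS = [
    # user, system, session_date
    ("vendor-b", "erp-prod", "2021-02-20"),
    ("vendor-d", "hr-db",    "2020-11-12"),
]

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")

def unneeded_access(grants, sessions, now, idle_days=60):
    """Return (user, system, reason) for grants that should be revoked.

    A grant is flagged when its JIT window has expired, when it has never been
    exercised within idle_days of being granted, or when the last session on it
    is older than idle_days. Each reason maps to a revocation action.
    """
    now = _d(now)
    last_seen = {}
    for user, system, when in sessions:
        key = (user, system)
        last_seen[key] = max(last_seen.get(key, _d(when)), _d(when))
    findings = []
    for user, system, granted, expires in grants:
        if expires is not None and _d(expires) < now:
            findings.append((user, system, "jit-expired"))
            continue
        seen = last_seen.get((user, system))
        if seen is None:
            if now - _d(granted) > timedelta(days=idle_days):
                findings.append((user, system, "never-used"))
        elif now - seen > timedelta(days=idle_days):
            findings.append((user, system, "idle"))
    return findings

if __name__ == "__main__":
    for finding in unneeded_access(GRANTS, SESSIONS, "2021-03-01"):
        print("revoke:", finding)
```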


ITSW Bureau: What steps can enterprises take to secure their mission-critical and sensitive data systems?

Rob Palermo: Again, I’ll answer the question from a third-party lens. When crafting a strategy, enterprises need to think of three main pillars – (1) how are they managing the identities and risk profile of third-party users, (2) how are they managing their access methods and enforcing the right principles of zero trust and JIT, and (3) how are they ensuring visibility of user access AND their activity in the environment? Each of these can be tackled individually, but they become immensely more powerful when deployed as an integrated solution. For example, if security teams have visibility into user activity, they can supplement that identity’s risk profile, and in turn, their risk profile.

CISOs should inform their security teams on how stringent they need to be around their access rights and the controls they put around them (for example, authentication techniques, approvals, time-based access controls, etc.). That’s a bit of a grand vision, but some immediate steps are utilizing zero trust access methods and principles, enforcing robust authentication and approvals for mission-critical systems, and creating a centralized repository for all third-party identities. Also, they must protect the privileged credentials and ensure they have a way of controlling and obfuscating those.

ITSW Bureau: How can enterprises secure remote access for all their endpoints?

Rob Palermo: The simplest advice I can give is (1) to reduce the number of access methods as much as possible and (2) to ensure the security teams control those access methods. For third parties alone, the average organization utilizes over ten different remote access methods, and many of those are actually managed by their third parties, not the enterprise itself. This creates a tremendous burden and risk. How should they effectively track access rights and activity across that many different connectivity methods? Moreover, when a third party controls them, they rely on them to ensure the security of those platforms. Many organizations de-risk this by relying on contracts and security assessments, but those really do nothing to provide actual security around vendor access. They just minimize the enterprise’s legal and financial exposure.


ITSW Bureau: What trends do you think will transform the third-party cybersecurity vendors’ partnership for enterprises in the coming years?

Rob Palermo: I think enterprises will start to see a continued convergence of technologies in the broader Identity and Access Management space. Per some of my comments above, this will change the value proposition of cybersecurity vendors in dramatic and exciting ways because there will be a single closed-loop system for IAM. This allows for greater efficiencies and greater security because it will allow enterprises to transfer time-consuming and error-prone human-based intervention techniques like access approvals, access audits and session monitoring to machines. Imagine a software platform with enough data to know proactively who needs access, to what, and to identify those with unneeded access all in real-time with zero human intervention required? It’s game-changing.

Rob is the VP of Product Management & Strategy at SecureLink, a leader in third-party risk management based in Austin, Texas. In his current role, Rob oversees four main areas of business, including product management, product marketing, strategy, and professional services. During his three and a half years at the company, SecureLink has over tripled in size, thanks to a solid product line.