Identity is the New Perimeter -Deciphering CDM and Implementing Next Generation Cybersecurity
[October 23, 2014]

HERNDON, Va. --(Business Wire)--

Xceedium, the premier provider of privileged identity management for the enterprise, and Innovative Solutions Consortium presented an inaugural Continuous Monitoring Phase II Symposium on October 16, 2014 at the CIT Complex in Herndon, Va. The event held in the Bannister auditorium was filled to capacity with government and industry cybersecurity professionals. The symposium focused on the goals of Continuous Diagnostic Mitigation (CDM) and on the topics of managing people and their access to systems. It explored the issues, challenges and best practices for organizations seeking to manage system access, credentials, human behavior, and the growing need to establish protective boundaries to ensure the security and integrity of data, applications and infrastructure.

Led by a robust roster of senior government and industry information technology (IT) executives - including representatives from the Department of Homeland Security (DHS), General Services Administration (GSA), Department of State (DoS), the U.S. Office of Personnel Management (OPM), HP Enterprise Security Products, Kratos, Microsoft, Forescout, Splunk, VMware, Amazon Web Services, and more - the event examined the topic of privileged identity management and insider threat from a variety of perspectives, programs and solutions. Sessions included keynote presentations and engaging panel discussions. The forum provided attendees with key takeaways centered on identity and underscored the criticality of establishing a least privilege infrastructure.

"I have spent over twenty-five years in the security industry," said Ken Ammon, Chief Strategy Officer of Xceedium. "The cadence and sophistication of attacks mounted by hackers, organized crime, and nation-state threats demand an unprecedented call to action for all of us."

Key Takeaways for Cybersecurity Professionals:

  1. Identity is the new perimeter. No longer are there clear boundaries that can be drawn around a system to protect it. Identity must be considered an integral element of security, knit into the fabric of our next generation IT infrastructure. In order to better protect the enterprise, cybersecurity professionals must know who is entering and navigating the network at all times. As such, identity management must be core to any security framework, which is reflected in the goals of CDM Phase II.
  2. A zero-trust model is essential for next generation cybersecurity. In the past, predominant thinking dictated that organizations assume trust and then verify access. In today's world, this model of trust is broken. Organizations must adopt a zero-trust model in which they never trust and always verify. In fact, the Ponemon Institute revealed in a study that 54 percent of respondents say their organization assigns privileged access rights that go beyond their role or responsibility. Instead, privileged users should only have access to the baseline information they need to perform their role, and only for the amount of time it's needed.
  3. A holistic shift in the security operating model is required. Being breached must be viewed as the rule - not the exception. Network administrators need to be able to establish what "normal" looks like on an ongoing basis, in order to immediately flag suspicious behavior and investigate. Additionally, in order to mitigate risk and improve system defense, organizations need to make a clear distinction between authentication and authorization. If a user's credentials have been verified and the system can confirm them, their identity shouldn't directly translate to carte blanche access to everything on the system. An automated process should replace manual processes to instantly determine the level of access granted based on a predetermined set of rules and conditions. The separation of authentication and authorization is a key component of CDM Phase II: Least Privilege and Infrastructure Integrity, and of any least-privilege identity management approach.
  4. Continuous Diagnostics and Mitigation embraces intersection with HSPD-12. The principles outlined in CDM Phase II are more than just a checklist - they are a robust complement to existing security guidelines and mandates, including Identity, Credential and Access Management (ICAM), the Federal Information Security Management Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), and Homeland Security Presidential Directive 12 (HSPD-12). CDM Phase II attempts to implement an access lifecycle management approach that establishes an accurate, current baseline of knowledge and an understanding of everything in the system and who has access to it. CDM then aims to modernize and automate the business processes driven by digital policy. By provisioning access through a digital workflow, the integrity of the infrastructure remains intact from end to end.
  5. Educating all employees on cybersecurity best practices is critical to success. The biggest threat to the IT infrastructure isn't technology itself, but rather the everyday employees who misuse their privileges, either maliciously or unintentionally. Employees should be made aware of hacking techniques - including information harvesting via social media, fake links and clone log-in sites - and be armed with the knowledge to avoid these tactics. Employees should adopt best practices and be instructed to use two-factor authentication for all personal sites, manually enter all log-in web addresses, be wary of calls from headhunters digging for information on job responsibilities and never re-use passwords.
  6. Industry should take a page from government to implement an identity management system rooted in data. This includes a clear and up-to-date view of digital identity (the defined levels of trust, and the granted trust levels for all employees), credentials (a list of all credential types, and the issued credentials for each digital identity), authentication (password complexity rules, and a list of every account on the system) and authorization (all logical access privileges and all physical access privileges). Without the dashboard view of the entire system and an automated process that manages identities based on actual data, security is nothing more than a steel door with a grass hut entrance on the side.
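The takeaways above (zero trust with default deny, a clear split between authentication and authorization, automated rule-based access decisions, time-bounded privileged access, and a recorded decision trail that can feed behavioral baselining) can be shown in one small access-decision flow. The following is an added illustration written for this page, not Xceedium or Xsuite code and not CDM program material; the user store, roles, resources and the `SAMPLE_NOW` timestamp are constructed sample data, and the function names (`authenticate`, `authorize`, `request_access`, `temporary_grant`, `run_scenario`) are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# --- Authentication: establishes who the caller is, and nothing more. ------

@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    mfa_verified: bool  # whether a second factor was checked this session


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, role: str):
    salt = os.urandom(16)          # per-user random salt
    return salt, _hash_password(password, salt), role

# Constructed user store: user -> (salt, password hash, role). Sample data only.
USERS = {
    "alice": _make_user("alice-pw", "analyst"),
    "bob": _make_user("bob-pw", "dba"),
}


def authenticate(user: str, password: str, mfa_ok: bool) -> Optional[Identity]:
    """Verify credentials; return an Identity or None. Grants no access by itself."""
    record = USERS.get(user)
    if record is None:
        return None
    salt, stored, role = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return Identity(user=user, role=role, mfa_verified=mfa_ok)

# --- Authorization: decides what an authenticated identity may do. ---------

@dataclass(frozen=True)
class Grant:
    """Temporary elevation for one user on one resource/action, with an expiry."""
    user: str
    resource: str
    action: str
    expires_at: datetime

# Baseline entitlements per role (least privilege). Constructed sample policy.
ROLE_ENTITLEMENTS = {
    "analyst": {("ticket-db", "read")},
    "dba": {("ticket-db", "read"), ("ticket-db", "write")},
}

# Actions risky enough that a verified second factor is required regardless
# of role or grant.
PRIVILEGED_ACTIONS = {"write", "admin"}

# Fixed clock for reproducible decisions (the symposium date, constructed).
SAMPLE_NOW = datetime(2014, 10, 16, 12, 0, tzinfo=timezone.utc)


def temporary_grant(user, resource, action, issued_at, hours):
    """Issue a grant that expires `hours` after `issued_at`."""
    return Grant(user, resource, action, issued_at + timedelta(hours=hours))


def authorize(identity, resource, action, grants=(), now=None):
    """Return (allowed, reason). Default deny: only an explicit rule allows."""
    now = now or datetime.now(timezone.utc)
    if identity is None:
        return False, "not authenticated"
    if action in PRIVILEGED_ACTIONS and not identity.mfa_verified:
        return False, "privileged action requires verified second factor"
    if (resource, action) in ROLE_ENTITLEMENTS.get(identity.role, set()):
        return True, f"baseline entitlement of role {identity.role}"
    for g in grants:
        if (g.user, g.resource, g.action) == (identity.user, resource, action):
            if now < g.expires_at:
                return True, f"temporary grant valid until {g.expires_at.isoformat()}"
            return False, "temporary grant expired"
    return False, "no entitlement"

# --- Decision trail: every allow and deny is recorded for baselining. -------

AUDIT_LOG = []


def request_access(user, password, mfa_ok, resource, action, grants=(), now=None):
    """Run authentication, then authorization; record and return the decision."""
    identity = authenticate(user, password, mfa_ok)
    allowed, reason = authorize(identity, resource, action, grants, now)
    entry = {"user": user, "resource": resource, "action": action,
             "allowed": allowed, "reason": reason}
    AUDIT_LOG.append(entry)
    return entry


def run_scenario():
    """Walk through the cases the takeaways describe; returns the decisions."""
    grant = temporary_grant("alice", "ticket-db", "write", SAMPLE_NOW, hours=1)
    later = SAMPLE_NOW + timedelta(hours=2)
    return [
        request_access("alice", "alice-pw", True, "ticket-db", "read", now=SAMPLE_NOW),
        request_access("alice", "alice-pw", True, "ticket-db", "write", now=SAMPLE_NOW),
        request_access("alice", "alice-pw", True, "ticket-db", "write", [grant], SAMPLE_NOW),
        request_access("alice", "alice-pw", True, "ticket-db", "write", [grant], later),
        request_access("alice", "alice-pw", False, "ticket-db", "write", [grant], SAMPLE_NOW),
        request_access("alice", "wrong-pw", True, "ticket-db", "read", now=SAMPLE_NOW),
        request_access("bob", "bob-pw", True, "ticket-db", "write", now=SAMPLE_NOW),
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

A correct password gives Alice an identity, but only the read entitlement of her role follows from it; the write comes solely from a grant that lapses on its own, and it is refused without a second factor even while the grant is live. Because the deny branches return distinct reasons, the audit entries can be counted per user to establish the "normal" rate of denials and flag a departure from it.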



About Xceedium

Xceedium is the leading provider of privileged identity management solutions for hybrid-cloud enterprises. Large companies and global government agencies use Xceedium products to reduce the risks privileged users and unprotected credentials pose to systems and data. The company's Xsuite platform enables customers to implement a zero trust security model. It vaults privileged account credentials, implements role-based access controls, and monitors and records privileged user sessions. With unified policy management, Xsuite enables the seamless administration of security controls across systems, whether they reside in a traditional data center, a private cloud, on public cloud infrastructure, or a combination of environments.


Xceedium's solutions enable organizations to comply with security and privacy mandates, such as PCI DSS, FISMA, HIPAA, and NERC CIP. The company's products provide industry-leading reliability, availability, and scalability, and they are the most highly certified products in the market, with designations including FIPS 140-2 validation, Common Criteria EAL4+ certification, and inclusion on the U.S. DOD Unified Command Approved Products List (UC/APL). For more information, please visit www.xceedium.com.

Xceedium and Xsuite are registered trademarks of Xceedium, Inc. All other trademarks, trade names, or service marks are the property of their respective owners.

About Xsuite

Xsuite, unlike other products, is specifically designed and purpose-built to satisfy the demanding privileged identity management requirements of enterprise information technology infrastructure. Today's enterprise IT, comprising an organization's entire computing fabric from traditional on-premise network equipment and servers to virtual and public cloud based infrastructure, brings with it demanding new challenges for privileged identity management. Traditional, first generation solutions are ill-equipped to address these needs:

  • Comprehensive Functionality - Xsuite delivers comprehensive functionality, including password and SSH access key management, strong authentication integrated with multi-factor security technologies, access control, user monitoring and recording, and proactive policy enforcement.
  • Single Platform for Enterprise and Cloud - Xsuite enables a single set of policies across the entire cloud and traditional data center, ensuring consistent standards, easier compliance reporting, and reduced administrative overhead.
  • Architected for Scale and Dynamism - Tight integration with Amazon Web Services and VMware vSphere and NSX enable Xsuite to automatically identify resources as they're created, and automatically apply and enforce security policies. Xsuite's automated protections reduce "mean time to protection" to fractions of a second. Xsuite also delivers the built-in reliability and availability services, like clustering, which enterprise IT demands.
  • Protection of the Extended Management Plane - Xsuite has worked extensively with both AWS and VMware to deliver tight, API-level integration and protections.
