We live in a state of connected security. Today, many of us are virtually online all the time, with full accessibility to email, data, and work regardless of where we are, or the time of day. Some of us rely on features like mobile device notification suppression (i.e. “Do Not Disturb”) to ensure we can remain disconnected while we sleep. In contrast, technologies like mobile device management (MDM) ensure that our devices stay connected and secure even when we are not actively using the asset. This forms the basis for connected cybersecurity.
Why connected cybersecurity?
Connected cybersecurity provides a context-aware security profile for an identity and assets to determine if the requested access and behavior is legitimate or potentially malicious. It takes into consideration the trusted persistent history of an asset to determine if the user has ever engaged in access with the device versus potentially a new device, or attempted access by a threat actor. For the former, a user may be challenged with multi-factor authentication to secure the asset and user – and even be prompted with a security question to “remember me” and suppress future challenge and responses. This is key for connected cybersecurity. Enough information has been positively provided to trust that a user will access resources using a specific asset even when gaps exist in connectivity.
If we add additional context-aware information from IP range, location, user behavior analysis, etc. we can determine if a trusted device should have access even if prior security models have been satisfied. This helps manages risk from device theft, asset hijacking and more. So, what if I want to go off the grid and consider a “Do Not Disturb” paradigm for a longer period of time? What are the risks?
Risks of “Do Not Disturb” for an extended period of time
Team members go offline and invoke a do not disturb model all the time. Some team members are nine-to-fivers – others are connected 24/7/365. The 24/7/365 user behavior is expected of many professionals – and we all can relate to those who behave this way. However, some team members go off the grid for vacations, marriage, children, health, and a variety of other reasons. The duration they go offline is key to managing a connected state of cybersecurity as well.
For example, if there will be periodic check-ins during their absence – that activity could potentially trip threat models. User behavior will be different per individual and career responsibility. How many executives are truly offline fulltime during a vacation? I think you see my point. They are always connected and there is a state of security for them even when their email out of office reply states they will not be responding to any correspondence until a certain date. The out of office automated email reply in itself changes the state of connected cybersecurity just by raising awareness that all access will potentially be remote versus in the office.
Understanding the risks of connected cybersecurity
The first step in understanding the risks are to distinguish between the user and asset. The number and type of assets accessing secure corporate resources should always be known, quantifiable, and managed. Devices that have not been used (like old phones) should be aged out and the number of potential browsers (computers) used for remote access limited by quantity, location, operating system, etc. The more devices, inconsistent or insecure locations, older operating systems, etc. will increase the risk.
This can be managed by a good asset inventory solution and vulnerability management program. For the user, the more privileges they have remotely, lack of multi-factor authentication, poor entitlement management, and inconsistent access will also impact behavioral risk. This can be managed by a privileged access management (PAM) solution and identity and access management (IAM) process. The trick is managing both of these metrics on a single platform or location to influence future adaptive response. More on that in a moment.
The next piece of the puzzle is procedural. How do you manage requests for extended leaves of absence, but accommodate potentially periodic and intermittent access? The best methodology is first raising awareness that the individual is going offline. That is something missing from the vast majority of organizations today. When an individual is slated for a temporary leave of absence, human resource requests should be tied to information technology and cybersecurity. On-premise devices should be disabled or at least require multi-factor authentication (MFA) for any attempted access (i.e. if the user shows up physically at work).
Mobile devices should be restricted to only allow for pre-existing trusted devices and not accept any new access. The state of “do not disturb” takes on an entirely different level since there should be no (or minimal) access, and the connected state of cybersecurity should be static and not have any variations. This is typically handled by entitlements with IAM solutions for standard users and extended to PAM solutions for privileged access. Any new attempts or access during an employee’s absence could potentially be an indicator of compromise. This is much like access in the middle of the night contrary to my normal user behavior of sleeping – just for an extended period of time.
Putting connected cybersecurity together
So how do you pull all of this connected cybersecurity together? A comprehensive PAM platform and integration with IAM and other cybersecurity solutions from vulnerability management to asset inventory. If your privileged access solution is context-aware for location and vulnerabilities, your asset inventory helps control VPN and trusted devices, and your IAM methodology controls entitlements by role, device, and user – you are pretty close to a complete solution for knowing the state of cybersecurity for any connected device and user. Linking and integrating the process and solutions together, therefore, makes an effectively connected security model. This is true even if the device or user is dormant for any period of time. It allows changes in user behavior, changes in access, and changes in your trusted computing model.
If you are looking for a privileged access management (PAM) or vulnerability management (VM) solution, BeyondTrust can help. We provide a single, unified interface for both that can share data and help you realize the benefits of integrated data and shared communications to define connected cybersecurity.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
