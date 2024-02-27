In a dynamic regulatory landscape, navigating compliance requirements is akin to solving a constantly evolving puzzle, writes David Higgins, EMEA Technical Director at the cyber firm CyberArk.

Auditors now demand more than just reports on access; they require proof of robust controls securing identities across diverse environments. As compliance demands expand to encompass a broader spectrum of human and non-human identities, organisations face escalating stakes and mounting costs associated with non-compliance.

Take the regulatory landscape itself. NIS2 and DORA in the EU, together with guidance such as the NIST Secure Software Development Framework (SSDF), all place fresh emphasis on securing critical sectors and the internal systems that support them. Meanwhile, the cost of falling short keeps rising: the average cost of a data breach is as much as 12.6% higher when the organisation is found to be non-compliant.

The good news is that strong controls and strong compliance go together. With the right capabilities for discovering, securing and reporting on high-risk access, you can take a proactive stance toward regulatory demands. These are some of the key steps your organisation can take to get there.

Finding and evaluating high-risk access

You can’t protect (or report on) what you can’t see, yet many security decision-makers lack a complete picture of human and non-human access to sensitive resources. Closing that gap starts with a more comprehensive approach to discovering, securing and reporting on high-risk access.

One place to start is an inventory of every account with administrative or otherwise elevated access to systems, applications, servers, networks and so on. A second is discovering where privilege lives on the organisation’s many endpoints, such as local administrator rights on workstations and servers. These are fundamental types of visibility, and many organisations are already accustomed to them.

As we move into newer types of identities and environments, however, compliance becomes harder. Developers and cloud operations teams, for example, are often over-permissioned, with direct access to sensitive resources granted in the rush to innovate. A CyberArk analysis of the three major cloud service providers shows that a user can access about 1,400 native services that, collectively, expose over 40,000 access controls.

As part of their compliance work, security teams should lean into that cloud complexity and hunt for issues such as over-permissioned IAM roles, unmanaged shared accounts, and credentials hard-coded into application code, scripts and configuration by developers working in the cloud. In many cases it is up to you to interpret compliance requirements in the context of new identities, environments and threats (a 100-page regulatory document will not necessarily name them). In other cases the direction is clear-cut, calling out specific areas such as virtual infrastructure. Either way, high-risk access, in all its shapes, forms and locations, needs rigorous protection.
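As an added example of the two discovery checks just described (not code from the article or from CyberArk), the script below flags over-permissioned statements in AWS-style IAM policy documents and scans source text for hard-coded AWS credentials. The policy documents, the source snippet and the key pair in it are constructed for illustration; the `AKIA`/`ASIA` access key ID format is documented by AWS, while the secret-key and "privileged service prefix" heuristics are assumptions a real scanner would tune to its environment.

```python
import json
import re

# Constructed sample: two IAM-style policy documents of the kind a discovery
# pass would pull from a cloud account. Not real account data.
SAMPLE_POLICIES = {
    "ci-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    },
    "log-reader-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
             "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/app/*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        ],
    },
}

# Assumption: service prefixes whose service-wide wildcard is effectively
# administrative. Extend to taste.
PRIVILEGED_PREFIXES = {"iam", "sts", "organizations", "kms"}


def _as_list(value):
    # IAM allows a string or a list in Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def find_overpermissive_statements(policy):
    """Return [(reason, statement)] for Allow statements that grant broad
    access: a full Action/Resource wildcard, a service-wide wildcard on a
    privileged service, or a wildcard Resource with no Condition block."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_condition = bool(stmt.get("Condition"))
        if "*" in actions and "*" in resources:
            findings.append(("full-admin", stmt))
            continue
        for action in actions:
            prefix, _, verb = action.partition(":")
            if verb == "*" and prefix in PRIVILEGED_PREFIXES:
                findings.append((f"service-wildcard:{prefix}", stmt))
                break
        if "*" in resources and not has_condition:
            findings.append(("wildcard-resource-unconditioned", stmt))
    return findings


# Credential patterns. The access key ID format is documented by AWS; the
# secret-key line heuristic is an assumption for illustration.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def find_hardcoded_credentials(text):
    """Return [(pattern_name, line_number)] for each line matching a credential
    pattern. Only line numbers are reported so the secret itself is never
    copied into the finding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


# Constructed source snippet containing the AWS documentation's example key
# pair, which is not a live credential.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3")
"""


def discover(policies, source_text):
    """Run both checks and return a report keyed by role name plus the
    credential hits for the source text."""
    report = {"policies": {}, "credentials": find_hardcoded_credentials(source_text)}
    for role, policy in policies.items():
        report["policies"][role] = [r for r, _ in find_overpermissive_statements(policy)]
    return report


if __name__ == "__main__":
    print(json.dumps(discover(SAMPLE_POLICIES, SAMPLE_SOURCE), indent=2))
```

In a real estate the policy documents would come from the cloud provider's API and the source text from repository and configuration scans; the point is that both checks produce findings an auditor can follow back to a specific role or file and line.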

Deploying controls for identity security

As mentioned, securing high-risk access demands more than passive adherence to regulatory guidelines. You must be able to demonstrate that strong controls are in place to reduce risk and build organisational resilience against attack. That means controls such as stringent password policies for privileged accounts, multi-factor authentication, and just-in-time access that grants elevated rights only for the duration of an approved task. Emerging identity security principles such as zero standing privileges, where no account retains elevated rights between tasks, take this further. These controls raise the bar against ransomware and other attacks that depend on stolen or abused credentials, and they are concrete proof points for auditors.

Attaining continuous visibility across identity profiles

You can build on the findings of your initial discovery with ongoing, real-time visibility into the access (and actions) of identities across your organisation. This is where it is essential to look beyond siloed categories of controls or tools. We recommend an integrated identity security approach, in which the underlying solutions share information, act on each other’s insights and provide a unified view of audit data across all forms of human and non-human access.

With this approach, you can gain a comprehensive view of who has privileges and authorisation to what resources, with capabilities for discovering, adjusting, certifying and revoking access.

How to support stretched security teams

Research puts the mean time for organisations to identify a data breach at 204 days, even as the SEC now requires public companies to disclose a cyber security incident within four business days of determining that it is “material”. How do you account for the limits many organisations face on time, bandwidth and staffing?

Organisations can win back time, and potentially save money, by using automation to replace the resource-intensive manual tasks that bog down security teams. That includes automating governance processes so that the checks and balances needed to maintain compliance are in place. Examples of automatable processes include recurring access reviews that continuously enforce least privilege, and regularly discovering which identities have access to specific privileged accounts and sensitive resources.

Gaining auditor confidence

To build trust with auditors, those responsible for compliance must integrate visibility and controls in a way that can be communicated clearly, and that requires a structured approach. First, you can only secure and protect what you know about: engaging the relevant teams early to understand their workflows, and documenting their systems and access, is a big step towards a successful compliance strategy.

Next comes implementation and rollout. If external auditors have called out gaps in controls, focus on a combination of prioritising critical systems, reducing complexity and automating recurring access certifications. Finally, expand and communicate. You cannot do everything on day one, but attackers need only one gap to get in. A proactive approach means a clear plan for closing the gaps found in discovery, an implementation roadmap against which to track progress, and open engagement with auditors and regulators along the way.

The intersection of robust identity security and proactive compliance strategies is essential for navigating today’s regulatory landscape. By embracing a holistic approach to identity management, organisations can mitigate risk, enhance operational resilience, and earn the trust of auditors and stakeholders alike. As regulations evolve and threats proliferate, the importance of prioritising identity security in compliance initiatives has never been clearer.