BeyondTrust’s Universal Privilege Management approach secures and protects privileges across passwords, endpoints, and access, giving organizations the visibility and control they need to reduce risk, achieve compliance, and boost operational performance. In this interview, Chief Technology Officer (CTO) & Chief Information Security Officer (CISO) Morey Haber describes the fundamentals of privileged access management (PAM) and outlines some interesting strategies that help keep organizations secure.
Please describe the story of BeyondTrust.
BeyondTrust is a leader in the privileged access management space. We want to revolutionize the way the world uses privileged access management to secure privileges, credentials, secrets, etc. We have a family of integrated solutions that span from password technology to endpoint removal of admin rights all the way through to secure remote access technology that assures any privileged account is managed, monitored, or removed when appropriate.
What is your role in the company?
I’m the CTO and CISO for BeyondTrust. As a CTO, I oversee the high-level strategy of the organization and the products we make. I’m also the CISO of the company, which makes me responsible for the internal security and the cloud security of the products we make for our clients.
The dual CTO/CISO role is interesting. I help design or specify what a product should do in the privileged access management space, but we also use those products internally to protect our own security. It provides a nice loop back to validate that our solutions work. Having a dual role provides me with a unique perspective and is incredibly beneficial for me in my conversations with clients and prospective customers.
How would you explain the zero-trust concept to those who aren’t familiar with it?
The concept of zero-trust is not new. The zero trust security model essentially states that access is not given to something based on a local account or other types of privileges that have been assigned. Instead, we first evaluate what a user, application, etc. is allowed or not allowed to do. The context might be the network connection where you’re located, your privileges, the type of device you’re using, and other environmental factors.
When the connection, session, or access to an application is brokered through a zero-trust model, the policy engine makes the decision that you are allowed to authenticate, and your authorization should follow the principle of least privilege (PoLP). That means you only have the ability to do what you’re supposed to do, and only for the finite amount of time needed to complete the legitimate activity.
Your behavior during the session is monitored to look for inappropriate or potentially malicious activities. If your system was hijacked and your account is trying to do something malicious with the resource, it could take the appropriate action to disconnect the account and terminate the process. All session activity is documented in logs, either in the form of IO logs, or even screen recordings, for future forensics or transcriptions.
In the context of privileged access management, zero-trust is fundamental. Zero trust advocates for the elimination of standing privileged accounts and always-on accounts, which have administrator rights even if the user has never made a connection. The persistence of privilege in standing accounts presents an attack vector that is always ripe for exploitation.
When you apply privileged access management to those privileged accounts, the administrator, as well as any other privileged user that needs access, would be evaluated according to a set of conditions such as:
- Do they need access to the specific resource to do their job?
- Is this an appropriate working hour?
- Are they coming from an authorized connection?
The connection is established when a confidence threshold is met. Privileged accounts are the most sensitive accounts. BeyondTrust wants to make sure that the action is appropriate based on all the conditions, and that access is monitored and appropriately brokered.
How do you balance between security and usability?
When you have a proper zero-trust architecture (ZTA), which is the way of deploying a tool that helps to enable zero-trust, you can actually increase efficiency. That’s one of the benefits that BeyondTrust brings to the table.
For example, if a user with local administrative rights is operating on an endpoint, there is a high risk that malware or ransomware can infect the system by exploiting those privileges. The best practice would be to remove admin rights and make them a standard user. However, by doing so, things like adding a printer, changing the clock, updating or installing new software, would all stop working, leading to a bad user experience.
So, what companies have done is apply secondary admin credentials or some other type of local permissions, so that when UAC pops up, those secondary credentials will be applied. While that works, it’s also a security risk, because it means everybody has two accounts. One of these accounts is the local administrator, which malware can still scrape via a keystroke log or request to upgrade and infect the system. The best practice would be to remove admin rights altogether, but elevate the application as needed. When a user runs a program that needs admin rights, the application is elevated rather than the end-user running it. That is what we call least privilege endpoint management. It’s the concept of having an agent and a rules-based engine that states which programs need elevation, and changes the security token accordingly.
When a zero-trust architecture is applied to that, the control plane and the data plane are separated. You have an administrator and a policy engine that is now evaluating whether or not this person has the right credentials. An example of this evaluation criteria could be:
- Are they on a trusted computer?
- Are they working from home or are they in the office?
- Is there a ticket to change control?
- Have they replied as to why they should be performing the required action, for instance, installing a tool?
Once the criteria have been met, the identity and account relationship are confirmed, and access is made available using the least privilege model. Behavior is monitored, and actions like child processes are restricted to conform with zero-trust. This actually makes things more efficient, because when the end-user runs a program, it just runs, regardless of whether or not it needs elevation, and there are no secondary credentials. All the security monitoring capabilities are built-in behind the scenes and are transparent to the end-user.
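The brokered elevation described in the two answers above, as an added example that is not BeyondTrust code and does not model any real product: a small rules-based policy engine that elevates a named application, not the user, only when constructed criteria (trusted device, working hours, office versus remote, an open change-control ticket, a justification) are met, issues the elevation for a bounded window, and refuses blocked child processes for the lifetime of that window. Program names, ticket identifiers, working hours and the policy table are all hypothetical.

```python
# Added example, not BeyondTrust code: a toy zero-trust elevation broker.
# The application is elevated by policy; the user never holds a second
# admin account. All programs, tickets and hours below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Context:
    user: str
    program: str
    device_trusted: bool
    location: str              # "office" or "remote" (assumed vocabulary)
    ticket: Optional[str]      # change-control ticket, if any
    justification: str         # why the user says they need it
    when: datetime


@dataclass
class Decision:
    elevated: bool
    reason: str
    expires: Optional[datetime] = None   # elevation window, if granted


# Hypothetical policy table: only listed programs are ever elevated.
# Anything else runs with the standard-user token (least-privilege default).
POLICY = {
    "add_printer.exe": {"ticket": False, "remote_ok": True,  "minutes": 5},
    "setup_tool.msi":  {"ticket": True,  "remote_ok": False, "minutes": 30},
}
OPEN_TICKETS = {"CHG-1042"}          # constructed open change tickets
WORK_HOURS = range(7, 19)            # 07:00-18:59, assumed
# Children an elevated process may not spawn; an elevated installer that
# launches a shell hands the shell the elevated token.
BLOCKED_CHILDREN = {"cmd.exe", "powershell.exe"}


def evaluate(ctx: Context, policy=POLICY, open_tickets=OPEN_TICKETS) -> Decision:
    """Policy engine: every check must pass before the token is changed."""
    rule = policy.get(ctx.program)
    if rule is None:
        return Decision(False, "program not in policy; runs as standard user")
    if not ctx.device_trusted:
        return Decision(False, "untrusted device")
    if ctx.when.hour not in WORK_HOURS:
        return Decision(False, "outside working hours")
    if ctx.location == "remote" and not rule["remote_ok"]:
        return Decision(False, "program may only be elevated from the office")
    if rule["ticket"] and ctx.ticket not in open_tickets:
        return Decision(False, "no open change-control ticket")
    if not ctx.justification.strip():
        return Decision(False, "no justification supplied")
    return Decision(True, "elevated by policy",
                    ctx.when + timedelta(minutes=rule["minutes"]))


def child_allowed(decision: Decision, child: str, now: datetime) -> bool:
    """Elevated sessions are time-boxed and may not spawn blocked children."""
    if not decision.elevated:
        return True                     # standard-user process: nothing extra to enforce
    if decision.expires is None or now >= decision.expires:
        return False                    # elevation window has closed
    return child not in BLOCKED_CHILDREN


def demo() -> dict:
    """Run constructed scenarios through the engine; returns {name: bool}."""
    t = datetime(2024, 5, 6, 10, 0)     # a weekday at 10:00, constructed
    base = dict(user="alice", device_trusted=True, location="office",
                ticket="CHG-1042", justification="install build tool", when=t)
    scenarios = {
        "in_policy_with_ticket":    Context(**{**base, "program": "setup_tool.msi"}),
        "printer_no_ticket_needed": Context(**{**base, "program": "add_printer.exe", "ticket": None}),
        "no_ticket":                Context(**{**base, "program": "setup_tool.msi", "ticket": None}),
        "remote_office_only":       Context(**{**base, "program": "setup_tool.msi", "location": "remote"}),
        "after_hours":              Context(**{**base, "program": "add_printer.exe", "when": t.replace(hour=23)}),
        "not_in_policy":            Context(**{**base, "program": "notepad.exe"}),
    }
    decisions = {name: evaluate(ctx) for name, ctx in scenarios.items()}
    out = {name: d.elevated for name, d in decisions.items()}
    granted = decisions["in_policy_with_ticket"]
    out["child_shell_blocked"] = not child_allowed(granted, "powershell.exe", t)
    out["child_helper_ok"] = child_allowed(granted, "msiexec.exe", t + timedelta(minutes=1))
    out["expired_window"] = not child_allowed(granted, "msiexec.exe", t + timedelta(minutes=31))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

The order of checks matters: the cheapest and most decisive test (is this program in the policy at all?) runs first, so an unlisted binary never reaches the ticket or justification prompts, which is what makes the flow transparent for the everyday case.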
How does BeyondTrust interact with third-party applications?
BeyondTrust interacts with a wide variety of third-party applications. We have two primary types of integration classes.
The first type of integration is with external vendors that we have to share data or authenticate with to validate or change control tickets. We have an extensive library of connectors and integrations to support the entire workflow, including a variety of tools like ServiceNow, McAfee, and others, which you can see on our website.
The second form of BeyondTrust integration pertains to platforms that use our product internally. For instance, our password safe technology stores and automatically rotates passwords to provide that check-in/check-out experience that ensures credentials don’t become stale. Even if a threat actor got ahold of a password, due to malware keystroke logging or some type of phishing expedition, it would quickly become invalid because of the rotation.
Our technology is able to find targets, from operating systems to databases, and even applications, cloud resources, and infrastructure, and then log into them and regularly rotate the credentials. The solution even keeps a secure record of previous credentials, just in case a backup requires access, or for disaster recovery.
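The check-out/check-in and rotation behaviour described in the two paragraphs above, as an added example that is not BeyondTrust's Password Safe and does not model its internals: a toy vault that hands out a managed credential under a lease, rotates it on check-in or when the lease runs out, keeps a bounded history of prior values for recovery, and shows that a credential captured during check-out no longer works afterwards. The target name, the discovered password, the lease length and the history depth are constructed; pushing the new secret to the target system is simulated.

```python
# Added example, not BeyondTrust's Password Safe: a toy credential vault that
# brokers check-out/check-in, rotates on every check-in or lease expiry, and
# keeps a bounded history of prior secrets. Rotation on the target is simulated.
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 24) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class ManagedAccount:
    target: str                                   # e.g. "db01/svc_backup" (constructed)
    current: str
    history: List[Tuple[datetime, str]] = field(default_factory=list)
    holder: Optional[str] = None                  # who has it checked out
    lease_ends: Optional[datetime] = None


class Vault:
    def __init__(self, lease: timedelta = timedelta(hours=1), history_depth: int = 5):
        self.lease = lease
        self.history_depth = history_depth
        self.accounts: Dict[str, ManagedAccount] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []

    def enroll(self, target: str, discovered: str, now: datetime) -> None:
        """Onboard a discovered credential and rotate it at once, so the
        vault becomes the only holder of the live secret."""
        self.accounts[target] = ManagedAccount(target, discovered)
        self._rotate(target, now, "enrolled")

    def _rotate(self, target: str, now: datetime, reason: str) -> None:
        acct = self.accounts[target]
        acct.history.insert(0, (now, acct.current))   # newest first
        del acct.history[self.history_depth:]         # bounded retention
        acct.current = generate_password()            # real product: push to target here
        self.audit.append((now, target, "rotate", reason))

    def checkout(self, target: str, requester: str, now: datetime) -> str:
        acct = self.accounts[target]
        if acct.holder is not None and acct.lease_ends > now:
            raise PermissionError(f"{target} is checked out by {acct.holder}")
        acct.holder, acct.lease_ends = requester, now + self.lease
        self.audit.append((now, target, "checkout", requester))
        return acct.current

    def checkin(self, target: str, requester: str, now: datetime) -> None:
        acct = self.accounts[target]
        if acct.holder != requester:
            raise PermissionError(f"{requester} does not hold {target}")
        acct.holder = acct.lease_ends = None
        self._rotate(target, now, f"checked in by {requester}")

    def expire_leases(self, now: datetime) -> List[str]:
        """Forced check-in: a lease that ran out is rotated without waiting."""
        expired = [t for t, a in self.accounts.items()
                   if a.holder is not None and a.lease_ends <= now]
        for t in expired:
            self.accounts[t].holder = self.accounts[t].lease_ends = None
            self._rotate(t, now, "lease expired")
        return expired

    def verify(self, target: str, password: str) -> bool:
        """What the target system would answer to a login attempt."""
        return secrets.compare_digest(password, self.accounts[target].current)

    def previous(self, target: str) -> List[str]:
        """Prior values, kept for backup restore or disaster recovery."""
        return [p for _, p in self.accounts[target].history]


def demo() -> dict:
    """Constructed scenario: a credential captured at check-out dies at check-in."""
    t0 = datetime(2024, 5, 6, 9, 0)
    target = "db01/svc_backup"
    v = Vault()
    v.enroll(target, "Summer2023!", t0)                 # constructed discovered password
    captured = v.checkout(target, "alice", t0)          # pretend a keylogger saw this
    out = {"valid_during_checkout": v.verify(target, captured)}
    try:
        v.checkout(target, "bob", t0 + timedelta(minutes=5))
        out["double_checkout_blocked"] = False
    except PermissionError:
        out["double_checkout_blocked"] = True
    v.checkin(target, "alice", t0 + timedelta(minutes=10))
    out["valid_after_checkin"] = v.verify(target, captured)
    v.checkout(target, "bob", t0 + timedelta(minutes=20))   # bob never checks in
    out["expired"] = v.expire_leases(t0 + timedelta(hours=2))
    out["history"] = v.previous(target)
    out["original_in_history"] = "Summer2023!" in out["history"]
    out["captured_in_history"] = captured in out["history"]
    out["rotations"] = sum(1 for _, _, action, _ in v.audit if action == "rotate")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Two design points carry over to real deployments: the account is rotated immediately on enrollment, so whatever password was floating around before onboarding is dead from day one, and expired leases are rotated by the vault itself rather than waiting for a user who forgot to check in.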
How do you expect the recent developments in user privacy to impact your business and industry?
The changes in data privacy have had a very large impact on BeyondTrust, as well as many other companies.
It’s important to understand that data security and data privacy are two different things. Data privacy is the protection of sensitive information that you may or may not have privileges to see or collect. With this in mind, if you have sensitive data, you want to make sure it is only being used appropriately and within the proper regions. People can build the proper scope around access to cover privacy laws and concerns. The actual implementation is data security – everything from data retention to obfuscation applies to data privacy, but the overall protection of any type of data would be a part of data security.
I recommend organizations separate data privacy and data security and clearly understand the differences between them. Then, when you do the data mappings and discovery, you’ll find that the data privacy aspect becomes a lot simpler to address.
What would you say is the number one mistake that organizations make with regards to security, and how can it be avoided?
In terms of security, the number one mistake organizations make is the mindset that it won’t happen to them. People seem to think they are invincible and can’t be breached because they have enough defenses. In reality, modern security threats, from supply chains and vendors to vulnerabilities, to privileged attacks, to identity-based attacks and phishing, are getting more sophisticated by the day.
We have to break free from that denial mindset and realize that the tools we use only minimize the risk. We can work toward diminishing our cyber risk – but never altogether eliminate it. My recommendation, therefore, is to prepare yourself for a breach, because it will happen.
You need to have a proper incident response plan:
- Know who to notify in terms of the authorities, law enforcement, etc.
- Know what your legal obligations are in terms of contractual requirements to customers
- Make sure you comply with local and regional data privacy laws. This includes everything from keeping an attorney who specializes in cybersecurity on retainer to engaging a forensics firm to tighten the security of your operation.
If you start running around with your hair pulled out, not knowing the severity of the problem or how to fix it, you could be jeopardizing your business, your job, or your reputation. Be prepared for when something happens because, in today’s world, it will probably happen.
Which trends or technologies do you find to be particularly interesting these days around your line of work?
The biggest trends and technologies that I see are newer solutions in the cloud to solve traditional problems. There are numerous startups and mature companies developing cloud technologies. These organizations are evolving vulnerability management, privileged identification and discovery, and other areas in ways that don’t require agents and scanners like what we’ve seen on-premise.
I find this very intriguing because we know you have to patch and discover assets, it’s pretty basic. But the traditional scanner is not the right way to do things in the cloud. Some great methodologies and solutions use APIs with least privilege to discover, assess, and perform these functions.
I think the biggest trend that you’ll see are these newer technologies like CIEM (Cloud Infrastructure Entitlement Management) coming to market to take on-premise concepts to the cloud in completely innovative ways. Vendors have set out to solve these problems creatively and then map and develop the best practices. I think that any of the legacy tools can potentially take a hit because they haven’t adequately evolved or adapted.
Any final words you’d like to add?
In closing, I would like to sincerely extend my best wishes to everyone. Please stay healthy and follow security best practices.
Never reuse passwords, make passwords complex, don’t share your passwords. Avoid silly things like using the same username on multiple accounts, variations of your name, or your email address. If you use your email address to log into multiple accounts, and one of them gets compromised, threat actors will know that you’re using it on other sites, even if the passwords are different. Make it that much harder for them by keeping unique usernames and passwords. Those are the best practices that will keep you and your business protected.