The myth of security versus convenience


Ease of access and convenience in workplace systems is often seen as a ‘trade-off’ against security, but according to Rashid Ali, Enterprise Solutions Manager at WALLIX, this is nothing but a myth. Here, he discusses this common misunderstanding in workplace security in further detail.

With the rise of remote working, having access to the right organisational resources in a timely and efficient manner is becoming a major competitive advantage. Employees want to feel empowered and supported in working in the best way possible, and this includes having easy and quick access to company data from multiple devices and from different locations. Today’s workforce is agile and flexible, and it brings with it a whole host of productivity and talent benefits. But this also means businesses need to be able to set the correct administrative rights and ensure that staff are granted access to the data they need, when they need it.

The principle of Just-in-Time access security has recently gained popularity among business leaders and this is exactly as the name suggests: providing access to IT resources precisely when needed. In a nutshell, it means users are granted privileges to access a system or resource to perform a specific task as and when the need arises.

Why Just-in-Time?

The way we should look at Just-in-Time security is as a foundational practice. It is designed to help bolster security and maintain compliance while providing employees with much needed data access.

Employees want to be able to work from multiple devices, access data at home or on the move and they want it to be simple and efficient to do so. This is not a new revelation, but in the past 18 months we have seen a greater shift towards hybrid working, and now most organisations across almost every sector are embracing this in some form. 

However, one of the biggest security challenges is that when this access is not available, or becomes complex and inconvenient, employees will simply operate outside the parameters set by IT. Employees can see security as a trade-off between ease of use and what is secure, which can become a massive problem for organisations. As a result, businesses need to address this early on, ensure employees have the access they need, and also make sure that everyone understands cyber-risks.

It is still necessary for organisations to restrict access to sensitive data, so striking the balance can be tricky. Whether remote or in the office, no business should be allowing complete blanket access to sensitive information. Also, providing too many users with too many privileges at all times opens the organisation up to an exponentially higher risk of having privileged credentials stolen, exploited and escalated in order to steal secrets, encrypt data, or bring systems to a halt. Granting elevated privileges only as and when needed – no more and no less – restricts exposure to a minimum while still allowing users to go about their work efficiently.

In a recent study by Oracle and KPMG, 59% of surveyed companies suffered a cyberattack due to privileged credentials being shared or stolen. So, the odds are not in your favour when it comes to granting excessive privileges to users across your organisation. Most companies typically give users too many privileges, or access to too many resources, as a blanket policy. While this makes sense from an operational point of view, it goes too far from a security point of view. But once companies start restricting privileges, this can hinder day-to-day work and impact employee productivity if not done carefully.

This is why Just-in-Time access security is a foundational practice to help reduce superfluous access privileges, and a key tool in implementing the Principle of Least Privilege and Zero Trust security models. As a policy, Just-in-Time security aims to minimise the risk posed by standing privileges in order to limit exposure to potential cyberattacks.

This approach, at its core, addresses three main factors of access: location; timing; and actions. Where is a user attempting to access from? Are they authorised to work during this timeframe, and how long will they need to retain access? What exactly are they attempting to do with their access?

Non-IT users can also be protected by Just-in-Time security solutions. Workstations are a constant source of vulnerability due to phishing scams and ‘password fatigue’ of users, with too many login credentials for too many different systems. However, removing local administrator accounts can cause headaches for hampered users and overburdened helpdesks. Endpoint Privilege Management empowers users to seamlessly elevate privileges for a specific application or process without elevating session or user privileges. This effectively eliminates vulnerable endpoint admin rights.

Ultimately, the aim of Just-in-Time security is to reduce – to an absolute minimum – the number of users with elevated privileges, the amount of privileges they each hold and the duration for which they are granted. This enables organisations to improve their cybersecurity posture, facilitated by strategic technology solutions, to minimise vulnerabilities and block malicious actors from advancing and self-escalating privileges across the network.

Putting Just-in-Time security into practice

The first step is to audit all user access privileges, company-wide, to determine the scope and scale of the issue. How many users are there? What are their profiles and to which applications and systems do they typically need access? How many user accounts are dormant, how many elevated privileges are rarely or never used?

Based on the answers uncovered, the next step is to establish an internal policy to define requirements for users to be granted access to target systems: which roles and teams, under which conditions, and for how long should access be allowed? You will also need to regain control over all passwords and credentials to target systems. Centralising management and rotation of passwords to applications and IT assets is critical to ensuring comprehensive risk and vulnerability management.

A privileged access management solution is a strong first step to protect the ‘crown jewels’ of the IT infrastructure. This type of solution centralises and streamlines secure access to critical IT assets like production servers. This eliminates the shared use of root passwords, locking down sensitive access. Temporary privilege elevation can be requested as needed to enable human and machine users to carry out occasional tasks or run privileged commands. Through privilege elevation and delegation management, the user simply submits a ticket request to elevate privileges for a specified action and time period. When connecting through a privileged access management solution, the user experience is seamless, facilitating productivity and efficiency while fully vetting authorisation to connect to the server based on the Just-in-Time principles defined in the solution.
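The three-factor check (location, timing, actions) and the three-step rollout above (audit standing privileges, define a policy per role, evaluate time-boxed elevation requests) can be sketched as one small model. The following Python is an added example written for this page; it is not WALLIX's code or any product's API. The account inventory, role policy, networks, privilege names and timestamps are all constructed, and the 90-day dormancy threshold is an assumption chosen for illustration.

```python
# Added example (not the article's or WALLIX's code): a toy model of the
# Just-in-Time access workflow. Step 1 audits standing privileges for dormant
# accounts and never-used elevations; steps 2 and 3 evaluate an elevation
# request against a per-role policy covering location, timing, action and
# duration, and return a grant that expires on its own.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for "dormant"/"unused"

# Constructed inventory: role, last login, and last use of each elevated privilege.
ACCOUNTS = {
    "alice": {"role": "dba", "last_login": "2024-05-20T09:00:00Z",
              "elevated": {"prod-db-admin": "2024-05-19T14:00:00Z"}},
    "bob":   {"role": "dev", "last_login": "2024-01-02T09:00:00Z",
              "elevated": {"prod-ssh-root": None}},            # never used
    "carol": {"role": "dev", "last_login": "2024-05-21T08:00:00Z",
              "elevated": {"prod-ssh-root": "2023-11-01T10:00:00Z",
                           "build-server-admin": "2024-05-20T16:00:00Z"}},
}

# Step 2: per-role policy: from where, when, what, and for how long.
POLICY = {
    "dba": {"networks": ["10.0.0.0/8", "203.0.113.0/24"], "hours": (8, 20),
            "actions": {"prod-db-admin"}, "max_minutes": 60},
    "dev": {"networks": ["10.0.0.0/8"], "hours": (8, 20),
            "actions": {"build-server-admin"}, "max_minutes": 30},
}

# Fixed "now" values so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 5, 21, 10, 0, tzinfo=timezone.utc)
SAMPLE_NIGHT = SAMPLE_NOW.replace(hour=22)


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix); None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_standing_privileges(accounts, now):
    """Step 1: dormant accounts and elevated privileges unused for 90+ days."""
    dormant, unused = [], []
    for name, rec in accounts.items():
        if now - parse_ts(rec["last_login"]) > DORMANT_AFTER:
            dormant.append(name)
        for priv, last_used in rec["elevated"].items():
            if last_used is None or now - parse_ts(last_used) > DORMANT_AFTER:
                unused.append((name, priv))
    return {"dormant_accounts": sorted(dormant), "unused_privileges": sorted(unused)}


@dataclass
class Grant:
    user: str
    action: str
    expires_at: datetime

    def is_active(self, now):
        # No standing privilege: the grant is dead once its window has passed.
        return now < self.expires_at


def request_elevation(user, src_ip, action, minutes, now,
                      accounts=ACCOUNTS, policy=POLICY):
    """Step 3: evaluate a ticket. Returns (Grant, None) or (None, reason)."""
    rec = accounts.get(user)
    if rec is None:
        return None, "unknown user"
    rule = policy.get(rec["role"])
    if rule is None:
        return None, "no policy for role"
    addr = ip_address(src_ip)
    if not any(addr in ip_network(n) for n in rule["networks"]):   # location
        return None, "location not allowed"
    start, end = rule["hours"]
    if not start <= now.hour < end:                                 # timing
        return None, "outside permitted hours"
    if action not in rule["actions"]:                               # action
        return None, "action not permitted for role"
    if minutes <= 0 or minutes > rule["max_minutes"]:               # duration
        return None, "requested duration exceeds policy"
    return Grant(user, action, now + timedelta(minutes=minutes)), None


if __name__ == "__main__":
    print(audit_standing_privileges(ACCOUNTS, SAMPLE_NOW))
    grant, reason = request_elevation("alice", "10.1.2.3", "prod-db-admin", 30, SAMPLE_NOW)
    print(grant, reason)
    print("still active at expiry?", grant.is_active(grant.expires_at))
```

The audit output is what the first step of the rollout is meant to surface: an account that has not logged in for months and elevated rights nobody has exercised, both candidates for removal before any policy is written. The request evaluator then refuses anything outside the role's allowed networks, hours, actions or maximum window, and every grant it does issue carries its own expiry, so there is nothing to revoke afterwards.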

Reaping the benefits

Once fully implemented, Just-in-Time access management strictly limits the amount of time an account possesses elevated privileges and access rights, reducing the risk and attack surface. Privileged accounts are only used for the time needed to complete the task or activity – users, accounts and sessions do not hold on to ‘standing privileges’ once the task is complete. With the proper access security solutions, Just-in-Time is made simple with dynamic privilege elevation to ensure that only the right identities have the appropriate privileges when necessary, and for the least time necessary.

Intelligent CISO