Thycotic commentator: your endpoints just followed Elvis out the building
The nature of endpoints in IT terms has changed significantly in the last 10 to 15 years. Back in the early noughties, so-called thick applications were installed on users’ laptops (if they were lucky enough to own such a luxury item!) or on a desktop in the workplace. For cybersecurity teams, it was all about protecting what was installed on the system and the perimeter encompassing the clients’ LAN.
In the last 15 years, things have moved on from that model. The situation has almost gone back to the very early days of computing, when mainframe or MetaFrame (early Citrix virtualisation) systems hosted applications and data, and users reached services through thin clients.
Today most applications and services are hosted in the cloud — the latter-day mainframes — or can be co-hosted, with low-overhead processing on the device and heavy-lifting done in a remote datacenter somewhere out there.
Today’s internet connection speeds mean there is little difference in responsiveness between operating remote instances and local monolithic apps. Just as well, given that a decent proportion of the population finds itself suddenly working at home. That means protecting cloud services, cloud access, remote endpoints and data in transit becomes as important as safeguarding perimeters. Like Elvis, endpoints have left the (office) building, and while the central working-space show may be over for now, it just highlights the fluid nature of what cybersec teams have to protect.
To help us explore the changing picture of endpoints and cybersecurity practices, we spoke recently to Joseph Carson from Thycotic, a leader in privileged access management (PAM) solutions in Australia and New Zealand, and Asia. Joe is Chief Security Scientist and Advisory Chief Information Security Officer at the company and a cybersecurity expert with over 20 years of experience in the industry.
Thycotic’s expertise is in providing security based on risk — risk posed by outside attackers on an organisation, but also the risks inherent in users having privilege-determined access to information. Its platform helps enterprises simplify what are often highly complex security toolsets.
With the company named as a leader in its field by top IT security analysts, the CISO at Thycotic has to know their craft. So, if anyone has the inside track on how organisations might reassess the way they formulate security policies with regard to newly defined endpoints, it’s Joe. We began by discussing the multiple accounts and services people access to get a day’s work done.
“Endpoints are no longer just the devices, they’re hosted everywhere,” he said. “And that means that since internet access became vital for a lot of devices to function, so it means that the access, communication and traffic become important. [A user needs] a multitude of credentials and authentication to be able to access those applications. And that’s where we start seeing a lot of things like Single Sign On, and privilege-based access security. [Those] really help manage those complexities of authentication and authorisation.”
Joseph told us not to come at the cybersecurity issue from the standpoint of individual endpoints but rather to begin with a comprehensive and continuous risk assessment of the data and how it is accessed. After all, the data is what cybersecurity is designed to protect. Our job in cybersecurity is to help reduce the risk to the organisation’s business and help employees be successful.
“First of all, before you get to any of the final decisions about implementations and strategies and controls, you have to understand what is [an organisation’s] risk? If I have a service, and that service isn’t available for a day, what’s the cost to the business? Can the employee do anything? And then the second part is getting the balance between productivity and security. You know, you should never sacrifice one or the other. So, it’s always finding that balance. In my mind, we need to get security to work so that means making security so it’s usable.”
The second part of the cybersecurity puzzle has always been an issue for IT teams: a scale with extremes comprising byzantine protective systems making daily working tools unusable for most and a liberal approach that promotes freedom but leaves the stable door wide open. And, we suggested, isn’t there also a big part for employee education in cybersecurity issues?
Joe told us that educating the users remains valuable, but that is exactly what cybersecurity teams have been trying to do for 20 or 30 years. And they shouldn’t stop now! “That’s a continuous thing, that’s not something you should stop doing. We want better educated people to be able to visually identify risks and report them. Because when you have people in the front line that can actually report instances earlier, the better an organisation will be at reducing the risk.”
Human defences are not the whole story, at least not in a risk-based cybersecurity strategy like the one Joe continually helps educate companies about all around the world today.
“At the same time, we want to make sure that when they click on the link, […] the security controls in the background will work for them [and] bring important information to the foreground that they need or report it for additional checks in the background. The more we move security to the background, and where we make security work automatically and seamlessly, the better it is for the user.”
It is not just users in the enterprise who connect to networks and thereby, to one degree or another, pose a threat to an organisation’s systems and data integrity. Today many thousands of devices attach through a network: the internet of things exists to a greater degree than many people imagine, and ensuring that machine security and identity are part of the risk assessment is a critical part of cybersecurity practice.
We discussed an example of an IoT network in which one device might drop off the radar then reappear a few hours later. In an intelligent, adaptive cybersecurity framework, such an event should raise a red flag until such a time as the reasons for the outage can be determined.
Aside from the redefinition of internet of things devices and cloud applications as endpoints that need cybersecurity consideration, 2020 and 2021 have writ large the BYOD issue. Or, as Joe terms it, “bring your own disaster or soon to be bring your own office.”
Many millions of words have been written (on this site alone) about the different ways in which organisations can help their users demarcate between work and personal applications/workloads on their tablets and phones. However, the Thycotic approach is a great deal more finely tuned.
“For me to access my work’s email, it might be perfectly fine to authenticate with a username, password, and a multi factor authentication. Now, if I want to go and access, let’s say, customer data, then the security control that I satisfied for my email is no longer ‘just satisfactory.’ So, I can’t just now move across and use the same security controls to access sensitive data. We refer to it as leveling up, that you have to then level up or satisfy more security controls.”
An example came up of how the Thycotic company’s security controls worked (it takes its own medicine in that sense) on a granular level. Joe told us how, on a business trip outside his adopted homeland of Estonia, he got a notification from his team. He’d been attempting to access secure information from a different country — behaviour the Thycotic automated systems had flagged as anomalous against the company’s predefined policies.
Even though some of the technology used in situations like this is extremely complicated under the hood, Joe reaffirmed that for the end-user — him, in this case — simplicity was vital:
“One of my mentors and bosses many years ago said that security should be like a light bulb or like electricity. You hit the switch, and you don’t need to know the complexity in the background, it just works for you.”
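The “leveling up” model and the anomalous-location flag described above can be sketched as a small policy check. This is an added example, not Thycotic’s code or product behaviour: the control names, assurance levels, resource policy and the rule that an unusual country raises the requirement by one level are all assumptions, and the sessions are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical controls and the assurance level each one provides.
CONTROL_LEVEL = {"password": 1, "mfa": 2, "hardware_key": 3, "manager_approval": 4}
# Constructed policy: minimum assurance level per resource.
RESOURCE_LEVEL = {"email": 2, "customer_data": 3}


@dataclass(frozen=True)
class Session:
    user: str
    controls: frozenset         # controls already satisfied in this session
    country: str                # country the request comes from
    usual_countries: frozenset  # baseline locations for this user


def evaluate(resource: str, session: Session):
    """Return (decision, step_up_options, flagged_as_anomalous)."""
    flagged = session.country not in session.usual_countries
    base = RESOURCE_LEVEL.get(resource)
    if base is None:
        return ("deny", [], flagged)  # unknown resource: deny by default
    # Assumed rule: an unusual location raises the bar by one level.
    need = base + (1 if flagged else 0)
    have = max((CONTROL_LEVEL.get(c, 0) for c in session.controls), default=0)
    if have >= need:
        return ("allow", [], flagged)
    # Offer only the controls strong enough to reach the required level.
    options = sorted(c for c, lvl in CONTROL_LEVEL.items() if lvl >= need)
    if not options:
        return ("deny", [], flagged)  # no available control is strong enough
    return ("step_up", options, flagged)


# Constructed sample sessions for one user whose usual country is "EE".
HOME = frozenset({"EE"})
at_home = Session("user1", frozenset({"password", "mfa"}), "EE", HOME)
abroad = Session("user1", frozenset({"password", "mfa", "hardware_key"}), "AU", HOME)

if __name__ == "__main__":
    for res, sess in [("email", at_home), ("customer_data", at_home),
                      ("customer_data", abroad), ("payroll", at_home)]:
        print(res, sess.country, evaluate(res, sess))
```

The same session that is sufficient for email is sent to step-up for customer data, and the request from an unusual country is both flagged and held to a higher level.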
For further reading, we recommend this eBook, “The Definitive Guide to Endpoint Privilege Management (EPM)”, plus there’s a webinar to get involved in too. Both highly recommended.