CyberArk Execs: 9 Bets on What's Next in Identity SecurityCyberArk Has Pushed Beyond Its Legacy in PAM to Address Broader Identity Use Cases
CyberArk is looking beyond privileged access management to take on the entire world of identity use cases, especially with new challenges presented by the rise of machine identities.
The Newton, Massachusetts-based company will offer more holistic protection to user and nonuser identities by expanding into adjacent technologies such as workforce and customer access, secrets management, cloud privilege security and identity management, founder, chairman and CEO Udi Mokady announced Wednesday during the company's Impact 2022 partner and customer conference.
"We're firing on all cylinders," Mokady proclaimed before an audience of 1,950 virtual and in-person attendees in Boston's Hynes Convention Center.
Information Security Media Group spoke with Mokady as well as Barak Feldman, senior vice president of privileged access management and identity security. Here's Mokady and Feldman's take on the biggest trends in identity security and the investments CyberArk has made in response to those threats (see: CyberArk Debuts $30M Venture Fund to Back Talented Startups).
1. Proliferation of Privilege
Privileged access was historically the domain of an IT department tasked with ensuring the company's technology was running safely and effectively, says Mokady. That has changed dramatically in recent years, with remote HR employees able to access employee salary data and DevOps engineers having the ability to launch containers at a moment's notice.
As a result, Mokady says privileged access needs to be made available to the masses rather than to just a select few. A CyberArk survey found that more than half of employees and 60% of machine identities can now access sensitive data, and businesses today have 45 nonhuman identities for every human identity, due to changes in the software development process and the use of just-in-time workloads.
"Identity is now the target of attackers who continue to innovate," Mokady says during his keynote address. "Attackers have a new supply chain, and therefore every identity needs strong security."
2. Rise of the Machines
Container and cloud-based technology makes it possible for smaller organizations to afford thousands of instances and automate at a larger scale, Feldman says. Machines tend to use generic service accounts to carry out their work, which makes authentication more difficult since measures like biometrics and multifactor authentication that are used to verify human identities don't work here.
Hard-coded passwords that remain unchanged due to concerns about the impact on the business amplify the challenges, since any adversary who learns of the password has the keys to the kingdom, Feldman says. Approaches such as robotic process automation have replaced steps that were done manually, meaning that automatic processes have displaced users with lookup or access authorization.
"It's the way modern organizations are architected," Mokady says. "More things are shifting left and done as code in a company."
3. Non-Workforce Identities Emerge
Third-party vendors, contractors and partners increasingly need access to the applications and systems of the client, Feldman says. Companies have long had to grapple with allowing outside access for staff augmentation uses, but firms in verticals such as food manufacturing now have technology experts that must remotely log into their systems to access, troubleshoot and fix issues due to the rise of cloud.
The biggest risks associated with non-workforce identities center on gaining visibility into exactly who has access to corporate information and how ad hoc vendors can be quickly authenticated at scale for one-time use, Feldman says. These outside parties need an easy and passwordless way to self-register with full control and visibility over what they're doing through session recording and isolation, he says.
"More and more organizations are allowing the business to pick the tools and applications that are good for the business, which means that there's a proliferation not only of identities but of technologies," Feldman says. "Industries are having a tough time finding good staffing, so they go to vendors, contractors, managed service providers and supply chain."
4. Need for Just-in-Time Access
Workloads such as containers are increasingly running for only short periods of time before bursting, and third-party applications often need brief periods of access to carry out their mission, such as a travel app needing to record the purchase of airline tickets, Mokady says. For this reason, least privilege rules, such as granting users and apps elevated privileges for the minimum time necessary, are more important.
The expansion of privileged identities means that not only database administrators but also workers in departments such as human resources and finance will need elevated privileges to carry out certain job functions, Mokady says. Regular users and machine identities will now need intelligent privilege controls to provide seamless access to resources without jeopardizing security, according to Mokady.
Organizations can put additional controls in place, such as isolating or recording the session if, for instance, a human resources employee begins accessing or manipulating salary data.
5. Secrets Management
Developers working natively on Amazon Web Services can now use CyberArk's vaulting infrastructure to manage and secure keys and credentials without taking away from the user experience. Going forward, CyberArk will extend the ability for developers to work natively while having the credentials centrally managed and applied to the other public cloud providers in the future, Mokady says.
Secrets Hub allows AWS developers to centrally manage secrets in CyberArk's vault while continuing to work with cloud-native assets, Mokady says. CyberArk's secrets management is focused on helping customers secure their nonhuman identities as the number of applications with credentials increases, Mokady says.
6. Cloud Privilege Security
The rise of new infrastructure and platforms means that IT, cloud engineers, cloud architects and cloud operations personnel now need privileged access to the cloud management console to manage all of the cloud services that are being rapidly spun up with automation. Shared or generic service accounts often won't cut it since there are specific regulations the public cloud providers have in place, Feldman says.
Companies should start by understanding the entitlements that are available in their cloud environment in terms of identities, roles and permissions, and then analyze what permission are actually being used in real life and remove permissions that are considered excessive, Feldman says. Companies must gain visibility into how often roles are being used and eliminate access to those that aren't being accessed.
Many businesses start by broadly granting users permissions to assets in the cloud and then remove or restrict access if the user hasn't accessed that asset in the first couple of months, Feldman says. This is similar to the approach CyberArk has taken with its endpoint privilege manager product, and it ensures that true least privileged access is being enforced based on the behavior of the user themselves.
7. Secure Web Sessions and More
Secure web sessions were introduced a few months ago, allowing sessions in SaaS applications such as Workday, Salesforce and Okta to be recorded and isolated with analytics generated and just-in-time access provisioned, Feldman says. While the application of privileged access controls is taking place behind the scenes, users continue to log in with single sign-on and have an unchanged experience.
Just-in-time access must also be extended to cloud services and infrastructure to ensure that access isn't left on the machines after developers, cloud engineers, cloud architects or cloud operations personnel finish their work for the day. Multifactor authentication should be required for accessing cloud services, and any changes in behavior or access should be flagged to ensure nothing abnormal is happening.
The ability to record web sessions is accompanied by new password management capabilities for business units within an organization, Mokady says. This streamlines and secures the process by which the marketing department stores its Facebook and Twitter passwords, human resources manages its password for ADP, and finance manages its passwords for banking apps, Mokady says.
8. Software Supply Chain Security
CyberArk Innovation Labs is working on a project to alert and prevent malicious activities such as identity misconfigurations across the software development pipeline that's currently has the codename Anun. The project is focused on DevSecOps and comes 19 months after the world learned of Russian hackers injecting trojanized code into SolarWinds' Orion to infiltrate businesses and government agencies.
Mokady says CyberArk benefits from understanding how adversaries propagate attacks and wants to make it easier for organizations to find and detect if their supply chain has been poisoned at all. A deep understanding of how the DevOps pipeline works and how attackers are landing and propagating is the basis for CyberArk's secrets management tool and determining whether the code base can be trusted.
"There was a big investment in machine learning capabilities, because you have to process a lot of changes to be able to find that needle of inserted malicious code," Mokady says. "One of the biggest investments that we're making on the identity security side is really amplifying the machine-learning capabilities of our solution."
9. From Privileged Access to Identity Management
CyberArk's vision goes beyond simply bringing privileged access and identity management together, and the company is applying the concepts behind privileged control onto every single identity in an organization, Feldman says. The company is looking to solve new problems with a modern approach by applying flows and other basic identity concepts into situations that involve high-risk access, he says.
Mokady says what sets CyberArk apart from companies that began in the identity and access management space looking to get into privileged access management is that airports, banks and governments already trust CyberArk to secure the keys to their kingdom.
Identity management companies were historically trusted with more lightweight scenarios around maximizing ease of access for the broader employee base, Mokady says.
Identity platform Okta announced in spring 2021 that it would debut a privileged access product in early 2022, bringing the company into direct competition with CyberArk and BeyondTrust. Okta CEO Todd McKinnon said in June that the company had decided to add a few more features to its server access management product, delaying the launch of Okta's inaugural privileged access management product by a couple of quarters.