Interview: CyberArk EMEA chief on how government has become a security leader
PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right
Credit: Dominic Lipinski/PA Archive/Press Association Images
The technological transformation that has taken place across the public sector in recent years has brought major benefits for both government and citizens.
But the digitisation of services and platforms has also placed significant additional demands on those charged with securing them and the data they process.
“Government departments that handle finance are increasingly like financial services organisations, and face the same threats and challenges,” says Rich Turner, senior vice president for EMEA at privileged access management vendor CyberArk. “As we see digital government become real, it becomes incredibly important to protect the pathway to what one might argue are some of the most important pieces of private information that exist. Criminals place a high value on citizen data and the like, meaning investment into the digital transformation of government necessitates a hand-in-hand investment in security.”
Having been founded four months before the turn of the century, CyberArk now has more than two decades of experience in securing such data. But the ways in which it does so have changed over the years; the company began life “focused on protecting data by placing it in a digital vault”.
“As the business grew, we recognised this challenge of managing privilege within organisations,” Turner adds. “Because we started to see threat actors leveraging privileges to move around networks and gain greater access control – ultimately getting to the point that they can take over a network entirely.
“And none of what you might call the perimeter defence technologies were seemingly very effective in stopping these sorts of attacks because, to many of those technologies, a credential is a credential: if the username and password checks out, and it looks like you are doing something that, on the face of it at least, you are authorised to do, then the systems are all set up to give you a green light, not a red light.”
Dedicating your entire security strategy to attempting to keep threats from breaching the perimeter of your network could, perhaps, be compared to erecting a tall barbed-wire fence around your property. Effective, up to a point but, if and when someone is inside the fence – whether legitimately so or otherwise – there is very little else that can be done.
A risk-based approach
The privileged access management (PAM) technology in which CyberArk specialises is a form of security more akin to a central bank vault – within which are many individual safes or lockboxes, each of which is also locked from the outside.
In the enterprise IT world, this could equate to the use of multiple cloud consoles, such as Google, Amazon Web Services and Microsoft. PAM allows for the isolation and monitoring of individuals’ access to these platforms, ensuring employees can use the systems and data required for their role, while restricting access to sensitive areas and allowing administrators to identify any unusual or suspicious behaviour.
The need for PAM and other similar technologies is born out of a requirement for organisations to move from an approach focused solely on prevention, to one that encompasses detection and mitigation as well. There is, inherent in this, an acceptance that you cannot always keep out threats. It is a mindset shift that is proving easier for some than others.
“You are now finding organisations with… pretty sophisticated, pretty significant information security systems – in terms of sort of scale, cost and, to some extent, complexity – still being breached,” Turner says. “People are spending more on information security than we ever have done. Partially because the threat is growing, and partly because the consequences are growing. Yet, if you read the headlines, the breaches are not really getting less frequent, the scale of the attacks are not getting smaller, they're not costing any less money, and people aren't getting back to normal any faster. So, there's got to be something wrong with the paradigm.”
He adds: “And one of the problems is that an entirely defensive security strategy doesn't really work. You've got to take a risk-based approach that applies the right kind of security controls to make sure that, having given somebody access, you can control the things that they do, and that you can apply analytics to their behaviour that allow you to try and identify anomalous or erroneous use of an identity.”
CyberArk’s technology allows organisations to manage all the users of their systems and provide them with the necessary permissions and access to do their job or utilise a service. The behaviour of each user – or identity – can be monitored and analysed. Privilege can be revoked if a user has access beyond what is required for their role or needs, or if anomalous patterns are identified in their usage.
Among the public sector entities to use the firm’s products and services are several major central government departments, as well as law-enforcement and security agencies. Transport is also becoming an increasingly productive market for CyberArk, according to Turner.
PAM technology is a good fit for any organisation that needs to manage access to citizens’ financial data or other sensitive personal information, he adds.
A decade ago, the CyberArk EMEA chief says, government lagged behind other sectors in its adoption of enterprise security – although in part this was because it was also slower to adopt “the working practices that increase threats to the network”.
Getting the basics right
The government may increasingly be helping to lead the way, but both the NCSC and vendors like CyberArk still need to assist many organisations in starting their journey from the very beginning.
“A lot of good security can be achieved with relatively simple measures: effective management of passwords, strong authentication for remote access, use of VPN or other privacy technologies, and good education of your employees,” Turner says. “A lot of this stuff is what you might call the security basics. Yet we continue to see organisations across the private and public sectors – that ought to know better – still making some of these fundamental mistakes. So, I think that the educative stance that the NCSC has taken, along with its proactive communication in recent years, has been very helpful to the improvement of both private sector and government security.”
CyberArk, too, wants to do its part to help public services become more secure, as it looks to expand and deepen its engagement with customers across the sector.
Turner says: “Our business there is growing – and their security is improving as a result.”