Last week, a U.S. federal government employee and Air National Guardsman named Jack Teixeira was alleged to have exploited his Top Secret clearance and leaked dozens of internal Pentagon documents to a Discord server, including sensitive information related to the Russia-Ukraine war.
The breach is a textbook malicious insider attack: a privileged user with legitimate access decides to exfiltrate valuable information. It also underlines that organizations need to operate on the assumption that any employee or contractor could decide to leak data assets at any time.
In fact, research shows that insider threats are common. Cyberhaven found that nearly one in 10 employees (9.4%) will exfiltrate data over a six-month period, with customer data (44.6% of incidents) and source code (13.8%) being the most commonly leaked assets.
"Privileged users often maintain an overabundance of standing access to critical systems and sensitive data, which, if excessive or unnecessary, can expose organizations to data leaks," said Geoff Cairns, Forrester principal analyst. For that reason, "identity management is critical to preventing identity sprawl and enforcing the principle of least privilege."
However, according to Accel-backed data security startup Veza, security teams need to go well beyond identity management to mitigate the risks posed by malicious insiders; they need granular visibility into the human and machine identities across the enterprise and into what data those identities can actually access.
Unveiling the identity-to-data relationship
Traditional identity management is about establishing a process for authenticating users before they can access assets. While this is essential to enterprise security, it does not by itself show what data a user can reach, particularly when the average user has more than 30 digital identities.
"We call it the identity iceberg," said Tarun Thakur, CEO of Veza, in an exclusive interview with VentureBeat. "This observation that we've had since we founded the company is really the problem statement of who has access to what and what can they do? Organizations don't have an answer to that question."
With modern enterprises maintaining an average of 254 applications, it is difficult to achieve granular visibility into the specific data assets a given identity or account can access.
"Using Nike as an example," Thakur began, "we can see [for example a user named] Gillian belongs to Nike, and our username Gillian or Gillian@nike.com. But what can Gillian do? What can she read? What can she delete? What can she update?"
Veza's answer to the data visibility problem was to build an AI/ML model engine that ingests role-based access control (RBAC) metadata from hundreds of apps and assembles it into an identity threat graph.
The graph exposes the identity-to-data relationship: for each human or machine identity, which assets it can reach and which actions it can perform on them (for example, whether it holds read or write permission). Once this is known, security teams can manage authorization and app permissions from a single place and reduce their organization's exposure to malicious insiders.
This approach differs from traditional identity management tools such as SailPoint and Okta in that it centers on surfacing the relationship between identities and data access and defining controls on it, rather than on hardening the identity perimeter against threat actors with single sign-on (SSO) or adaptive, risk-based authentication.
The role of privileged access management
Mapping human and machine identities is only one step on the road toward enforcing zero-trust access at the data level; organizations also need to implement access controls that minimize the risk of data leakage. That starts with what Michael Kelley, senior director analyst at Gartner, calls "the principle of least privilege."
The principle of least privilege means that "only the right person has the right level of access, for the right reason, to the right resource, at the right time," Kelley said. Each employee has access only to the files and resources necessary to perform their function, and nothing more.
Identity-to-data mapping, whether through Veza or another approach, gives organizations a way to see privileges at the data level, so that over-privileged grants are visible and can be revoked rather than remaining ambiguous.
That said, Kelley argues that organizations that want to mitigate account takeover need to go beyond the principle of least privilege: "companies must then mitigate the risk of privileged accounts through PAM [privileged access management] practices," he said.
In practice, that means discovering which accounts hold privilege, identifying the people or machines that can reach those accounts, and then establishing the level of access each account actually holds.
Once these high-value privileged accounts are identified, they can be locked in a single vault with a PAM solution. Authorized users then check the account out to access data assets while the security team audits and monitors their sessions for harmful activity such as data exfiltration. Monitoring detects misuse rather than preventing it, which is why vaulting is usually paired with time-limited, just-in-time checkout of privileged credentials so that standing access is removed.
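The two procedures above, building an identity-to-data graph from RBAC metadata and then using it for privileged-account discovery, can be shown in a small model. The following is an added example, not Veza's code or any vendor's product: it flattens constructed exports (an identity provider's group membership, a set of role bindings, and a role-to-permission grant table) into one graph, resolves each identity's effective access with an explainable path, runs the reverse "who can delete this asset" query PAM discovery needs, and compares effective access against a job-need baseline to flag over-privilege. All principals, groups, roles and resources here are made up; the `example.com` users and the `svc-ci-deploy` service account are hypothetical.

```python
"""Identity-to-data authorization graph built from RBAC metadata.

Added example, not Veza's code. The metadata below is constructed to stand in
for exports from an identity provider (users, groups), a cloud IAM binding list
and a database grant table. Every identifier here is hypothetical.
"""
from collections import defaultdict, deque

# Constructed sample metadata (not real data).
MEMBERSHIP = {                      # principal -> groups it belongs to (IdP export)
    "gillian@example.com": ["eng", "oncall"],
    "raj@example.com": ["eng"],
    "svc-ci-deploy": ["ci"],        # machine identity (service account)
    "priya@example.com": ["finance"],
}
ROLE_BINDINGS = {                   # group -> roles it assumes (cloud IAM / DB grants)
    "eng": ["repo-reader"],
    "oncall": ["prod-db-admin"],
    "ci": ["repo-writer", "prod-db-admin"],
    "finance": ["crm-reader"],
}
ROLE_GRANTS = {                     # role -> (resource, action) pairs
    "repo-reader": [("source_code", "read")],
    "repo-writer": [("source_code", "read"), ("source_code", "write")],
    "prod-db-admin": [("customer_db", "read"), ("customer_db", "update"),
                      ("customer_db", "delete")],
    "crm-reader": [("customer_db", "read")],
}
SENSITIVE = {"customer_db", "source_code"}   # the asset types most often leaked
PRIVILEGED_ACTIONS = {"write", "update", "delete", "admin"}


def build_graph():
    """Flatten the three exports into one adjacency map: node -> [(edge_label, node)]."""
    g = defaultdict(list)
    for principal, groups in MEMBERSHIP.items():
        for grp in groups:
            g[principal].append(("member_of", grp))
    for grp, roles in ROLE_BINDINGS.items():
        for role in roles:
            g[grp].append(("assumes", role))
    for role, grants in ROLE_GRANTS.items():
        for resource, action in grants:
            g[role].append((action, resource))   # edge label is the action itself
    return g


def effective_access(g, principal):
    """BFS from a principal; returns {resource: {action: path}} so each grant is explainable."""
    result = defaultdict(dict)
    queue = deque([(principal, [principal])])
    seen = {principal}
    while queue:
        node, path = queue.popleft()
        for label, nxt in g.get(node, []):
            if label in ("member_of", "assumes"):      # structural edge: keep walking
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
            else:                                       # terminal permission edge
                result[nxt].setdefault(label, " -> ".join(path + [nxt]))
    return dict(result)


def who_can(g, resource, action):
    """Reverse query for PAM discovery: every principal able to perform action on resource."""
    return sorted(p for p in MEMBERSHIP
                  if action in effective_access(g, p).get(resource, {}))


def privileged_principals(g):
    """Principals (human or machine) holding a privileged action on a sensitive asset."""
    out = {}
    for p in MEMBERSHIP:
        hits = [(r, a) for r, acts in effective_access(g, p).items()
                if r in SENSITIVE for a in acts if a in PRIVILEGED_ACTIONS]
        if hits:
            out[p] = sorted(hits)
    return out


def least_privilege_violations(g, needed):
    """Compare effective access with what each principal's job actually requires."""
    violations = {}
    for p, need in needed.items():
        have = {(r, a) for r, acts in effective_access(g, p).items() for a in acts}
        extra = have - need
        if extra:
            violations[p] = sorted(extra)
    return violations


if __name__ == "__main__":
    g = build_graph()
    for resource, actions in effective_access(g, "gillian@example.com").items():
        for action, path in actions.items():
            print(f"gillian can {action} {resource} via {path}")
    print("can delete customer_db:", who_can(g, "customer_db", "delete"))
    print("privileged:", privileged_principals(g))
    # Constructed job-need baseline: Gillian's role needs read on source_code only.
    print("over-privileged:", least_privilege_violations(
        g, {"gillian@example.com": {("source_code", "read")}}))
```

The point of keeping the path on every resolved grant is that the answer to "what can Gillian delete?" is useless for remediation without knowing which group-to-role hop conferred it; here the `oncall` membership, not her engineering role, is what reaches `customer_db`. The service account shows up in the same query as the humans, which is the machine-identity coverage the article calls for.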
The decision on whether to invest in identity management, PAM, identity-to-data mapping, or some combination should be driven by an organization's specific needs.
For cloud-native organizations or those operating in a hybrid cloud environment, automated mapping is essential for gaining visibility over the human and machine identities spread across a decentralized environment, as is enforcing authorization controls at the data level.