We, from senhasegura, a provider considered Challenger by Gartner in its Magic Quadrant for PAM 2020 report, are proud to announce that we have also received the Customer’s Choice seal by Gartner in the Voice of the Customer: Privileged Access Management report. This seal is a recognition for the providers best evaluated by verified users, and endorses our commitment to developing the best PAM solution on the market, with our customers as the driving force behind our work. To ensure a fair and reliable evaluation, Gartner uses a rigorous methodology to consider the aspects analyzed by users.

Gartner considers Privileged Access Management solutions, or simply PAM, as tools that help organizations provide privileged access to critical assets and achieve compliance requirements by managing and monitoring privileged accounts and access. The functionalities of a PAM tool range from the discovery of privileged accounts in systems, devices, and applications to the isolation, monitoring, recording, and auditing of sessions, commands, and privileged access actions.

Since its creation in October 2015, Gartner Peer Insights has received over 350,000 reviews in more than 350 industries. The Voice of the Customer report summarizes reviews from the evaluation platform to assist IT leaders in choosing the best tools according to their organizations’ needs. These reviews complement Gartner’s assessment methodology and have an important influence on the decision-making process, considering the users’ experiences in implementing and operating the solutions.

To be considered in the report, providers must have obtained 10 or more reviews during the eligible submission period, which is usually 1 year. According to the Voice of the Customer 2021 report, Gartner Peer Insights has published 924 reviews in the period ended in November 2020. It is worth remembering that reviews from customers with less than USD 50 million in revenues are excluded from the methodology adopted by Gartner. In the period evaluated, senhasegura has received 54 reviews with an average score of 4.8, the second-highest review in the PAM market. It is worth mentioning the Service and Support aspect, also with a 4.8 score. Besides, 96% of our customers recommend the senhasegura Security platform.

Some testimonials from senhasegura’s users on the Gartner Peer Insights platform include:

“Excellent PAM (tool) for DevOps and Secrets Management, Fast deployment, and great Support. – Portfolio and Program Management for a client with sales between USD 250M and 500M.

The solution is very flexible and scalable. It has integrated very well into our DEVOPS CICD environment composed mainly of Kubernetes, Docker, Jenkins, and Gitlab. The architecture adopted was a 3-node active-active cluster in our AWS account, as we had a large number of applications depending on it. Also, the integration with AWS Watch gave us real-time PAM on ephemeral servers. The secret discovery tool helped us to have visibility of secrets in the pipeline and allowed us to rotate them during the application deployment stage without having to refactor each application in the first place”

For another customer with a turnover of more than USD 1 billion, senhasegura “allows a PAM approach to IT and OT environments for industry 4.0”.

Finally, one more satisfied customer, from the telecommunications and billing area with earnings between USD 3 and 10 BI, considers that “senhasegura’s intuitive wizards and all-in-one architecture facilitate deployment, even in a complex telecommunications company scenario, including high availability (HA) and disaster recovery (DR). The tool is also adherent to local and cloud environments and integrates seamlessly with our infrastructure with various vendors and technologies, including legacy devices.”

Among the 14 providers considered in the Voice of the Customer report, those who obtain a higher score than the market average, evaluated by more than 50 customers during the eligible period, receive the Customer’s Choice seal. Also, customer reviews must be represented in different segments, sizes, and regions. For Gartner, this is a way to recognize both the most satisfied PAM customers and the solutions offered by providers.

Once again we reinforce our pride in being listed in the Gartner Voice of the Customer report and receiving the Customer’s Choice seal. To find out more about what our customers have to say about senhasegura, and if you also want to leave your testimonial, visit our page on Gartner Peer Insights.

Disclaimer

Gartner Peer Insights Customers’ Choice constitutes the subjective opinions of individual end-user reviews, ratings, and data applied to a documented methodology. They do not represent opinions, nor do they constitute an endorsement by Gartner or its affiliates.

Gartner does not endorse any vendor, product, or service depicted in their research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner’s research publications consist of the research organization’s opinions and should not be construed as statements of fact. Therefore, Gartner disclaims all warranties, express or implied, concerning this research, including any warranties of merchantability or fitness for a particular purpose.

Privileged credentials are spread across the infrastructure of organizations of all sizes and types. Through them, it is possible to take a series of administrative actions, such as significant changes in assets and critical systems as Domain Admin servers or ERP systems. No wonder one can also call them “keys to the kingdom”.

And ensuring the security of these “keys” and privileged access is not an easy task for those responsible for Information Security. And taking into account the latest news of data leaks, not just IT teams but all organizational leaders are aware of the risks associated with privileged credentials and how such risks are considered to be part of the business strategy.

It is also worth remembering that, driven by the shift to decentralized models, we saw a boom of cloud-based approaches. For this reason, according to Gartner, more than half of global companies that already use Cloud will adopt a 100% Cloud-based strategy by 2021. In addition, the increase in connected devices as a result of the expansion of IoT, Industry 4.0 (also called Industrial IoT), DevOps, and other digital transformation initiatives has also increased the number of connected devices and privileged credentials. Many of these credentials are not associated with people and are called service accounts. As they are not associated with a user, in most cases, these accounts are not properly managed and monitored by the security teams, which increases the risk of being exploited by malicious attackers.

And for those who think cyberattacks are limited to large organizations, 28% of these attacks were performed against small and medium-sized businesses, according to the Data Breach Investigation Report from 2020. Also, research by the National Cyber Security Alliance has found that 60% of these companies shut down within 6 months after a cyberattack.

Regarding cyberattacks, some of the biggest and most recent ones involved the lack of proper protection for privileged credentials. The attack on SolarWinds, for example, came to show us the need to ensure the security of these credentials. This is because, by obtaining improper access to the infrastructure through malware, malicious attackers were able to move laterally through the infrastructure via compromised privileged credentials.

Thus, the goal of Privileged Access Management is to assist organizations to protect, control, manage, and monitor privileged access to critical assets. Therefore, by centralizing the management of privileged credentials in one place, a PAM solution is able to ensure the maximum level of security, controlling access and monitoring suspicious activities.

Gartner considers Privileged Access Management so important that it chose this market as the number one security project for two years in a row in its publication Top 10 Security Projects. And to address the Privileged Access Management scenario, Gartner has released the Competitive Landscape: Privileged Access Management report, prepared by its researcher Swati Rakheja.

And with the increase in PAM adoption, mainly through SaaS deployments, privileged credential management solutions, which were previously limited only to global organizations, are now also reaching small and medium-sized companies. Also according to Gartner’s report, the PAM market will continue to experience great adoption, expecting a compound annual growth (CAGR) of 10.7% between 2020 and 2024, reaching the size of USD 2.9 billion in 2024.

Considering that PAM use cases are evolving along with the capabilities and functionality of the solutions, and in order to continue to serve this large and promising market, PAM providers must reassess their strategic positioning in the market by offering new features to meet the needs of organizations of all sizes.

Some of the basic functionalities of a PAM solution, according to Gartner, include everything from credential discovery, onboarding, and management through password vaulting and rotation to privileged access governance and recording and auditing capabilities, such as privileged activity logging and reporting.

While small and medium-sized companies are starting their PAM implementations with these basic functionalities, global organizations are including advanced PAM use cases, which cover, for example, Just-in-time, or JIT access. When using JIT approaches, the solution performs access provisioning based on time of use, reducing the attack surface and the risks of attacks that exploit privileged credentials.

Also, functionalities based on Artificial Intelligence and Machine Learning, Privileged Task Automation, or PTA, and privileged session auditing are also included in the list of advanced PAM functionalities.

Other emerging needs in the PAM market are access management in multi-cloud and DevOps environments, including CI/CD automation and secrets management.

It is important to note that this difference in the use of PAM features also extends to geographic regions: while emerging markets such as Asia-Pacific and Latin America are still implementing basic Privileged Access Management features, more mature markets such as the European and North American already consider and implement more advanced use cases.

Finally, Gartner’s report presents the competitive profile of the main provider within the PAM market, including senhasegura. In this profile, Gartner brings information such as the product or portfolio overview and how the provider competes in the market.

Regarding senhasegura, Gartner highlighted our PAM offer based on the privileged access life-cycle, considering the Before-During-After approach. This life-cycle includes aspects from the discovery of assets, credentials, and digital certificates to the visibility of actions performed in the environment, allowing the organization to cover all aspects associated with the protection of credentials and privileged access.

As a competitive advantage of senhasegura, Gartner mentions Keystroke Dynamic Identity, or KDI. Based entirely on Artificial Intelligence and Machine Learning, KDI allows the continuous verification of the user’s identity through behavioral biometrics. Gartner also shows that senhasegura has been highly praised by its users for its ease of use and quick installation, not to mention its intuitive and user-friendly interface.

The year 2021 has arrived, and organizations of all types and sizes are continuing their efforts to adapt their workforce to the new work reality imposed by the Covid-19 pandemic. People, who were previously working using corporate devices and infrastructure within its security perimeters, have been forced to quickly change their approach, now working from their homes and accessing the same resources as before lockdowns. And according to Cisco research published in the Future of Secure Remote Work report, even with the introduction of a vaccine against the coronavirus, IT decision-makers believe that a significant part of this workforce will continue to operate remotely, thereby accelerating the move to Cloud-based models and their projects linked to digital transformation.

Many companies, however, did not have the adequate infrastructure to support a huge number of people working from their homes, let alone to ensure that sensitive data was not exposed. The change introduced by the pandemic has created a strong demand for digital solutions, bringing an important mission for the Information Security teams: not only to protect the company, its employees, and customers but also to guarantee business continuity. A Promon survey of 2,000 remote workers provides some worrying data: almost two-thirds of them had not received any cybersecurity training in the past 12 months. Besides, 77% of them are not concerned with data security while working from their homes. It is worth remembering that data protection laws provide for heavy sanctions in case of data leaks. If the personal data of Brazilians are leaked, for example, a company is subject to fines that can reach 2% of revenues or 50 million reais.

In this context, the Covid-19 pandemic also brought new attack vectors to this entire remote workforce. With so many people using insecure devices and networks to perform their daily activities, malicious attackers saw an opportunity to exploit security gaps introduced by this form of work. Also according to the Cisco report, 61% of decision-makers have reported an increase of 25% or more in cyber threats since the pandemic began in March 2020. And for those who think cybersecurity is something that concerns only global organizations, this increase in threats is also reported by small (55%) and medium-sized (70%) companies. But what aspects should Information Security leaders consider in order to guarantee the security of data transmitted via unprotected devices and networks?

Virtual Private Network, or VPN – as a basic tool in the kit of those who want to guarantee data security, VPNs are old known to IT teams. In addition to the function of avoiding geographical restrictions, the use of these tools also improves privacy on the internet. Also, a VPN allows you to encrypt all internet traffic through devices;

Wi-Fi, or Wireless Connections – most Wi-Fi networks are secure in some way. However, when outside their workspaces, employees should be aware that using public wireless networks is one of the preferred targets for malicious agents to spy on internet traffic and collect sensitive data

Home Routers – many people do not change the passwords for their home routers when they are installed, which increases the risk of falling victim to a cyberattack. To prevent any malicious attacker from having access to the home network and thus gaining improper access to critical data, the first step includes changing the router’s password. Also, it is interesting to encourage employees and third parties to check and install device firmware updates.

Passwords – In these times, it is more important than ever that your passwords are properly protected. Unfortunately, many people use the same password for multiple-service access credentials, both personal and corporate. This means that if a malicious attacker has access to a compromised password, it will be much easier to gain access to other services, including corporate accounts. Therefore, it is recommended to use a PAM solution to manage these privileged credentials.

Multi-Factor Authentication – often, strong passwords are not enough to protect systems from unauthorized access. If a criminal has access to a credential compromised in a data leak, it is not difficult to compromise other user accounts. Thus, by using multi-factor authentication, such as confirmation via an OTP (One-Time Password) generated by an application or SMS, it is possible to add an extra layer of protection to user accounts;

Backups – all user files must be configured to be backed up, preferably in a cloud-based environment. If there is a cyberattack through malware, such as ransomware, and the data is not properly saved, it is not possible to recover it without paying a ransom, which can directly affect the victim’s activities and even the business continuity;

Phishing – in addition to investing in cybersecurity solutions, it is also necessary to train employees appropriately to learn how to deal with phishing attempts or other social engineering-based attacks by malicious attackers to gain improper access to systems. One way to address this problem is to alert employees how to detect suspicious emails from unknown senders, especially if it involves any user action, such as clicking a link or opening an attachment. Even messages received from trusted senders must be considered and verified before they are opened.

As remote work becomes more and more common, companies of all sizes need to implement infrastructure in addition to the appropriate policies to minimize their exposure to cybersecurity risks. The list we presented here is a good start to give an idea of what should be considered in order to create an adequate policy to ensure the protection of the remote workforce. In this way, it is possible to reduce the risks of cyberattacks and avoid heavy penalties from data protection laws, which can affect the trust of employees, partners, suppliers, and even business continuity.

Risk management quantifies and qualitatively describes the risk of Information Security, allowing companies to prioritize risks according to their severity and thus ensure business continuity. 

Risk management determines the value of an information asset, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effects on the identified risks, determines the potential consequences, and finally prioritizes them.

After this definition, how is it possible to develop a strategy for risk management within a company? What are the main risks associated with Information Security? Also, find out what High Availability and Contingency has to do with risk management and what are their main differences in keeping your system secure.

Keep reading this article and learn how risk management in information security can contribute to your business continuity.

How does Information Security Risk Management work?

Risk management in information security is the process associated with the use of information technology. It involves identifying, assessing, and addressing risks to the confidentiality, integrity, and availability of a company’s assets.

The ultimate goal of this process is to address risks according to a company’s risk tolerance. Companies should not expect to eliminate all risks. Instead, they should seek to identify and achieve an acceptable level of risk for business continuity.

How to develop an Information Security Risk Management strategy?

Managing risks is an ongoing task, and your success will depend on how they are assessed, plans are communicated, and functions are maintained. Identifying the people, processes, and technologies required to help you deal with the steps below will develop a solid foundation for a risk management strategy and program in your company, which can be developed over time.

Identification

This stage is the process of identifying your digital assets that can include a wide variety of information: confidential company information, such as product development and trade secrets; Personal data that can expose employees to cybersecurity risks, such as identity theft regulations. Another example is those companies that handle credit card transactions and need PCI-DSS compliance.

Assessment

This is the process of combining the information you have gathered about assets, vulnerabilities, and controls to define risks. There are many structures and approaches to this.

Treatment

Once a risk has been assessed and analyzed, the company will need to select the risk treatment options. In this scenario, companies can accept the risk or prevent it.

Communication

Regardless of how risk is handled, the decision needs to be communicated within the company. Stakeholders need to understand the costs of whether or not to address risk and the reason behind such a decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the company to ensure that the right people are engaged at the right times in the process.

Main risks associated with Information Security

Security risks are inevitable, so the ability to understand and manage risks for systems and data is essential to a company’s success. 

If you are able to address the risks below and respond effectively to security incidents, you can find out how to better resist cyber threats and reduce potential risks in the future.

Privilege Abuse

In most technology environments, the principle of least privilege is not valid. There are many reasons why privileges greater than necessary have been granted to a user.

Granting excessive permissions is problematic for two reasons: approximately 80% of attacks on corporate data are actually performed by active or dismissed employees. Privileges excessively granted or not revoked at the right time make it simple for someone to perform malicious actions.

Third-party Access

A number of third parties, including suppliers, contractors, consultants, and service providers have access to network resources, which allows them to modify, replace, or impact your company’s operational service. This access is considered privileged and needs to be even more protected than the access by an employee.

Companies apply efforts to protect their networks, but forget about third-party access security controls. These controls can protect third-party access to privileged credentials, as well as strengthen security aspects that are normally exploited by attackers to gain access to the corporate network.

Insider Threats

When it comes to data breaches, employees themselves can be one of the biggest risks to an organization. These threats can be: accidental, when personnel is only poorly trained; negligent, when employees try to bypass implemented policies; or malicious (the most dangerous), when an employee is motivated by financial gains, espionage, or revenge.

HA (High Availability) and DR (Disaster Recovery / Contingency) as metrics for Risk Management

Any good system these days must be built to expect the unexpected. No system is perfect and, at some point, something will happen that will cause a system to malfunction (a fire, a hurricane, an earthquake, human error – the list goes on). Since systems can fail in different ways, they need to be designed with the expectation that a failure will occur.

Thus, there are two related, but generally confusing, topics that work on the system architecture that mitigate failures: high availability (HA) and disaster recovery (DR).

High availability simply eliminates single points of failure, and disaster recovery is the process of putting a system back into an operational state when it goes down. In essence, disaster recovery is triggered when high availability fails.

Fundamentally, high availability and disaster recovery have the same goal: to keep systems up and running in an operational state. The main difference is that high availability is designed to deal with problems when a system is running, while disaster recovery must deal with problems after a system failure.

Regardless of a system’s high availability, any system in production, no matter how trivial, needs to have some kind of disaster recovery plan in place. And this should be included in your information security risk management strategy.