Saviynt 2020: Helping orgs manage risk, scale cloud initiatives, and maintain regulatory compliance

Saviynt announced the general availability of their latest platform release, named Saviynt 2020. Designed to support the modern enterprise IT landscape, Saviynt 2020 is already helping 1.6M users at major global organizations manage risk, scale cloud initiatives, and maintain regulatory compliance.

“Enterprise security challenges demand an intelligent, risk-based approach, especially with the drastic changes brought about by the global pandemic,” said Todd Soghier, Director, Identity & Access Management Governance at Marriott International.

“We are continually working to improve our identity posture and Saviynt 2020 has played a vital role in securing our growing identity perimeter, which consists of hundreds of thousands of users and hundreds of applications.”

The rapid acceleration of digital transformation and cloud adoption has created new challenges for today’s modern business. Organizations need cybersecurity support that will empower the reality of today’s work-from-anywhere enterprise and meet the continuous compliance needs for the most highly-regulated industries.

Built upon the principles of zero trust, Saviynt 2020 provides security and governance for complex multi-cloud and hybrid environments.

“The enterprise ecosystem is experiencing a seismic shift, causing businesses across the globe to significantly rethink the ways identity helps them manage risk and security,” said Amit Saha, CEO at Saviynt.

“The reality behind this shift is that identity is no longer just about people. Instead, identity spans workloads, data, bots, and connected devices. Last year, Saviynt introduced a new vision that would simplify the adoption of identity and access technologies.

“Today, we are proud to deliver on that promise through Saviynt 2020: a fully-featured, unified platform that brings together identity governance, privileged access management, application access governance and data access governance.”

Saviynt 2020 is designed to be adaptable and solve evolving business requirements. Eliminating the need for multiple products and vendors, the platform can govern and administer all access, privileged or standard, within hybrid applications such as Microsoft 365, Workday and Salesforce, to cloud infrastructure assets from Amazon Web Services, Microsoft Azure, Google Cloud Platform and more.

Customers will benefit from the following capabilities:

  • Accelerated uniformity: To support rapidly growing human and machine identities, Saviynt 2020 offers enhanced capabilities around guest access management, BOT access governance, operational technology integration, application and privileged workload discovery, as well as a revamped application onboarding experience that includes an RPA Bot for last mile identity automation.
  • Intelligent identity: Risk-based intelligent identity helps drive greater efficiency and productivity throughout the entire identity lifecycle. Saviynt 2020 simplifies a once-complicated journey with contextual risk insights and automated decision-making capabilities, all powered through AI and machine learning. These new capabilities reduce an organization’s risk profile by guiding better security decisions and automating or speeding-up many identity-related tasks.
  • Continuous zero trust: Addressing the new identity perimeter evident in organizations, Saviynt 2020 improves security posture in the new age of work-from-anywhere. Offering the ability to simplify and streamline dynamic access management, customers will gain a 360-degree view of risk so that they can prevent data breaches and insider threats, all through a cloud-agnostic approach.
  • Frictionless access: Productivity and simplicity in mind, Saviynt 2020 is designed to reduce friction with an all-new intuitive user experience. Saviynt now makes it easy to request access via ServiceNow, within a user’s browser, or via a mobile app to help drive the adoption necessary to maintain a modern, secure identity perimeter.

“Saviynt has emerged as one of the leading providers of intelligent identity management, innovating well beyond key legacy players with an already established position in the market,” said Richard Hill, analyst at KuppingerCole.

“Saviynt’s strength, however, comes as a result of its cloud-native, converged approach to enterprise identity. With the release of Saviynt 2020, enterprise organizations will continue to benefit from an integrated risk-based, intelligent approach to IGA and Access Governance, for both on-premises and cloud-based instances.”

Preventing cybersecurity’s perfect storm

Zerologon might have been cybersecurity’s perfect storm: that moment when multiple conditions collide to create a devastating disaster. Thanks to Secura and Microsoft’s rapid response, it wasn’t.

Zerologon scored a perfect 10 CVSS score. Threats rating a perfect 10 are easy to execute and have deep-reaching impact. Fortunately, they aren’t frequent, especially in prominent software brands such as Windows. Still, organizations that perpetually lag when it comes to patching become prime targets for cybercriminals. Flaws like Zerologon are rare, but there’s no reason to assume that the next attack will not be using a perfect 10 CVSS vulnerability, this time a zero-day.

Zerologon: Unexpected squall

Zerologon escalates a domain user beyond their current role and permissions to a Windows Domain Administrator. This vulnerability is trivially easy to exploit. While it seems that the most obvious threat is a disgruntled insider, attackers may target any average user. The most significant risk comes from a user with an already compromised system.

In this scenario, a bad actor has already taken over an end user’s system but is constrained only to their current level of access. By executing this exploit, the bad actor can break out of their existing permissions box. This attack grants them the proverbial keys to the kingdom in a Windows domain to access whatever Windows-based devices they wish.

Part of why Zerologon is problematic is that many organizations rely on Windows as an authoritative identity for a domain. To save time, they promote their Windows Domain Administrators to an Administrator role throughout the organizational IT ecosystem and assign bulk permissions, rather than adding them individually. This method eases administration by removing the need to update the access permissions frequently as these users change jobs. This practice violates the principle of least privilege, leaving an opening for anyone with a Windows Domain Administrator role to exercise broad-reaching access rights beyond what they require to fulfill the role.

Beware of sharks

Advance preparation for attacks like these requires a fundamental shift in how organizational boundaries are defined, away from a legacy mentality and toward a modern cybersecurity mindset. The traditional castle model assumes all threats remain outside the firewall boundary and trusts, to some degree, everything that is either natively internal or connected via VPN.

Modern cybersecurity professionals understand the advantage of controls like zero standing privilege (ZSP), which authorizes no one by default and requires that each user request access and be evaluated before privileged access is granted. Think of it much like the security check at an airport. To get in, everyone (passenger, pilot, even store staff) needs to be inspected, prove they belong, and have nothing questionable in their possession.

This continual re-certification prevents users from gaining access once they’ve experienced an event that alters their eligibility, such as leaving the organization or changing positions. Checking permissions before approving them ensures only those who currently require a resource can access it.

My hero zero (standing privilege)

Implementing the design concept of zero standing privilege is crucial to hardening against privilege escalation attacks, as it removes the administrator’s vast amounts of standing power and access. Users acquire these rights for a limited period and only on an as-needed basis. This Just-In-Time (JIT) method of provisioning creates a better access review process. Requests are either granted time-bound access or flagged for escalation to a human approver, ensuring human oversight of the automation.

An essential component of zero standing privilege is avoiding super-user roles and access. Old school practitioners may find it odd and question the impact on daily administrative tasks that keep the ecosystem running. Users manage these tasks through heavily logged time-limited permission assignments. Reliable user behavior analytics, combined with risk-based privileged access management (PAM) and machine learning supported log analysis, offers organizations better contextual identity information. Understanding how their privileged access is leveraged and identifying access misuse before it takes root is vital to preventing a breach.

Peering into the depths

To even start with zero standing privilege, an organization must understand what assets they consider privileged. The categorization of digital assets begins the process. The next step is assigning ownership of these resources. Doing this allows organizations to configure the PAM software to accommodate the policies and access rules defined organizationally, ensuring access rules meet governance and compliance requirements.

The PAM solution requires in-depth visibility of each individual’s full access across all cloud and SaaS environments, as well as throughout the internal IT infrastructure. This information improves the identification of toxic combinations, where granted permissions create compliance issues such as segregation of duties (SoD) violations.

AI & UEBA to the rescue

Zero standing privilege generates a large number of user logs and behavioral information over time. Manual log review becomes unsustainable very quickly. Leveraging the power of AI and machine learning to derive intelligent analytics allows organizations to identify risky behaviors and locate potential breaches far faster than human users.

Integration of a user and entity behavior analytics (UEBA) software establishes baselines of behavior, triggering alerts when deviations occur. UEBA systems detect insider threats and advanced persistent threats (APTs) while generating contextual identity information.

UEBA systems track all behavior linked back to an entity and identify anomalous behaviors such as spikes in access requests, requests for data that would typically not be allowed for that user’s roles, or systematic access to numerous items. Contextual information helps organizations identify situations that might indicate a breach or point to unauthorized exfiltration of data.

Your compass points to ZTA

Protecting against privilege escalation threats requires more than merely staying up to date on patches. Part of stopping attacks like Zerologon is to re-imagine how security is architected in an organization. Centering identity as the new security perimeter and implementing zero standing privilege are essential to the foundation of a security model known as zero trust architecture (ZTA).

Zero trust architecture has existed for a while in the corporate world. It is gaining attention from the public sector since NIST’s recent approval of SP 800-207, which outlined ZTA and how government agencies can leverage it. NIST’s sanctification of ZTA opened the doors for government entities and civilian contractors to incorporate it into their security model. Taking this route helps to close the privilege escalation pathway, providing your organization a secure harbor in the event of another cybersecurity perfect storm.

Securing human resources from cyber attack

As COVID-19 forced organizations to re-imagine how the workplace operates just to maintain basic operations, HR departments and their processes became key players in the game of keeping our economy afloat while keeping people alive.

Without a doubt, people form the core of any organization. The HR department must strike an increasingly delicate balance while fulfilling the myriad of needs of workers in this “new normal” and supporting organizational efficiency. As the tentative first steps of re-opening are being taken, many organizations remain remote, while others are transitioning back into the office environment.

Navigating the untested waters of managing HR through this shift to remote and back again is complex enough without taking cybercrime and data security into account, yet it is crucial that HR do exactly that. The data stored by HR is the easy payday cybercriminals are looking for and a nightmare keeping CISOs awake at night.

Why securing HR data is essential

If compromised, the data stored by HR can do a devastating amount of damage to both the company and the personal lives of its employees. HR data is one of the highest risk types of information stored by an organization given that it contains everything from basic contractor details and employee demographics to social security numbers and medical information.

Many state and federal laws and regulations govern the storage, transmission and use of this high-value data. The sudden shift to a more distributed workforce due to COVID-19 increased risk: with a large portion of the HR workforce remote, more users need higher access levels across cloud, VPN, and personal networks.

Steps to security

Any decent security practitioner will tell you that no security setup is foolproof, but there are steps that can be taken to significantly reduce risk in an ever-evolving environment. A multi-layer approach to security offers better protection than any single solution. Multiple layers of protection might seem redundant, but if one layer fails, the other layers fill in the gaps.

Securing HR-related data needs to be approached from both a technical and end user perspective. This includes controls designed to protect the end user or force them into making appropriate choices, and at the same time providing education and awareness so they understand how to be good stewards of their data.

Secure the identity

The first step to securing HR data is making sure that the ways in which users access data are both secure and easy to use. Each system housing HR data should be protected by a federated login of some variety. Federated logins use a primary source of identity for managing usernames and passwords such as Active Directory.

When a user signs in with a federated login, the software uses a protocol such as LDAP, SAML, or OAuth to query the primary source of identity, validate the username and password, and confirm that the user has the appropriate rights to access the system. Users then only have to learn one username and password, and the organization can ensure that the password complies with its mandated complexity policies.

The next step to credential security is to add a second factor of authentication on every system storing HR data. This is referred to as Multi-factor Authentication (MFA) and is a vital preventative measure when used well. The primary rule of MFA says that the second factor should be something “the user is or has” to be most effective.

This second factor of authentication can be anything from a PIN generated on a mobile device to a biometric check to ensure the person entering the password is, in fact, the actual owner. Both of these systems are easy for end users to use and add very little additional friction to the authentication effort, while significantly reducing the risk of credential theft: an attacker would have to both compromise a user’s credentials and steal their mobile device or obtain a copy of their fingerprints.

Infrastructure

In today’s world, HR users working from somewhere other than the office is not unusual. With this freedom comes the need to secure the means by which they access data, regardless of the network they are using. The best way to accomplish this is to set up a VPN and ensure that all HR systems are only accessible either from inside of the corporate network or from IPs that are connected to the VPN.

A VPN creates an encrypted tunnel between the end user’s device and the internal network. The use of a VPN protects the user against snooping even if they are using an unsecured network like a public Wi-Fi at a coffee shop. Additionally, VPNs require authentication and, if that includes MFA, there are three layers of security to ensure that the person connecting in is a trusted user.

Tracking usage

Next, you have to ensure that access is being used appropriately and that no anomalous use is taking place. This is done through a combination of good logging and good analytics software. Solutions that leverage AI or ML to review how access is being utilized and identify usage trends further increase security. The logging solution records usage while the analysis portion helps to identify any questionable activity taking place. This functions as an early warning system in case of compromised accounts and insider threats.

Comprehensive analytics solutions will notice trends in behavior and flag an account if the user changes their normal routine. If odd activity occurs (e.g., going through every HR record), the system alerts an administrator to delve deeper into why this user is viewing so many files. If it notices access coming in through the VPN from IP ranges outside of the expected geographical areas, accounts can be automatically disabled while alerts are sent out and a deeper investigation takes place. These are ways to shrink the scope of an incident and reduce the damage should an attack occur.
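As an added example (not from the original post), the three UEBA rules described above and in the zero standing privilege section, run in Python over constructed HR access log lines: a volume spike against the user’s own baseline (walking every HR record), access outside the user’s role, and a VPN source country the user has never used, which disables the account. The log format, the role policy and the thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

SPIKE_FACTOR = 5        # flag when a day's volume exceeds 5x the user's baseline mean ...
MIN_SPIKE_RECORDS = 10  # ... and at least this many records, so tiny baselines do not cause noise

# Hypothetical role policy: which record prefixes (emp-, pay-, med-) each HR role may open
ROLE_POLICY = {"hr_generalist": {"emp"}, "payroll": {"emp", "pay"}, "benefits": {"emp", "med"}}

# Constructed baseline (format: ts|user|vpn_country|role|action|record), a few normal days
BASELINE_LOGS = """\
2020-10-01T09:02:00|jdoe|US|hr_generalist|view|emp-1001
2020-10-01T09:15:00|jdoe|US|hr_generalist|view|emp-1002
2020-10-01T10:40:00|jdoe|US|hr_generalist|view|emp-1003
2020-10-02T09:10:00|jdoe|US|hr_generalist|view|emp-1004
2020-10-02T11:00:00|jdoe|US|hr_generalist|view|emp-1005
2020-10-01T09:00:00|asmith|US|payroll|view|pay-2001
2020-10-02T09:30:00|asmith|US|payroll|view|pay-2002
""".splitlines()

# Constructed day under review: jdoe walks 15 employee records plus a medical record,
# asmith connects through the VPN from a country never seen in the baseline
REVIEW_LOGS = [f"2020-10-05T02:{i:02d}:00|jdoe|US|hr_generalist|view|emp-{1001 + i}"
               for i in range(15)]
REVIEW_LOGS += ["2020-10-05T08:05:00|jdoe|US|hr_generalist|view|med-3001",
                "2020-10-05T08:00:00|asmith|RU|payroll|view|pay-2003"]


def parse(lines):
    """Parse pipe-delimited log lines into event dicts, skipping blank lines."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, country, role, action, record = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "country": country,
                       "role": role, "action": action, "record": record})
    return events


def build_baseline(events):
    """Per-user baseline: mean records touched per active day and the set of VPN countries seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    countries = defaultdict(set)
    for e in events:
        per_day[e["user"]][e["ts"].date()] += 1
        countries[e["user"]].add(e["country"])
    return {user: {"mean_per_day": sum(days.values()) / len(days), "countries": countries[user]}
            for user, days in per_day.items()}


def detect(baseline, events):
    """Return (user, rule, action, detail) tuples; geo deviations disable, the rest alert."""
    alerts, per_day = [], defaultdict(int)

    def add(alert):          # deduplicate repeated findings for the same user and detail
        if alert not in alerts:
            alerts.append(alert)

    for e in events:
        user, base = e["user"], baseline.get(e["user"])
        if base is None:     # no history at all: cannot baseline, so hand it to a human
            add((user, "unknown_user", "alert", e["record"]))
            continue
        if e["country"] not in base["countries"]:
            add((user, "unexpected_geo", "disable", e["country"]))
        if e["record"].split("-")[0] not in ROLE_POLICY.get(e["role"], set()):
            add((user, "out_of_role", "alert", e["record"]))
        per_day[(user, e["ts"].date())] += 1
    for (user, day), count in per_day.items():
        if count >= MIN_SPIKE_RECORDS and count > SPIKE_FACTOR * baseline[user]["mean_per_day"]:
            add((user, "volume_spike", "alert", f"{count} records on {day}"))
    return alerts


def run_demo():
    """Baseline on the normal days, then review the suspicious day."""
    return detect(build_baseline(parse(BASELINE_LOGS)), parse(REVIEW_LOGS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In a real deployment the baseline window would be weeks of logs and the role policy would come from the IGA system, but the decision logic is the same.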

Secure the user

Security awareness training for end users is one of the most essential components of infrastructure security. The end user is a highly valuable target because they already have access to internal resources. The human element is often considered a high-risk factor because humans are easier to “hack” than passwords or automatic security controls.

Social engineering attacks succeed when people aren’t educated to spot red flags indicating an attack is being attempted. Social engineering attacks are the easiest and least costly option for an attacker because any charismatic criminal with good social skills and a mediocre acting ability can be successful. The fact that this type of cyberattack requires no specialized technical skill expands the potential number of attackers.

The most important step of a solid layered security model is the one that prevents these attacks through education and awareness. By providing end users with engaging, thorough, and relevant training about types of attacks such as phishing and social engineering, organizations arm their staff with the tools they need to avoid malicious links, prevent malware or rootkit installation, and dodge credential theft.

No perfect security

No matter where the job gets done, HR needs to deliver effective services to employees while still taking steps to keep employee data safe. Even though an organization cannot control every aspect of how work is getting done, these steps will help keep sensitive HR data safe.

Control over accounts, how they are monitored, and what they are accessing are important steps. Arming the end user directly, with the awareness needed to prevent having their good intentions weaponized, requires a combination of training and controls that create a pro-active system of prevention, early warnings, and swift remediation. There is no perfect security solution for protecting HR data, but multiple, overlapping security layers can protect valuable HR assets without making it impossible for HR employees to do their work.

Saviynt joins the IDSA, helps orgs mitigate risk and achieve regulatory and compliance goals

Saviynt, ranked in the top third of Inc. Magazine’s 5000 fastest growing US companies and a thought leader in converging Identity Governance and Cloud Privileged Access Management solutions, is pleased to announce it has joined the Identity Defined Security Alliance (IDSA) and will participate in forums and events in 2020.

“Saviynt is excited to join the IDSA, helping organizations mitigate risk and achieve their regulatory and compliance goals,” stated Nabeel Nizar, Saviynt’s Senior Vice-President of Products and Solutions.

“Our Identity 3.0 vision drives innovation to help organizations attain greater visibility and near real-time security responsiveness through the holistic convergence of identity governance, application GRC, and privileged access management.

“Using automation and consistent enforcement of security and compliance objectives across multi-cloud, multi-channel and critical hybrid IT assets, we evolve Identity to support cloud-first and digital transformation initiatives.”

The IDSA, a group of identity and security vendors, solution providers, and practitioners, acts as an independent source of education and information on identity-centric security strategies.

Saviynt brings to IDSA its expertise in developing a cloud-native industry-leading Identity Governance and Administration platform and the in-depth, user-centric understanding of Identity which helps organizations pro-actively address compliance and reduce risk through visibility and intelligent analytics.

“Our involvement with IDSA allows Saviynt to collaborate with alliance members to build smarter security, maximize identity, and drive great results for customers,” said Chris Gregory, Vice President of Channel Operations and Development, Saviynt. “IDSA is a perfect avenue for us to continue educating and building awareness for our converged IGA platform.”

“As our latest survey validates, organizations are dealing with an explosion of identities. Concern abounds that without strong IAM practices they face significant risk,” said Julie Smith, executive director of the Identity Defined Security Alliance.

“I’m glad to welcome Saviynt to the Alliance, bringing a new voice to our efforts to help organizations not only with identity-centric technology strategies but also with closing the gap between identity and security teams.”

Saviynt PAM and Saviynt Cloud PAM for GovCloud now available on AWS

Saviynt, ranked in the top third of Inc. Magazine’s 5000 fastest growing companies in the US and a thought leader in converging Identity Governance and Cloud Privileged Access Management solutions, announced the availability of Saviynt Cloud Privileged Access Management (PAM) and Saviynt Cloud PAM for GovCloud on Amazon Web Services (AWS) Marketplace.

Saviynt’s Cloud PAM is a cloud-native solution converging privileged access management with Identity Governance and Administration (IGA) for cloud workloads and critical enterprise hybrid applications (ERP/CMS/CRM).

Built for elasticity and resiliency and architected as a SaaS offering, Saviynt’s Cloud PAM, with integrated governance, identity analytics and preventive risk, offers frictionless access to privileged assets.

Vibhuti Sinha, Chief Cloud Officer of Saviynt, says “Security at speed and scale, without disrupting the user experience, is the core foundation on which Saviynt’s Cloud PAM has been built.

“Our vision of converging PAM with IGA, as well as tackling traditional PAM issues with unique approaches of using non-persistent accounts and temporal access is helping organizations to minimize threats in the changing hybrid IT landscape.

“Launching Saviynt’s Cloud PAM SaaS solution on AWS Marketplace will benefit Saviynt’s customers and partners in rapid fulfilment as well as quick time to market and maximizing their ROI.”

With the new release, Saviynt’s Cloud PAM offers a comprehensive approach to managing privileged access through:

  • Continuous discovery and risk visibility: Real-time discovery of workloads as well as privileged accounts and risky access across AWS workloads including Amazon Elastic Compute Cloud, Amazon Relational Database Service, AWS Identity and Access Management and even federated AWS identities.
  • Real-time workload discovery and auto-registration: Built on native cloud technologies, Saviynt can detect ephemeral changes in the cloud in real time, so new workloads are managed and access-ready as soon as they appear.
  • Elimination of persistent accounts: With the just-in-time provisioning capabilities, Saviynt’s PAM reduces the overall attack surface and reduces risk.
  • Temporal and granular privileged access with seamless sign-on experience: Frictionless experience with in-session role and access elevation and privileged ID assignment models.
  • Keyless and Passwordless model: Seamless access to workloads without the need of any keys or passwords. This invariably reduces the operational overhead of rotating/refreshing and distributing credentials.
  • Integrated credential lifecycle management and vaulting: Vaulting as a service with no infrastructure management overhead as well as reducing the overhead of managing, rotating and refreshing credentials.
  • Integrations with the industry’s leading IT Service Management (ITSM), User and Entity Behavior Analytics (UEBA) and IDaaS providers, creating an ecosystem in which access can be operated, investigated and granted in the most efficient manner.

“Our customers want proven, easy-to-use, and reliable SaaS solutions to help secure and govern access and privileged identities,” said Chris Grusz, Director, AWS Marketplace.

“Solutions that combine cloud-native security for use in AWS GovCloud (US), like Saviynt Cloud PAM, provide simplified compliance and security. We’re delighted to extend their availability to the 260,000 customers using AWS Marketplace.”