The Colorado State Capitol building in Denver. 

Mar 03 2021

Colorado Focuses on Privileged Access Management in Cybersecurity

CISO Debbi Blyth discusses working through a pandemic while following through on the state’s priorities for 2021.

Debbi Blyth has been Colorado’s CISO since 2014, and although 2020 brought on a slew of new challenges, many of Blyth’s cybersecurity initiatives have remained the same.

“When more agency employees began working from home, we had to deprioritize some on-premises projects and newly prioritize others for remote workers,” she says. However, she continues, “I haven’t changed very many priorities.”

Blyth is happy to report that despite working remotely, she and her team have been very productive.

“For me, I went kicking and screaming,” she says of remote work. “But I’ve saved hours of commute time and have found better ways to use my time, as well as better ways to use technology to compensate for at-work collaboration.”

While working from home for most of the year, her team has been able to move forward on two major security projects, including the completion of a privileged access management (PAM) program and increasing the state’s compliance with the Center for Internet Security’s CIS Benchmarks.

Colorado Embraces Privileged Access Management

Cybercriminals typically have specific targets when they breach an organization, with the end goal of obtaining high-level credentials to infiltrate databases, applications or system-critical information.

PAM is a cybersecurity tool that protects those credentials by making them temporary. So, even if a hacker is able to obtain login and password information, those credentials may already be useless.

“It’s going really well,” says Blyth of the implementation. “For the first time ever, we have full visibility into privileged accounts. System administrators, domain administrators, everyone who has the ability to make configuration changes — those credentials are the most important to protect.”

Blyth draws an analogy in describing the PAM setup: “It’s almost like checking out a library book,” she says. “Account credentials are checked out when needed, and there’s a time limit. When the time expires, or when the user checks them back in, the credentials are changed for the next user or session.”

Doug Cahill, vice president and group director of cybersecurity at Enterprise Strategy Group, says that PAM is a critical element of any organization’s cybersecurity approach.

“PAM is part and parcel of zero trust,” he says, “or another big buzzword in security, least privileged access, or LPA,” also referred to as the principle of least privilege, or PoLP. “LPA gives the fewest amount of people access to the least amount of assets.”

Blyth’s team is deploying PAM for all privileged accounts, both on-premises as well as in the cloud, which can be particularly vulnerable. A not-yet-published survey by ESG found that cybersecurity professionals named overly permissive accounts and roles to be the No. 1 issue in cloud-based applications. In addition, 52 percent of respondents shared that it was difficult to map user accounts to sensitive data residing in the cloud.

If a state or government agency is planning to implement a PAM program, Mike Wyatt, a principal at Deloitte, advises that agencies have a multifactor authentication program in place first.

“So many breaches start with compromised credentials,” says Wyatt. “MFA is a straightforward rollout for systems such as VPN. PAM is often a heavier lift. It takes more time to integrate, especially if there are legacy systems. It can be a long journey.”

MORE FROM STATETECH: How can next-generation endpoint security tools aid agencies?

Achieving CIS Benchmarking Goals Is a Key Priority

Colorado’s PAM strategy is one aspect of a cybersecurity program that follows “good hygiene,” according to Cahill. Tracking and evaluating an organization’s cybersecurity hygiene is where benchmarking comes in.

Blyth says that her security team in Colorado has been working closely with the infrastructure team to increase its compliance with CIS Benchmarks.

Colorado CISO Debbi Blyth
For the first time ever, we have full visibility into privileged accounts.”

Debbi Blyth Colorado CISO

“One thing I remind our teams is that this is not something we can do by ourselves,” she explains. “CIS Benchmarks are a measure of how ‘hardened’ our systems are to an attack. Meeting our cybersecurity goals requires partnerships with the infrastructure organization and across the IT organization.”

Blyth estimates that about 60 percent of the state’s servers have reached the target goal, and her team continues to work with other IT teams to ensure that all new servers are fully compliant.

Colorado’s cybersecurity team also follows the 20 CIS Controls & Resources as a framework for the state’s security program, as well as NIST SP 800-53, a National Institute of Standards and Technology document which serves as the basis for the agency’s policies.

The 20 CIS Controls & Resources “are a good way to operationalize the NIST cybersecurity framework, which is how many states, including Colorado, are explaining their programs and

Wyatt, of Deloitte, agrees. “When talking to legislators and asking for budget, you need a cybersecurity roadmap, and it’s helpful to have a straightforward way to explain what you’re going to do, like CIS 20,” he says. “Colorado has done this successfully. Ongoing communication with key stakeholders makes it twice as likely an agency will get security funding. You’re not just talking to the legislature when something bad happens.”

DIVE DEEPER: Find out how to protect government workers at home.

What’s Next for Colorado in Cybersecurity

Although no concrete decisions have been made, Blyth envisions that the state may not require all employees to come back to the office.

“I can imagine a hybrid approach, where people come back for important meetings or specific days but work from home on a regular basis. A lot of agencies are considering this as a way to reduce costs,” she says.

As for cybersecurity initiatives, there are always multiple projects moving forward at once.

In addition to completing PAM and increasing compliance with CIS Benchmarks, Blyth’s department has been working with the state’s internal development organization to build security into DevOps pipelines and increase visibility into cloud data storage and file sharing. She is also continuously tracking and remediating audit recommendations, as well as working on the human side of cybersecurity.

“Preventing ransomware attacks should be a priority,” says Cahill of ESG. “State and local agencies are targeted disproportionately. Employees need awareness training.”

“Our agencies are excited. They’ve been asking for simulated phishing attacks and training,” she says. “At the same time, we’re working on defining metrics for the coming fiscal year. We’re always looking to improve our security posture going forward.”

Adventure_Photo/Getty Images

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.