Morey Haber, Chief Technology Officer, BeyondTrust, explains why a comprehensive approach to privileged access management (PAM) – which encompasses not just the full community of credentialed users but also the many technologies and systems that they can access – is the only way for organisations to protect their critical assets in the ever-expanding IT perimeter.
For all of information technology’s benefits, most organisations are well acquainted with the by-product of rapid IT advances and expansion – increased cybersecurity risk. Indeed, growing cybersecurity concerns correlate directly with your organisation’s expanding digital universe and the number of people given some level of authority to operate within it.
A swiftly expanding digital perimeter – both physical and logical – inevitably makes organisations more vulnerable to the so-called cyberattack chain, regardless of how far the perimeter has extended. The attack process starts with a successful perimeter breach or insider malfeasance, followed by the theft of ‘privileged’ user credentials through either poor privilege security management or exploitation of a vulnerability. With privileged user IDs and passwords in hand, an attacker can then move laterally throughout an organisation, seeking its most valuable digital resources.
As the IT perimeter continues to evolve, threats and risks become increasingly difficult for IT and security teams to manage as they try to connect the dots between privileged accounts, vulnerabilities, exploits and successful data and system breaches. This barrier is a big reason why compromised privileged credentials are such a dominant source of successful attacks, accounting for 80% of all cyberbreaches, Forrester Research estimates.
Not all of these breaches involve cyberthieves or other outsiders stealing and then exploiting privileged credentials. In many cases, privileged users cause problems on their own, usually inadvertently through poor security practices but sometimes malevolently. Whether intentional or accidental, privilege-related breaches can bring devastating consequences.
Regardless of the perpetrators and their intentions, it’s clear that organisations generally haven’t done enough to understand and manage their privileged accounts. That’s a big problem because the need for privileged account access – and management – will only become more pressing as IT and communications environments continue to expand beyond traditional firewalls.
The expanding IT perimeter
The days of computer users sitting only within the four walls of a secure and digitally isolated building are a distant memory. The adoption of mobile devices and cloud computing dramatically expanded the digital footprint of companies. The more recent emergence of Internet of Things (IoT) devices is accelerating this expansion and the spread of new processes and technologies, from DevOps to Artificial Intelligence, is adding ever more complexity across the digital landscape.
This emergence of next-generation technologies (NGTs) makes it hard for IT and security teams to keep up. According to our 2018 study of NGT trends and issues, 78% of the participating IT professionals said security was a challenge associated with NGT adoption. A total of 20% said they had experienced five or more breaches related to NGTs over the prior 24 months, resulting in data loss, IT outages or compliance alerts. What was more revealing was that the cause of 85% of all NGT-related breaches involved privileged access – either authorised users unintentionally or intentionally doing inappropriate things or outsiders gaining privileged access to steal credentials.
Further complicating matters, an organisation’s connected community now extends well beyond employees to include vendors, contractors, cloud services providers and others who have various levels of authority to access digital resources.
Adopting a privilege-centric approach
There’s no turning back the clock when it comes to our expanding and increasingly complex digital footprint. It’s time for organisations to get serious about placing their privileged accounts under tight control, regardless of their digital presence. To this end, a partial or piecemeal solution won’t do. Organisations require a comprehensive approach to privileged access management (PAM) that encompasses not just the full community of credentialed users but also the many technologies and systems privileged access management existing and emerging – that they can access.
As with almost any other cybersecurity solution, the first step to a successful PAM deployment is to perform a comprehensive inventory of your organisation’s digital assets, processes, and – in this case – privileged accounts. Only after completing this initial discovery process can you perform a detailed risk analysis that identifies the most valuable or most sensitive data and systems, along with the most likely threats to their security.
Another major element of a successful PAM strategy is controlling user and application access rights as securely as possible. Often that means rescinding existing privileged credentials if a user’s or application’s need to access sensitive resources should be limited. By enforcing least privilege and appropriate credential usage and providing the lowest level of actual privileges needed to perform a task, some PAM solutions can help control mushrooming numbers of privileged accounts.
PAM solutions can also block access on the fly, by inspecting scripts; verifying commands; and, in some cases, performing dynamic vulnerability management. The goal is to reduce an asset’s risk, whether targeted via a privileged attack vector or through a vulnerability and exploit combination. With 80% of attacks traced to privileged credentials, deploying a comprehensive PAM solution is among the most effective ways to greatly reduce the risk of cyber breaches, regardless of the attack vector.
Lastly, organisations need to take a risk-based approach to planning, prioritising and implementing PAM solutions. Organisations new to PAM may consider applying a PAM layer to their traditional business infrastructure and processes, or they may opt to prioritise deployment for the NGTs that pose the greatest risk. In either case, it’s crucial to select a PAM solution that provides the flexibility and capability to not only address current challenges but also grow and mature in step with evolving business needs.
The answer – a sophisticated solution
To provide these and other advanced PAM functions, organisations should consider a fully integrated and comprehensive PAM platform that provides one set of interfaces for password and session management, privilege management, vulnerability management. The solution should also be able to be deployed in any format: as software; as a virtual or physical appliance; or as a cloud service on Amazon Web Services, Microsoft Azure or Google Cloud.
By deploying multiple platform components as software or appliances, organisations can scale their solution to accommodate any environment by using a simple, role-based model for features, functions and secure architecture. Such an extensible-platform approach can provide best-of-breed capabilities to protect privileges across traditional, emerging and next-generation technologies.