Why Privileged Access Management Should be a Top Priority (Part Two of a Two-Part Series)
To get the most from a privileged access management (PAM) strategy, focus on projects with the greatest risk and largest impact, perform a security health check, and explore as-a-service options, which are less costly and daunting to roll out across the enterprise.
Chief information security officers (CISOs) are overwhelmed with too many security projects. This was the recurring theme at this year’s Gartner Security Risk Management Summit. With the digital transformation market expected to reach $493 billion by 2022 at a 19.1% CAGR, the current pace of digital initiatives is bringing security discussions to the forefront of business planning. What process should a CISO use to select from a list of many security priorities?
During his talk on the top 10 security projects for 2018, Gartner VP and Distinguished Analyst Neil MacDonald advised focusing on projects that reduce the most risk and have the largest business impact. And number one on the list of security priorities is PAM.
PAM: A High Priority
As noted in the first installment of this series, 80% of all breaches involve privileged credentials. Controlling privileged access not only reduces the potential attack surface and minimizes the impact of a breach, but it also builds resilience against other causes of disruption including insider threats, misconfigured automation and accidental operator error in production environments.
PAM also provides a high return on investment (ROI); the relative cost to implement it is low vs. the beneficial impact to the protection-detection-response cybersecurity lifecycle. A PAM implementation protects privileged user activity as well as nonhuman users and service accounts that may need to run occasionally in privileged mode. PAM protects mission-critical assets in which a breach could have catastrophic operational impact. At the same time, it addresses the common advanced persistent threat (APT) tactics of lateral movement and credential theft through pass-the-hash and pass-the-ticket impersonation.
Key IAM Challenges that PAM Addresses
While identity and access management (IAM) and PAM are key authentication and access controls, protecting privileged identities presents unique challenges. Consider:
Misuse of privileged access, whether it’s through an external attacker or accidental misconfiguration, can have a significant impact. Privileged access requests can require approval workflows, be issued to temporary users such as a contractor, or be time bound for specific maintenance windows. As such, implementation of the principles of least privilege and just-in-time access are key elements of PAM that will reduce the potential attack surface against privileged credentials.
Auditability of authentication and access is core to the IAM lifecycle and is a compliance requirement for many organizations. Privileged activity auditing is already required in varying degrees in regulations for SOX, HIPAA, ICS CERT, GLBA, PCI DSS, FISMA, and others. However, auditing privileged access is now essential due to the General Data Protection Regulation (GDPR), which mandates management of access to personal data, putting all privileged access in scope. (For more, please read “Every Move You Make: Privacy in the Age of the Algorithm.”)
Auditing alone does not provide operational resilience in the event that privileged access is misused. Recoverability requires the ability to know exactly what commands were issued and how the system responded. Session management provides the ability to control, monitor and record access, including live view and playback. While individual session management for general users is not feasible within IAM, it is an essential PAM feature.
Clearly the need to protect the informational crown jewels and critical business assets requires securing these keys to the kingdom with governance above and beyond traditional IAM controls. But where should an organization start on the privileged access management journey?
A Privileged Access Security Health Check
The need to protect privileged credentials is obvious, but its urgency and benefit in terms of risk reduction and enabling digital business imperatives require a methodical review. Some key questions to explore include:
What types of privileged users does an organization have? What about service accounts and other automation? What access is entrusted to third parties?
Where do critical systems, data and applications reside? Are they in local data centers, resources in the cloud or managed by a service provider?
What controls does an organization have to limit privileged escalation and prevent lateral movement, and where would PAM integration significantly improve enforcement?
How feasible is fully centralized privileged credential management, and what gaps hinder it? Are there local or group administrative accounts? Are the privileged use cases for all environments known, from desktops, mobile and all flavors of server operating systems to all field devices?
What is the authorization process for new and temporary privileged user access? What are the approval workflows and how is governance enforced?
What identity and access compliance mandates, such as in PCI-DSS (for payments security) and GDPR, are being addressed with only IAM but can be better implemented or strengthened with PAM?
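The health-check questions above, together with the earlier points on just-in-time and time-bound access, can be run as a mechanical review of a privileged-grant inventory. The following is an added example, not part of the original article or any PAM product; the record fields, the 8-hour window policy, the account names and the ticket ids are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)  # fixed for repeatable output
MAX_WINDOW = timedelta(hours=8)  # assumed policy: longest allowed maintenance window

def grant(account, kind, owner, scope, vaulted, approval, expires):
    return dict(account=account, kind=kind, owner=owner, scope=scope,
                vaulted=vaulted, approval=approval, expires=expires)

# Constructed inventory; field names and ticket ids are illustrative assumptions.
GRANTS = [
    grant("alice-adm", "human", "internal", "server", True, "REQ-1", NOW + timedelta(hours=4)),
    grant("svc-backup", "service", "internal", "server", True, "REQ-2", None),
    grant("vendor-hvac", "human", "third-party", "field-device", False, None, None),
    grant("WS-017/Administrator", "human", "internal", "local-admin", False, "REQ-3",
          NOW + timedelta(days=30)),
]

def findings(g, now=NOW):
    """Return the health-check findings for one privileged grant."""
    out = []
    if g["expires"] is None:
        out.append("standing privilege: no expiry, not just-in-time")
        if g["owner"] == "third-party":
            out.append("third party holds standing access")
    elif g["expires"] <= now:
        out.append("grant expired but still present")
    elif g["expires"] - now > MAX_WINDOW:
        out.append("time bound longer than maintenance window")
    if not g["approval"]:
        out.append("no approval workflow record")
    if not g["vaulted"]:
        out.append("credential not centrally managed")
    if g["scope"] == "local-admin":
        out.append("local administrative account")
    return out

def health_check(grants, now=NOW):
    """Map account -> findings, omitting accounts with nothing to report."""
    report = {g["account"]: findings(g, now) for g in grants}
    return {acct: f for acct, f in report.items() if f}

def inventory_by_kind(grants):
    """Answer 'what types of privileged users do we have?' as counts."""
    return Counter((g["kind"], g["owner"]) for g in grants)

if __name__ == "__main__":
    for acct, items in health_check(GRANTS).items():
        print(acct, "->", "; ".join(items))
    print(dict(inventory_by_kind(GRANTS)))
```

Accounts that come back with no findings are the ones already time bound, approved and centrally managed; everything else is a candidate for the first phase of a PAM rollout.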
No matter where an organization is with its cyber identity maturity, developing an action plan for PAM as-a-Service (PAMaaS) adoption is essential for securing privileged access. This starts with the Privileged Access Security Health Check.
Picking Up on PAMaaS
To adopt PAM, IT organizations might want to consider PAMaaS, which is less daunting than an on-premises enterprise deployment. Traditionally, identity management projects have been viewed as complex, costly and long running with multiple phases of integration and automation. Consuming PAM as-a-Service offers rapid time-to-value, which is especially important in today’s accelerated digital business world. PAMaaS can be deployed and paid for incrementally as users and assets are brought online, allowing for a prioritized roll out and, in most cases, net cost savings vs. an equivalent stand-alone enterprise deployment.
Accelerated time-to-value. Protect and extend previous investments. Leverage out-of-the-box integrations with a wide variety of IT operations and security systems including authentication systems, ticketing solutions and identity and access management platforms.
Reduced operations expense and complexity. Eliminate manually intensive, time-consuming and error-prone administrative processes. Simplify operations and improve the efficiency of IT security teams. Free up valuable IT staff to focus on strategic tasks to support core business activities.
Improved visibility. Understand what privileged accounts exist and who has access to them. Institute well-informed privileged account security policies. Monitor real-time and historical privileged account activity.
Elimination of the time and effort of procuring, installing and maintaining legacy hardware solutions with a flexible Software as-a-Service (SaaS) deployment and billing model.
24x7x365 PAM coverage by experts based in highly secure facilities around the globe.
This article was written by Tom Le, CTO of the Cognizant Security Practice.