Not Your Father's Privileged Access Management

By Joseph Carson, Chief Security Scientist and CISO, Thycotic

There is no silver bullet for cyber threats. But the stars have certainly aligned for one way to reduce cyber business risk – using Privileged Access Management solutions to secure and monitor account credentials like passwords and limit the damage if they are stolen or misused.

Most security incidents can be traced back to compromised user accounts. Eighty-one percent of hacking-related breaches involve stolen or weak passwords, according to the Verizon 2018 Data Breach Investigations Report, a pattern that is also apparent from Australia’s Notifiable Data Breaches Quarterly Statistics Reports.

The Australian Cyber Security Centre has again included restricting administrative privileges, the core of Privileged Access Management, in its Essential Eight list of the most effective cyber mitigation strategies. Privileged Access Management also topped Gartner’s Top IT Security Projects for 2019, its list of new projects for security teams to explore.

So why does Gartner estimate that only 40% of organisations have implemented Privileged Access Management for all enterprise use cases, even though modern PAM solutions are quick to implement, easy to use, and even improve user productivity?

One reason is PAM’s complex past. Privileged Access Management still carries a reputation for being hard to deploy, one that dates back to an era when cyber security, and IT in general, looked quite different.

Before we bust this myth, along with some others, it might help to understand why PAM is so effective in reducing organisations’ risks from cyber-attacks.

Compromised superuser accounts are a hacker’s best friend

Threat actors often start by targeting ordinary users with phishing attacks designed to trick them into handing over their login credentials. With those credentials in hand, the attacker can log in as that user and often remain undetected for months. Moving about in the guise of a legitimate user, attackers can covertly exfiltrate data or install malware to stage larger attacks.

The intruder can also work to escalate their access by gaining control of a privileged account, which makes them far more dangerous. These superuser accounts carry elevated permissions that can wreak havoc in the wrong hands. Attackers can use them to create or modify other user accounts, reach any machine on the network, and trawl through the most confidential data at their leisure. Superusers also have the power to erase audit trails and destroy evidence, greatly increasing the intruder’s ability to evade detection and hide their activity from investigators.

Despite the dire threat posed by a compromised privileged account, it is common to find that the management and security of these accounts is minimal at best. In many cases, obtaining a superuser account can be as simple as searching a hijacked user’s inbox for the privileged account’s login details. Employees are often largely unaware of what privileged accounts are or what they can do, even when their role has them using such accounts themselves.

In a previous era, organisations could protect their networks with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways and so forth, building multiple layers of security at the perimeter. Today the traditional security perimeter is no longer an effective control on its own, and fast-growing technologies like cloud, mobile and virtualisation blur the security boundaries of an organisation.

Busting some Privileged Access Management myths

In this new era, organisations need strong policies governing how privileged accounts are accessed and used. Implementing a Privileged Access Management solution also goes a long way towards controlling and limiting superusers, by letting organisations record and monitor privileged sessions and put time limits on elevated access.

Despite its effectiveness, PAM has a longstanding and scary reputation for complexity among many IT professionals, which has led some organisations to avoid it. This dates back to a previous era of computing when PAM software was difficult and complicated to use. A deployment could take months or even years – chewing up time and resources, with teams of expensive specialists involved – and many projects were abandoned altogether.

However, PAM solutions have evolved to become much easier to implement and use, and many are now designed for out-of-the-box deployment, enabling IT teams to get them up and running quickly without the need for expensive specialists. The best modern PAM tools are also built to be flexible and scale with the organisation as it grows and its security needs change.

Tackling cyber fatigue with a better security experience

A second common myth is that PAM makes things harder for users. This misconception also dates back to the days before easy-to-use PAM solutions with features such as password management aimed at improving the user experience.

Cyber security has rarely been a positive experience for employees. Many suffer from cyber fatigue – the frustration of juggling scores of online accounts with multiple (and supposedly strong) passwords. In many cases individuals become so frustrated that they give up trying to manage things safely and default to reusing the same passwords across accounts, sharing passwords with family members, and logging on to websites with their social media accounts.

IT security staff should be looking for ways to give employees a better experience of security, and one of the best ways to do this is to implement a PAM solution. It removes one of the biggest causes of cyber fatigue by generating strong passwords for privileged accounts, rotating them on a schedule, and rotating them immediately if they are stolen or compromised, so that nobody has to remember or hand-manage them.
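The two mechanisms the last sections describe, time-limited privileged sessions with an audit trail and automatic rotation of the vaulted password at session end or on suspected compromise, are easier to reason about with a concrete model. The following is an added example written for this page, not Thycotic's product code or any vendor's API; the account name, the in-memory store, the fake clock and the 15-minute default checkout are all assumptions made for the demonstration.

```python
"""Toy model of a PAM credential vault: time-limited checkout, session audit,
and password rotation. Added example, not product code; the account name,
TTLs and in-memory store are assumptions."""
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length=24):
    """High-entropy random password, as a vault sets on every rotation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedVault:
    """Owns the privileged passwords; users only ever hold a copy tied to a ticket."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._passwords = {}   # account -> current password
        self._checkouts = {}   # ticket -> (user, account, expires_at)
        self.audit = []        # append-only trail: (timestamp, event, user, account)

    def _log(self, event, user, account):
        self.audit.append((self.clock(), event, user, account))

    def enroll(self, account):
        self._passwords[account] = generate_password()
        self._log("enroll", "vault", account)

    def checkout(self, user, account, ttl_seconds=900):
        """Issue a session ticket that expires after ttl_seconds (default 15 min)."""
        if account not in self._passwords:
            raise KeyError(account)
        ticket = secrets.token_hex(16)
        self._checkouts[ticket] = (user, account, self.clock() + ttl_seconds)
        self._log("checkout", user, account)
        return ticket, self._passwords[account]

    def verify(self, ticket, password):
        """Target system asks the vault whether this ticket/password is still valid."""
        entry = self._checkouts.get(ticket)
        if entry is None:
            return False
        user, account, expires_at = entry
        if self.clock() > expires_at:
            self._log("expired", user, account)
            return False
        # A rotated password fails here even if the ticket is still live.
        if not secrets.compare_digest(password, self._passwords[account]):
            self._log("stale-credential", user, account)
            return False
        return True

    def checkin(self, ticket):
        """End of session: rotate so the copy the user saw is now worthless."""
        user, account, _ = self._checkouts.pop(ticket)
        self._passwords[account] = generate_password()
        self._log("checkin+rotate", user, account)

    def rotate(self, account, reason):
        """Out-of-band rotation, e.g. after the password shows up in a breach dump."""
        self._passwords[account] = generate_password()
        self._log("rotate:" + reason, "vault", account)


class FakeClock:
    """Controllable clock so the TTL behaviour can be shown without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo(account="CORP\\svc_backup"):
    """Walk through checkout, expiry, rotation at check-in and emergency rotation."""
    clock = FakeClock()
    vault = PrivilegedVault(clock=clock)
    vault.enroll(account)
    results = {}

    ticket, pw = vault.checkout("alice", account, ttl_seconds=600)
    results["valid_during_session"] = vault.verify(ticket, pw)
    clock.now += 601                                  # session outlives its TTL
    results["rejected_after_ttl"] = vault.verify(ticket, pw)

    ticket2, pw2 = vault.checkout("alice", account)
    vault.checkin(ticket2)                            # password rotated here
    ticket3, pw3 = vault.checkout("alice", account)
    # Someone who copied pw2 from a mailbox or chat replays it against a live ticket.
    results["old_password_after_rotation"] = vault.verify(ticket3, pw2)
    results["new_password"] = vault.verify(ticket3, pw3)

    vault.rotate(account, reason="found-in-breach-dump")
    results["after_emergency_rotation"] = vault.verify(ticket3, pw3)
    results["audit_events"] = [event for _, event, _, _ in vault.audit]
    return results
```

Two design points matter beyond the toy. First, `verify` compares against the vault's current password rather than a copy stored at checkout, so rotation is the single lever that invalidates every outstanding copy of a credential, whether it leaked from an inbox or a breach dump. Second, the audit list here is only append-only by convention; because a superuser can erase local logs, a real deployment forwards the trail to a separate write-once store the privileged account cannot reach. A production PAM product also typically proxies the session so the user never sees the password at all, which this model does not attempt.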

Not just another cost to the business

Another myth is that PAM is just another cost to the business. Most organisations spend valuable budget on cyber security solutions that only reduce risk and add no other business value.

However, the right PAM solution actually makes employees more productive by giving them faster and more secure access to systems and applications. It secures access to sensitive systems and reduces the risk of compromise through passwords that have already leaked to the dark web, because vaulted passwords are rotated rather than reused. PAM also reduces cyber fatigue and simplifies the generation and rotation of new complex passwords. All of this saves valuable employee time, which translates directly into cost savings for the business.

The bottom line is that today’s easy-to-implement, easy-to-use and cost-saving PAM solutions are not your father’s Privileged Access Management. Even old IT hands bearing the scars of earlier implementation attempts cannot afford to avoid PAM for much longer.

About the author

Joseph Carson has over 25 years’ experience in enterprise security, is the author of “Privileged Account Management for Dummies” and “Cybersecurity for Dummies”, and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist and CISO at Thycotic.