The enterprise cyber security landscape is both multi-layered and multi-vectored. Solutions and platforms have been designed and developed to protect the entire enterprise—from the perimeter to infrastructure to users—and all of the apps and data contained within. Any IT professional can attest to the complexity of enterprise cyber security, and any security-focused IT professional can attest to the pain of crafting and executing a comprehensive strategy.
One of the more critical functions of a comprehensive cyber security strategy is privileged access management (PAM). What exactly is PAM, and why does it matter? I'll attempt to dissect this in the following few paragraphs (click here for a more detailed dive on the topic).
Defining the PAM problem
Privileged accounts are ubiquitous in the enterprise. They represent people, applications, cloud environments, IoT devices, things, bots and more. And as necessary as these privileged accounts are to a business's success, they are arguably the most significant vulnerability in an enterprise IT environment. This is partly due to the transitory nature of today's business; an application or function may only need privileged access for a limited duration, but the account is not terminated after use.
This PAM challenge is also the result of poor privileged account management hygiene. IT security teams, already overwhelmed, cannot accurately track the potentially thousands of privileged accounts that reside in their environments. Further, practices like the continuous integration/continuous delivery (CI/CD) part of a DevOps methodology can limit the purview of IT security professionals, since pipelines create and use privileged credentials outside their direct oversight.
The result of these challenges is not hard to imagine; these dangling administrative and root-level accounts with stale credentials are ripe for exploitation. And once exploited, hackers can traverse the enterprise, planting rootkits and looking for IP and data to steal. If this sounds farfetched, recall the timeless tale of the Target breach, in which bad actors lifted the credentials of a local HVAC service provider to hack the retail giant. Want something a little more recent? How about the supply chain attack on SolarWinds? This attack’s global impact ended up costing north of $90B (about $12M per affected organization).
The bottom line is that while privileged access management is both complex and time-consuming, it is a critical leg of any comprehensive zero trust security strategy.
What is a PAM solution?
PAM solutions help IT security organizations manage all of the privileged access accounts required to run the modern business, including the accounts behind the application and data interfaces an organization uses to support its customers and partners.
Per a research brief I authored, PAM solutions should:
- Include a digital vault to securely store passwords, secrets, SSH keys and other access credentials used by people, applications and machines
- Provide mechanisms to automatically update and rotate credentials based on policy
- Isolate and track privileged sessions to contain threats, prevent malware spread and simplify audits
- Include threat analytics capabilities to automatically detect suspicious behavior and anomalous activity
- Protect on-premises, cloud-based applications, and IT resources
- Be deployed on-premises or in a public or private cloud, or delivered as a service
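As an added illustration of the dangling-account problem described above and of the policy-based rotation capability in the list (example code written for this post, not CyberArk's or the author's), the following audit runs over a constructed inventory of privileged accounts and flags accounts whose temporary grant has lapsed but that remain enabled, accounts idle beyond a threshold, and credentials older than the rotation policy allows. The record fields, thresholds and account names are assumptions.

```python
from datetime import date

# Constructed sample inventory (not from any real environment): one record per privileged account.
ACCOUNTS = [
    {"name": "svc-build-deploy", "type": "application", "enabled": True,
     "expires": date(2024, 1, 17), "last_used": date(2024, 1, 16), "cred_rotated": date(2024, 1, 10)},
    {"name": "hvac-vendor-remote", "type": "third-party", "enabled": True,
     "expires": None, "last_used": date(2023, 9, 3), "cred_rotated": date(2023, 6, 1)},
    {"name": "root@db-primary", "type": "human", "enabled": True,
     "expires": None, "last_used": date(2024, 3, 1), "cred_rotated": date(2024, 2, 20)},
    {"name": "old-ci-runner", "type": "application", "enabled": False,
     "expires": date(2022, 6, 5), "last_used": date(2022, 6, 1), "cred_rotated": date(2022, 5, 5)},
]

# Date the audit is run against the constructed inventory (assumed).
AUDIT_DATE = date(2024, 3, 5)


def audit_privileged_accounts(accounts, today, max_idle_days=90, max_cred_age_days=30):
    """Return {account_name: [findings]} for enabled accounts that violate the assumed policy.

    Findings:
      dangling   - temporary grant has expired but the account is still enabled
      idle       - not used within max_idle_days
      stale-cred - credential older than max_cred_age_days (rotation policy breached)
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        issues = []
        if acct["expires"] is not None and acct["expires"] < today:
            issues.append("dangling")
        if (today - acct["last_used"]).days > max_idle_days:
            issues.append("idle")
        if (today - acct["cred_rotated"]).days > max_cred_age_days:
            issues.append("stale-cred")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_privileged_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {', '.join(issues)}")
```

In a real deployment the inventory would come from the vault or directory rather than a literal, and each finding would feed a rotation or deprovisioning workflow rather than a print statement.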
Comprehensive PAM solutions extend value to broader Identity Security programs, adding capabilities to manage:
- Employees who use privileged accounts and credentials to administer systems, Windows domains, applications, CI/CD tools, etc.
- Privileged accounts and credentials that third-party IT service vendors use to administer and support systems and infrastructure remotely
- Secrets that applications, bots, machines and automation scripts use to access and configure IT resources
- Endpoint security by removing local administrative rights from endpoints and escalating privileges on-demand
- Entitlements and identity and access management configurations in public cloud environments
The three P's of privileged access
Any strategy and plan to address privileged access (and IT security in general) should have three equal parts: people, processes and products (technology). Teams must share responsibility for vigilance in managing access. Moreover, everyone, business users and IT professionals alike, must ensure that security guides each action.
When talking about process, I’m referring to both the standard operating procedures and corresponding activities that establish a secure environment and test an organization's defenses. Clearly document how to maintain a secure state and respond appropriately to attacks. Equally (perhaps more) necessary is the regular testing of such plans, updating them based on the ever-evolving threat landscape.
Finally, none of the above works without the right solution to effectively manage privileged access across the enterprise. As with any mission-critical function, when selecting a PAM vendor, one should strongly consider solution maturity, comprehensiveness and reach. I suggest prioritizing PAM solutions that are proven across diverse customers and environments.
The PAM landscape – who's who?
The PAM landscape is crowded. To list every vendor in this blog would be a disservice to the reader, but know that it is populated by larger companies that address PAM as a checkbox in an overall portfolio of services and smaller companies with point solutions or cloud offerings that look to simplify the process of managing privileged access.
In between these two types of companies are providers like CyberArk. While this company doesn't have the size or scope of, say, IBM, it is truly a pioneer in the PAM market and tends to be on the front end of the innovation curve for privileged access management. What makes the company unique, in my mind, is its maturity and stability combined with its innovative approach to supporting enterprise IT.
You don't need 1,200 words telling you that it's a dangerous world for enterprise IT and that the cybersecurity landscape can be very complex and hard to navigate. Nor do you need 1,200 words to reinforce what enterprise IT already knows: effective cybersecurity strategies must be rooted in the three Ps: people, processes and product.
It is worth spending some words explaining the importance of privileged access management. This is especially true for organizations in the throes of digital transformation, where DevOps drives the business while bots, cloud, and IoT populate the IT landscape.
As an IT security professional, how do you manage this threat landscape? And what are your selection criteria for a PAM solution partner?