What You Need to Know about Privileged Access Management (PAM)

October 04, 2024

Threat actors prioritize hacking or social engineering privileged accounts, such as admin users, because this gives them greater access to an organization’s sensitive information. As a result, managing privileged accounts without disrupting operations is necessary but much more challenging to achieve.

 

In this article, we discuss: 

 

  • How privileged access management (PAM) works
  • Why you need a modern PAM cybersecurity solution
  • The evolution of PAM solutions into PAMaaS (PAM-as-a-Service)

 

 

 

How Does Privileged Access Management Work?

PAM cybersecurity solutions work by identifying the right level of permissions for each user, technology or process.

 

For example, an admin or a country manager in your organization can access the personal information of all your users. However, a customer support associate must only access the least information needed to serve a user's support request.

 

 

 

Why Do You Need a Modern PAM Cybersecurity Solution?

A modern PAM cybersecurity solution helps you minimize sensitive data misuse cases by providing just-in-time activity-based access, implementing multifactor authentication (MFA), rotating passwords automatically and improving auditability.

 

[Image: Stats from Verizon's 2021 Data Breach Investigations Report]

 

Verizon’s Data Breach Investigations Report revealed that 61% of over 5000 confirmed data breaches involved compromised credentials. Various other sources estimate between 80 and 90% of data security breaches are due to stolen and/or misused credentials.

 

The most common attack pattern used to obtain stolen credentials is social engineering, comprising over a third of all analyzed attack patterns according to Verizon’s report. Unlike the clumsy amateur phishing attempts that most spam filters catch, spear phishing attempts to gain unauthorized access to privileged accounts are far more sophisticated. So, you need a competent PAM cybersecurity solution to ward off this threat.

 

A modern PAM cybersecurity solution will offer the following capabilities:

 

Automated password rotation: a key feature of PAM that significantly reduces the possibility of a successful spear phishing attack against an unwary employee or contractor by removing the password itself as something a user knows. An attacker masquerading as a help desk employee or senior executive to pressure a user into sharing their password would be met first with confusion (“I don’t have that information.”) and then mistrust (“Who is this really? You should know I don’t have this information.”) at the request.

 

Dual access control: allows for just-in-time provisioning and separation of duty specific to high-risk credentials. To check out a password for a privileged account, an administrator must initiate a checkout process in which another party must review and approve the checkout request before the administrator can obtain the password.

 

 Privileged session monitoring: takes auditability to a whole new level of transparency and accountability, recording every keystroke and mouse movement and archiving the recorded session for future review.

 

Such capabilities make malicious actions difficult to hide even when performed by capable and determined internal actors with complex systems and organizational knowledge.
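A minimal in-memory model of the dual-control checkout and rotate-on-check-in flow described above, added here as an illustration and not taken from Optiv or any PAM product. The class name, method names and the 15-minute checkout window are assumptions.

```python
import secrets
import time


class DualControlVault:
    """Toy vault (assumed design): a second party approves; check-in rotates."""

    def __init__(self, checkout_ttl=900):
        self.passwords = {}    # account -> current password, known only to the vault
        self.requests = {}     # request id -> request state
        self.audit = []        # append-only (event, actor, account, note) records
        self.ttl = checkout_ttl

    def _rotate(self, account):
        self.passwords[account] = secrets.token_urlsafe(24)

    def onboard(self, account):
        self._rotate(account)  # the vault sets the password; no human chooses it

    def request(self, account, requester, reason):
        rid = secrets.token_hex(8)
        self.requests[rid] = {"account": account, "requester": requester,
                              "approver": None, "expires": None, "open": True}
        self.audit.append(("request", requester, account, reason))
        return rid

    def approve(self, rid, approver):
        req = self.requests[rid]
        if approver == req["requester"]:  # separation of duty
            self.audit.append(("self_approval_denied", approver, req["account"], ""))
            raise PermissionError("requester cannot approve own checkout")
        req["approver"] = approver
        req["expires"] = time.time() + self.ttl  # just-in-time window starts now
        self.audit.append(("approve", approver, req["account"], ""))

    def checkout(self, rid, requester):
        req = self.requests[rid]
        if (requester != req["requester"] or not req["open"]
                or req["approver"] is None or time.time() > req["expires"]):
            self.audit.append(("checkout_denied", requester, req["account"], ""))
            raise PermissionError("checkout not approved, expired or closed")
        self.audit.append(("checkout", requester, req["account"], ""))
        return self.passwords[req["account"]]

    def checkin(self, rid):
        req = self.requests[rid]
        req["open"] = False
        self._rotate(req["account"])  # the disclosed password stops working
        self.audit.append(("checkin_rotate", req["requester"], req["account"], ""))
```

Denied attempts are written to the audit trail as well as successful ones, so a requester probing the workflow leaves a record even when nothing is disclosed.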

 

Because these controls can be applied to conventional credential sets as well as API keys, hashes and certificates, PAM is not wholly dependent upon RBAC or identity governance to deliver an effective security control for high-risk credentials and secrets.

 

 

 

The Evolution of PAM Solutions and Related Challenges

Increasing threat complexity, evolving business needs, shortage of cybersecurity skills and lack of expertise in preparing for unknown threats make fully managed PAM-as-a-Service attractive.

 

As organizations continue migrating critical services and data to cloud providers to improve operational resiliency, efficiency and cost savings, the typical data infrastructure footprint expands in scale and complexity. Organizations that had previously operated in a handful of data centers with nearby offices now, through the adoption of cloud-based solutions and third-party integrations, must adapt to secure sensitive systems and data replicated across hundreds of third-party platforms on often-opaque physical infrastructure.

 

 

 

3 Factors That Have Compounded the Need for PAM Solutions

 

1. Increasing number of endpoints

Workforce decentralization and bring-your-own-device (BYOD) policies, accelerated by a global pandemic and the unprecedented pressure to embrace them, further compound the difficulty of securing your official network, endpoints and accounts.

 

2. Sensitive Data Sprawl

Businesses now face growing confusion about where sensitive data physically resides. As a result, most businesses need to reformulate their security strategy, laying emphasis on a context-based approach to data access. A critical component of a context-based Zero Trust strategy is role-based access control (RBAC). A well-defined RBAC hierarchy, combined with identity governance processes and automation, helps create an authoritative answer to the question, “Who should have what access and when?”

 

3. Growing Need for Access Controls

Not all entities that access critical data readily conform to the RBAC models or identity governance processes. For example, non-person identities – machine and service accounts responsible for processing data as part of automated workflows – do not follow the same lifecycle an end-user does and do not generally conform to RBAC models based on specific job functions. Similarly, high-level administrator accounts – those with root-level access to entire Active Directory forests, server farms, database clusters, production cloud tenants, etc. – are typically distinct credential sets from ordinary daily login profiles. Such accounts and profiles are able to conform to RBAC and identity governance, but at the same time also possess broad unfettered access that can defeat many security controls that would typically restrict a non-elevated account.

 

 

 

The Best PAM Solution for Your Business Needs

Preserving uninterrupted business operations and client trust often depends on an administrator’s ability to rapidly restore a corrupted database, reroute network traffic, or push a critical update to thousands of servers. In the wrong hands, however, such unrestricted permissions have the potential to do an equal or greater amount of harm. A malicious actor possessing a set of administrator credentials might instead choose to exfiltrate sensitive data for future sale on the dark web, make proprietary prototype details publicly available, or push zero-day malware to unpatched devices. Privileged credentials are, undeniably, the keys to an organization's kingdom.

 

Solutions capable of effectively delivering such capabilities require both platform-specific skillsets and in-depth knowledge of applied PAM strategy. Much as misconfiguring a firewall rule can misroute or refuse valid network traffic, misconfiguring a PAM platform can result in authentication failures leading to business process failures (e.g., payment processing), the inability of systems administrators to utilize elevated credentials to deliver support properly and other costly business disruptions.

 

Additionally, PAM platforms are not “set it and forget it” monoliths. As organizational needs evolve and new processes, roles and applications are introduced, an organization’s PAM platform must evolve in parallel to reflect the current state.

 

For organizations that do not yet have a formalized identity access management (IAM) program or are currently attempting to manage their identity tech stacks through a more generalist security team, building in-house identity knowledge and skill sets can prove costly and time prohibitive. CyberSeek, a project partially funded by the National Initiative for Cybersecurity Education, estimates approximately 600K unfilled cybersecurity job openings.

 

The same source estimated the total U.S. cybersecurity workforce at just over one million. This means approximately 38% of current cybersecurity labor demand remains unmet: a shortfall that is unlikely to change soon. The Bureau of Labor Statistics’ 2020-2030 Employment Projections predicts job growth over four times that of the broader job market over the next decade, suggesting the gap in security talent will only continue to widen over the coming years.

 

[Image: Infographic representing that 38% of current cybersecurity labor demand remains unmet]

 

However, such metrics categorize cybersecurity skill sets in generic terms, failing to accurately represent the need for knowledge and experience in specific cybersecurity technologies. Thus, the skill sets needed to support a PAM solution are not well quantified by available labor market statistics but are assuredly far rarer than what even the broader cybersecurity labor market would indicate. Such acute scarcity, as dictated by fundamental laws of supply and demand, drives resource costs up significantly, often well beyond what the modest budgets of smaller security organizations can bear.

 

 

 

Managed PAM and PAMaaS Reduce Cost and Complexity

 

Most businesses will benefit from a fully managed PAM or PAMaaS solution. Instead of internally hiring experts to manage a PAM cybersecurity solution's infrastructure, complexity and scope, you are better off investing time and effort into building your core offering and differentiating it from the competitors.

 

Optiv offers a lightweight, affordable and modern PAM cybersecurity solution that delivers best-in-class capabilities managed by a team of seasoned identity engineers with top-level technology certifications and decades of combined Identity management experience.

 

Check out our managed privileged access management service or contact us with your custom requirements.

Ben Radcliff
Director, Cyber Operations | Optiv
Ben Radcliff is a security practitioner with over a decade of experience in security and IT operations. As Director of Security Operations within Optiv’s Cyber Defense and Applied Security group, Ben currently supports a large team of security professionals across a wide array of sub-disciplines including Identity and Access Management, Vulnerability Analysis, Public Key Infrastructure, and perimeter security. Ben joined Optiv in 2019 to lead Optiv’s nascent Managed Identity Practice, where he helped develop and mature Optiv’s Privileged Access and Identity Governance managed service capabilities. He holds a Master of Science degree in Cybersecurity and Information Assurance from Western Governors University.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
