Why security teams cannot neglect privileged access management
Christopher Owen, CTO, NetGraph, writes on why, with the right approach, PAM represents a crucial line of defence in its ability to stall an attacker’s progress through a network
The widespread inability and refusal of organisations to effectively deal with privileged access management (PAM) is alarming to say the least.
Recklessly granting employees unnecessary access to business-critical systems and data is analogous to parents giving their young child a set of house keys, their social security numbers and bank passwords – it’s senseless and is just asking for trouble.
Privileged access management essentially serves as the key to an organisation’s most important digital assets – get it wrong and it will always constitute a critical vulnerability that is ripe for exploitation and abuse from disgruntled and careless employees.
Various high-profile data breaches have been the result of sub-standard access monitoring – Marriott International was just one example of a global brand that paid a heavy price, with records of 380 million customers leaked in 2019. Heavy fines beckoned.
Forrester estimates that 80% of security breaches involve the misuse or abuse of privileged credentials. The average cost of a data breach is $3.92 million, according to the Ponemon Institute, while One Identity research reveals that 86% of organisations do not change administrative passwords after each use, and, worse still, 40% have never even changed their default administrative passwords.
The reality is that complacency around PAM creates an attractive prospect for attackers – it represents one of the most direct and devastating ways to infiltrate a network. Not only are access vulnerabilities relatively easy for hackers to exploit, they are also much harder for organisations to monitor or anticipate as most insider threats are the result of user ignorance, not malicious activity.
The challenges associated with PAM aren’t going away. Granting access across large organisations is becoming more complex, with a broader range of business units needing access to a wider range of shared virtual resources. Hundreds of routine tasks that are now entrusted to IT systems also require privileged access, and the problem is only becoming more complex.
Security teams are in a difficult position – they don’t want to be seen as a cause of friction, as a function that deliberately chooses to deny employees access to certain resources. Get in the way, and you’re perceived as an inhibitor, a nuisance that stops progress.
The alternative? A cavalier approach to granting access, which can result in significant damage to the business. Mismanaged PAM makes it easy for attackers to manoeuvre through an organisation’s network once they have gained access.
The flip side of this is that with the right approach, PAM represents a crucial line of defence in its ability to stall an attacker’s progress through a network, in many cases nullifying the threat they pose by preventing them from accessing a higher level of privilege.
Monitoring the use of privilege through behaviour analytics is essential. This provides insight to security teams that can save them months in the time it takes them to detect and then mitigate threats. Having a means to report on and map out activity from privileged accounts on devices, systems and applications is absolutely essential, while responsible IT governance provides a framework for doing things the right and responsible way.
As with so many necessary processes that cause IT security teams chronic headaches, the option of using managed security services should always be top of mind. This gets rid of the associated heavy lifting and allows security experts – who already have their hands full – to allocate their time towards fighting other, more imminent threats.