Your Privileged Access Management (PAM) Must Evolve

April 11, 2022

  • Privileged accounts are the keys to every organization’s kingdom and access to them is a priority for hackers (high payback)
  • A robust and effective privileged access management (PAM) program can be a heavy lift, requiring specific features and hard-to-find skillsets
  • Organizations need to holistically secure and administer privileged credentials via end-to-end planning, the leveraging of AI and other technology, and ongoing skilled management

Part One in a Series

As organizations continue to migrate critical services and data to cloud providers to improve operational resiliency, efficiency and cost saving, the typical data infrastructure footprint continues to expand in both scale and complexity. Organizations that had previously operated in a handful of data centers with nearby offices now, through the adoption of cloud-based solutions and third-party integrations, must adapt to secure sensitive systems and data replicated across hundreds of third-party platforms on often-opaque physical infrastructure. At the same time, accelerated by a global pandemic and the subsequent Great Resignation, organizations face unprecedented pressure to embrace workforce decentralization and BYOD policies, compounding the difficulty of drawing even a logical line between an organization’s critical data and the rest of the world.

This progressive blurring of where data physically resides has led to a reformulation of security strategy that emphasizes a context-based approach to data access. A critical component of a context-based Zero Trust strategy is role-based access control (RBAC). A well-defined RBAC hierarchy, combined with identity governance processes and automation, helps create an authoritative answer to the question, “Who should have what access, and when?” However, not all entities that access critical data readily conform to RBAC models or identity governance processes. For example, non-person identities – machine and service accounts responsible for processing data as part of automated workflows – do not follow the same lifecycle an end user does and do not generally conform to RBAC models based on specific job functions. Similarly, high-level administrator accounts – those with root-level access to entire Active Directory forests, server farms, database clusters, production cloud tenants, etc. – are typically distinct credential sets from ordinary daily login profiles. While these accounts can conform to RBAC and identity governance, they often possess such broad, unfettered access that they can defeat many of the security controls that would normally restrict a non-elevated account. Preservation of uninterrupted business operations and client trust is often directly dependent on an administrator’s ability to rapidly restore a corrupted database, reroute network traffic, or simultaneously push a critical update to thousands of servers. In the wrong hands, however, such unrestricted permissions have the potential to do an equal or greater amount of harm. A malicious actor possessing a set of administrator credentials might instead choose to exfiltrate sensitive data for future sale on the dark web, make proprietary prototype details publicly available, or push zero-day malware to unpatched devices. Privileged credentials are, undeniably, the keys to an organization's kingdom.

Verizon’s 2021 Data Breach Investigations Report revealed 61% of 5000+ confirmed data breaches involved credentials. Various other sources estimate somewhere between 80 and 90% of data security breaches are due to stolen and/or misused credentials, the higher figures encompassing a broader array of cases including malicious internal actors and accidental misuse. And while many security solutions focus on the strength of encryption algorithms that render any intercepted password hash unusable, the most common attack pattern used to obtain stolen credentials is social engineering, comprising over a third of all analyzed attack patterns according to Verizon’s report. This data suggests that, unlike the clumsy amateur phishing attempts caught by most spam filters, spear phishing is a proven and effective method for gaining unauthorized access to data when properly executed by a clever attacker.

Privileged access management solutions are designed specifically with the above threats in mind. Automated password rotation, a key feature of PAM, significantly reduces the possibility of a successful spear phishing attack against an unwary employee or contractor by removing the password itself as something a user knows. An attacker masquerading as a help desk employee or senior executive to pressure a user into sharing their password would be met first with confusion (“I don’t have that information.”) and then mistrust (“Who is this really? You should know I don’t have this information.”). Another PAM feature, dual access control, allows for a form of just-in-time provisioning and separation of duty specific to high-risk credentials. To check out a password for a privileged account, an administrator must initiate a checkout process in which another party reviews and approves the request before the administrator can obtain the password. Privileged session monitoring in PAM takes auditability to a new level of transparency and accountability, recording every keystroke and mouse movement and archiving the recorded session for future review. Such capabilities make malicious actions extremely difficult to hide even when performed by capable and determined internal actors with deep knowledge of the organization and its systems. And because these controls can be applied to conventional credential sets as well as API keys, hashes, and certificates, PAM is not wholly dependent upon RBAC or identity governance to deliver an effective security control for high-risk credentials and secrets.
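As an added illustration (not code from this post or from any PAM product), a hypothetical Python model of the dual-control checkout and rotate-on-check-in flow described above: the password is released only after a second person approves, the requester cannot approve their own request, the account cannot be double-checked-out, and check-in rotates the secret so the value that was released is dead. Account and user names are constructed.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Checkout:
    account: str
    requester: str
    approver: Optional[str] = None
    password: Optional[str] = None  # released only after a second person approves
    returned: bool = False

class PamVault:
    # Hypothetical vault model: dual-control checkout, rotation on check-in, audit trail
    def __init__(self, accounts: List[str]) -> None:
        self.secrets: Dict[str, str] = {a: new_password() for a in accounts}
        self.checkouts: Dict[str, Checkout] = {}
        self.audit: List[Tuple[str, str, str]] = []

    def request(self, account: str, requester: str) -> Checkout:
        active = self.checkouts.get(account)
        if active is not None and not active.returned:
            raise PermissionError(f"{account} already checked out by {active.requester}")
        self.checkouts[account] = Checkout(account, requester)
        self.audit.append(("request", account, requester))
        return self.checkouts[account]

    def approve(self, account: str, approver: str) -> str:
        co = self.checkouts[account]
        if approver == co.requester:
            raise PermissionError("separation of duty: requester cannot approve own checkout")
        co.approver, co.password = approver, self.secrets[account]
        self.audit.append(("approve", account, approver))
        return co.password

    def checkin(self, account: str) -> bool:
        # Returning the credential rotates it, so the password just used is now worthless
        co = self.checkouts[account]
        previous = self.secrets[account]
        self.secrets[account] = new_password()
        co.returned = True
        self.audit.append(("checkin+rotate", account, co.requester))
        return self.secrets[account] != previous

def new_password(length: int = 24) -> str:
    # Vault-generated secret: no human chooses or memorises it
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The audit list is the minimal analogue of the session record: every request, approval and rotation is attributable to a named person.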

Solutions capable of effectively delivering such capabilities require both platform-specific skillsets and in-depth knowledge of applied PAM strategy. Much as misconfiguring a firewall rule can misroute or refuse valid network traffic, misconfiguring a PAM platform can result in authentication failures leading to business process failures (e.g., payment processing), the inability of systems administrators to utilize elevated credentials to deliver support properly, and other costly business disruptions. Additionally, PAM platforms are not “set it and forget it” monoliths. As organizational needs evolve and new processes, roles and applications are introduced, an organization’s PAM platform must evolve in parallel to reflect the current state.

For organizations that do not yet have a formalized identity and access management (IAM) program, or that are currently attempting to manage their identity tech stacks through a more generalist security team, building in-house identity knowledge and skillsets can prove both costly and time prohibitive. CyberSeek, a project partially funded by the National Initiative for Cybersecurity Education, estimates approximately 600K unfilled cybersecurity job openings to date. For context, the total U.S. cybersecurity workforce is estimated by the same source at just over one million. This means approximately 38% of current cybersecurity labor demand remains unmet: a shortfall that is unlikely to change any time soon. The Bureau of Labor Statistics’ 2020-2030 Employment Projections predict job growth over four times that of the broader job market over the next decade, suggesting the gap in security talent will only continue to widen over the coming years.

However, such metrics tend to categorize cybersecurity skillsets in fairly general terms, failing to accurately represent the need for knowledge and experience in specific cybersecurity technologies. Thus, the skillsets needed to support a PAM solution are not well quantified by available labor market statistics but are assuredly far rarer than what even the broader cybersecurity labor market would indicate. Such acute scarcity, as dictated by fundamental laws of supply and demand, drives resource costs up significantly, often well beyond what the modest budgets of smaller security organizations can bear.

The solution: PAM strategy assessments complemented by expert automation and management in Privileged Access Management as-a-Service (PAMaaS). This offers a lightweight, affordable solution that delivers best-in-class PAM capabilities managed by a team of seasoned identity engineers with top-level technology certifications and decades of combined Identity experience.

It’s time for your PAM program to evolve into one that can holistically secure and administer privileged credentials in the cloud via end-to-end planning, organizational change management, technology implementation and ongoing management services. Check out PAMaaS to learn more.

Ben Radcliff
Director, Cyber Operations | Optiv
Ben Radcliff is a security practitioner with over a decade of experience in security and IT operations. As Director of Security Operations within Optiv’s Cyber Defense and Applied Security group, Ben currently supports a large team of security professionals across a wide array of sub-disciplines including Identity and Access Management, Vulnerability Analysis, Public Key Infrastructure, and perimeter security. Ben joined Optiv in 2019 to lead Optiv’s nascent Managed Identity Practice, where he helped develop and mature Optiv’s Privileged Access and Identity Governance managed service capabilities. He holds a Master of Science degree in Cybersecurity and Information Assurance from Western Governors University.
