Identity, Content

How Privileged Access Management (PAM) Must Evolve

Digitally generated image of man standing on staircase in front of neon portal. Concept of chosing the right path.

As organizations continue to migrate critical services and data to cloud providers to improve operational resiliency, efficiency and cost saving, the typical data infrastructure footprint continues to expand in both scale and complexity.

Organizations that had previously operated in a handful of data centers with nearby offices now, through the adoption of cloud-based solutions and third-party integrations, must adapt to secure sensitive systems and data replicated across hundreds of third-party platforms on often-opaque physical infrastructure.

At the same time, accelerated by a global pandemic and the subsequent Great Resignation, organizations face unprecedented pressure to embrace workforce decentralization and BYOD policies, compounding the difficulty of drawing even a logical line between an organization’s critical data and the rest of the world.

Zero Trust and Role-Based Access Control (RBAC)

This progressive confusion of where data physically resides has led to a reformulation of a security strategy that emphasizes a context-based approach to data access. A critical component of a context-based Zero Trust strategy is role-based access control (RBAC). A well-defined RBAC hierarchy, combined with identity governance processes and automation, helps create an authoritative source to the question, “Who should have what access and when.”

However, not all entities that access critical data readily conform to the RBAC models or identity governance processes. For example, non-person identities – machine and service accounts responsible for processing data as part of automated workflows – do not follow the same lifecycle an end-user does and do not generally conform to RBAC models based on specific job functions.

Similarly, high-level administrator accounts – those with root-level access to entire Active Directory forests, server farms, database clusters, production cloud tenants, etc. – are typically distinct credential sets from ordinary daily login profiles that, while able to conform to RBAC and identity governance, often possesses such broadly unfettered access that they can defeat many of the security controls that would typically restrict a non-elevated account.

Preservation of uninterrupted business operations and client trust are often directly dependent on an administrator’s ability to rapidly restore a corrupted database, reroute network traffic, or simultaneously push a critical update to thousands of servers.

In the wrong hands, however, such unrestricted permissions have the potential to do an equal or greater amount of harm. A malicious actor possessing a set of administrator credentials might instead choose to exfiltrate sensitive data for future sale on the dark web, make proprietary prototype details publicly available, or push zero-day malware to unpatched devices. Privileged credentials are undeniably, the keys to an organization's kingdom.

cpi-pamass-must-evolve-blog-credentials-data-breach@2x-100

Verizon’s 2021 Data Breach Investigations Report revealed 61% of 5000+ confirmed data breaches involved credentials. Various other sources estimate somewhere between 80 and 90% of data security breaches are due to stolen and/or misused credentials, the higher figures encompassing a broader array of cases including malicious internal actors and accidental misuse. And while many security solutions focus on the strength of encryption algorithms that render any intercepted password hash unusable, the most common attack pattern used to obtain stolen credentials is social engineering, comprising over a third of all analyzed attack patterns according to Verizon’s report.

This data suggests that, unlike the clumsy amateur phishing attempts caught by most spam filters, spear phishing is a proven and effective method for gaining unauthorized access to data when properly executed by a clever attacker.

Privileged Access Management (PAM) Overview

Privileged access management solutions are designed specifically with the above threats in mind. Automated password rotation, a key feature of PAM, significantly reduces the possibility of a successful spearfishing attack against an unwary employee or contractor by removing the password itself as something a user knows. An attacker masquerading as a help desk employee or senior executive to pressure a user into sharing their password would be met first with confusion (“I don’t have that information.”) and then mistrust (“Who is this really? You should know I don’t have this information.”) at the request.

Another PAM feature, dual access control, allows for a form of just-in-time provisioning and separation of duty specific to high-risk credentials. To check out a password for a privileged account, an administrator must initiate a checkout process in which another party must review and approve the checkout request before the administrator can obtain the password. Privileged session monitoring in PAM takes auditability to a whole new level of transparency and accountability, recording every keystroke and mouse movement and archiving the recorded session for future review. Such capabilities make malicious actions extremely difficult to hide even when performed by capable and determined internal actors with complex systems and organizational knowledge. And because these controls can be applied to conventional credentials sets and API keys, hashes, and certificates, PAM is not wholly dependent upon RBAC or identity governance to deliver an effective security control for high-risk credentials and secrets.

PAM Platforms Require Cyber Management Pros

Solutions capable of effectively delivering such capabilities require both platform-specific skillsets and in-depth knowledge of applied PAM strategy. Much as misconfiguring a firewall rule can misroute or refuse valid network traffic, misconfiguring a PAM platform can result in authentication failures leading to business process failures (e.g., payment processing), the inability of systems administrators to utilize elevated credentials to deliver support properly, and other costly business disruptions.

Additionally, PAM platforms are not “set it and forget it” monoliths. As organizational needs evolve and new processes, roles and applications are introduced, an organization’s PAM platform must evolve in parallel to reflect the current state.

For organizations that do not yet have a formalized identity access management (IAM) program, or are currently attempting to manage their Identity tech stacks through a more generalist security team, building in-house identity knowledge and skillsets can prove both costly and time prohibitive.

CyberSeek, a project partially funded by the National Initiative for Cybersecurity Education, estimates approximately 600K unfilled cybersecurity job openings to-date. For context, the total U.S. cybersecurity workforce is estimated by the same source at just over one million. This means approximately 38% of current cybersecurity labor demand remains unmet: a shortfall that is unlikely to change any time soon. The Bureau of Labor Statistics’ 2020-2030 Employment Projections predicts job growth over four times that of the broader job market over the next decade, suggesting the gap in security talent will only continue to widen over the coming years.

However, such metrics tend to categorize cybersecurity skillsets in fairly general terms, failing to accurately represent the need for knowledge and experience in specific cybersecurity technologies. Thus, the skillsets needed to support a PAM solution are not well quantified by available labor market statistics but are assuredly far rarer than what even the broader cybersecurity labor market would indicate. Such acute scarcity, as dictated by fundamental laws of supply and demand, drives resource costs up significantly, often well beyond what the modest budgets of smaller security organizations can bear.

What Is Privileged Access Management as-a-Service (PAMaaS)?

The solution: PAM strategy assessments complemented by expert automation and management in Privileged Access Management as-a-Service (PAMaaS). This offers a lightweight, affordable solution that delivers best-in-class PAM capabilities managed by a team of seasoned identity engineers with top-level technology certifications and decades of combined Identity experience.

It’s time for your PAM program to evolve into one that can holistically secure and administer privileged credentials in the cloud via end-to-end planning, organizational change management, technology implementation and ongoing management services. Check out PAMaaS to learn more.


Author Ben Radcliff is director of cybersecurity operations at Optiv, the cybersecurity consulting and solutions provider. Read more Optiv blogs here.

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.

You can skip this ad in 5 seconds