Today, businesses everywhere are investing in infrastructure to support growth – whether that’s moving to the cloud or automating tasks and processes. However, the newly introduced devices, application stacks and accounts that come with this modernization all present additional opportunities for attacker exploitation. For any organization – big or small – identifying and addressing security risks across this expanding attack surface can be a formidable challenge.
Privileged access management (PAM) programs that secure pathways to critical business information are foundational to an effective corporate cybersecurity program. Why? Attackers view privileged accounts as one of the best ways to gain a foothold within an organization’s infrastructure. In fact, the vast majority of cyber attacks involve compromised privileged credentials and PAM solutions provide a critical layer of defense.
But, while securing privileged access consistently tops the lists of projects that can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Today, we’re going to bust five of the most prevalent PAM myths.
Myth #1: Because privileged access exists everywhere, it is impossible to secure.
While the scope of privileged access can be intimidating based on the complexity of your environment, dedicated PAM solutions and related policies can actually shrink the attack surface by shutting down pathways to critical resources.
Leading PAM solutions can automatically map privileged credentials across cloud and hybrid environments, saving security teams significant time and effort. And for those unsure of where privileged accounts exists, there are free tools like CyberArk Discovery & Audit to help organizations gain visibility into their privileged account landscape.
Additionally, modern PAM tools also incorporate automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.
Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable metadata for compliance and incident response teams and leverage user behavior analytics to automatically detect and suspend risky privileged sessions.
The impossible just became achievable. Between account mapping, automatic credential rotation and detailed session monitoring, privileged access can be uncovered, managed and secured.
Myth #2: Privileged access management tools are challenging for administrators to manage.
That may have been true in the past, but today’s PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage privileged credentials. In increasingly dynamic network environments, centrally locating the necessary tools to appropriately manage users’ privileged access can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.
Especially as organizations move to the cloud, PAM tools can be particularly useful to address emerging risks of cloud migration. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities. Having holistic tools in place to discover risks associated with privileged access can improve an organization’s security posture.
Myth #3: Identity and Access Management (IAM) solutions are sufficient to protect privileged access.
It’s true that IAM tools and Multi-Factor Authentication (MFA) methods are strategic investments – but they do not replace the value of a PAM solution. PAM solutions can independently protect privileged accounts with human and non-human identities like application accounts used in robotic process automation (RPA) or DevOps – something IAM solutions simply aren’t designed to do.
Focused on risk reduction, PAM tools can also protect privileged business users from sophisticated social engineering attacks capable of bypassing MFA. Most importantly, IAM tools require direct connection to user databases like Active Directory (AD). These connections are often hosted on-premises. If any on-premises server is compromised, attackers can gain control over AD to implement Kerberos attacks, such as Golden Ticket, and exist undetected in a company’s network. PAM can provide a vital security layer for servers hosting IAM’s direct connection to user databases like AD.
To create a strong enterprise security fabric, IAM systems and PAM solutions should be deployed as collaborative tools.
Myth #4: Privileged Access Management solutions interfere with operational efficiency.
The truth is that the daily tasks of most workers don’t require elevated privileges – and therefore PAM solutions won’t impact them at all. For those who do require elevated privileges, leading PAM tools offer a variety of user-friendly formats, including RDP, SSH and web-native access, to provide credential vaulting and session management in the background of their daily workflows. Native and transparent access provides organizations with comprehensive privileged session recordings while minimizing disruption for end users.
In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects. Audit teams can achieve the same benefits by automating compliance tasks — especially in highly regulated industries like healthcare and banking. Manually sorting through all sessions that involve privileged credentials to find high-risk activity can be extremely time consuming. PAM solutions can automate these tasks and identify risky behavior for audit teams, freeing them up to spend their time on other critical tasks.
Modern PAM solutions can actually be a boon to operational efficiency – not an impairment.
Myth #5: It’s Difficult to Calculate ROI for Privileged Access Management solutions.
The average cost of a data breach in 2019 came in at nearly $4 million dollars. Notably, this figure does not include the additional costs of lost business from reputation damage and theft of intellectual property. Privileged access is a focal point for organizations to demonstrate where security solutions can have a high impact.
In any security program, cost-efficiency is key. Organizations must take a risk-based approach, applying finite resources where they can achieve quick wins and long-lasting impact. And it’s in this area where PAM solutions can really shine. PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.
After deploying a PAM solution, organizations can scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account that has been discovered, secured and protected by a PAM solution is a direct reduction in the exposed attack surface and proof of ROI.
Effective security starts with protecting an organization’s most valuable information, and as a common target in most cyber attacks, unmanaged and unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials — improving an organization’s response time to in-progress attacks.
Furthermore, many PAM solutions can PAM solutions can integrate with other enterprise software solutions – from IoT device gateways DevOps tools and network devices to vulnerability management systems – enhancing their value and streamlining security operations on the whole.