5 Common Privileged Access Management Mistakes

What are the five most common privileged access management (PAM) mistakes? How can you avoid those mistakes and make your enterprise’s identity and access management stronger? What can you do to support your business cybersecurity through PAM? 

Your enterprise may not notice the privileged access management mistakes lurking in its cybersecurity infrastructure. However, you should, and immediately at that. These privileged access management mistakes don’t just cause minor communication problems or employee disputes. A single issue with your PAM could easily become the root of a significant and devastating data breach. After all, over 70 percent of data breaches begin with compromised privileged credentials, according to Centrify. 

Most of these mistakes stem from misunderstanding proper deployment strategies or how to use a PAM solution's capabilities. You need to correct the privileged access management mistakes facing your enterprise. Here’s how:

The Five Common Privileged Access Management Mistakes     

1. Failing to Discover All Privileged Accounts

One of the most common privileged access management mistakes involves visibility; as always, visibility can make or break your enterprise’s cybersecurity. Generally, you can’t protect what you can’t see, and this includes privileged accounts. 

However, so many enterprises fail to even look for all of the privileged accounts connecting to their networks. Indeed, Thycotic found that nearly three-fourths of enterprises fail to discover all of the privileged access accounts in their networks. Also, 40 percent never bother to look for all of their network’s privileged accounts. 

Often, the problem facing enterprises, in this case, involves legacy privileged access management solutions. Sticking with a PAM solution which can’t offer you next-generation capabilities, such as improved visibility, leaves you vulnerable. Additionally, legacy solutions rarely possess the threat intelligence necessary for proper identity and access management. 

One way you can solve privileged access management mistakes like this is through integration with other targeted identity management solutions. For example, identity governance can pair with PAM solutions to identify all connecting users and their permissions.

Additionally, a next-generation solution can help ensure proper and prompt offboarding processes; a failure to offboard employees and users tends to cause the majority of unmonitored accounts and orphaned accounts.  

This discussion leads nicely to a different but still dangerously frequent mistake…     

2. Not Properly Provisioning (The Principle of Least Privilege)

So many enterprises make this mistake with their PAM; they assume privileged credentials exist in a vacuum, rather than as a part of both your network infrastructure and your business processes. The permissions and privileges each user holds directly affect how they complete their everyday job roles but also how others complete their jobs. 

Let’s take a look at one example. Alice needs to fill out Form One to send to Beth. Beth needs to verify it to send it to their Client. However, if Alice can’t access Form One, or can’t access the information needed to complete it, then she stays stuck. Moreover, Beth also becomes stuck waiting for the Form, which probably doesn’t endear her to the Client. So the whole workflow becomes clogged up due to privileged access management mistakes; let’s not forget your IT Team also needs to take the time to give Alice the proper permissions to do her job. 

Of course, the opposite problem can prove just as, if not more, troublesome and dangerous. In this scenario, Alice receives privileges to a database for Form Four. Alice doesn’t need access to this database—her workflows never involve it. Alice now has privileges way beyond her job title, and this can pose a serious risk. She could initiate an insider threat if she feels sufficiently wronged. If a hacker ever gets her credentials, they can inflict far more damage on your enterprise. 

So your privileged access management must enforce the Principle of Least Privilege; this guideline ensures users only have the permissions they absolutely need to fulfill their roles. Of course, this minimizes the damage credential misuse can cause on your network. It also helps guide initial provisioning during onboarding.
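An entitlement review applied to the Alice and Beth scenario above, as an added example that is not part of the original article; the role names, permission strings and the un-offboarded account `carol` are constructed for illustration. It flags both failure modes this section describes (missing and excess permissions) as well as the orphaned accounts mentioned under mistake 1.

```python
# Constructed sample data modelled on the article's Alice/Beth scenario.
# Role names, permission strings and the account "carol" are assumptions.
ROLE_REQUIRES = {
    "form_preparer": {"form_one:write", "customer_data:read"},
    "form_verifier": {"form_one:read", "form_one:approve"},
}
# HR roster: the source of truth for who is active and in which role.
ACTIVE_ROSTER = {"alice": "form_preparer", "beth": "form_verifier"}
# What a directory or PAM export reports each account actually holds.
GRANTED = {
    "alice": {"form_one:write", "form_four_db:admin"},
    "beth": {"form_one:read", "form_one:approve"},
    "carol": {"form_four_db:admin"},  # left the company, never offboarded
}


def review_entitlements(role_requires, roster, granted):
    """Compare held permissions with what each account's role requires."""
    findings = {}
    for account in sorted(set(granted) | set(roster)):
        held = granted.get(account, set())
        role = roster.get(account)
        if role is None:
            # No active owner: every permission on the account should go.
            findings[account] = {"status": "orphaned",
                                 "revoke": sorted(held), "grant": []}
            continue
        needed = role_requires[role]
        excess = sorted(held - needed)    # over-provisioned: wider blast radius
        missing = sorted(needed - held)   # under-provisioned: workflow stalls
        if excess and missing:
            status = "excess_and_missing"
        elif excess:
            status = "excess"
        elif missing:
            status = "missing"
        else:
            status = "ok"
        findings[account] = {"status": status, "revoke": excess, "grant": missing}
    return findings


if __name__ == "__main__":
    for account, finding in review_entitlements(
            ROLE_REQUIRES, ACTIVE_ROSTER, GRANTED).items():
        print(account, finding)
```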

3. Failing to Deploy Multifactor Authentication (MFA)

You need to consider multifactor authentication an essential component of your modern identity and access management. Many privileged access management mistakes begin with failing to recognize this. 

The general rule of thumb concerning authentication states the more layers between request and access, the more secure the data remains. For example, hackers can easily circumvent and bypass a single-factor authentication process. Since the majority of these use passwords, hackers now possess multiple tools to exploit passwords—phishing, social engineering, crackers, credential stuffing, etc. 

Even adding one more layer to your identity management increases the security of your credentials. Adding as many as five layers could make your enterprise seem nigh-impervious to the majority of threat actors. Moreover, this doesn’t have to negatively impact your business processes—many authentication protocols do not require active factor input. These include time-of-access request monitoring and geofencing.

Additionally, next-generation privileged access management offers you an opportunity to enact continuous authentication and session management. Only enforcing privileged access management at the login portal can actually leave you vulnerable in the long term. Hackers could compromise the credentials (even in MFA systems with enough time and resources). Once they get past your perimeter, you should have tools in place to evaluate their validity and make sure they use their privileges appropriately. 

4. Becoming Overconfident in Your PAM

Obviously, you should never take your cybersecurity for granted. After all, due to the evolution of the threat landscape, cybersecurity functions better as a marathon than a sprint. Yet so many enterprises continue to feel overconfident in their cybersecurity, especially in their privileged access management.

Indeed, a recent study by Centrify and TechVangelism found a majority of enterprises fail to enact major privileged access management capabilities. For example, 52 percent of enterprises don’t use a password vault, and 79 percent of enterprises don’t have a mature PAM platform. However, simultaneously 93 percent express the belief they can handle threats to their privileged access.

Of course, this constitutes one of the most insidious privileged access management mistakes enterprises make. You cannot neglect to deploy the latest identity management and privileged identity capabilities; simply believing in yourself does not make you capable of deflecting attacks on your privileged credentials.

Instead, work with your IT security team to determine what they need to keep your enterprise safe and make sure to provide them with those capabilities. The short term cost and learning curve are ultimately small prices to pay for increased security.       

5. Believing in Antivirus

Of course, some of the most popular privileged access management mistakes begin in ignorance. Chiefly, some enterprises assume legacy antivirus solutions protect their users or form a solid cybersecurity foundation. Unfortunately, they couldn’t be any more incorrect in their assumptions.

In fact, not only does antivirus not offer you protection at your login portals, it can’t even fortify your digital perimeter properly. Antivirus only belongs as a capability of your endpoint security, not as a consideration of your identity management. Instead, identity security must form your digital perimeter, with privileged access management as a critical component. 

The era of antivirus has long since passed. The era of identity is only just beginning, and privileged access management leads the charge.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.