Privileged Access Management and Identity Hygiene


In cybersecurity we tend to think of privileged access management (PAM) and identity and access management (IAM) as two separate fields. Sometimes PAM is treated as a branch of the identity management tree rather than as a fully fledged subsector of cybersecurity. From a certain perspective this philosophy makes sense, yet it can hamper your identity hygiene efforts.

Privileged access management can serve as a guiding principle for your identity and access management platforms, allowing for a top-down approach that can improve your enterprise’s identity hygiene and therefore create a more secure IT environment.

What is identity hygiene? And how can PAM help specifically? Here’s what you need to know:

By the Numbers: Privileged Access Management

Before diving into identity hygiene best practices, we need to get a sense of the current state of enterprise-level privileged access management. Some key statistics include:

  • 81% of hacking-related data breaches utilize stolen or weak passwords, according to Identity Automation.
  • The global average cost of a data breach is $3.62 million.  
  • 54% of enterprises still use paper or an Excel spreadsheet to store their privileged credentials.
  • 44% of data breaches involved privileged access credentials, according to Balabit.
  • Only 41% of those privileged accounts are assigned to permanent internal employees. The majority are assigned to third-party actors.
  • 71% of enterprises stated the number of privileged accounts increased over the past year.
  • Only 48% of enterprises can account for all of their internal privileged access credentials, and only 44% can account for third-party privileged access.

PAM Facilitates Digital Identity Hygiene Best Practices

Identity hygiene relates to how your enterprise handles the credentials of both internal and external actors: ensuring that digital identities have access appropriate to their positions, that the users behind those identities are who they say they are, and that both are monitored. Without adequate identity hygiene, the chances of an external hacker obtaining those credentials, or of an insider threat occurring, increase substantially. That is never a good thing.

Privileged access management’s key capabilities can improve your enterprise’s digital identity hygiene significantly by allowing for greater visibility into user credentials and granular control over them.

Those PAM key capabilities include:

Administrative Control and Role Management

One of the key benefits of privileged access management is the insight it gives into your enterprise's IT environment through its inherent administrative controls. For example, the different departments in your enterprise require privileged accounts for their leaders: the CEO will need privileged access, as will your IT director and CFO.

Yet each will need their own distinct privileged credentials: the CEO doesn't need the same permissions as the IT director. Giving blanket privileges to all privileged users is asking for trouble: it opens the door to potential insider threats, whether accidental or deliberate, and makes these credentials prime targets for external cybercriminals.

Privileged access management can help enforce identity hygiene best practices by delegating privileged permissions to individual roles rather than to people. This prevents permissions creep (an individual continuing to accumulate privileges as they move through your enterprise), which can increase the chances of an insider threat. Furthermore, the administrative controls offered by PAM allow for greater visibility into your permissions, including who has what access and when they are using it. Thus PAM allows your IT security team to adjust or revoke permissions when they see a discrepancy, improving your enterprise's overall identity hygiene.

Removing Orphaned Privileged Accounts

An orphaned account is one that still exists on your enterprise's networks even though the user no longer works at your enterprise or no longer uses those credentials. For privileged access management, an orphaned account is a nightmare for security teams: highly privileged credentials with no user to monitor their behavior or notice discrepancies lay out the welcome mat for hackers. They are identity hygiene disasters, the equivalent of ignoring a symptom of an illness.

Privileged access management solutions repair this damage by allowing IT security teams to evaluate the privileged accounts on your networks, find orphaned accounts, and remove them. It’s certainly the easiest way to improve your identity hygiene.

Employing the Least Privilege Principle

Related to the capabilities above, the principle of least privilege is a model in which each user on your network has only the permissions they absolutely need to perform their role, and no more. This means preventing permissions creep, as mentioned above, as well as revoking privileges that users don't need and granting temporary privileges only for as long as a project requires them.
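The three practices above (role-based delegation, finding orphaned accounts, and least privilege with time-bound grants) can be checked together over a privileged-account inventory. The following audit is an added example, not code from the original post or from any PAM product; the role table, employee IDs, permission names and account records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Approved permissions per role (constructed): privileges belong to roles, not people.
ROLE_PERMISSIONS = {
    "ceo": {"read_financials", "approve_budget"},
    "it_director": {"read_financials", "admin_servers", "manage_users"},
    "cfo": {"read_financials", "approve_budget", "manage_payroll"},
}

@dataclass
class PrivilegedAccount:
    name: str
    owner: str          # employee ID of the person accountable for the credential
    role: str
    permissions: set
    last_used: date
    temp_grants: dict = field(default_factory=dict)  # permission -> expiry date

def audit(accounts, active_employees, today, stale_after=timedelta(days=90)):
    """Return identity-hygiene findings keyed by account name."""
    findings = {}
    for acct in accounts:
        issues = []
        # Orphaned: the owner has left, or nobody has used the credential recently.
        if acct.owner not in active_employees:
            issues.append("orphaned: owner not in HR roster")
        elif today - acct.last_used > stale_after:
            issues.append("orphaned: unused for %d days" % (today - acct.last_used).days)
        # Permissions creep: anything beyond the role's set without a still-valid temporary grant.
        for perm in sorted(acct.permissions - ROLE_PERMISSIONS.get(acct.role, set())):
            expiry = acct.temp_grants.get(perm)
            if expiry is None:
                issues.append("creep: %s not approved for role %s" % (perm, acct.role))
            elif expiry < today:
                issues.append("expired temporary grant: %s (expired %s)" % (perm, expiry))
        if issues:
            findings[acct.name] = issues
    return findings

# Constructed sample inventory and HR roster, not real data; e300 has left the company.
TODAY = date(2024, 6, 1)
ACTIVE_EMPLOYEES = {"e100", "e200"}
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("svc_ceo", "e100", "ceo", {"read_financials", "approve_budget"}, date(2024, 5, 20)),
    PrivilegedAccount("adm_itdir", "e200", "it_director", {"read_financials", "admin_servers",
                      "manage_users", "approve_budget", "manage_payroll"}, date(2024, 5, 30),
                      {"manage_payroll": date(2024, 4, 30)}),
    PrivilegedAccount("adm_former_cfo", "e300", "cfo", {"read_financials", "manage_payroll"}, date(2024, 1, 5)),
]
```

Running `audit(SAMPLE_ACCOUNTS, ACTIVE_EMPLOYEES, TODAY)` flags the former CFO's account as orphaned and the IT director's account for one permission outside its role plus one temporary grant that was never revoked, while the CEO's account passes.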

The principle of least privilege is a key component of identity hygiene, as it maintains tight control over privileges and permissions within your network. That's what privileged access management boils down to: better control.

Identity hygiene is about tight control as well—almost like a digital diet. It takes discipline and constant vigilance to do it properly, and the habits have to be maintained. Privileged access management can help you maintain that control.

Is it time for you to start your digital diet?

For more information, you can download the Gartner Best Practices for Privileged Access Management Report courtesy of Centrify.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.