Privileged Access Management is More than Just Privileged Credentials

We speak with no hyperbole when we say privileged access management (PAM) is one of the most crucial aspects of any enterprise's digital identity platform and strategy. Industry research frequently attributes around 80% of enterprise data breaches to stolen or weak privileged credentials. Access creep in privileged accounts can render your entire network porous, and poor privileged access management raises the risk of insider threats as ordinary employees accumulate entitlements well beyond what their roles require.

Your privileged access credentials serve as the keys to your enterprise. Yet privileged access management is about more than just credentials, and your enterprise's identity security may hinge on understanding this.

Why is this the case?

Privileged Credentials For Sale

Unfortunately, security experts face a new reality in identity security and cybersecurity overall: attackers can obtain the credentials they need cheaply and easily. The proliferation of enterprise-level data breaches, reused or weak privileged credentials, and other poor identity security practices combine to make stolen credentials available for next to nothing. According to cybersecurity solution provider McAfee, privileged credentials for an airport security system sold on the dark web for only $10. Privileged account information for over 1 million UK law firm staff members was also found for sale.

In other words, an attacker or insider who wants into your network via credentials can often find a way without even running a phishing campaign. But privileged access management is not a lost cause. Far from it, in fact. According to identity and access management solution provider Centrify, C-level executives can improve their identity security by rethinking and reformatting their strategies.

How?  

Privileged Access Management for the New Age

The real issue at the heart of so many data breaches appears to be single-factor authentication: relying on passwords, notoriously insecure and much reviled by users, as the sole gate on an enterprise's identity security. With identity rapidly becoming the new IT perimeter, this will simply not do.

Instead, here are some privileged access management strategies for the new age. Keep in mind this list isn't exhaustive, nor does every strategy fit every enterprise's identity security needs:

Implement Zero Trust Security

Zero Trust Security rests on a simple foundation: presenting a valid privileged credential is not enough to verify a user's identity. Each request is checked against additional signals, such as device validation (is this a managed, healthy device?) and behavioral analysis, which can range from comparing a session against the user's typical working pattern to monitoring typing habits for discrepancies. Under zero trust, no login is trusted by default; every access is authenticated, authorized, and re-evaluated in context rather than trusted because it originated inside the network. A practical litmus test: a stolen password on its own should never be sufficient to reach a privileged resource.

Zero Trust Security is related to…

Implement the Principle of Least Privilege

No idea in modern privileged access management is as pervasive or as influential as the principle of least privilege. Under it, every user (super users included) holds only the access entitlements they absolutely need to perform their job functions. When users need additional permissions for a specific project, those permissions are granted only by the security team, scoped to the task, time-limited, and revoked when the window closes, ideally automatically rather than by someone remembering to do it. In other words, your HR department's privileged accounts shouldn't be able to reach the finance department's sensitive databases.

The principle of least privilege operates at the intersection of PAM and identity governance and administration (IGA), and it is the primary control against access creep. With it in place, even stolen privileged credentials can cause only localized damage rather than an enterprise-wide compromise, because the blast radius of each account is bounded by what it was entitled to do.
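To make the two preceding sections concrete, here is a deny-by-default access decision that combines the zero-trust checks (credential alone is not enough; MFA and device posture must also pass) with time-boxed, least-privilege entitlements. This is an added example, not code from the original article or from any vendor it mentions; the request fields, the entitlement store, the reason strings and the two-hour default TTL are assumptions chosen for illustration.

```python
"""Deny-by-default access decision: zero-trust signals plus time-boxed least privilege.

Added example; not code from the original article. Field names, reason strings
and the default TTL are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Grant:
    """One scoped entitlement. expires_at=None marks a standing, role-based grant."""
    principal: str
    resource: str
    actions: FrozenSet[str]
    expires_at: Optional[datetime] = None
    approved_by: Optional[str] = None


@dataclass
class Request:
    principal: str
    resource: str
    action: str
    password_ok: bool      # outcome of the knowledge-factor check
    mfa_ok: bool           # outcome of the possession/inherence-factor check
    device_verified: bool  # device posture / attestation passed
    at: datetime


class EntitlementStore:
    def __init__(self) -> None:
        self._grants: List[Grant] = []

    def add_standing(self, principal, resource, actions) -> None:
        """Baseline entitlement: the minimum the role needs every day."""
        self._grants.append(Grant(principal, resource, frozenset(actions)))

    def grant_temporary(self, principal, resource, actions, approved_by, now,
                        ttl=timedelta(hours=2)) -> Grant:
        """Just-in-time elevation: scoped to one resource, approved, and expiring."""
        grant = Grant(principal, resource, frozenset(actions), now + ttl, approved_by)
        self._grants.append(grant)
        return grant

    def revoke_expired(self, now: datetime) -> int:
        """Drop grants whose window has closed; returns how many were revoked."""
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if g.expires_at is None or g.expires_at > now]
        return before - len(self._grants)

    def active_grants(self, principal, resource, now) -> List[Grant]:
        return [g for g in self._grants
                if g.principal == principal and g.resource == resource
                and (g.expires_at is None or g.expires_at > now)]


def decide(req: Request, store: EntitlementStore) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    # Zero trust: a correct password alone says nothing about who is at the keyboard.
    if not req.password_ok:
        return False, "bad credential"
    if not req.mfa_ok:
        return False, "mfa required"
    if not req.device_verified:
        return False, "unverified device"
    # Least privilege: the principal needs an unexpired grant covering this action here.
    grants = store.active_grants(req.principal, req.resource, req.at)
    if not any(req.action in g.actions for g in grants):
        return False, "no entitlement"
    return True, "allowed"


def demo() -> List[Tuple[str, bool, str]]:
    """Walk an HR administrator through the controls; returns (label, allowed, reason)."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    store = EntitlementStore()
    store.add_standing("alice", "hr-db", {"read", "write"})

    def ask(label, resource, action, at, mfa_ok=True, device_verified=True):
        req = Request("alice", resource, action, True, mfa_ok, device_verified, at)
        allowed, reason = decide(req, store)
        return (label, allowed, reason)

    out = [ask("hr-db read, normal day", "hr-db", "read", t0),
           ask("password stolen, no MFA", "hr-db", "read", t0, mfa_ok=False),
           ask("finance-db, no grant", "finance-db", "read", t0)]
    # Security approves a one-hour, read-only window on finance-db for a project.
    store.grant_temporary("alice", "finance-db", {"read"}, "security-oncall",
                          t0, ttl=timedelta(hours=1))
    half_hour, two_hours = t0 + timedelta(minutes=30), t0 + timedelta(hours=2)
    out.append(ask("finance-db read inside window", "finance-db", "read", half_hour))
    out.append(ask("finance-db write inside window", "finance-db", "write", half_hour))
    out.append(ask("finance-db read after expiry", "finance-db", "read", two_hours))
    out.append(("expired grants revoked", store.revoke_expired(two_hours) == 1, "housekeeping"))
    return out
```

The point of the walk-through is the last three entries: the temporary grant allows exactly the approved action, nothing more, and it stops working at expiry whether or not anyone remembered to run the revocation. A real PAM deployment would also record every decision and every grant for audit.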

Multifactor Authentication

Two-factor authentication (2FA) and multifactor authentication (MFA) are perhaps the most stable and sensible defenses enterprises have against privileged credential theft. Making your security less dependent on passwords is always a positive step forward, and the more independent layers you can put on your identity security the better.

The factors in two-factor or multifactor authentication can include biometrics (physiological factors like fingerprints, or behavioral factors like typing patterns), device recognition, a hardware token, a PIN, and geofencing, in addition to the privileged credential itself. The idea is to combine something the user knows, such as a password, with something the user has, such as a token, or something the user is. An attacker may easily get hold of one, but not the other, which hampers their efforts. One caveat: the factors must be genuinely independent. A one-time code delivered to the same already-compromised device, or by SMS to a phone number an attacker can take over through SIM swapping, adds far less than a hardware token or an authenticator app.
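As an added example of the possession factor described above (not code from the original article), the following verifies time-based one-time passwords per RFC 6238, which is what authenticator apps and many hardware tokens implement. The user table, the secret and the one-step tolerance window are assumptions for illustration; the RFC's own test secret is used so the output can be checked against the published vectors. Two details a practitioner wants and that naive implementations often miss are included: constant-time comparison of the code, and rejection of a code that has already been accepted, so that an observed code cannot be replayed within its validity window.

```python
"""TOTP (RFC 6238) verification as the possession factor in MFA.

Added example, not from the original article. The user-to-secret table is
constructed for illustration; a real deployment keeps secrets encrypted in a
vault, rate-limits attempts, and pairs this with an independent password check.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict

STEP_SECONDS = 30
DIGITS = 6
RFC_SECRET = b"12345678901234567890"  # test secret from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Accepts codes within +/-window steps of now and refuses replay of an accepted step."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = dict(secrets)     # user -> raw secret bytes
        self._last_step: Dict[str, int] = {}  # user -> highest step already accepted

    def verify(self, user: str, code: str, now: float, window: int = 1) -> bool:
        secret = self._secrets.get(user)
        # Reject unknown users and non-ASCII-digit input before any comparison.
        if secret is None or not (code.isascii() and code.isdigit()):
            return False
        current = int(now // STEP_SECONDS)
        for step in range(max(current - window, 0), current + window + 1):
            # Constant-time compare so response timing does not leak matching digits.
            if hmac.compare_digest(hotp(secret, step), code):
                if step <= self._last_step.get(user, -1):
                    return False  # this step was already consumed: replay attempt
                self._last_step[user] = step
                return True
        return False


def authenticate(user: str, password_ok: bool, code: str,
                 verifier: TotpVerifier, now: float = None) -> bool:
    """Knowledge factor (checked elsewhere, result passed in) AND possession factor."""
    now = time.time() if now is None else now
    # Evaluate the second factor even when the password failed, so a failing password
    # and a failing code take the same time and the attacker learns nothing extra.
    code_ok = verifier.verify(user, code, now)
    return password_ok and code_ok
```

Checking against the RFC vectors: with the test secret, the HOTP codes for counters 0, 1 and 2 are 755224, 287082 and 359152, and the TOTP at t=59 s (step 1) is 287082. Note that the replay guard is per verifier instance here; in a deployment it belongs in shared storage so that every authentication node sees the same high-water mark.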

Don’t Allow Password Reuse

As far as possible, don't allow your employees or your super users to reuse passwords from other accounts, personal or professional. The more a super user reuses a privileged credential outside your enterprise network, the likelier it is to be exposed in an unrelated breach and replayed against you. This is a difficult mandate to enforce directly, but screening new passwords against known-breached password lists and forcing rotation after any external exposure makes it workable, and it is well worth the effort.

Close Orphaned Accounts

When a privileged account holder leaves your organization under any circumstances, make sure their accounts are disabled and their credentials removed from the network entirely as part of the off-boarding process, and rotate any shared secrets (service account passwords, SSH keys, API tokens) that person knew. Otherwise those privileged credentials linger as an orphaned account: an account nobody monitors because no real user is associated with it.

Once you have a privileged access management solution in place, use it to scan your directory and systems for lingering orphaned accounts and shut them down before they fall into the wrong hands. Reconciling the inventory of privileged accounts against the HR system of record is the simplest way to find them.
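The reconciliation just described, as an added example rather than code from the original article or any PAM product: every privileged account is matched to its recorded owner in the HR roster, and an account is flagged as orphaned when it has no owner, the owner is unknown to HR, or the owner is no longer active. The roster and account records below are constructed for illustration; in practice they would be exported from the HR system and from the directory or PAM vault.

```python
"""Find orphaned privileged accounts by reconciling against the HR roster.

Added example, not from the original article. ROSTER and ACCOUNTS are
constructed sample data; the field names are assumptions for illustration.
"""
from typing import Dict, List, Tuple

# HR statuses that still correspond to a real, accountable owner.
ACTIVE_STATUSES = {"active", "leave"}

ROSTER = [  # constructed HR export
    {"employee_id": "e100", "status": "active"},
    {"employee_id": "e200", "status": "terminated"},
    {"employee_id": "e300", "status": "leave"},
]

ACCOUNTS = [  # constructed privileged-account inventory
    {"name": "alice_adm", "owner": "e100", "privileged": True},
    {"name": "bob_adm", "owner": "e200", "privileged": True},   # owner has left
    {"name": "svc_backup", "owner": "", "privileged": True},    # nobody recorded
    {"name": "carol", "owner": "e300", "privileged": False},    # unprivileged, on leave
    {"name": "dave_adm", "owner": "E999", "privileged": True},  # owner not in HR at all
]


def find_orphans(accounts: List[Dict], roster: List[Dict],
                 privileged_only: bool = True) -> List[Tuple[str, str]]:
    """Return (account name, reason) for every account with no accountable owner."""
    status_by_id = {r["employee_id"].strip().lower(): r["status"] for r in roster}
    orphans = []
    for account in accounts:
        if privileged_only and not account.get("privileged"):
            continue
        owner = (account.get("owner") or "").strip().lower()  # normalise for matching
        if not owner:
            reason = "no owner recorded"
        elif owner not in status_by_id:
            reason = "owner unknown to HR"
        elif status_by_id[owner] not in ACTIVE_STATUSES:
            reason = f"owner {status_by_id[owner]}"
        else:
            continue
        orphans.append((account["name"], reason))
    return orphans


def disable_plan(orphans: List[Tuple[str, str]]) -> List[str]:
    """Actions for the PAM tool: disable first (keeps the audit trail), delete later."""
    return [f"disable {name}  # {reason}" for name, reason in orphans]


if __name__ == "__main__":
    for line in disable_plan(find_orphans(ACCOUNTS, ROSTER)):
        print(line)
```

Run on the sample data this flags bob_adm (owner terminated), svc_backup (no owner) and dave_adm (owner unknown to HR) while leaving alice_adm alone. Two design choices worth noting: shared service accounts with an empty owner field are treated as orphans, because an account nobody owns is exactly the kind nobody is watching, and the output is a disable plan rather than a delete, so that logs and audit records attached to the account survive the clean-up.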

A data breach can cost your enterprise well over $3 million on average. Getting a handle on your privileged credentials is one step toward avoiding that cost. The next step is getting a handle on your privileged access management overall.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.