What exactly is privileged access management? How does it compare to traditional identity and access management? How are enterprises adapting to the necessity of protecting their most prized credentials?
To get a handle on privileged access management in the modern age, we spoke with Mark Klinchin, Co-Founder and CEO of solution provider Xton Technologies. Here’s our conversation, edited slightly for readability:
Solutions Review: In your opinion, what is the current state of privileged access management? How are enterprises adapting to the new demands of privileged identity security?
Mark Klinchin: Privileged access management (PAM) technology has evolved greatly since its inception in the 1990s. It was originally designed to help larger organizations who had a high level of automation. These early solutions were bulky, expensive, and required installing agents on hundreds of devices as well as additional service contracts.
The explosion of the internet for business, industrial, and social transactions has made privileged access management a top priority for improving information security and privacy. More companies are operating in the cloud, automating processes, using IoT, and have distributed workforces that require mobile access to systems.
Today, most companies—even small to mid-sized ones—have more privileged accounts than individual ones. Without proper management of these accounts, they pose a significant risk to businesses. In fact, Gartner recently listed PAM as the number one security project that chief information security officers (CISOs) should explore in 2018.
When we started XTON Technologies, customers told us they have many assets in the cloud and on premise and also have access to their partners’ and customers’ data. They are looking to implement solutions with a secure vault for their most sensitive information (credentials) and allow authorized access to these secrets in a highly secure and auditable fashion.
SR: What have been the worst trends or behaviors enterprises have engaged in concerning PAM? How have they responded to the flood of data breach headlines?
Mark Klinchin: Over the last few years, organizations have ignored or de-prioritized PAM. This trend has left many companies vulnerable and at risk of security breaches. Companies traditionally react to potential security threats by increasing perimeter security and doing more penetration testing to protect against an invisible remote attacker. All these measures are useful.
However, today’s modern network perimeter is porous. There are multiple access points open to the outside workforce, remote partners, or clients. This type of network architecture prioritizes access workflow, distribution and rotation of shared credentials, and tracking accountability. These are all traditional PAM functions.
Second, acceptance of privileged account management requires recognizing the realities of shared and automation-driven access. The familiar identity management strategy, when users access resources using their personal accounts based on permissions, does not apply to shared resources such as Windows Administrator, a network device, or the root of an IoT device. Enabling shared access is not a mistake. It’s the mismanagement of shared credentials that opens up companies to risk.
Lastly, the complexity and expense of traditional PAM systems make some organizations ignore privileged access problems, even when they realize the consequences.
SR: Do enterprises need to reconsider what they consider “privileged” in identity?
Mark Klinchin: Yes, companies need to rethink privileged accounts. Privileged access management suffers from the terminology of the early implementations of the late 1990s.
Identity and access management (IAM) covers individual accounts and access. In the IAM world, passwords should be remembered, individuals should never share their credentials, and permissions should be granted to users to access required resources. Some employee accounts will enable them to perform privileged activities such as constructive (or destructive) network infrastructure work or access (or modify) vital corporate data. None of these relate to privileged account management.
PAM focuses on the accounts, access, and credentials which are NOT covered by IAM. A root account of an IoT device such as a video camera, a printer, or a CAT scanner does not have much privilege from an overall network perspective. However, used in large numbers these devices can act as a cybersecurity weapon to take down or take over services and vital resources.
Moreover, losing control over some of these accounts threatens not only the owner of the account but can also threaten other unsuspected entities. This makes PAM a shared common service when the overall information security of the Internet depends on its weakest participant.
SR: Will AI and/or machine learning truly affect privileged access management, and if so, how and when?
Mark Klinchin: One of the major challenges of information security is the lack of professionals interested in and capable of working in this area. While the recent spike in demand will certainly attract talented individuals, the sheer scale of security problems requires a high degree of automation. AI can help a security professional tremendously by reducing the number of events that they need to investigate. AI can automate manual tasks as well as help with monitoring and data analytics.
SR: Besides AI, what other new technologies or trends do you feel optimistic about?
Mark Klinchin: We are very optimistic about bringing PAM to companies of all sizes. XTON recently released an MSP version of our solution. We think that MSPs are the key to reaching even the smallest businesses by providing an affordable, enterprise-class solution for managing privileged accounts.
All businesses are going to be asked by their customers, governments, and partners how they are protecting their sensitive information stored on their systems. Auditors want a company to prove they have control over the credentials that are used to access this information. PAM solutions help address these requirements and are simple to implement, affordable, easy to maintain and operate. Implementing a PAM solution no longer needs to be a long and expensive process.
Thanks again to Mark Klinchin, Co-Founder and CEO of Xton Technologies, for his time and expertise!