What’s in a Privileged Access Strategy?

Identity and access management (IAM) as a field is evolving at a rapid pace. Identity is being hailed as the new perimeter, supplanting traditional firewalls. In fact, identity may end up becoming the pinnacle of cybersecurity overall. Therefore it is not a surprise that IAM solutions are diversifying and specializing for different needs and use cases.  

Some of these subfields, including both traditional identity and access management and biometric authentication, tend to draw more attention than others. However, one of the most important and yet most neglected aspects of IAM may be privileged access management. Privileged access management is what protects your most powerful network credentials from abuse—either internally or externally.     

No cybersecurity solution can guarantee 100% success in protecting your enterprise’s digital privileged identities from unwanted eyes. But a solution incorporated into a privileged access strategy can help protect your enterprise from the worst blows.       

So what do you need for your enterprise’s privileged access strategy?

Understand How Privileged Access Management Works

The first step in your privileged access strategy is to understand how privileged access and privileged identity solutions work. If you do not know what the solutions can actually offer, you won’t be sure if they can solve your enterprise’s issues. This, of course, comes with a crucial caveat: you need to understand the cybersecurity problems your enterprise faces. Without this knowledge, you won’t have the wherewithal to deploy the solution properly.

While individual capabilities may differ, in general a privileged access management solution should:

  • Monitor, manage, and audit identities and permissions across your enterprise’s network.
  • Reduce privilege creep (employees inadvertently gaining credentials as they move through your enterprise).
  • Highlight unusual user behaviors to identify potential threats.
  • Perform regular audits on privileges and sensitive data stores.

Know What to Look for in your Solution

Every enterprise is different—in size, in mission, in industry, etc. By extension, every privileged access strategy will be different. Therefore, the privileged access management solution you select needs to fit your enterprise and your strategy. There is no one-size-fits-all PAM solution; it requires careful consideration. Some examples of what to look for in your privileged access solutions:

  • Make sure your PAM solution can integrate with your other software and cybersecurity solutions. Integration problems often create security issues further down the line…and thus new headaches for your security team to handle.   
  • Ensure your PAM solution can handle hybrid and cloud deployments. This principle applies even if your enterprise is still using on-premises deployments—you don’t know if your enterprise will transition anytime in the near future.
  • If you have compliance concerns, your privileged identity solution should provide audit trails in easy-to-use dashboards.

Once you know what to look for, you’ll know what capabilities are most critical and can design your privileged access strategy around them.

Two-Factor Authentication May Not Be Enough

Authentication procedures and protocols must be a part of any privileged access strategy. Single-factor authentication—usually dependent on insecure and easily cracked passwords—is typically the default authentication procedure. However, the security of single-factor authentication has long been considered unreliable at best.

Upgrading to a two-factor authentication system seems like a solid strategic move, but your enterprise needs to be careful how you implement such policies. Reddit, one of the best-known internet forum platforms, recently suffered a data breach allowing a hacker to access usernames, passwords, and email addresses. The attack vector: intercepting the SMS two-factor authentication—sending a fake text message for password confirmation to unsuspecting employees.

As part of your privileged access strategy, you need to consider how you implement your two-factor and multifactor authentication to fit with your business needs and your employees. SMS might not be as secure for your employees as a carried hard token, as an example. Additionally, part of this evaluation is training your employees to securely use two-factor and multifactor authentication—authentication is a two-way street.

Furthermore, your enterprise needs to ensure you deploy the correct authentication for the different databases. Not every database or employee’s credentials will need extensive multifactor authentication. You should know what resources and assets require the most security…and thus how to shape your privileged access strategy accordingly.   

Least Privilege is the Principle

The principle of least privilege states employees should only have as many entitlements as they absolutely need to function in their role. An employee in the finance department shouldn’t have access to databases relevant to human resources, as just one example.

Privileged identity management enforces the principle of least privilege for both regular employees and your most powerful superusers. Your enterprise must build your privileged access strategy around the principle of least privilege in order to most completely secure your enterprise. Remember: you can always make careful exceptions later on.
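
To make privilege creep and the "careful exceptions" above concrete, here is an added illustration (not part of the original article or any PAM product) of an entitlement review that compares each user's grants against a role baseline and honors only unexpired exceptions. The roles, users, entitlement names and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical roles, users and entitlement names).
ROLE_BASELINE = {
    "finance": {"finance_db:read", "finance_db:write"},
    "hr": {"hr_db:read", "hr_db:write"},
}
USERS = {
    "alice": {"role": "finance", "grants": {"finance_db:read", "finance_db:write"}},
    # bob moved from HR to finance and kept his old HR grants (privilege creep)
    "bob": {"role": "finance", "grants": {"finance_db:read", "hr_db:read", "hr_db:write"}},
    "carol": {"role": "hr", "grants": {"hr_db:read", "hr_db:write", "finance_db:read"}},
}
# Approved exceptions: (user, entitlement) -> expiry date
EXCEPTIONS = {
    ("carol", "finance_db:read"): date(2030, 1, 31),
    ("bob", "hr_db:read"): date(2020, 6, 30),
}

def audit(users, baseline, exceptions, today):
    """Return (user, entitlement, reason) for every grant that is outside the
    user's role baseline and not covered by an unexpired exception."""
    findings = []
    for user, info in sorted(users.items()):
        # An unknown role gets an empty baseline, so every grant is flagged.
        allowed = baseline.get(info["role"], set())
        for grant in sorted(info["grants"] - allowed):
            expiry = exceptions.get((user, grant))
            if expiry is None:
                reason = "no exception on file"
            elif expiry < today:
                reason = f"exception expired {expiry.isoformat()}"
            else:
                continue  # covered by a live, time-boxed exception
            findings.append((user, grant, reason))
    return findings

if __name__ == "__main__":
    for user, grant, reason in audit(USERS, ROLE_BASELINE, EXCEPTIONS, date(2025, 1, 1)):
        print(f"REVOKE {grant} from {user}: {reason}")
```

Because exceptions carry an expiry date, a grant that was acceptable at one review is flagged at a later one unless someone renews it.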

IT Team Involvement is Key

The phrase “set-it and forget it” remains a pie-in-the-sky hope for enterprises seeking a privileged identity management solution. However, any cybersecurity expert worth their salt will state with confidence that set-it-and-forget-it is more like an impossibility or fool’s errand.

Having the right privileged access management solution is one part of your enterprise’s cybersecurity platform. However, it needs to be coupled with an active IT security team as part of your staff. These security experts can continually evaluate your PAM policies on their effectiveness, find inconsistencies or security holes, and implement patches to protect against weaknesses. If finding security staff proves a significant obstacle, then looking into a managed security service might be the right move for your enterprise.

Having your own IT staff and partners requires investment in personnel, often a difficult proposition with the cybersecurity staffing crisis. But technology is a tool. Human hands still need to wield it.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.