Privileged Account Management (PAM): what you should be thinking about
Los Angeles, Calif. – May 23, 2018
I recently spoke at the FS-ISAC conference and it became clear that even in the financial services space, safeguarding user identities and managing access permissions across the enterprise is one of the biggest challenges faced by CISOs!
Last year, Herjavec Group contributed to an Identity and Access Management (IAM) Report with Cybersecurity Ventures that discussed just that – and we gave the market as a whole a below average grading in terms of digital transformation, real time adaptability, user authentication services and artificial intelligence. While I’d like to think that market wide our “grades” have improved over the last 12 months, even the most mature enterprises continue to struggle with these universal identity challenges.
Let’s start at the top – When you think about IAM, do you think about Privileged Account Management (PAM)? In my opinion you should – and it may terrify you.
So who do we define as a privileged user?
A privileged user is someone with administrative access to critical systems such as organizational-wide email accounts, HR and payroll apps, CRM and ERP systems, etc. Every employee has a certain level of access to corporate information based on their role, department, seniority level, etc.
In every organization, there are one or more people with access to a CEO’s login credentials for email and many other apps. Do you know who these people are in your organization? Have they been properly vetted? When is the last time they changed roles and their access was altered? What happens when they go on vacation? Are your boardroom and C-Suite executives aware of who has access to their login credentials?
Let’s assume that we have the right user access in place – meaning the right people can access the right information at the right time, and most importantly in my opinion – for the right reasons. How do you ensure ongoing controls of this access and protect these privileged users from hackers that may target them?
After all – privileged credentials are the ultimate espionage asset. According to CyberArk, these credentials allow attackers to access your organization’s most critical data by posing as a trusted insider.
In fact, even the infamous Yahoo breach was largely successful because the attackers were able to exploit privileged credentials to get the information they wanted. With privileged credentials in hand they compromised the Yahoo user database and forged authentication tokens. Essentially, they were able to become any Yahoo user. And this wasn’t limited to just Yahoo – many high profile breaches in the past couple of years (SWIFT, Ukraine power outage, the DNC – you name it) have occurred in the same way.
“Privileged users have the keys to the kingdom,” says Steve Morgan, founder and Editor-in-Chief at Cybersecurity Ventures. “An inadequate PAM solution can expose organizations in unimaginable ways and lead to disastrous results.”
In many organizations today, certain users will have elevated privileges attached to their day-to-day accounts, meaning the same account they use to access their email can have domain-level administrative function privileges (such as the ability to modify security policies on a firewall).
That’s all well and good because everyone has a job to do, and we all have processes – yes yes I’ve heard it before. But when it goes wrong – when the employee has a bad day, when someone is let go, when they leave their laptop open in a public place, what is the recourse?
I can’t emphasize enough without a proper Privileged Account & Identity Solutions in place, your organization will be vulnerable to internal and external threats. You have to balance stringent process and appropriate technology. There are tools you can use to help and I happen to be a strong advocate for the integrated SailPoint & CyberArk solution set. It’s too much to do alone – so leverage the tools out there to improve your access controls, and develop stronger identity governance & management.
We’re also seeing more and more organizations turning to their MSSPs for Identity Managed Services Support. This type of service helps many enterprises achieve policy & regulatory compliance and offers many benefits above and beyond a standard Managed SIEM Service including:
- 24×7 IAM platform health monitoring without increasing your security staff
- Gain visibility and control of user data and access permissions
- Quickly detect risks and amend access entitlement issues associated with privileged users
- Automate the user provisioning process based on groups, policies and
- Accelerate compliance efforts with unified top-down governance processes for all users
As I closed out my speech at FS-ISAC, my last slide asked the room, “Are we not all in the RISK business?”. There were a lot of head nods that followed.
At the end of the day, one of the fastest growing unmanaged risks for organizations is excess employee access and when it comes to protecting your crown jewels, it’s always better to be safe instead of sorry! Don’t take the risk with privileged IDs. Get the tools, build the process and leverage third party support to automate provisioning and controls wherever possible.
You – and your CEO – will be glad you did.
To Your Success,
Originally posted on Cybercrime Magazine.