Don’t Ignore Identity Governance for Privileged Users

It’s summertime, which means privileged users are away on vacation and contractors or co-workers are taking up the slack. Managing the temporary access that this requires is not something you want to leave to chance.

Abuse of privileged access can be costly. On June 17th, Tesla reported a malicious insider attack on the Tesla Manufacturing Operating System that resulted in the loss of several gigabytes of data and a stock decline of six percent. That same week, we learned that a CIA employee was charged with providing WikiLeaks with hacking tools stolen as part of the Vault 7 leak.

Privileged Access Management (PAM) isn’t enough

According to Gartner, “PAM technologies help organizations to provide secured privileged access to critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access.” 

In practice, PAM reduces the risk of privileged user abuse by limiting what privileged users (such as system administrators) can do on specified systems, during specified times or with specified commands. It can monitor and record their activity to offer misuse deterrence by collecting evidence for prosecution, and can provide more detailed compliance reporting than system logs. 

These capabilities are entirely necessary to protect against sensitive data loss from those who have the “keys to the kingdom.” But it isn’t enough.

The limitations of PAM

PAM is effective for those who work within it. But if an administrator acquires root access and works around the technology, then it isn’t much use. And there are scenarios where temporary privileged access, such as that given to someone covering for a privileged user on vacation, or to a contractor who only needs access for a limited period, is not revoked when that period ends.

Add to those scenarios regular employee turnover, for which the access deprovisioning process is typically not 100% accurate, and there can be an excess of privileged user accounts that could be abused by malicious insiders, or by outsiders who obtain their credentials. Access that doesn’t conform to the least privilege principle carries added risk.
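The gaps described in this section (temporary grants that outlive their purpose, accounts left behind by turnover, and accounts nobody is accountable for) are exactly what a periodic reconciliation of the privileged-account inventory against the HR roster surfaces. The following script is an added example and is not part of the original column; the account inventory, the HR roster, and the field names (`account`, `owner`, `grant`, `expires`) are constructed for illustration and assume a PAM or directory export has been flattened into this shape.

```python
from datetime import date

# Constructed sample data, not from the article: a privileged-account inventory
# as a PAM tool or directory export might provide it, and an HR roster.
PRIVILEGED_ACCOUNTS = [
    {"account": "root-db01", "owner": "alice", "grant": "permanent", "expires": None},
    # vacation cover: should have ended with the absence
    {"account": "adm-erp", "owner": "bob", "grant": "temporary", "expires": "2018-07-15"},
    # contractor engagement has ended
    {"account": "adm-build", "owner": "contractor7", "grant": "temporary", "expires": "2018-06-30"},
    # owner has left the company; deprovisioning missed this account
    {"account": "adm-net", "owner": "carol", "grant": "permanent", "expires": None},
    # nobody is accountable for this account
    {"account": "svc-backup", "owner": None, "grant": "permanent", "expires": None},
    # temporary grant that was never given an end date
    {"account": "adm-hr", "owner": "dave", "grant": "temporary", "expires": None},
]
HR_ROSTER = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",
    "contractor7": "active",
    "dave": "active",
}


def review_privileged_accounts(accounts, roster, today):
    """Return (account, reason) findings for accounts that violate least privilege:
    no accountable owner, owner unknown to HR or no longer active, temporary
    grants with no expiry, and temporary grants whose expiry has passed."""
    findings = []
    for acct in accounts:
        name, owner = acct["account"], acct["owner"]
        if owner is None:
            findings.append((name, "no accountable owner"))
            continue
        status = roster.get(owner)
        if status is None:
            findings.append((name, f"owner {owner} unknown to HR"))
        elif status != "active":
            findings.append((name, f"owner {owner} is {status}"))
        if acct["grant"] == "temporary":
            if acct["expires"] is None:
                findings.append((name, "temporary grant has no expiry date"))
            elif date.fromisoformat(acct["expires"]) < today:
                findings.append((name, f"temporary grant expired on {acct['expires']}"))
    return findings


def accounts_to_disable(findings):
    """Accounts to disable pending a manager's review (sorted, deduplicated)."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    for name, reason in review_privileged_accounts(PRIVILEGED_ACCOUNTS, HR_ROSTER, date(2018, 7, 20)):
        print(f"{name}: {reason}")
```

Run on the sample data with a review date of 2018-07-20, five of the six accounts are flagged; only `root-db01`, permanently held by an active employee, passes. The point of the `accounts_to_disable` step is that a finding should lead to an action (disable and route to the owner's manager) rather than just a report line.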

Identity governance is a necessary companion to PAM

Identity governance technologies discover access entitlements and, on a regular cadence such as every six months, manage a certification process whereby a manager or other authority must certify that the specified user holds the correct entitlements. More sophisticated identity governance tools prioritize certifications for users who hold privileged access and have unusual or elevated rights compared to their peers, even triggering ad-hoc certifications out of band when the risk level is significant enough.

Integration with PAM can give identity governance a means of calculating this risk score. Additional risk scoring for privileged users should include usage of access that exhibits unusual patterns, such as during non-working hours or from an unusual location. Double-checking with managers or employees on the activity can identify malicious use, especially by advanced persistent threats, which often use stolen administrator credentials as an attack vector. The faster this is found, the more limited the damage that can be done.
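To make the risk scoring from the two paragraphs above concrete, the script below combines the two signals the column names: entitlements a user holds that their departmental peers do not, and PAM session activity outside working hours or from a source that differs from the user's own baseline. Users whose score crosses a threshold are queued for an ad-hoc certification; everyone else waits for the periodic cycle. This is an added example, not code from the column or from any PAM or identity governance product; the department mapping, the entitlement sets, the key=value log format and the weights (2, 3, 2 and a threshold of 6) are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample data, not from the article: department membership and the
# entitlements each user holds, as an identity governance tool would discover them.
DEPARTMENT = {"alice": "dba", "bob": "dba", "dave": "dba", "erin": "dba", "frank": "finance"}
ENTITLEMENTS = {
    "alice": {"db-read", "db-admin"},
    "bob":   {"db-read", "db-admin"},
    "dave":  {"db-read"},
    "erin":  {"db-read", "db-admin", "domain-admin"},  # nobody else in dba holds domain-admin
    "frank": {"erp-read"},
}
PRIVILEGED = {"db-admin", "domain-admin"}

# Constructed PAM session records in a hypothetical key=value format (UTC timestamps).
PAM_LOG = """\
2018-07-02T09:12:41Z user=erin src=DE target=db01 action=session_open
2018-07-02T14:05:03Z user=erin src=DE target=db02 action=session_open
2018-07-03T02:47:19Z user=erin src=RU target=dc01 action=session_open
2018-07-03T10:30:00Z user=alice src=DE target=db01 action=session_open
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the key=value session log into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def peer_outlier_entitlements(user, entitlements, department, max_peer_share=0.25):
    """Entitlements the user holds that at most max_peer_share of departmental peers hold."""
    peers = [u for u, d in department.items() if d == department[user] and u != user]
    if not peers:
        # No peer group to compare against: every entitlement needs a human look.
        return set(entitlements[user])
    held_by = Counter(e for p in peers for e in entitlements[p])
    return {e for e in entitlements[user] if held_by[e] / len(peers) <= max_peer_share}


def activity_anomalies(user, events, work_hours=(7, 19)):
    """Reasons for sessions outside working hours or from a source other than the
    user's most common one; the baseline is the user's own session history."""
    mine = [e for e in events if e["user"] == user and e["action"] == "session_open"]
    if not mine:
        return []
    baseline_src = Counter(e["src"] for e in mine).most_common(1)[0][0]
    reasons = []
    for e in mine:
        hour = int(e["ts"][11:13])  # hour field of the ISO 8601 timestamp
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append(f"{e['ts']} session to {e['target']} outside working hours")
        if e["src"] != baseline_src:
            reasons.append(f"{e['ts']} session to {e['target']} from unusual source {e['src']}")
    return reasons


def risk_score(user, entitlements, department, events):
    """Weighted score: holds privileged rights (2), each right peers lack (3), each anomaly (2)."""
    score = 2 if entitlements[user] & PRIVILEGED else 0
    score += 3 * len(peer_outlier_entitlements(user, entitlements, department))
    score += 2 * len(activity_anomalies(user, events))
    return score


def certification_queue(entitlements, department, events, adhoc_threshold=6):
    """Users ranked by risk; those at or above the threshold get an out-of-band certification."""
    scores = {u: risk_score(u, entitlements, department, events) for u in entitlements}
    return [(u, s, "ad-hoc" if s >= adhoc_threshold else "periodic")
            for u, s in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for user, score, kind in certification_queue(ENTITLEMENTS, DEPARTMENT, parse_log(PAM_LOG)):
        print(f"{user:12} score={score:2} certification={kind}")
```

On the sample data `erin` scores 9 (privileged, holds `domain-admin` that no dba peer holds, and opened a session on the domain controller at 02:47 UTC from a source she has never used before) and is queued for an ad-hoc certification; her manager is the right person to say whether that was planned maintenance or a stolen credential. The peer comparison is deliberately per department rather than company-wide, since a DBA holding `db-admin` is normal and a finance user holding it is not.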

Identity governance is an additional control that can find privileged users working outside of the PAM system and help enforce the least privilege principle. If you want to reduce the risk that privileged users present, explore how your organization can make these two technologies work more closely together.
