Half Protected is Half Empty, Not Half Full

Threat actors tend to focus on the human element as the weakest link in the cyber-attack chain, often using stolen, weak, default, or otherwise compromised credentials to gain access to their victim’s environment.

From there, they typically move laterally to exfiltrate sensitive data they can monetize. There are endless examples of this tactic, ranging from Dunkin’ Donuts and Citrix to Marriott International. Fortunately, security professionals are taking notice. According to Gartner, privileged access management (PAM) has been one of the Top 10 information security projects over the last two years, and spending on PAM is predicted to rank second in terms of growth among all IT security technologies in 2019. However, it appears that organizations are not taking full advantage of all that PAM has to offer, and instead are focusing on a small subset of its capabilities to stop identity-centric attacks.

Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, provides no protection against identity- and credential-based threats. Instead, they should consider re-allocating parts of their IT security budgets to fund PAM initiatives. 

Lack of Basic Security Controls

As a discipline and related set of commercial products, PAM has been around for over 15 years. Unfortunately, the adoption rate for PAM is still in the lower double-digit range. Shockingly, 65% of respondents to a Centrify survey said they still share root or privileged access to systems and data. In addition, many organizations still primarily use single-factor authentication (i.e., passwords) for digital identity verification. 

Even though most businesses have enforced stricter password strength policies (e.g., length and reuse requirements, renewal intervals) in recent years, end users and privileged account holders often have too many passwords to remember. This makes them prone to either sharing passwords across different environments or even openly recording and storing them. And that’s exactly what hackers are exploiting. Sadly, it often takes an audit finding and associated fines, or a data breach, to motivate an organization to consider using PAM tools as a long-term strategy for comprehensive risk mitigation.

The PAM Myth: A Vault is Enough

Historically, many organizations – and analyst reports – have focused on Privileged Account and Session Management (PASM), or in simple terms a password vault, and not true PAM. Under PASM, privileged root accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services, and applications. PASM establishes sessions that support credential injection and full gateway-based session recording. In this scenario, passwords and other credentials for privileged accounts (application-to-application passwords and secrets such as API keys, AWS IAM credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, IP addresses, and more) are actively managed too.

However, a password vault is only one side of the PAM coin, leaving the other side — Privilege Elevation and Delegation Management (PEDM) — as a neglected stepchild. Under a PEDM approach, specific privileges are granted on the managed system by host-based agents to logged-in privileged users. This includes host-based command control (filtering) and privilege elevation, the latter in the form of allowing pre-defined commands to be run with a higher level of privileges. In addition, privileges are granted only for a short time period.


While a password vault is a first basic step in the right direction, organizations need to keep in mind that many administrators continue to circumvent best practices, for example by checking a shared privileged account out of the vault at 9:00 AM and camping on it all day. Although the original audit finding is cleared, this has very little positive impact on reducing the overall attack surface, and it creates potential blind spots through the creation of SSH backdoor keys. It’s important to remember that password vaults were created for environments where implicit trust was the rule, not the exception. Unfortunately, the current reality demands that we assume bad actors are already present inside secure networks.

As a result, more and more analysts as well as industry and regulatory standards (e.g., NIST 800-63, PCI DSS) are recommending security controls that provide higher assurance levels than vaults alone. Moving to a more holistic view of PAM, host-enforced privilege elevation allows for a true reduction of the attack surface. In this model, “don’t break glass” is the guiding principle: administrators check out shared privileged accounts only for emergency situations. On a day-to-day basis, they should be required to log in with their individual, low-privilege account, and only when they need to run a privileged application or command should they use elevated permissions.
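As an added illustration (not from the article or any vendor product), the following deny-by-default check captures the PEDM model described above and the "don't break glass" rule: an individual low-privilege user holds a short-lived grant to run only pre-defined commands elevated, and a grant that is held all day, like the 9:00 AM vault checkout, stops working once it expires. The `Grant` fields, user names, command list and timestamps are constructed assumptions for the example.

```python
"""PEDM-style host policy check (illustrative, not a real product's logic)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import shlex


@dataclass(frozen=True)
class Grant:
    user: str                 # individual account, never a shared root login
    allowed: frozenset        # exact command lines permitted to run elevated
    issued: datetime          # when the short-lived elevation was approved
    ttl: timedelta            # how long the elevation remains valid


def normalize(cmdline: str) -> str:
    """Canonicalise whitespace/quoting so the allow-list compares reliably."""
    return " ".join(shlex.split(cmdline))


def evaluate(grant: Grant, user: str, cmdline: str, now: datetime):
    """Return (decision, reason). Anything not explicitly allowed is denied."""
    if user != grant.user:
        return "deny", "grant belongs to a different user"
    if now < grant.issued:
        return "deny", "grant not yet valid"
    if now > grant.issued + grant.ttl:
        return "deny", "grant expired; re-request elevation"
    try:
        cmd = normalize(cmdline)
    except ValueError:
        return "deny", "unparseable command line"
    if cmd not in grant.allowed:
        # Appended or altered arguments (e.g. "...; bash") do not match.
        return "deny", f"command not in allow-list: {cmd!r}"
    return "allow", "pre-approved command within grant window"


# Constructed sample: alice may restart/inspect nginx for 15 minutes from 09:00.
T0 = datetime(2019, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANT = Grant(
    user="alice",
    allowed=frozenset({"systemctl restart nginx", "journalctl -u nginx"}),
    issued=T0,
    ttl=timedelta(minutes=15),
)

if __name__ == "__main__":
    for who, cmd, when in [
        ("alice", "systemctl  restart nginx", T0 + timedelta(minutes=5)),
        ("alice", "systemctl restart nginx; bash", T0 + timedelta(minutes=5)),
        ("alice", "systemctl restart nginx", T0 + timedelta(hours=8)),
        ("bob", "journalctl -u nginx", T0 + timedelta(minutes=1)),
    ]:
        print(who, cmd, "->", evaluate(SAMPLE_GRANT, who, cmd, when))
```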

Conclusion

PAM can play a critical role in improving an organization’s cyber security posture, reducing risk, and achieving regulatory compliance. Going beyond simply implementing a password vault by controlling, managing, and monitoring access to highly privileged accounts can prevent data breaches and IT infrastructure sabotage. PAM provides a full, not half, measure of control.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
