Half Protected is Half Empty, Not Half Full

Threat actors tend to focus on the human element as the weakest link in the cyber-attack chain, often using stolen, weak, default, or otherwise compromised credentials to gain access to their victim's environment. From there, they typically move laterally to reach and exfiltrate sensitive data they can monetize. There is no shortage of examples of this tactic, ranging from Dunkin' Donuts and Citrix to Marriott International. Fortunately, security professionals are taking notice. According to Gartner, privileged access management (PAM) has been one of the Top 10 information security projects over the last two years, and spending on PAM is predicted to rank second in growth among all IT security technologies in 2019. However, organizations are not taking full advantage of all that PAM has to offer; instead they focus on a small subset of its capabilities to stop identity-centric attacks.

Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, provides little protection against an attacker who simply logs in with valid but stolen credentials. They should instead consider re-allocating part of their IT security budgets to fund PAM initiatives.

Lack of Basic Security Controls

As a discipline and as a category of commercial products, PAM has been around for more than 15 years. Unfortunately, its adoption rate is still in the low double digits. Shockingly, 65% of respondents to a Centrify survey said they still share root or other privileged accounts for access to systems and data. In addition, many organizations still rely primarily on single-factor authentication (i.e., a password alone) to verify digital identities.

Even though most businesses have tightened their password policies in recent years (minimum length, reuse restrictions, rotation intervals), end users and privileged account holders often have too many passwords to remember. That makes them prone to reusing the same password across environments, or to writing passwords down and storing them in the open, which is exactly what attackers exploit. Sadly, it often takes an audit finding with associated fines, or a data breach, to motivate an organization to adopt PAM tools as a long-term strategy for comprehensive risk mitigation.

The PAM Myth: A Vault is Enough

Historically, many organizations, and many analyst reports, have focused on Privileged Account and Session Management (PASM), in plain terms a password vault, rather than on PAM as a whole. Under PASM, privileged accounts such as root are protected by vaulting their credentials, and access to those accounts is then brokered for human users, services, and applications. PASM establishes sessions that support credential injection and full gateway-based session recording. The vault also actively manages the passwords and other secrets of privileged accounts: application-to-application passwords, API keys, AWS IAM credentials, SQL/NoSQL database credentials, X.509 certificates and their private keys, SSH keys, and the connection details (such as IP addresses) of the systems they belong to.


However, a password vault is only one side of the PAM coin. The other side, Privilege Elevation and Delegation Management (PEDM), is too often treated as a neglected stepchild. Under a PEDM approach, host-based agents grant specific privileges on the managed system to users who have logged in under their own identity. This includes host-based command control (filtering) and privilege elevation, the latter allowing a pre-defined set of commands to run with higher privileges while everything else runs as the user. In addition, privileges are granted only for a limited period of time rather than for the life of the session.

While a password vault is a basic first step in the right direction, organizations need to keep in mind that many administrators continue to circumvent best practice: they check a shared privileged account out of the vault at 9:00 AM and camp on it all day. The original audit finding may be cleared, but this does little to reduce the overall attack surface, and a long-lived root session is exactly where an administrator can quietly add an SSH key that bypasses the vault altogether, creating a blind spot. It is important to remember that password vaults were created for environments where implicit trust was the rule, not the exception. The current reality demands that we assume bad actors are already present inside the network.
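The blind spot described above is easy to check for. The following is an added example, not part of the article: it compares every key in an authorized_keys file, by key type and key blob, against an inventory of approved public keys and reports anything else. Both inputs are constructed for illustration; the key blobs are placeholders rather than real keys, and the user and host names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): a check for SSH keys on a managed
# host that did not come through the approved issuance process. Every key in
# an authorized_keys file is compared, by type and key blob, against an
# inventory of approved public keys; anything else is reported. Both inputs
# are constructed for illustration: the key blobs are placeholders, not real
# keys, and the user and host names are hypothetical.

# Inventory of keys that are allowed on the host (constructed).
APPROVED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICE alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEDEPLOY deploy@ci
'

# Contents of /root/.ssh/authorized_keys as found on the host (constructed).
# The third key is the kind of entry a camped-on root session can leave
# behind: it never went through the vault or the inventory.
AUTHORIZED_KEYS='# managed by ops, do not edit by hand
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICE alice@laptop
from="10.0.0.0/8",command="/usr/local/bin/deploy" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEDEPLOY deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEUNKNOWN root@build-07
'

# unapproved_keys APPROVED_LIST < authorized_keys
# Prints "unapproved key: <type> <blob> <comment>" for each key whose
# type+blob pair is not in APPROVED_LIST. Options such as from= or command=
# may precede the key type, so the type is located by prefix rather than by
# field position. Options containing spaces inside quotes are not handled;
# a quote-aware parser would be needed for those.
unapproved_keys() {
    awk -v approved="$1" '
        BEGIN {
            n = split(approved, lines, "\n")
            for (i = 1; i <= n; i++) {
                m = split(lines[i], f, " ")
                if (m >= 2) ok[f[1] " " f[2]] = 1
            }
        }
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    key = $i " " $(i + 1)
                    comment = (i + 1 < NF) ? $(i + 2) : "(no comment)"
                    if (!(key in ok)) print "unapproved key: " key " " comment
                    break
                }
            }
        }'
}

# unapproved_key_count APPROVED_LIST < authorized_keys: number of findings.
unapproved_key_count() {
    unapproved_keys "$1" | wc -l | tr -d ' '
}

printf '%s' "$AUTHORIZED_KEYS" | unapproved_keys "$APPROVED_KEYS"
echo "findings: $(printf '%s' "$AUTHORIZED_KEYS" | unapproved_key_count "$APPROVED_KEYS")"
```

Run against the real file with `unapproved_keys "$(cat approved.txt)" < /root/.ssh/authorized_keys`, ideally from a scheduled job that alerts on any output; the comparison is on type and blob only, so a key cannot be hidden by changing its comment or its options.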

As a result, a growing number of analysts as well as industry and regulatory standards (e.g., NIST SP 800-63, PCI DSS) recommend security controls that provide higher assurance than a vault alone. Moving to a more holistic view of PAM, host-enforced privilege elevation allows for a true reduction of the attack surface. In this model, "don't break glass" is the guiding principle: administrators check out shared privileged accounts only in genuine emergencies. Day to day, they log in with their individual, low-privilege account, and only when they need to run a privileged application or command do they elevate, for that command and for a limited time.
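On a Linux host the PEDM model described in the two passages above (host-based command control, pre-defined commands elevated for a limited time, individual low-privilege logins) is most commonly expressed as a sudoers policy. The following is an added example, not the article's own material: a blanket grant of the kind a shared-root culture produces, beside a per-user, per-command grant, plus a small audit that flags any user specification allowing ALL commands. The user names, the nginx and PostgreSQL commands, and the paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): a blanket sudoers grant beside a
# per-command PEDM-style grant, and a small audit that flags any user
# specification allowing ALL commands. Both policies are constructed for
# illustration; user names, commands and paths are hypothetical.
set -f   # no filename globbing while we split command lists into words

# Weak: everyone in "ops" is effectively root, with no re-authentication.
WEAK_SUDOERS='# shared blanket grant
%ops ALL=(ALL) NOPASSWD: ALL
'

# Hardened: named users, explicit commands, no wildcards (sudo matches "*"
# across argument boundaries, so a wildcard can widen a grant unexpectedly),
# cached credentials expire after five minutes, and sessions are logged.
HARDENED_SUDOERS='Defaults timestamp_timeout=5
Defaults log_output, logfile="/var/log/sudo.log"
Cmnd_Alias NGINX_OPS = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
alice ALL=(root) NGINX_OPS
bob   ALL=(postgres) /usr/bin/pg_ctl reload -D /var/lib/postgresql/data
'

# audit_sudoers: reads a sudoers policy on stdin and prints one line for
# every user specification whose command list contains the keyword ALL.
# Defaults and alias definitions are skipped; only user specs are checked.
audit_sudoers() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|Defaults*|Cmnd_Alias*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
        esac
        who=$(printf '%s' "$line" | awk '{print $1}')
        cmds=${line#*=}        # drop the "user host=" prefix
        cmds=${cmds#*')'}      # drop an optional "(runas)" list
        cmds=${cmds#*:}        # drop tags such as "NOPASSWD:"
        for token in $(printf '%s' "$cmds" | tr ',' ' '); do
            if [ "$token" = "ALL" ]; then
                printf 'blanket grant: %s may run ALL commands\n' "$who"
                break
            fi
        done
    done
}

# blanket_grant_count: number of blanket grants in the policy on stdin.
blanket_grant_count() {
    audit_sudoers | wc -l | tr -d ' '
}

echo "weak policy:"
printf '%s' "$WEAK_SUDOERS" | audit_sudoers
echo "weak findings: $(printf '%s' "$WEAK_SUDOERS" | blanket_grant_count)"
echo "hardened findings: $(printf '%s' "$HARDENED_SUDOERS" | blanket_grant_count)"
```

The hardened policy is what "don't break glass" looks like in practice: alice and bob log in as themselves, each can elevate only for the commands named in their line, the cached authentication lapses after five minutes, and every elevated session is recorded. To audit a live system, pipe `sudo cat /etc/sudoers /etc/sudoers.d/*` into `audit_sudoers`; any output is a shared-root grant that the vault alone does nothing about.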


PAM can play a critical role in improving an organization's cybersecurity posture, reducing risk, and achieving regulatory compliance. Going beyond a password vault, to controlling, managing, and monitoring what highly privileged accounts can actually do on the host, can prevent data breaches and IT infrastructure sabotage. PAM provides a full, not half, measure of control.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
