Threat actors tend to focus on the human element as the weakest link in the cyber-attack chain, often using stolen, weak, default, or otherwise compromised credentials to gain access to their victim’s environment. From there, then typically move laterally to exfiltrate sensitive data they can monetize. There are endless examples for this tactic, ranging from Dunkin’ Donuts and Citrix to Marriot International. Fortunately, security professionals are taking notice. According to Gartner, privileged access management (PAM) has been one of the Top 10 information security projects over the last two years and spending on PAM is predicted to rank second in terms of growth among all IT security technologies in 2019. However, it appears that organizations are not taking full advantage of all that PAM has to offer, and instead are focusing on a small subset of its capabilities to stop identity-centric attacks.
Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, provides no protection against identity- and credential-based threats. Instead, they should consider re-allocating parts of their IT security budgets to fund PAM initiatives.
Lack of Basic Security Controls
As a discipline and related set of commercial products, PAM has been around for over 15 years. Unfortunately, the adoption rate for PAM is still in the lower double-digit range. Shockingly, 65% of respondents to a Centrify survey said they still share root or privileged access to systems and data. In addition, many organizations still primarily use single-factor authentication (i.e., passwords) for digital identity verification.
Even though most businesses have enforced stricter password strength policies (e.g., length and reuse requirements, renewal intervals) in recent years, end users and privileged account holders often have too many passwords to remember. This makes them prone to either sharing passwords across different environments or even openly recording and storing them. And that’s exactly what hackers are exploiting. Sadly, it often takes an audit finding and associated fines, or data breach to motivate an organization to consider using PAM tools as a long-term strategy for comprehensive risk mitigation.
The PAM Myth: A Vault is Enough
Historically, many organizations – and analyst reports – have focused on Privileged Account and Session Management (PASM) or in simple terms, a password vault, and not true PAM. By applying PASM, privileged root accounts are protected by vaulting their credentials. Access to those accounts is then brokered for human users, services, and applications. PASM establishes sessions that support credential injection and full gateway-based session recording. In this scenario, passwords and other credentials for privileged accounts (application-to-application passwords and secrets like API keys, AWS IAM credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, IP addresses, and more) are actively managed too.
However, a password vault is only one side of the PAM coin, leaving the other side — Privilege Elevation and Delegation Management (PEDM) — as a neglected stepchild. Under a PEDM approach, specific privileges are granted on the managed system by host-based agents to logged in privileged users. This includes host-based command control (filtering) and privilege elevation, the latter in the form of allowing pre-defined commands to be run with a higher level of privileges. In addition, privileges are granted only for a short time period.
While a password vault is a first basic step in the right direction, organizations need to keep in mind that many administrators continue to circumvent best practices which includes using shared privileged accounts by checking them out of the vault at 9:00 AM and camping out all day. Although the original audit finding is cleared, this has very little positive impact on reducing the overall attack surface and creates the risk of potential blind spots via the creation of SSH backdoor keys. It’s important to remember that password vaults were created for environments where implicit trust was the rule, not the exception. Unfortunately, the current reality demands that we assume bad actors are already present inside secure networks.
As a result, more and more analysts as well as industry and regulatory standards (e.g., NIST 800-63, PCI DSS) are recommending security controls that provide higher assurance levels than vaults alone. Moving to a more holistic view of PAM, host-enforced privilege elevation allows for a true reduction of the attack surface. As such, “don’t break glass” is the ultimate approach to security, whereby administrators check out shared privileged accounts only for emergency situations. On a day-to-day basis, they should be required to log in with their individual, low-privilege account. Only when they need to run a privileged application or command, should they use elevated permissions.
PAM can play a critical role in improving an organization’s cyber security posture, reducing risk, and achieving regulatory compliance. Going beyond simply implementing a password vault by controlling, managing, and monitoring access to highly privileged accounts can prevent data breaches and IT infrastructure sabotage. PAM provides a full, not half, measure of control.