Privileged Access Management Solutions Are Shifting to the Cloud: Survey

Most companies are planning to move to, or adopt, cloud solutions for their privileged access management (PAM) deployments, at least according to a new survey suggesting that only 36% of companies plan to keep their PAM solution on-premise.

The survey was conducted by PAM supplier Thycotic, who questioned more than 200 security professionals at the 2019 RSA Conference in March. The need for a cloud PAM solution is compelling — the migration to the cloud is inexorable, and survey respondents suggested that unauthorized access as the top business risk to their new cloud environments.

“Compromising 20% to 30% of passwords is quite easy,” Thycotic’s chief security scientist and advisory CISO, Joe Carson, told SecurityWeek. “Organizations are often still using default credentials, or using easily guessable dictionary word passwords — easily cracked through brute force dictionary attacks.”

Once access is gained, the different passwords found on the network can be used, or if masked, easily cracked. This includes privileged accounts. These privileged accounts can then be used for lateral movement within the environment; but privileged accounts can also provide initial access into the network from the internet for things, and from web-facing systems.

Lateral movement is an increasingly dangerous threat. As manufacturers rush to converge their IT networks with their operational networks, often replacing the traditional airgap that separated them with inadequate segmentation, unprotected privileged accounts can give intruders direct access to the companies’ plants.

“This is often surprisingly easy,” said Carson. “It depends upon the individual setup, but there are usually a lot of misconfigurations in the segmentation — so, often an attacker only needs to compromise one account to get access to both segments. Some organizations have done proper network segmentation, but many have basically left it, so the same account has access to both networks.”

This provides the disturbing scenario where a determined attacker could gain access to the IT network, cross over to the operational technology (OT) network, and drop ransomware on the plant itself. “We will see this type of attack in the future,” said Carson. “While most manufacturers manage their two networks separately, few have full and adequate logical separation.”

In some cases, privileged credentials can adversely affect operations without needing to access the operational network. For example, in aircraft, the entertainment system equates to IT while the flight controls equate to OT. Sometimes, sensors in IT have a direct effect on OT. Since flight safety applies as much to the passengers as the crew, some aircraft have safety systems on the IT side that have a direct effect on flight controls.

“If you were able to get to the pressure sensor,” continued Carson, “you could send a signal to the flight deck saying the passenger pressure has been compromised — which could trigger a descent of the aircraft. This is a major attraction for cybercriminals — finding out about subtle cross-overs between IT and OT that can be used to their advantage.” It simply becomes much easier if the attacker can get control of privileged credentials; and effective control over privileged credentials in today’s large and complex networks requires proper privileged access management.

Where organizations have adopted a cloud only policy, then any PAM solution will also be in the cloud. Where the policy is cloud first, then it makes sense to use a cloud-based solution for a hybrid environment. But cloud PAM deployment also makes sense for an entirely on-premise environment. The only real difference between local PAM and cloud PAM is the company resources required. 

“For most companies,” said Carson “the biggest problem they have with PAM is the resources to manage it. Organizations — especially small and medium businesses, may not have — or be able to afford — expertise in all the necessary aspects of operating PAM. Where security-as-a-service is used, managing cloud PAM can be handed off. All the organization then needs is to have the resources to use — as opposed to manage — the PAM service. This saves a large amount of money on both infrastructure and human skill costs. PAM as a service from the cloud enables PAM for everyone, no matter what size of the organization, nor whether the infrastructure is hybrid between on-prem and cloud.”

Related: Security Gaps Remain as OT, IT Converge 

Related: Organizations Failing Painfully at Securing Privileged Accounts 

Related: Many Enterprises Fail to Protect Privileged Credentials 

Related: Don’t Ignore Identity Governance for Privileged Users