Cloud Security

Privileged Access Management Solutions Are Shifting to the Cloud: Survey

Most companies are planning to move to, or adopt, cloud solutions for their privileged access management (PAM) deployments, at least according to a new survey suggesting that only 36% of companies plan to keep their PAM solution on-premise.

The survey was conducted by PAM supplier Thycotic, which questioned more than 200 security professionals at the 2019 RSA Conference in March. The case for a cloud PAM solution is compelling: the migration to the cloud is inexorable, and respondents identified unauthorized access as the top business risk to their new cloud environments.

“Compromising 20% to 30% of passwords is quite easy,” Thycotic’s chief security scientist and advisory CISO, Joe Carson, told SecurityWeek. “Organizations are often still using default credentials, or using easily guessable dictionary word passwords — easily cracked through brute force dictionary attacks.”

Once access is gained, other passwords found on the network can be reused directly or, if stored in hashed form, cracked offline. This includes privileged accounts. Those privileged accounts can then be used for lateral movement within the environment, but they can equally provide the initial access from the internet, through internet-connected devices and web-facing systems.
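To show why the dictionary attacks described above succeed so often, here is an added example that is not code from the original article or from Thycotic: a small Python audit that runs a default-credential wordlist, plus the cheap mutations attackers try first, against a constructed store of privileged-account password verifiers. The wordlist, the account names and passwords, and the two storage schemes (unsalted SHA-256 and salted PBKDF2) are all assumptions made for the demonstration; real stores use vendor-specific formats and real wordlists run to millions of entries.

```python
import hashlib
import os

# Constructed wordlist: a handful of defaults and dictionary words.
# Real attacks use millions of entries plus leaked-password lists.
WORDLIST = ["admin", "password", "welcome", "changeme", "root", "letmein"]


def mangle(word):
    """Yield the word plus the cheap mutations a dictionary attack tries first."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2019"):
        yield word + suffix
        yield word.capitalize() + suffix


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, rounds):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_record(account, password, scheme, rounds=10_000):
    """Build a stored-verifier record for the demo (stands in for a dumped credential store)."""
    if scheme == "sha256":
        return {"account": account, "scheme": scheme, "hash": sha256_hex(password)}
    salt = os.urandom(16)
    return {"account": account, "scheme": "pbkdf2", "salt": salt,
            "rounds": rounds, "hash": pbkdf2_hex(password, salt, rounds)}


def audit(records, wordlist):
    """Return {account: recovered password or None} for every record."""
    # Unsalted hashes: hash each candidate once, then look every account up in
    # the same table. The cost does not grow with the number of accounts.
    lookup = {sha256_hex(c): c for w in wordlist for c in mangle(w)}
    found = {}
    for rec in records:
        if rec["scheme"] == "sha256":
            found[rec["account"]] = lookup.get(rec["hash"])
            continue
        # Salted, iterated hashes: each candidate must be re-derived per account.
        found[rec["account"]] = None
        for w in wordlist:
            for cand in mangle(w):
                if pbkdf2_hex(cand, rec["salt"], rec["rounds"]) == rec["hash"]:
                    found[rec["account"]] = cand
                    break
            if found[rec["account"]] is not None:
                break
    return found


# Constructed sample credential store for four privileged accounts (assumed names/passwords).
SAMPLE = [
    make_record("svc_backup", "Admin123", "sha256"),    # default-style password, unsalted
    make_record("oracle_dba", "changeme", "sha256"),    # vendor default, unsalted
    make_record("ot_hmi_admin", "welcome1", "pbkdf2"),  # dictionary word, salted and iterated
    make_record("ciso", "correct-horse-battery-staple-9x", "pbkdf2"),
]

if __name__ == "__main__":
    for account, pw in audit(SAMPLE, WORDLIST).items():
        print(f"{account:14} {'CRACKED: ' + pw if pw else 'not in wordlist'}")
```

The two unsalted records fall to one precomputed table no matter how many accounts share that scheme, while the salted, iterated scheme forces a fresh derivation for every account and candidate; the account with a long passphrase survives the wordlist entirely. Pointed at a real export, the same loop is a cheap way to find out how much of the 20% to 30% figure applies to your own privileged accounts.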

Lateral movement is an increasingly dangerous threat. As manufacturers rush to converge their IT networks with their operational networks, often replacing the traditional air gap that separated them with inadequate segmentation, unprotected privileged accounts can give intruders direct access to the companies' plants.

“This is often surprisingly easy,” said Carson. “It depends upon the individual setup, but there are usually a lot of misconfigurations in the segmentation — so, often an attacker only needs to compromise one account to get access to both segments. Some organizations have done proper network segmentation, but many have basically left it, so the same account has access to both networks.”

This raises the disturbing scenario in which a determined attacker gains access to the IT network, crosses over to the operational technology (OT) network, and drops ransomware on the plant itself. “We will see this type of attack in the future,” said Carson. “While most manufacturers manage their two networks separately, few have full and adequate logical separation.”
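The misconfiguration Carson describes, a single account that reaches both segments, is easy to detect from data a PAM tool or directory already holds. The following is an added example, not code from the article or from any vendor: a Python check over a constructed host-to-zone inventory and a constructed list of account grants that lists every account whose access spans more than one zone, and separately lists hosts missing from the inventory, since a host with no recorded zone is a gap in the segmentation picture rather than evidence of segmentation. Host names, zones, account names and grant records are all assumptions.

```python
from collections import defaultdict

# Constructed inventory: host -> network zone (what a CMDB or PAM export would provide).
HOST_ZONE = {
    "dc01": "IT",
    "fileserver": "IT",
    "jump01": "IT",
    "plc-gateway": "OT",
    "hmi-line3": "OT",
    "historian": "OT",
}

# Constructed grants: (account, host, is_admin). The backup service account and an
# engineer's account have been given rights on both sides of the IT/OT boundary.
GRANTS = [
    ("svc_backup", "fileserver", True),
    ("svc_backup", "historian", True),
    ("eng_jsmith", "jump01", False),
    ("eng_jsmith", "hmi-line3", True),
    ("dc_admin", "dc01", True),
    ("ot_operator", "hmi-line3", False),
    ("contractor", "vpn-gw", True),  # host absent from the inventory
]


def account_reach(grants, host_zone):
    """Map each account to {zone: set of hosts it can reach in that zone}."""
    reach = defaultdict(lambda: defaultdict(set))
    for account, host, _admin in grants:
        zone = host_zone.get(host)
        if zone is None:
            continue  # unmapped hosts are reported separately by unmapped_hosts()
        reach[account][zone].add(host)
    return reach


def straddling_accounts(grants, host_zone):
    """Return {account: (sorted zones, admin_somewhere)} for accounts reaching more than one zone.

    These are the accounts that let an attacker cross the segmentation with one
    compromise; admin rights anywhere make the finding high severity.
    """
    admin_anywhere = defaultdict(bool)
    for account, _host, is_admin in grants:
        admin_anywhere[account] |= is_admin
    findings = {}
    for account, zones in account_reach(grants, host_zone).items():
        if len(zones) > 1:
            findings[account] = (sorted(zones), admin_anywhere[account])
    return findings


def unmapped_hosts(grants, host_zone):
    """Hosts that carry grants but have no zone: segmentation cannot be verified for them."""
    return sorted({host for _acct, host, _adm in grants if host not in host_zone})


if __name__ == "__main__":
    for account, (zones, admin) in sorted(straddling_accounts(GRANTS, HOST_ZONE).items()):
        print(f"{account}: spans {'/'.join(zones)}{' (admin)' if admin else ''}")
    for host in unmapped_hosts(GRANTS, HOST_ZONE):
        print(f"no zone recorded for {host}")
```

Accounts that only ever touch one zone, such as dc_admin and ot_operator, do not appear; the two straddlers are the ones whose credentials would carry an attacker from the corporate network onto the plant. Exporting grants from the PAM solution and re-running this after every change is the kind of check that keeps the segmentation from quietly eroding.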


In some cases, an attacker holding privileged credentials can adversely affect operations without ever touching the operational network. In an aircraft, for example, the entertainment system equates to IT while the flight controls equate to OT, yet sensors on the IT side can have a direct effect on OT. Because flight safety applies as much to the passengers as to the crew, some aircraft have safety systems on the IT side that directly influence the flight controls.

“If you were able to get to the pressure sensor,” continued Carson, “you could send a signal to the flight deck saying the passenger pressure has been compromised — which could trigger a descent of the aircraft. This is a major attraction for cybercriminals — finding out about subtle cross-overs between IT and OT that can be used to their advantage.” It simply becomes much easier if the attacker can get control of privileged credentials; and effective control over privileged credentials in today’s large and complex networks requires proper privileged access management.

Where an organization has adopted a cloud-only policy, any PAM solution will also be in the cloud. Where the policy is cloud-first, it makes sense to use a cloud-based solution for the hybrid environment. But cloud PAM deployment can also make sense for an entirely on-premise environment: the chief difference between local PAM and cloud PAM is the company resources required to run it.

“For most companies,” said Carson, “the biggest problem they have with PAM is the resources to manage it. Organizations, especially small and medium businesses, may not have, or be able to afford, expertise in all the necessary aspects of operating PAM. Where security-as-a-service is used, managing cloud PAM can be handed off. All the organization then needs is to have the resources to use — as opposed to manage — the PAM service. This saves a large amount of money on both infrastructure and human skill costs. PAM as a service from the cloud enables PAM for everyone, no matter what size of the organization, nor whether the infrastructure is hybrid between on-prem and cloud.”

Related: Security Gaps Remain as OT, IT Converge 

Related: Organizations Failing Painfully at Securing Privileged Accounts 

Related: Many Enterprises Fail to Protect Privileged Credentials 

Related: Don’t Ignore Identity Governance for Privileged Users

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
