Challenges and Pitfalls of Privileged Access Management

It’s a reality of the threat landscape today that most attacks rely on or exploit privileged access management in some way. A recent report claims that 95% of breaches could have been prevented—and many of those are the result of abusing or exploiting privileged access. Limiting or removing privileged access to sensitive applications and data is an effective cybersecurity strategy that would prevent compromise, so why don’t more organizations have a dedicated privileged access management (PAM) solution in place?

Remediant, a provider of PAM solutions, wondered the same thing and set out to answer that question. Remediant commissioned Enterprise Management Associates (EMA) to conduct a survey of IT and cybersecurity professionals around the world. Survey participants—most of whom are directly involved in managing privileged access in their organization—span a broad range of industries and various company sizes.

The survey sheds light on the current state of PAM and the trends projected for the foreseeable future. It also revealed some of the challenges and pitfalls companies face with PAM and how many efforts to manage privileged access fall short of the intended goal.

Issues With Effective Management of Privileged Access

Many organizations expressed concerns or disappointment related to their current tools and processes for managing privileged access. However, there seems to be significant confusion about what PAM is, and many organizations are using manual processes or relying on tools that were not really designed for PAM. It’s easy to understand why companies that rely on password vaults or identity and access management (IAM) solutions are having issues with PAM; it’s because they don’t really have any.

Among the organizations that reported a violation of privileged access management policy in the last year, the average number of violations was 3.2. Organizations that don’t feel PAM is important pay the consequences for that belief. The average number of privileged access management policy violations is more than double—seven violations, on average—for those companies.

Some of the more surprising or concerning findings in the survey, though, relate to organizations that are currently using a dedicated PAM solution. Companies that have a dedicated PAM solution ranked in the top three for most PAM policy violations, with an average of 3.62 per year.

The amount of time involved in managing PAM—granting and revoking access—is also a significant issue. Half of those surveyed said that manually granting temporary privileges is either very (29%) or extremely (21%) time-consuming. The manual effort to revoke temporary privileged access is also an issue for half of the organizations surveyed, with 33% claiming it is very and 17% extremely time-consuming. Clearly, a dedicated PAM solution that can automate the granting and revoking of temporary privileged access would make a huge difference.

Implement Better PAM

Despite the challenges with privileged access management and the perceived pitfalls of dedicated PAM solutions, the Remediant survey also found that most of the companies that don’t currently have a dedicated PAM solution plan to implement one soon. Three-fourths of organizations that lack a dedicated PAM solution stated that they plan to have something in place in the next five years. Nearly two-thirds plan to implement a PAM solution in the next one to two years, and that number grows to 75% within five years—two-thirds within the next two years.

While that may be better than not having any dedicated PAM solution at all, the survey also revealed there are issues with some dedicated PAM solutions as well. As organizations explore options and move forward to select and implement a dedicated PAM solution, it’s crucial to understand that privileged access is not something that should be granted indefinitely in most cases. Privileged access should be granted on an as-needed basis, and only for as long as it’s needed.

Featured eBook
The State of DevSecOps

The State of DevSecOps

For years now, IT’s mantra has been “move quickly and break things.” To increase agility, companies adopted innovative and quick development practices. Great redesigns took place in the wake of DevOps. However, in this rush to implement forward-thinking practices, many teams eschewed security. No longer can institutions disregard security requirements within their DevOps environment. The ... Read More
Security Boulevard

Tony Bradley

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 4 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@techspective.net. For more from me, you can follow me on Twitter and Facebook.

tony-bradley has 73 posts and counting.See all posts by tony-bradley