It’s a reality of the threat landscape today that most attacks rely on or exploit privileged access management in some way. A recent report claims that 95% of breaches could have been prevented—and many of those are the result of abusing or exploiting privileged access. Limiting or removing privileged access to sensitive applications and data is an effective cybersecurity strategy that would prevent compromise, so why don’t more organizations have a dedicated privileged access management (PAM) solution in place?
Remediant, a provider of PAM solutions, wondered the same thing and set out to answer that question. Remediant commissioned Enterprise Management Associates (EMA) to conduct a survey of IT and cybersecurity professionals around the world. Survey participants—most of whom are directly involved in managing privileged access in their organization—span a broad range of industries and various company sizes.
The survey sheds light on the current state of PAM and the trends projected for the foreseeable future. It also revealed some of the challenges and pitfalls companies face with PAM and how many efforts to manage privileged access fall short of the intended goal.
Issues With Effective Management of Privileged Access
Many organizations expressed concerns or disappointment related to their current tools and processes for managing privileged access. However, there seems to be significant confusion about what PAM is, and many organizations are using manual processes or relying on tools that were not really designed for PAM. It’s easy to understand why companies that rely on password vaults or identity and access management (IAM) solutions are having issues with PAM; it’s because they don’t really have any.
Among the organizations that reported a violation of privileged access management policy in the last year, the average number of violations was 3.2. Organizations that don’t feel PAM is important pay the consequences for that belief. The average number of privileged access management policy violations is more than double—seven violations, on average—for those companies.
Some of the more surprising or concerning findings in the survey, though, relate to organizations that are currently using a dedicated PAM solution. Companies that have a dedicated PAM solution ranked in the top three for most PAM policy violations, with an average of 3.62 per year.
The amount of time involved in managing PAM—granting and revoking access—is also a significant issue. Half of those surveyed said that manually granting temporary privileges is either very (29%) or extremely (21%) time-consuming. The manual effort to revoke temporary privileged access is also an issue for half of the organizations surveyed, with 33% claiming it is very and 17% extremely time-consuming. Clearly, a dedicated PAM solution that can automate the granting and revoking of temporary privileged access would make a huge difference.
Implement Better PAM
Despite the challenges with privileged access management and the perceived pitfalls of dedicated PAM solutions, the Remediant survey also found that most of the companies that don’t currently have a dedicated PAM solution plan to implement one soon. Three-fourths of organizations that lack a dedicated PAM solution stated that they plan to have something in place in the next five years. Nearly two-thirds plan to implement a PAM solution in the next one to two years, and that number grows to 75% within five years—two-thirds within the next two years.
While that may be better than not having any dedicated PAM solution at all, the survey also revealed there are issues with some dedicated PAM solutions as well. As organizations explore options and move forward to select and implement a dedicated PAM solution, it’s crucial to understand that privileged access is not something that should be granted indefinitely in most cases. Privileged access should be granted on an as-needed basis, and only for as long as it’s needed.