Privileged accounts exist nearly everywhere within the organizational environment. Managing and protecting these privileged accounts has led to the rise of Privileged Access Management (PAM) solutions. These tools enable companies to centralize user administration, improve controls for granting user access, and more effectively manage and monitor privileged access to critical assets.

Over the last two decades, PAM solutions have traditionally relied on a password-first approach, in which the credentials of privileged accounts were often placed inside a password vault to try to reduce the risk of credential theft. Since that time, most privileged access management solutions have relied upon these password vaults to verify credentials. However, the reliance on password vaults will likely decrease with more stringent compliance regulations now in place or on the horizon for 2020.

With the realization that password vaults are not as secure as once thought, organizations are moving toward a password-free future in privileged access management that relies more heavily on solutions like multi-factor authentication (MFA). Multi-factor authentication verifies identity using multiple identifiers rather than a single identifier. For example, rather than just requiring a user password, multi-factor authentication could request something from the user’s device through a push notification or ask for something from the user personally through a biometric scan, like a fingerprint or facial recognition. Ultimately, multi-factor authentication is intended to strengthen and improve access security by requiring multiple identifiers for identity verification.

So when it comes to privileged access management, what role does MFA have and what does a world using PAM without passwords look like? Further, how can organizations also begin to adopt a more agile approach to privileged access management to meet increasing regulatory compliance? Let’s start by examining the impact of the past on the current regulatory environment.

Past Challenges Inform Present Mandates  

During the 1990s and early 2000s, many notable scandals occurred that required major changes in the way that businesses operated and led to the rise of privileged access management, from HIPAA, which ensures sensitive health information is protected, to the Enron scandal that eventually led to the landmark passage of the Sarbanes-Oxley Act of 2002. In addition, as payment fraud began to increase, the Payment Card Industry Data Security Standard (PCI-DSS) was established in late 2004. Over the years, mandates have intensified, and additional legislation has either gone into effect, like the General Data Protection Regulation (GDPR) in the European Union, or is set to go into effect in 2020, like the new consumer privacy law, the California Consumer Privacy Act of 2018 (CCPA).

In addition, compliance requirements in heavily regulated industries continue to change and intensify. For example, according to the PCI Security Standards Council, the current version of PCI-DSS 3.2.1 now mandates that organizations use multi-factor authentication for all non-console administrative access. This means that in addition to a unique ID, administrators and users must authenticate with at least two of the following factors: something they know, such as a password or passphrase; something they have, such as a token device or smart card; or something they are, like a biometric scan. In addition, with many card services supporting retailers across the world on shared facilities, these new explicit requirements mandate that no shared accounts exist for customers. These types of stipulations from PCI and other industry standards will only continue to increase over time.

In financial services, two significant developments have recently occurred to advance regulatory compliance in the industry. Although it is a commercial entity, SWIFT, which provides secure financial messaging services, will see the first edition of its own regulations go live in January 2020, requiring banks and financial houses to verify internally that they are compliant with the new SWIFT standards. If an organization’s installation is non-compliant, SWIFT reserves the right to withdraw services from that organization. Financial institutions have until June 2020 to remediate and completely certify their installations. Over time, these new SWIFT regulations will move toward external auditors certifying financial institution infrastructure, and will continue to intensify in their mandates.

The New York State Department of Financial Services (NYDFS) has also created a baseline of minimum requirements taken from best practices in Tier 1 banks and financial institutions registered in the State of New York. The NYDFS will now require that all banks, credit unions, mortgage companies, insurance companies, and other financial institutions operating within New York be registered or licensed by the DFS and meet ongoing regulatory compliance. This means any financial institution that does business in the state is subject to these new regulations beginning in January 2020, affecting more than 1,400 U.S. banks, 1,800 insurance companies, and 75,000 financial-related organizations.

Passwords Are Inherently Unsustainable

With increasing regulatory compliance across industries and geographies, some of the most trusted infosecurity and technology companies have also stated their desire to end passwords. For example, Microsoft has repeatedly asserted that passwords are inherently flawed. Specifically, a 2018 blog post indicated that ‘the reasons to eliminate passwords are endlessly compelling and all too familiar to every enterprise IT organization. Passwords are insecure. Inconvenient. Expensive. Nobody likes them.’ The company also recently announced that in next spring’s release, it will require multi-factor authentication to log into Windows servers, using Windows Hello with facial recognition or fingerprint ID.

With MFA serving as the most popular and secure authentication technology today, organizations are expected to keep up and incorporate this state-of-the-art solution in their security practices, moving beyond passwords to authenticate their systems and applications. This includes those organizations critical to national infrastructure and suppliers that support those critical verticals. Companies in these industries are also trying to implement security frameworks, such as NIST SP 800-53, COBIT or the ISO 27000 series. The increasing number of industry mandates that organizations face today means that privileged actions on a network, application, process, or system are moving away from password-based authentication toward multi-factor authentication as the current standard for security.  

PAM Solutions That Respond to a Dynamic Environment

With business requirements and infrastructure decision-making processes speeding up all the time, leading organizations have recognized the importance of building an environment that can change and flex over time. Alongside privileged access management tools, role-based management, access requests, and entitlement management are essential for clearly defining and managing roles within the production infrastructure.

PAM solutions should be flexible enough to adapt to shifts in the organization's infrastructure. This means the solution must integrate seamlessly with all major public and private cloud infrastructures. Finally, an effective PAM solution has to support multiple MFA providers in parallel. For example, if an MFA provider or manufacturer cannot replace keys in the event of a significant weakness, or if a business process is critical during a standard key replacement cycle, then the organization must be ready to switch to another vendor.

Staying Compliant with Leading-Edge PAM Tools and Strong Multi-Factor Authentication

It is possible to run an IT infrastructure without passwords and also meet increasing compliance requirements that now demand multi-factor authentication. Using MFA for user authentication, leading privileged access management solutions like Powertech Identity & Access Manager (BoKS) from HelpSystems enable organizations to ban password authentication in their Linux or UNIX infrastructure with just the click of a button. This means you can reduce credential theft and decrease the risk that a bad actor will be able to hack into your systems, improving your overall security posture. Our PAM solution also scales depending on the needs of each IT infrastructure, providing strong authentication to servers and workstations for organizations of all sizes.

The growing mandate to move away from passwords and password vaults means the time is now to make the shift toward a password-free future in your organization. It is essential that you consider how privileged access management solutions can work in concert with a strong MFA solution, and plan how to adopt this latest standard for authentication in your organization. Remember, rather than adding on disparate solutions that slow down your security team, you can achieve greater operational efficiency with centralized PAM solutions and enable your organization to operate at a higher level.