It’s Time to Get Serious About Managing Privileged Accounts
Managing privileged account access isn’t going to get easier, so the right strategy is more important than ever
With people working from home in greater numbers, security professionals are rightly concerned about the risk of data loss. One recent survey found that more than half of employees admit they cut security corners while working from home. Some are distracted by working off-site. Others may let their guard down because they believe the IT team isn’t watching activities closely. And some simply don’t have the systems or structure in place to handle secure remote work.
New business practices have increased the number of privileged accounts to manage, which also raises the stakes of compromised credentials. If hackers gain access to the credentials of an employee or contractor with administrator-level privileges, they can modify, extract or dump information or inject ransomware or malware into the system to destroy company value.
Managing Privileged Accounts Is a Top Priority
This heightened risk has security professionals reviewing their privileged account management processes and technology. Changing business practices keep expanding the list of privileged account users. IT, the original superusers, have always had extraordinary account privileges since IT professionals need that to support system, software and operational accounts.
There have also always been privileged business users, people who require access to sensitive data such as HR records, payroll, financial information, intellectual property, website code, etc. And now privileged accounts often also include employees engaged on special projects, developers working on applications or third-party contract workers.
The expanded set of people with privileged accounts makes privileged access management (PAM) more of a challenge, but it also makes control of those accounts more critical than ever. Changes in business practices are just one reason to pay more attention to PAM; security professionals also must comply with government and trade organization regulations.
As more services take place online, business practices change and digital transformation drives business activities to the cloud, the attack surface expands. That’s why Gartner named PAM No. 1 in its 2019 Top 10 Security Projects list, noting that privileged accounts “are attractive targets for attackers” and that PAM “should be prioritized via a risk-based approach.”
Options for Strengthening Control of Privileged Accounts
As Gartner put it, a PAM project can help “address the changing needs of cybersecurity and reduce risk.” So, what should security and risk professionals look for in a PAM solution? Basic PAM covers core functions such as a vault to secure credentials, password rotation, privilege elevation and delegation control and session monitoring/recording.
A comprehensive and integrated PAM solution might include those basics plus more advanced features such as user behavior analytics, threat protection, a privileged account governance program, automatic onboarding and provisioning functions and just-in-time access management, working in conjunction with endpoint privilege management.
PAM solutions in the marketplace vary. In addition to features, risk and security professionals would also want to determine whether a prospective PAM product has an open architecture and open APIs, since that makes it easier to integrate with the IT infrastructure as well as other elements of the company’s security ecosystem, such as SIEM, ITSM, IAM, etc., products.
Factors to Consider When Selecting a Solution
Other factors to consider are ease of deployment and management. The last thing risk and security teams need now is an expensive, resource-heavy deployment. Some PAM solutions require investment in multiple servers to support the PAM architecture, which drives up the total cost of ownership and requires costly, complex maintenance. Simplicity is the key.
The company’s compliance needs should also be considered when choosing a PAM solution. Region-specific regulations are already in force, and more legislation to protect privacy and data is undoubtedly on the way. Companies with global customers have to comply with all of them. A certified-compliant PAM solution is a good indication of reliability for compliance purposes.
With the attack surface expanding and the number of attacks increasing, more risk and security professionals are considering a comprehensive approach to PAM and making a PAM upgrade their top priority. Managing privileged access isn’t going to get easier, so the right strategy is more important than ever. It’s time to get serious about privileged access management.