Why Your Privileged Access Management (PAM) Solution isn’t Enough for Database Security

Your organization’s data is at more risk than ever before, as proven by the staggering 422 million victims that were exposed in 1,802 data breaches in 2022 — only 60 short of the record set in 2021. That number likely would have shattered records had Russia-based cybercriminals not been distracted by the invasion of Ukraine.

The consequences of a data breach are immediate, long-lasting, and financially devastating (the average U.S. breach cost $9.44 million in 2022). With the ever-growing number of cloud services and remote workers, your data has never been more dispersed. That means securing it has never been more complicated.

Data is at the core of everything your organization does, and in the wrong hands, it’s downright volatile. We’ve all heard that “identity is the new perimeter,” and no one can be assumed to be safe, secure, or authorized. Everyone and everything requesting access to your data must have their identity verified and their privileges assigned. Otherwise, a data disaster is all but inevitable.

The World of Identity and Access Management (IAM)

Spending on Identity and Access Management (IAM) solutions will reach $20.75 billion in 2023, which comes as no surprise. With the collapse of the traditional corporate network, stationing “gatekeepers” around cloud infrastructures, APIs, and individual assets is the only way to balance productivity with security.

Privileged Access Management (PAM) is one subset of IAM, and it’s an important one because 80% of all data breaches involve some form of privileged credential abuse. PAM solutions like StrongDM and Teleport authenticate a user’s identity and then grant privileges to your most critical data based on that identity. PAM is a vital tool for modern cybersecurity, with 70% of organizations using some form of it. By 2029, the PAM market value is expected to reach $2.9 billion.

So applying PAM to your databases should solve your data security problem by using a tool that’s already in your security stack, right?

It sounds like a win-win, but don’t be deceived.

Privileged Access Management (PAM) Seems Like the Obvious Solution… But It’s Not

At first glance, the case for using PAM to grant database access looks strong. The problem is that PAM solutions are not data or database aware — meaning they don’t interface with data or databases effectively. That means they don’t manage access effectively either, and everything from security to accessibility suffers as a result.

You will benefit from having StrongDM, Teleport, or another PAM solution elsewhere. For database access, though, PAM is an obstacle at best and a massive liability at worst. It’s explicitly the wrong tool for the job, and it’s important to understand why.

4 Reasons Why Your PAM Solution Fails at Database Security

If you applied your PAM solution to your database, it would work something like this: does your privilege grant you access to this database? If yes, come inside. However, that approach creates issues in four key areas:

1. Authentication

PAM solutions like StrongDM and Teleport focus on privileged user authentication, but privileged users are only a small portion of what accesses your database. The number of apps, browser tools, microservices, and BI tools that access databases is growing much faster than actual users, yet PAM solutions don’t support them. As a result, all of these tools would have to circumvent your PAM solution in order to access the database, which defeats the security purpose of PAM.

Even for users, PAM requires rigid, agent-based deployments and certificates to authenticate properly to databases, which also breaks down at scale. Good authentication should make access easier for anything or anyone with permission. PAM does exactly the opposite.

2. Authorization

PAM solutions are very binary — access is either granted or denied. They are not equipped to grant privileges in databases based on who or what is accessing the data, what they are accessing, and for what purpose. Instead, your PAM solution will authorize everyone to do the same thing.

Airtight data protection means having the right privileges (e.g. admin, read/write, read-only), field-level controls (e.g. data masking), and real-time governance (e.g. Just-In-Time access) to specific users and user groups. Without these types of fine-grained controls, access is either too restrictive, which limits productivity, or too relaxed, which increases risk. Databases require granular authorization but, once again, PAM does exactly the opposite.

3. Auditing

One of the main challenges with database security is that traditional products like PAM are not database-centric. They serve as a jump-host to the database server, and they don’t provide any audit capabilities beyond which users log into them to access the database. They are unable to provide any visibility into what native accounts may be used by users or apps that can be used to bypass the PAM server itself. There is no accounting of what data resides in the database and if it is actually accessed by anyone, and no visibility into any application activity. All of these limitations result in challenges for security, operations, and compliance teams.

4. Speed and Scale

In addition to being ineffective, PAM solutions are incredibly difficult to implement at speed or scale. Agent-based systems are obstacles to getting this initiative off the ground. Deploying PAM in front of various data repositories in different environments requires a significant amount of work. Consequently, most attempts to put PAM on databases stall out before they even have a chance to underperform.

What Does Strong Database Security Look Like?

Understanding what your PAM solution can’t do makes it easy to imagine what the ideal solution looks like:

  • It must be able to authenticate anyone and any application from anywhere
  • It must work in a way that’s secure, efficient, and consistent
  • It must be able to apply security controls that carefully dictate privileges on the data layer

Checking these boxes doesn’t just fill the gaps in PAM solutions; it’s a catalyst for your entire data strategy. It gives you the power to connect more data consumers with more data sources, all while minimizing the risk of something dangerous getting inside the database. More queries get fulfilled and fewer (if any) breaches reach the data. That’s the true win-win.

Don’t be one of the enterprises with a security spend that falls short. Learn how to stop breaches at the target — the database — by downloading our guide “Why Data Security is Broken, And How to Fix It.

The post Why Your Privileged Access Management (PAM) Solution isn’t Enough for Database Security appeared first on Cyral.

*** This is a Security Bloggers Network syndicated blog from Blog Archive - Cyral authored by Meghan Jordan. Read the original post at: