Busting the Top Myths About Privileged Access Management

Written by

As businesses reflect on the disruption caused by the COVID-19 crisis, ensuring agility and resilience have risen to the top of C-suite agendas everywhere. Today, enterprises around the world are investing in infrastructure to support future growth – whether that’s moving to the cloud, or automating tasks and processes. However, this modernization of IT presents additional opportunities for attackers to uncover security vulnerabilities.

Privileged access management (PAM) strategies that secure pathways to critical business information are integral to effective corporate cybersecurity programs. Attackers view privileged access – the credentials that allow access to critical information and controls – as one of the best ways to get to their chosen target within an organization’s infrastructure. In fact, the vast majority of cyber-attacks use compromised privileged credentials, so PAM solutions are a critical layer of defense.

However, while securing privileged access consistently can reduce risk and improve operational efficiency, some misconceptions surrounding PAM persist. Here we are going to bust five of the most prevalent PAM myths.

Myth One: As Privileged Access Exists Everywhere, it’s Impossible to Secure

While the scope of privileged access can be intimidating in complex IT environments, dedicated PAM solutions and related policies can shrink the attack surface by shutting down pathways to critical resources. This is done automatically by mapping where privileged credentials sit within cloud and hybrid environments, saving security teams significant time and effort. Additionally, modern PAM tools also incorporate the automatic rotation of SSH keys and other privileged credentials at regular intervals to eliminate the time-consuming and error-prone manual tasks required for regulatory compliance. Meanwhile, automatic session monitoring capabilities systematically record all privileged account sessions and identify which users are operating privileged accounts.

Finally, the best PAM tools also provide detailed session monitoring recordings that can be sorted into searchable data for compliance and incident response teams. They also use user behavior analytics to automatically detect and suspend risky privileged sessions.

Myth Two: PAM Tools Are Challenging for Administrators to Manage

Today’s effective PAM solutions greatly ease and simplify administrator workloads. Collecting all privileged accounts in a centralized vault eliminates the need to manually search for and manage their associated credentials. This can improve the efficiency and efficacy of IT projects. Automation tools also enable administrators to eliminate time-intensive tasks in favor of more strategic initiatives.

PAM tools can be particularly useful to address the emerging risks from organizations’ cloud migrations. When adopting a hybrid or public cloud infrastructure, even slight misconfigurations can create new vulnerabilities. Having holistic tools in place to discover the risks associated with privileged access can dramatically improve an organization’s security posture.

Myth Three: IAM Solutions Are Sufficient to Protect Privileged Access

While Identity Access Management (IAM) tools and Multi-Factor Authentication (MFA) methods are strategic investments, they don’t replace the value of a PAM solution.

PAM tools are focused on risk reduction, and protect privileged business users from sophisticated social engineering attacks that can allow attackers to bypass MFA. Most importantly, IAM tools require direct connection to user databases like Active Directory (AD). These connections are often hosted on-premises, and if any on-premises server is compromised, attackers can easily gain control over AD to launch an attack. When used in collaboration, PAM and IAM can create a strong enterprise security fabric, with the former providing a vital security layer for servers hosting IAM’s direct connection to user databases like AD.

Myth Four: PAM Solutions Interfere with Operational Efficiency

The majority of workers’ daily tasks don’t require elevated privileges – and PAM solutions therefore won’t impact them at all. For those that do require elevated privileges, leading PAM tools offer a variety of user-friendly formats to provide credential vaulting and session management in the background of their daily workflows.

In fact, using PAM tools to automate time-consuming tasks for IT and security employees can improve productivity by freeing up time for higher-value projects.

Myth Five: It’s Difficult to Calculate ROI for PAM Solutions

The average cost of a data breach in 2019 came in at nearly $4m. Notably, this figure does not include the additional losses caused by reputational damage and theft of intellectual property. Privileged access acts as a focal point for organizations to demonstrate where security solutions can have a high impact. In any security program, cost-efficiency is key and PAM is a high-leverage point where modest investments can achieve outsized ROI and risk reduction.

Deploying a PAM solution allows organizations to scan their systems to see the decrease in the number of unsecured and unprotected systems. Since any unmanaged privileged account is a potential attack vector, each privileged account discovered, secured and protected by a PAM solution directly reduces the exposed attack surface and provides proof of ROI.

Effective security starts with protecting an organization’s most valuable information, and unmanaged, unprotected privileged access represents a significant threat. By locking down privileged credentials, organizations deprive attackers of their preferred routes to critical data and assets. Simultaneously, session monitoring and threat detection capabilities can help teams detect and investigate misuse of privileged credentials – improving an organization’s response time to in-progress attacks.

Click here for CyberArk’s eBook featuring actionable tips and essential insight on privileged access management.

Brought to you by

What’s hot on Infosecurity Magazine?