PAM in the Enterprise: Pros Versus Cons

Written by

Nish Gopal, Governance, Risk and Compliance Specialist
Nish Gopal, Governance, Risk and Compliance Specialist

PAM in the Enterprise: The Pros

Historically, it has been a challenge for organizations to protect against negligent and deliberate misuse of privileged access.

Getting access to privileged accounts is like hitting a goldmine for cyber-criminals. Whether the breach comes from outsiders or disgruntled insiders, a single access point is often all it takes to cripple an organization and cause irreparable damage.

One of the issues faced has been understanding and controlling when a user should be accessing information. If there was a way to provide access to only the information and systems a user needs to do their job, this would be an important step towards minimizing the risk of cybersecurity breaches. This is known as the principle of least privilege.

Privileged Access Management (PAM) solutions are designed around this principle. They enable the streamlined authorization of privileged access. With PAM, it becomes possible to manage access across an organization in a secure way. Here are some of the key benefits of using PAM within your organization.

Password Vaulting and Automation

Passwords are the weak link in cybersecurity if they are not correctly stored. If a cyber-criminal were to get hold of the right password, they could bring down a system, steal data or hold your company to ransom. PAM solutions store passwords in digital vaults which are encrypted, and the vaults also require authentication to access. By storing passwords securely with access control policies, you can reduce the risk of password misuse.

Another aspect of password security is automation. PAM solutions automate new password creation. Static passwords are dangerous because they can be reused by criminals to illegally access information and systems.

Session Management

Sometimes it is beneficial to apply certain restrictions to sessions. One example is not requiring a password for a session and instead injecting a password during the session. The user never gets to see the password and it is not stored. PAM solutions facilitate this, so that privileged information has no ‘written-down’ access point.

Another aspect of session management is recording. PAM solutions offer the ability to record sessions for security purposes. Recording privileged sessions or taking screenshots is useful for audits and investigating incidents.

Emergency Access Provision

Should you need to provide emergency access to certain individuals, such as when an operation-critical system breaks, you can implement emergency access to individuals at specific access points. This enables you to maintain control over what the user accesses, in line with the principle of least privilege.

Revoke, Deny and Monitor Privileged Access

PAM solutions allow you to restrict, revoke, deny and monitor access to systems and information across your organization in real-time. The ability to automatically terminate sessions, thus denying access, and the ability to revoke a user’s privileged access, as well as deny requests, makes managing security across an organization easier. This is especially useful for internal users.

So what about external users? PAM works here too. You can grant and revoke access for remote users and third parties without any complicated services or clients. Third parties and external users can be managed the same as internal users.

Auditing and Compliance

Every organization that handles data must abide by security compliance requirements in some form. The nuances of your obligations depend on the type and extent of data you handle, but in all cases, PAM solutions play an important role. As part of an audit, you must be able to identify all the privileged accounts in your organization and identify what controls you have to safeguard access.

Since PAM solutions control all these accounts and manage access, they provide a means to meeting audit and compliance requirements. In addition, PAM records and reports on password requests and transactions. This monitoring covers another aspect of IT compliance, accountability.

When privileged accounts are used in unintended ways, organizations are at a significant risk of costly security incidents. The core benefit of PAM solutions is that they tackle these security risks by providing ultimate control over what users can access and monitoring what they do.

Homayun Yaqub, Global Security Strategist, Forcepoint
Homayun Yaqub, Global Security Strategist, Forcepoint

PAM in the Enterprise: The Cons

The world of work has become remote. While it’s likely that how we use the office in the future will never be the same, the priority has been making data and services available to the legions of staff now working from kitchens and spare rooms. This has meant the traditional security perimeter organizations need to manage – which was already starting to fade before – is well and truly eroded. Staff are connecting from all manner of locations and home networks, and there’s a real need for a security model that can continually evaluate and react to changes in risk.

In the race to make this switch, many organizations have quickly opened access rights and enabled user privileges to give employees the files they need. However, this has offered up a great deal of sensitive information, IT resources and system access. Many employees rightly need this in order to do their jobs, but the risks of unmitigated privileged access should not be underestimated. Whether it’s phishing or malware that tricks staff into sharing data, or even threats from inside an organization, security risks increase in line with wider access being granted. In this new environment, modern security can’t be built on static, legacy policies that must be manually configured.

Blanket Access Rights

Forcepoint recently collaborated with the Ponemon Institute to understand how commercial and governmental organizations are managing their privileged access. They found access rights are often liberally given – more than a third of staff (36%) across the UK and the US reported having access to data that isn’t required for their job. Only around 50% said monitoring is handled through background checks or identity management.

The 36% of those who said they did not need privileged access to do their jobs but have it anyway cited two primary reasons – either everyone at their level has privileged access (even if it is not required for their day-to-day tasks) or their organization failed to revoke their rights when job roles changed. This suggests that the policies around privileged access are too rigid, and rely on staff manually updating them. It’s no surprise, then, that such blanket access is often given to everyone as a way of coping with the sheer volume of access change requests.

Information Overload

The risks of privileged access are magnified when visibility is reduced. Indeed, 43% of respondents said they were not confident their organizations know who has access across all systems, or whether those users are compliant with policies. Security teams are often stuck in a permanent firefighting mode, navigating the noise and alerts from a dizzying array of point products.

More vendors and tools do not equal better security, and while security tools have rightly become more specialized and tailored, there’s a real risk of information overload for IT teams. The situation with privileged access is a prime example.

Focus on People, Not Policies

Complicating matters is the fact that most of us are working remotely and will be for some time. Security tools need to be flexible enough to cope across platforms, devices and network locations, and behavior and user activity monitoring can be a big help in informing changes and shifts in restrictions. Implementing a blanket, static policy doesn’t do enough.

In this context, it’s useful to look at risk more closely. It’s a constantly shifting and dynamic factor in security – an individual user could be sharing data insecurely one day and be changing their passwords to be stronger the next. Once we understand that organizational risks come from people and their activities, suddenly it becomes a shared responsibility for the whole organization, rather than just one for IT or security teams to manage. When user activity monitoring is done with the right intentions, context of user actions suddenly becomes much more obvious.

What’s more, security can be much more adaptive and responsive – stepped up when it’s needed, and scaled back when it isn’t. For things like privileged access, this could mean policies automatically changing when job roles change or when projects end, eliminating the need for support tickets or costly IT helpdesk time.

The principle of zero-trust – never trust, always verify, and begin with least privilege – is a good rule of thumb here. Continuous adaptive risk and trust assessment depends on this principle, simply because the way data, applications and cloud tools are accessed and used is very dynamic, depending on the ways they authenticate. Once a user is verified, that should not be the end of the interaction. With the granular visibility that human-centric security approaches provide, organizations can proactively spot and react to potentially malicious activity before something more egregious occurs.

The steady stream of data breaches, ransomware attacks and user compromises never ceases. Poorly managed privileged access is not just unnecessary, it’s also a security risk. Organizations need to do a better job of continuously monitoring data access, as well as user behavior associated with that interaction once access is granted.

What’s hot on Infosecurity Magazine?