Protecting Privileged Identities: Why IAM starts with PAM

Organizations are under constant attack, with hackers targeting privileged accounts for the treasure trove of data they provide.

Many recent high-profile breaches have one thing in common: they were accomplished by compromising user passwords and privileged accounts. In fact, analyst house Forrester estimates that 80% of data breaches involve compromised privileged account credentials.

In many cases, the passwords were hacked through various social engineering techniques. As a result, the increase in sophisticated, targeted security threats by external attackers and malicious insiders has made it extremely difficult for organizations to protect sensitive information.

It is a complete misconception that any one organization might not be a target for attackers; every single connected system is at risk. Privileged accounts are everywhere in the IT environment in the form of both user and service accounts, requiring passwords to access them.

The problem here is that hackers have many tools in their arsenal which are designed to crack these passwords. Despite this, traditional methods of identifying and managing privileged accounts still rely on manual, time-consuming tasks conducted on an infrequent or ad-hoc basis. 

Moving beyond the perimeter
Traditionally, organizations have protected their information with typical security perimeter tools such as firewalls and anti-virus. In this digital era, building a fence around critical assets no longer works: the new cybersecurity ‘perimeter’ needs to focus on protecting the identity and access of not only employees but also contractors and third parties.

Like any good security measure designed to protect critical information assets, managing and protecting privileged accounts requires both a plan and an ongoing program. Identifying these accounts should be a continuing priority, as well as ensuring only those who need access to them have it.

A frequently underestimated aspect of Privileged Account Management (PAM) – and any subsequent Identity and Access Management (IAM) project – is the breadth of systems and the variety of accounts that are involved.

The impersonal administrator
Cyber-attacks on UK businesses are on the increase, with the National Cyber Security Centre reporting growing threats from ransomware, data breaches and supply chain weaknesses. The problem is, privileged accounts are behind almost every major cyber-attack in recent years – exploiting these credentials is now a key tactic for modern hackers.

Privileged access is often the simplest way into the network and, as organizations move to the cloud, streamline supply chains and invite third parties to access their infrastructure, attackers are increasingly targeting these accounts.

As a result, these privileged accounts are often referred to as ‘the keys to the kingdom’ among cybersecurity professionals and a compromised privileged account can mean the difference between a simple network breach and a total cyber catastrophe.

When a single system is compromised, it is typically easier to mitigate, isolate and eradicate the risk, but when a privileged account is hacked, it allows the attacker to impersonate a trusted employee and move around the network undetected.

For example, in 2017, British financial services business Deloitte was hit by a sophisticated hack where the attacker is believed to have gained access to the company’s email server using an administrator account. 

It’s not just standard user accounts that organizations need to consider. Many of the privileged accounts within an IT system are, in fact, generic privileged access points such as root and service accounts, which are not directly managed and therefore unlikely to have their credentials properly maintained. 

Detect and protect
Any standard IAM tool can give users access to the services they need, but the success of the system relies heavily on the users securely managing their credentials. This is where a good PAM solution is invaluable: building a solid foundation to manage and secure privileged accounts helps organizations to be more scalable and flexible when adapting to new technologies whilst protecting critical assets and ensuring only trusted employees access the relevant data and systems.

PAM doesn’t have to be an insurmountable challenge; any organization can control, protect and secure its privileged accounts.

  • Avoid manual methods when implementing PAM. Too many organizations still rely on spreadsheets to track privileged account passwords, sharing them amongst employees as they are needed. These practices are dangerous and inefficient, yet easily mitigated by implementing an automated PAM solution which can greatly reduce the risk of being hacked. By automating the discovery and management of privileged accounts, organizations can curb privileged account sprawl, identify potential insider abuse and reveal external threats.
  • Protect privileged account passwords. Proactively manage, monitor and control privileged account access with password protection software. This strategy should automatically discover and store privileged accounts, schedule password rotation and manage individual privileged session activity to quickly detect and respond to malicious activity.
  • Limit IT admin access to systems. Implement a policy of least privilege, where privileges are only granted when required and approved. Enforcing a least privilege policy on end-users and their devices keeps employees configured to a standard user profile, only elevating their privileges when absolutely necessary. 

Privileged account management is more than just managing a few administrators and shared accounts, especially in an era where sophisticated, targeted threats by both external attackers and malicious insiders are making it increasingly difficult for organizations to properly protect critical and sensitive information.

In today’s hyper-connected world, implementing an effective and continuous PAM program will empower an organization to properly track and secure its privileged accounts, protecting against the threat of external attackers and malicious insiders.
