Over the past several years, the landscape of cyberattacks and data breaches has expanded and dramatically worsened. First, threat actors are getting smarter, and using less obvious attack tools and techniques to blend in and be less conspicuous. Furthermore, they’re increasingly finding and leveraging privileged credentials as part of their attack path.
In Verizon’s 2019 Data Breach Investigations Report, use of stolen credentials and privilege abuse each consistently rank amongst the top threat actions, both in terms of number of incidents and full-blown breaches. This trend has been underway for years, too, and the security community knows it. Additionally, the proliferation of privileges, and of avenues by which privileged access can be exploited, has been a growing challenge for IT. Why, then, don’t we focus more on privileged access management (PAM)? The answer is…complicated.
Many organizations maintain long, firmly held beliefs about privileged access management (PAM) tools and concepts that don’t hold up to much scrutiny. These misconceptions can cause IT teams to overlook easy and highly attainable ways to reduce risk, and also cause organizations to use dangerous tactics and workarounds that inflate their risk surface.
For instance, organizations still commonly enable a risky “browse up” security model, where administrative tasks and actions can be performed from low-trust end user systems like mobile devices, laptops, etc. To make this work and still maintain security, many organizations have tried using dedicated “jump boxes” and bastion hosts that are locked down extensively for all remote admin and privileged activity. While this can be an effective approach that has some merit, it’s often impractical and inconvenient for users, which consequently leads to efforts to circumvent this access model altogether (and we know where this can lead).
There’s no doubt that it’s time to prioritize PAM, but we need to be looking at a realistic model and tools that are operationally sustainable. To overcome mental barriers to PAM adoption, we also need to address myths and misperceptions about PAM.
It’s long been thought that any robust PAM implementation requires the use of shared accounts, which present a security risk in their own right. Some organizations have struggled to change admin and other privileged user behaviors around shared accounts, and that struggle will likely continue…but PAM shouldn’t be a contributing technology factor here.
Likewise, to some, PAM seems to apply only to privileged accounts and access, but modern enterprise PAM tools should facilitate any type of controlled connectivity, with password and session management, various integration elements with authentication, federation, and other security services, as well as robust logging and monitoring of activity.
And contrary to some misconceptions, PAM solutions extend far beyond Active Directory. In fact, any enterprise-class PAM platform should also completely address privileged accounts on Unix and Linux, as well as on mobile devices and non-traditional devices like IoT.
Today’s best PAM tools can truly address an expansive list of use cases, such as vendor remote access and other more granular access needs. Some have tried to equate this to a “zero trust” implementation, but a full-fledged “zero trust” model is exceedingly difficult to achieve. While PAM is one facet of “trust limitation and monitoring”, it shouldn’t be misrepresented as providing a complete “zero trust” model. Let’s start debunking PAM myths here—not create new ones!
Above all, there’s been a misconception that PAM is difficult to implement and manage. This shouldn’t be the case! There’s no better time to look into PAM, given the current threat landscape we face, and it’s best to find options that integrate into your environment without enormous headaches and operational demands.
For a deeper dive into unwinding PAM myths and setting the facts straight, check out my on-demand webinar: Debunking Dangerous Misconceptions about Privileged Access Management.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.