With the recent Colonial Pipeline breach highlighting the risk of lost credentials, it’s time to get serious about multi-factor authentication (MFA) and privileged account management (PAM). In fact, the “One-Two Punch” risk is an existential justification for PAM – as I highlighted in last week’s BeyondTrust webinar. But to successfully protect the business, PAM projects must start with the basics and align the solution well with IT stakeholders and their business processes.
PAM Architecture Must Now Cover Hybrid Cloud Environments
The universe of privileges required to maintain the new IT is expanding with cloud adoption and the ongoing requirement to support work-from-home (WFH) programs. Companies have more cloud console accounts, servers and services, device identities, and third-party vendor accounts or trust relationships than ever before. And this increased risk from the network edge pales in the face of elevated danger from advanced, well-equipped threat actors. Customers need a PAM solution to cover a broad set of environments and use cases.
Best Practices for Privileged Password Management
A “back to the basics” approach should start with best practices for privileged credential management and use by:
- Using separate accounts for privileged administration and day-to-day access
- Managing user credentials, Secure Shell (SSH) keys, and application programming interface (API) keys in an automated fashion
- Requiring strong, two-factor authentication
- Requiring “smart” (contextual) authentication that steps up the authentication challenges as privileged users attempt the most sensitive operations
- Deploying Just-in-Time (JIT) authorization for access to critical production systems
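To make the last two practices concrete, here is a small policy check that combines a time-boxed JIT grant with step-up authentication keyed to operation sensitivity. It is an added illustration, not code from the webinar or from any BeyondTrust product; the sensitivity tiers, the 15-minute MFA freshness window and the sample user, system and approver names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sensitivity tiers (assumption, not from the post):
# 1 = routine, 2 = needs a second factor, 3 = needs a *fresh* second factor.
SENSITIVITY = {"read_logs": 1, "restart_service": 2, "rotate_root_password": 3}


@dataclass
class Session:
    user: str
    mfa_factors: int          # factors satisfied so far (1 = password only)
    last_mfa: datetime        # when the second factor was last presented
    jit_grants: dict = field(default_factory=dict)  # system -> expiry time


def request_jit(session, system, now, approver, minutes=60):
    """Record a time-boxed privilege window for one system.

    The requester may not approve their own grant; JIT only reduces risk
    if a second person (or ticket workflow) signs off on the window.
    """
    if approver == session.user:
        raise PermissionError("JIT grant requires a second person to approve")
    session.jit_grants[system] = now + timedelta(minutes=minutes)


def decide(session, system, operation, now, max_mfa_age=timedelta(minutes=15)):
    """Return (allowed, reason) for a privileged operation.

    Checks run in order: is there a live JIT grant for the system, then does
    the operation's sensitivity tier require a (fresh) second factor.
    """
    expiry = session.jit_grants.get(system)
    if expiry is None or now >= expiry:
        return False, "no active JIT grant for " + system
    # Unknown operations are treated as the most sensitive tier by default.
    tier = SENSITIVITY.get(operation, 3)
    if tier >= 2 and session.mfa_factors < 2:
        return False, "step-up: second factor required"
    if tier >= 3 and now - session.last_mfa > max_mfa_age:
        return False, "step-up: fresh second factor required"
    return True, "allowed"
```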
Think of – and Manage – PAM as a Program
PAM requirements, such as credential checkout from a vault and JIT access workflow approval, have the potential to disrupt busy system administrators or developers racing to meet business deadlines, keep production systems running, and troubleshoot an endless array of IT problems.
As necessary as PAM is in these days of ransomware and advanced persistent threats (APTs), it just won’t get deployed unless it adds security in ways that still allow IT to meet business needs. But if done right, PAM can be a powerful business enabler. In fact, for IT and security respondents in a Forrester Consulting survey (sponsored by BeyondTrust), "Improved IT administrative efficiencies" was the most frequently cited benefit of privileged identity management. "Improved user experience" and "Improved user productivity" also ranked highly.
To ensure your PAM program is a productivity enabler as well as a powerful risk-reduction force, ensure it does the following:
- Engages target users and stakeholders from the start
- Integrates with enterprise identity management, IT service ticketing, and DevOps procedures
- Supports ease of use and high availability for IT admins
In my recent webinar, Back to the Basics: A Best Practices Approach to Privileged Password Management, I recommend starting with privileged password management best practices and solutions, building up a basic PAM architecture, and then adding JIT access, service account management and other DevSecOps features, and sophisticated security monitoring to the solution.
You can now check out the webinar on-demand here to learn more about counteracting the One-Two Punch, designing the phased PAM architecture, and managing PAM as a program to create a service that empowers your IT organization and secures your business.
Dan Blum, Cybersecurity Strategist and Author
Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He was a Golden Quill Award-winning VP and Distinguished Analyst at Gartner, Inc., has served as the security leader for several startups and consulting companies, and has advised hundreds of large corporations, universities and government organizations. He consults with clients on identity management, PAM, risk management, and other topics. He has made his new book, Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment, freely available as Open Access via Apress, or on Amazon.