Verizon’s Data Breach Investigations Report consistently finds that 80 percent of breaches are caused by compromised or weak credentials. Today’s columnist, James Quick of Simeio, says because of these high rates of attack, security teams should make all accounts privileged.

About 10 years ago, I thought a separate privileged identity and access management system was overkill. The idea of separate controls for super users as opposed to the rest of the workforce seemed an unnecessary use of resources. We just needed to build an honest, qualified and unified team to manage identity access across the board.

In reality, the ability to readily find and hire a highly qualified team isn’t a given. There has always been a talent shortage in cybersecurity. We have to manage with the resources we have, not the ones we wish we had. However, the core problem resides in how we approach identity access.

Today, my position on privileged access management – or PAM – has radically changed. PAM has become the most important of the disciplines of identity and access management (IAM) to get right.

A year ago, I had a “lightbulb on” moment about privileged accounts. When we think of privileged accounts, we think of Unix root accounts or Windows domain admins. We think of database administrator accounts, service accounts, shared accounts, and so on. But we should treat every account as a privileged account.

It’s rare for a hacker to get control of a root account or a Windows domain account. That’s not where they start. It’s more likely they’ll send a phishing email hoping someone clicks on a link, installs malware, and gets redirected to a place where the hacker harvests the victim’s ID and password. Yes, they start with an average user account.

Every account has become a potential front door to an organization’s crown jewels. So, why aren’t we defending all accounts like they’re an entry-point for hackers to gain ownership of our systems?

Here’s why we should make all accounts privileged:

  • Cybercriminals use employee accounts to laterally access admin credentials.
  • External contractors nefariously gain access to corporate systems and data.
  • Disgruntled employees steal corporate secrets and customer data.
  • Hackers deceive users into opening websites with malicious software that downloads to their computers.
  • Application vulnerabilities, and devices with open network ports, are used to access corporate assets.

The limits of Zero Trust

Consider the Zero Trust model, a networking concept that removes the implicit privilege we extend to recognized devices on the network but not to outside devices. Under the old model, we extended trust simply because the user was on the network. Unfortunately, hackers easily defeated systems that assumed trust based on IP addresses.

What if the security team extends Zero Trust to all of its employees? Should I trust an employee just because they have a user ID and password? Chances are, the answer is no. Especially if some of those users attempt to access critical assets.

Here’s where behavioral analytics kick in, identifying anomalies around access requests, such as an unfamiliar IP address or geography. There are a number of signs that can indicate a compromise, like requests that come in the middle of the night. Additionally, was access attempted on data that normally isn’t accessed by that user?
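As an added example (not from the column), a minimal version of the behavioral check described above: each user’s baseline of source countries, working hours and resources is learned from their earlier events, and a new event is flagged when it deviates. The event records, the working-hours window and the minimum-history threshold are constructed assumptions, not real data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access events (not real data): user, UTC timestamp, source country, resource.
EVENTS = [
    ("alice", "2024-03-04T09:12:00", "US", "hr-portal"),
    ("alice", "2024-03-05T10:03:00", "US", "hr-portal"),
    ("alice", "2024-03-06T14:47:00", "US", "payroll-db"),
    ("alice", "2024-03-07T09:30:00", "US", "hr-portal"),
    ("alice", "2024-03-08T03:05:00", "RO", "source-repo"),  # new country, off-hours, new resource
    ("bob",   "2024-03-04T08:55:00", "DE", "source-repo"),
    ("bob",   "2024-03-05T09:10:00", "DE", "source-repo"),
    ("bob",   "2024-03-06T11:40:00", "DE", "ci-server"),
    ("bob",   "2024-03-07T22:15:00", "DE", "source-repo"),  # off-hours only
]

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 UTC is normal working time
MIN_HISTORY = 3            # assumption: learn this many events before judging a user


def score_event(history, event):
    """Return the list of anomaly reasons for `event`, given the user's prior events."""
    user, ts, country, resource = event
    if len(history) < MIN_HISTORY:
        return []  # too little baseline to judge: learn, don't alert
    reasons = []
    seen_countries = {e[2] for e in history}
    seen_resources = {e[3] for e in history}
    if country not in seen_countries:
        reasons.append(f"new country {country} (seen: {sorted(seen_countries)})")
    hour = datetime.fromisoformat(ts).hour
    if hour not in WORK_HOURS:
        reasons.append(f"off-hours access at {hour:02d}:00 UTC")
    if resource not in seen_resources:
        reasons.append(f"first access to {resource}")
    return reasons


def detect_anomalies(events):
    """Walk events chronologically, scoring each against the user's baseline so far."""
    history = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: e[1]):
        reasons = score_event(history[event[0]], event)
        if reasons:
            alerts.append((event[0], event[1], reasons))
        history[event[0]].append(event)  # every event, flagged or not, extends the baseline
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(EVENTS):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Each alert carries its reasons, so the same logic feeds a step-up authentication decision for an ordinary user account just as it would for an admin account.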

Hackers usually attempt compromises with a non-root, non-database-administrator (DBA) account. Maybe it’s not even the next tier of privileged accounts, like the executive leadership team or heads of divisions. We should make all of these accounts privileged, as well as accounts in IT, HR, legal, or anyone with access to the company’s intellectual property.

Are there any individuals in the company who don’t have an account capable of compromise and exploitation? No. Anyone with online or physical access, and those handling cash and credit cards within the company’s point-of-sale system pose a threat. There’s a famous example where an engineering intern downloaded all of a company’s intellectual property, and walked out of the building with it. And that’s happened more than once.

A final pitch for PAM

Using privileged accounts takes time, energy, adds extra steps, and worst of all, it means the company doesn’t trust me. And won’t all this extra work stand in the way of getting my job done?

Unfortunately, it’s not about trusting our valued employees. It’s every person who sends emails that we’re concerned about. Not to mention the websites they visit.

New PAM platforms have recognized that their success has become tied to ease of use, and have simplified the work of privileged account holders. They seamlessly integrate into the company’s day-to-day work process. Modern PAM platforms now deliver what all security teams want: little or no friction and an enhanced user experience.

James Quick, director, solutions and advisory, Simeio