Managing Privileged Access on Endpoint Devices in a Zero Trust Paradigm

Bart Allan

February 9, 2021

The current approaches to privileged access management are no longer enough to protect evolving IT environments against mounting, ever-changing cybersecurity threats. Networks have become a dynamic landscape, and the traditional methods that focus on keeping attackers out of the network are no longer enough, because networks are just as susceptible to the users and devices already inside them. Closed environments and traditional perimeter-based security lack the finesse and control needed to contain breaches and attacks from within. IT leadership needs to take a more evolved and comprehensive approach to securing access across applications and environments.

Many organizations have moved to zero trust models to combat open and vulnerable architectures. In short, a zero trust approach trusts no one and assumes the network is vulnerable. It challenges each user or device to prove that it is not an attacker before access is granted. This shift demonstrates the need for many organizations to rethink their conventional techniques to address changing network environments. Moreover, IT decision-makers should also reexamine the very composition of the systems they're protecting.

Reevaluating Established PAM Security Modes

While much of the focus of PAM solutions has pointed towards protecting cloud and on-premises server hosting environments, it's clear from this evolving network landscape that there are genuinely no "closed" systems. Therefore, IT decision-makers shouldn't overlook the impact on end-user devices (i.e., laptops and mobile devices), because organizations that grant users privileged access to their endpoint devices expose their system infrastructure to elevated security risks.

On their own, techniques such as enforcing the use of strong passwords and periodic password resets have proven to be woefully inadequate in traditional systems that don't account for compromised users already present within the network. In fact, according to a recent poll from Enterprise Management Associates (EMA), which was sponsored by Hitachi ID, businesses that allow users to retain local administrator rights were 34% more likely to report incidents of compromised privileged account credentials. In addition, end-user device performance impacted by inappropriate privileged activity was reported twice as frequently by organizations that allow privileged device users as by those that limit this access to qualified administrators.

Furthermore, even though many organizations grant end users privileged access to reduce the day-to-day management burden on IT administrators, they often achieve the opposite outcome. One-third of surveyed organizations that allow end users privileged access to their workstations report that their overall PAM processes are somewhat or very difficult to manage. Only 21% of businesses that restrict non-administrator privileged access to endpoint devices noted the same. This demonstrates that more granular PAM policy enforcement requirements, such as limiting the times and types of privileged access, become demonstrably simpler when the number of privileged users is reduced.

Managing Privileged Access On Endpoint Devices Matters

What does that mean for the management of privileged access on endpoint devices? The crucial takeaway from these findings is that modern businesses that need to grant local administrator rights to end users should adopt a PAM-specific platform that builds upon a zero trust framework. They should define and enforce policies that support "least privilege" requirements on endpoint devices, allowing access only on an as-required basis, and the system must evaluate and establish trust in the user before granting that access.

If your IT leadership is looking to implement a dynamic and capable zero trust model, Hitachi ID Bravura Privilege is a reference-level solution that can revolutionize your digital identity program by applying the principle of least privilege. This dynamic and strictly enforced end-user authentication is the basis of a zero trust architecture that can effectively assess threats, adapt to open and changing network infrastructures, and reduce management effort while boosting security capability.

A Holistic Review

Whether your organization is considering an overhaul of its entire system or just reevaluating the management of endpoint devices within an existing PAM system, it's clear that best practices encourage moving away from perimeter-based security toward zero trust models. As the networks they are hoping to protect become less closed and endpoint devices become risks within the security perimeter, IT leaders should look inward to protect the integrity of their system infrastructure.

For more information on PAM best practices and key takeaways from EMA, you can access the full report here: Advancing Privileged Access Management (PAM) to Address Modern Business Requirements.