Many organizations are stuck between two unfortunate truths with their privileged access management (PAM) program. According to a recent poll of more than 150 IT professionals by Enterprise Management Associates (EMA), which was sponsored by Hitachi ID, nearly 90% of respondents experienced a privileged access policy violation in the last year, yet almost none of them are confident their PAM solutions will prevent privileged access security breaches. It is clear that currently adopted PAM processes are, in the majority of cases, insufficient to provide the level of protection they were introduced to achieve.
That’s a real problem, especially as more organizations turn to a Zero Trust model, but the solution seems clear: organizations need new PAM approaches and solutions to meet their security goals and inspire confidence as cyber threats become more prevalent. Despite this, the poll also found many organizations seem content to continue utilizing inadequate PAM solution configurations, as evidenced by the high overall satisfaction rates.
This raises the question: Why?
The reasons holding companies back from stronger, more resilient, scalable PAM solutions are many, but most fall into one of three distinct categories:
Overly Centralized PAM Deployments
Traditional PAM deployments are predicated on centralized administration and configuration, which is time-consuming, resource-intensive and often crippling to a project, because IT is not empowered to make credential management decisions on behalf of business stakeholders and users. PAM user communities within the business are accustomed to having free rein with their privileged/elevated access and are not inclined to hand it over to IT overnight. This leads to political infighting over how credentials will be managed and, ultimately, to PAM programs stalling and losing momentum, to the point where customers can end up with a glorified static spreadsheet of passwords behind a nicer user interface.
The goal should be to partner with a PAM solution provider that can decentralize credential lifecycle management and permissioning so that business units and program stakeholders can take full ownership of their credentials. This approach empowers users and reduces friction between IT/audit and business users, all while ensuring corporate security policy and standards are met and maintained. Furthermore, when selecting a new solution, a key consideration should be whether the provider can deliver this in a standardized, pre-configured pattern that accelerates tedious and time-consuming delivery processes (implementation, migration, integration training, etc.).
PAM Management Challenges
Once organizations get past the challenges of getting the technology up and running, there’s the day-to-day use and expansion to consider. Customers can reduce program risk by measuring their use and system expansion carefully early on, i.e., addressing key business systems and/or user communities first and expanding from there. This approach demonstrates quick wins and early returns from a security/risk reduction perspective and allows you to maintain strong executive sponsorship to build further.
The system also needs to be flexible enough to accommodate differing user populations and their preferred tools when connecting to downstream systems with admin credentials. Users are fickle and will want to leverage their existing tools/clients rather than change their ways, so ensuring that the brokering/disclosure of privileged access works in line with how users operate today is imperative for customer satisfaction and adoption.
Like any other new system or application, it’s crucial that your PAM system integrate seamlessly with existing identity lifecycle and governance processes. As privileged/admin user types come and go, so should their rights and permissions within a PAM system, especially so for your supply chain actors. Many user lifecycle and governance challenges within your PAM program can be avoided with strong integration into your existing identity management system, something Hitachi ID is uniquely positioned to deliver in one integrated platform with Bravura Identity and Bravura Privilege under the broader Hitachi ID Bravura Security Fabric.
Competing Security Budget Priorities
Even before the impact of 2020, finding a budget for security and privilege programs has long been a challenge for IT teams. Organizations often prioritize funds for alternative methods of security management, such as security information and event management (SIEM) and threat detection systems. The problem is many of these solutions can’t prevent lateral movement if/when an attacker has breached your network the way that a strong PAM program can.
In addition, organizations that have the advantage of an enterprise-class PAM solution will realize reductions in operational risk and therefore better insulate themselves from data breaches, which are costing organizations $4 million on average according to industry analysts.
Stop System Vulnerabilities Before They Start
The most effective approach to any enterprise security strategy is to prioritize solutions that address the organization’s greatest vulnerabilities first. The distribution of privileged access accounts needs to be towards the top of that list. With the right PAM solution in place, businesses can take the important step from reacting to systemic privileged policy breaches to proactively preventing them.
As the privileged access domain evolves and grows ever closer to identity governance and administration in terms of integration and process alignment, organizations are starting to pursue zero standing privilege models as their baseline on the journey to a Zero Trust Architecture. As a result, customer requirements now include privileged account lifecycle management to better support just-in-time admin/privileged access and reduce trust.
For more information on PAM best practices and key takeaways from EMA’s report, listen in on this on-demand webinar, “Modern Requirements and Solutions for Privileged Access Management (PAM).” You can also access the full report here: Advancing Privileged Access Management (PAM) to Address Modern Business Requirements.