Posts Tagged ‘Privileged Access Management’

Managing Privileged Access on Endpoint Devices in a Zero Trust Paradigm

  February 9th, 2021

The current approaches to privileged access management are no longer enough to protect evolving IT environments against mounting, ever-changing cybersecurity threats. Networks have become a dynamic landscape, and traditional methods that focus on keeping attackers out of the network fall short because the network is just as exposed to the users and devices already inside it. Closed environments and traditional perimeter-based security lack the finesse and control needed to contain breaches and attacks that originate from within. IT leadership needs to take a more evolved and comprehensive approach to securing access across applications and environments.

Many organizations have moved to zero trust models to deal with open and exposed architectures. In short, a zero trust approach trusts no one by default and assumes the network may already be compromised. It requires every user and device to prove who they are before access is granted, rather than treating anything inside the network as legitimate. This shift shows that many organizations need to rethink their conventional techniques to address changing network environments. Moreover, IT decision-makers should also reexamine the very composition of the systems they are protecting.

Reevaluating Established PAM Security Modes

While much of the focus of PAM solutions has been on protecting cloud and on-premises server hosting environments, it is clear from this evolving network landscape that there are genuinely no “closed” systems. IT decision-makers should therefore not overlook end-user devices (laptops and mobile devices), because organizations that grant users privileged access to their endpoint devices expose the wider infrastructure to elevated risk: a compromised local administrator account on a laptop is a foothold from which an attacker can move further into the network.

On their own, techniques such as enforcing strong passwords and periodic password resets have proven woefully inadequate in traditional systems that do not account for compromised users already present within the network. In fact, according to a recent poll from Enterprise Management Associates (EMA), sponsored by Hitachi ID, businesses that allow users to retain local administrator rights were 34% more likely to report incidents of compromised privileged account credentials. In addition, end-user device performance problems caused by inappropriate privileged activity were reported twice as often by organizations that let end users hold privileged access on their devices as by those that limit such access to qualified administrators.

Furthermore, even though many organizations grant end users privileged access to reduce the day-to-day management burden on IT administrators, they often achieve the opposite outcome. One-third of surveyed organizations that allow end users privileged access to their workstations report that their overall PAM processes are somewhat or very difficult to manage; only 21% of businesses that restrict privileged access on endpoint devices to administrators said the same. In other words, more granular PAM policy enforcement, such as limiting when and what kind of privileged access is allowed, becomes markedly simpler when the number of privileged users is reduced.

Managing Privileged Access On Endpoint Devices Matters

What does that mean for the management of privileged access on endpoint devices? The crucial takeaway from these findings is that businesses that need to grant local administrator rights to end users should adopt a PAM-specific platform built on a zero trust framework. They should define and enforce policies that apply least privilege on endpoint devices, granting elevated access only on an as-required basis and only after the system has evaluated and established trust in the user.

If your IT leadership is looking to implement a dynamic and capable zero trust model, Hitachi ID Bravura Privilege is a reference-level solution that can transform your digital identity program by applying the principle of least privilege. Dynamic, strictly enforced end-user authentication of this kind is the basis of a zero trust architecture: it can assess threats, adapt to open and changing network infrastructures, and reduce management effort while strengthening security.

A Holistic Review

Whether your organization is considering an overhaul of its entire system or just reevaluating the management of endpoint devices within an existing PAM system, best practice clearly favors moving from perimeter-based to zero trust security models. As the networks being protected become less closed, and endpoint devices become risks inside the perimeter rather than outside it, IT leaders should look inward to protect the integrity of their infrastructure.

For more information on PAM best practices and key takeaways from EMA, you can access the full report here: Advancing Privileged Access Management (PAM) to Address Modern Business Requirements.


Start Your PAM Deployment Off on the Right Foot: Spotlight These 7 Benefits

  February 2nd, 2021

Setting yourself up for success with an upcoming privileged access management (PAM) system requires finesse. Within any organization, many system administrators may be uncomfortable with the idea of a PAM system because they are accustomed to unrestrained administrator-level credentials. At the same time, other IT decision-makers may have concerns about the system- and network-wide changes that such a transformation can bring to a familiar and well-understood legacy environment.

The latest data supports the shift: according to a recent study from industry-leading analyst firm EMA, businesses that lacked automation capabilities for auditing privileged access were seven times more likely to experience a privileged access policy violation than organizations with that capability. And one in five businesses that suffered a policy violation experienced severe impacts on overall business performance, including a direct loss of revenue, a loss of customers, or damage to its reputation.

Statistics, however, can feel intangible. Before you launch a PAM solution such as Hitachi ID Bravura Privilege, you can set yourself up for success by evangelizing a list of benefits that is comprehensive and actionable. Focus on the following with the IT decision-makers at your organization to build the foundation for a successful PAM deployment:

1. Single Sign-on

The first aspect to highlight with your IT leadership is the simplified management of administrative passwords. Whereas legacy approaches require administrators to handle each privileged password by hand, a PAM implementation supports single sign-on: authorized users log in to the PAM portal once and can then launch multiple login sessions to various systems and administrative accounts throughout the day without handling the underlying credentials themselves. That one portal login becomes the gate for everything behind it, so it is the place to insist on strong authentication.

2. Shareable Accounts

Network decision-makers appreciate PAM solutions because administrators can define and share account sets (collections of accounts that are frequently checked out together). This capability replaces awkward, informal sharing of administrative logins and removes the need for a separate personal administrative account for every user.

3. Temporary Privilege Elevation

Instead of creating an abundance of high-level accounts, a PAM system elevates an existing user’s privileges temporarily: it adds the user to a security group for the duration of the check-out, that is, only for the time required to complete the task, and removes them again afterwards. This is also an effective way to limit privileged access to those who actually need it, when they need it.

4. Plausible Deniability

In the case of a system outage or the discovery of a problem, individual administrators who could have caused the issue can rely on the PAM system’s records for accountability. They can demonstrate they were not at fault because the check-out log shows they were not signed in when the issue occurred. This holds only when every route to administrative access is gated through the PAM system; an unmanaged back door leaves the record incomplete.

5. Simplified Troubleshooting

With this PAM-empowered accountability in place, authorized users can match the moment a problem was introduced to the record of who held administrative access to the affected system(s) at that time. This narrows the list of people who might have made the configuration changes that caused the problem, and it is where you start asking questions and working toward a remedy.
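The mechanics behind benefits 3 through 5, as an added illustrative example rather than code from Hitachi ID or Bravura Privilege: a small Python model of time-boxed check-out in which the user is added to a security group for the duration of the check-out, membership is revoked on check-in or expiry, and the ledger can answer “who held this account at time T” for an investigation. The dictionary standing in for directory group membership, the four-hour policy ceiling, and the users, hosts and timestamps are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2021, 2, 2, 9, 0, tzinfo=timezone.utc)   # constructed start of the sample day


def at(minutes: int) -> datetime:
    """Instant `minutes` after T0, for building the constructed scenario below."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Checkout:
    user: str
    account: str            # shared privileged account borrowed, e.g. "host01\\Administrator"
    group: str              # security group the user is added to while the check-out is active
    start: datetime
    ttl: timedelta
    end: datetime | None = None   # set on check-in or expiry; None while still held

    @property
    def expires_at(self) -> datetime:
        return self.start + self.ttl

    def active_at(self, t: datetime) -> bool:
        """True if this check-out granted access at instant t (the end instant is exclusive)."""
        closed = self.end if self.end is not None else self.expires_at
        return self.start <= t < closed


class CheckoutLedger:
    """Append-only check-out records plus a dict standing in for directory group membership."""

    def __init__(self, max_ttl_minutes: int = 240):   # 4h policy ceiling is an assumed value
        self.max_ttl = timedelta(minutes=max_ttl_minutes)
        self.records: list[Checkout] = []
        self.group_members: dict[str, set[str]] = {}

    def check_out(self, user: str, account: str, group: str, now: datetime,
                  ttl_minutes: int = 60) -> Checkout:
        ttl = timedelta(minutes=ttl_minutes)
        if ttl > self.max_ttl:
            raise ValueError(f"requested {ttl} exceeds policy maximum {self.max_ttl}")
        # Exclusive check-out: one holder per shared account at a time, so the ledger can
        # later name exactly who had it.
        for r in self.records:
            if r.account == account and r.active_at(now):
                raise RuntimeError(f"{account} is already checked out by {r.user}")
        rec = Checkout(user, account, group, now, ttl)
        self.records.append(rec)
        self.group_members.setdefault(group, set()).add(user)   # temporary elevation
        return rec

    def check_in(self, rec: Checkout, now: datetime) -> None:
        if rec.end is None:
            rec.end = now
            self._revoke(rec)

    def expire(self, now: datetime) -> list[Checkout]:
        """Close every check-out whose TTL has elapsed and revoke its group membership."""
        expired = []
        for r in self.records:
            if r.end is None and now >= r.expires_at:
                r.end = r.expires_at
                self._revoke(r)
                expired.append(r)
        return expired

    def _revoke(self, rec: Checkout) -> None:
        # Remove the user from the group only if no other still-open check-out grants the
        # same group; otherwise closing one ticket would break a concurrent, legitimate one.
        still_granted = any(r.end is None and r.user == rec.user and r.group == rec.group
                            for r in self.records)
        if not still_granted:
            self.group_members.get(rec.group, set()).discard(rec.user)

    def holders_at(self, account: str, t: datetime) -> list[str]:
        """Who held `account` at instant t: the starting suspect list for an investigation."""
        return sorted({r.user for r in self.records if r.account == account and r.active_at(t)})


def sample_scenario() -> dict:
    """Constructed walk-through; returns the facts an incident responder would ask for."""
    ledger = CheckoutLedger()
    admin = "host01\\Administrator"
    ledger.check_out("alice", admin, "host01-LocalAdmins", at(0), ttl_minutes=60)
    try:
        ledger.check_out("bob", admin, "host01-LocalAdmins", at(10))
        bob_refused = False
    except RuntimeError:
        bob_refused = True
    # alice holds two accounts granted through the same group; checking one in must not
    # strip the group while the other is still open
    ledger.check_out("alice", "db01\\sa", "db-admins", at(5), ttl_minutes=120)
    second = ledger.check_out("alice", "db02\\sa", "db-admins", at(6), ttl_minutes=120)
    ledger.check_in(second, at(20))
    return {
        "bob_refused": bob_refused,
        "still_db_admin": "alice" in ledger.group_members["db-admins"],
        "holders_during": ledger.holders_at(admin, at(30)),
        "expired": [r.user for r in ledger.expire(at(61))],
        "host01_admins_after": sorted(ledger.group_members["host01-LocalAdmins"]),
        "holders_after": ledger.holders_at(admin, at(90)),
    }


if __name__ == "__main__":
    print(sample_scenario())
```

The revocation step checks for other still-open check-outs that grant the same group before removing the user; without that check, checking in one account would silently cut off a second, legitimate session. The exclusive check-out rule is what keeps the list returned by holders_at() short enough to be useful when a problem appears; if policy allows several people to hold an account at once, the ledger still answers, but the list of people to question is longer.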

6. Knowledge Sharing

When an administrator performs a complex task, the session can be recorded. The recording can later be shared as an inexpensive “how-to” video, which shows that session monitoring offers value beyond forensic audits.

7. Streamlined Collaboration

Finally, when administrative access is gated through a PAM solution, authorized users can see who has access to a system, who is currently connected, and who was connected recently. This awareness greatly simplifies coordinating changes. It also helps avoid situations where two people work on the same system and make overlapping changes that interfere with one another, and it cuts down on duplicated work.

Leveraging these seven benefits across your organization is only the beginning of your PAM deployment strategy. Learn more by downloading our ebook: Deploying a Privileged Access System: 9 Actionable Strategies to Ensure Success.


The Starting Point: 3 Steps to Begin a PAM Implementation

  January 26th, 2021

Modern-day privileged access and cybersecurity needs can seem daunting. Breaches of privileged accounts and related vulnerabilities have accelerated in recent years as IT infrastructure has grown more complex and business-critical services have become more fragmented and widely distributed.

Add to this data points such as these from leading industry analyst firm EMA: 80% of organizations discovered a privileged access policy violation within the preceding 12 months, and 87% of those businesses experienced a violation that had a significant impact on business operations. The need for privileged access management (PAM) to meet contemporary business requirements is clear.

Many IT leaders recognize these intimidating numbers and challenges, and the necessity for privileged access management, but are unsure where to start a PAM deployment within their organization. It is not as difficult as many imagine. Creating a PAM program that is self-sustaining and financially sound begins with these three best practices.

1. Groom champions throughout your organization.

PAM systems affect many individuals across an organization, so it makes sense to begin by identifying people who are not only stakeholders but also naturally inclined to support the PAM deployment on security or operational grounds. These PAM ambassadors can include everyone from developers and network operations staff to database administrators.

Start by training them and giving them educational materials to build a knowledge base they can share with colleagues. Provide them with a forum to contribute, raise concerns, and request feature enhancements and additional documentation should they need it. Supporting these champions and adjusting project priorities as required will turn them into program advocates.

2. Deploy incrementally.

The number of shared privileged accounts in an organization can be as much as three times the number of people. These accounts exist on every IT asset, across many different platforms. Combine that scale with the sheer volume of credential-access operations, and onboarding everything at once is infeasible.

This scale can make many network administrators apprehensive about a PAM transformation. Therefore, plan a realistic and workable deployment that adds capabilities one or two at a time, moves the resulting system into production use, reprioritizes, and delivers again. A steady, phased, and practical implementation sets achievable goals that IT leadership and stakeholders can get behind.

3. Start with tight restrictions, then relax them if required.

When defining access and control policies, start strict. For example, begin with short limits on maximum check-out duration, require long and complex passwords, and do not allow plaintext password disclosure (have the PAM system launch the session on the user’s behalf instead, so the password never has to be revealed).

It is much easier to begin with sturdy controls and relax them later if needed than to start with lax rules and tighten them afterwards; users are far more likely to object to the latter.

Building the foundation for your successful PAM deployment with these three measures is only the beginning of your PAM deployment strategy. Learn more by downloading our ebook: Deploying a Privileged Access System: 9 Actionable Strategies to Ensure Success.