01 Oct
The path to cyber resilience is paved by PAM
We’re kicking off Cybersecurity Awareness Month with a closer look at privileged access management, by John Hathaway, Regional Vice President, iMETA at BeyondTrust.
IBM’s 2023 edition of its Cost of a Data Breach report puts the Middle East’s average at US$8 million, which is almost double the global mean. And the grand meme of cybersecurity is that the threat actors who cause all this damage no longer hack in; they log in. They use sneaky, subliminal messaging to phish credentials from unwary users and navigate laterally through security infrastructure, escalating their privileges as they go. An expanding attack surface (multi-cloud, remote work, shadow IT, and so on) brings with it an expanding threat from privilege itself. You want another meme? “Identity is the new perimeter”. Which means privileged access management (PAM) has become the cornerstone of modern cybersecurity.
Operating systems, applications, hypervisors, cloud management platforms, DevOps tools, robotic automation processes — they, and dozens of other IT assets, are governed by privileges. Simple lists of accounts and the things they can and cannot do have become central to our protection. And now that attackers are using machine learning and artificial intelligence (including generative AI), organisations that do not take PAM seriously are left wide open to nightmare scenarios.
If attackers are using smarter tools, then so should you. Going in search of the ideal privileged access management platform — or ‘Perfect PAM’, if you’ll allow me — requires the same due diligence you would bring to any procurement exercise. Consider the total cost of ownership, accounting for time-savings associated with automation. Factor in direct and indirect costs as well as estimating the system’s time to value.
Also, how soon will you see improvements in your risk profile and the efficiency of security operations? Never forget that you are a growing enterprise. Is the PAM platform sufficiently scalable to grow with you, adding things like SSH key management, DevOps secrets, and service or machine accounts? Will PAM integrate with IAM, service desk, SIEM, SOAR, and other elements of your cybersecurity ecosystem? In short, will PAM help you mature your threat posture, or will it impede your development?
The answer lies in whether it fulfils these six goals.
Control over identities
Perfect PAM must offer the means to automate discovery of privileged accounts and other credential types across the environment. There must be no place for an identity to hide because if there is, you can be sure it will not escape the notice of a determined threat actor. Human and non-human accounts must be placed under suitable management so they can pass muster with auditors. Many attacker inroads are rendered impassable with this simple approach and many others are made difficult. And to be clear, when we say ‘suitable management’, what we mean is the enforcement of regular password changes and rules as to their strength.
Secure remote access
Perfect PAM should dispense with ‘all-or-nothing’ remote access. Employees, contractors, vendors, and others should have explicitly defined roles that dictate their access requirements. The ideal PAM platform must allow for granular, role-based access. Where practical, even allotted time slots should be assigned to each user, appropriate to the task they are performing. Organisations must use a privileged remote access solution that facilitates access while protecting systems and data. This solution must be capable of being hosted on premises — via a hardened physical or virtual appliance — or on a secure cloud.
Least privilege for Windows and macOS
Perfect PAM must remove local admin rights to Windows (a recent BeyondTrust vulnerabilities report found that around 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights) and macOS systems and be capable of controlling and auditing admin access. It should be able to impose granular control over applications without hampering user productivity. And it must be capable of removing privileges for those users while automating the enforcement of rules that allow elevation of application privileges during a session without elevating privileges for the user themselves.
Least privilege for Unix and Linux
Perfect PAM will give security teams visibility and control over Unix and Linux, allowing them to implement least privilege and efficient delegation of privileges and authorisation on these OSes without exposing the passwords for root or other accounts. The PAM platform must allow security teams either to eliminate the privilege-elevation tool sudo from the IT mix or to layer functionality on top of sudo that resolves its security and auditing deficiencies and makes administration simpler and more accurate.
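As an added illustration of two of the goals above (discovering every account with a path to root, and surfacing the auditing gaps of a bare sudo deployment), the following script is example code, not BeyondTrust's; it audits constructed /etc/passwd, /etc/group and /etc/sudoers samples and reports uid-0 accounts, sudo grants (expanding %group rules to real users) and a missing session-recording default.

```python
import re
from collections import defaultdict
# Constructed sample files standing in for /etc/passwd, /etc/group and /etc/sudoers.
PASSWD = """root:x:0:0:root:/root:/bin/bash
ops:x:0:1001:second uid-0 account:/home/ops:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-backup:x:1002:1002::/var/backup:/usr/sbin/nologin
"""
GROUP = "root:x:0:\nsudo:x:27:bob\n"
SUDOERS = """Defaults env_reset
alice ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

def parse_sudoers(sudoers):
    """Yield (principal, runas, tags, commands) for each user or %group grant line."""
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if not (m := re.match(r"(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.*)", line)):
            continue
        who, runas, rest = m.groups()
        tags = re.findall(r"(\w+):", rest)           # e.g. NOPASSWD
        cmds = re.sub(r"\w+:\s*", "", rest).strip()  # command list after the tags
        yield who, runas or "root", tags, cmds

def discover_privileged(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Return ({account: [reasons]}, [audit gaps]) for every account with a path to root."""
    findings = defaultdict(list)
    groups = {}
    for line in group.splitlines():
        name, _, _, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    for line in passwd.splitlines():
        user, _, uid = line.split(":")[:3]
        if uid == "0":                       # shared or hidden root-equivalent accounts
            findings[user].append("uid 0 account")
    for who, runas, tags, cmds in parse_sudoers(sudoers):
        users = groups.get(who[1:], []) if who[0] == "%" else [who]
        scope = "ANY command" if cmds == "ALL" else cmds
        detail = f"sudo as {runas}: {scope}" + (" (NOPASSWD)" if "NOPASSWD" in tags else "")
        for u in users:                      # expand %group grants to real accounts
            findings[u].append(detail + (f" via {who}" if who[0] == "%" else ""))
    gaps = []
    if not re.search(r"^Defaults.*\blog_output\b", sudoers, re.M):
        gaps.append("no log_output: privileged sessions are not recorded")
    return dict(findings), gaps
```

Calling `discover_privileged()` with the real files' contents gives the inventory an auditor would ask for: every account that is root or can become root, how, and whether those sessions are being recorded.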
Integration for Unix and Linux into Windows
Perfect PAM would centralise authentication for Windows, Unix, and Linux environments. This is not about reducing complexity for its own sake. A more homogeneous environment improves efficiency (fewer logins, for example, and hence fewer helpdesk calls) and reduces risk. An Active Directory bridging solution can streamline identity management, allowing organisations to leverage their existing Windows Active Directory infrastructure to deliver stronger identity security and audit capabilities. This will advance the organisation’s cyber maturity while boosting productivity for its technical and non-technical users.
Visibility and threat intelligence
Perfect PAM allows the SOC to proactively mitigate risk because the PAM platform grants rich, bird’s-eye views of identity ecosystems. This is an indispensable gift in the era of Tapestry IT, where multi-cloud and on-premises systems overlap, and multiple endpoints fall off the radar. Previously unseen risks come into view with Perfect PAM, and threat hunters can chase down attack paths that had thus far been obscured by tech sprawl. Data siloes are gone now, and identity hygiene reigns supreme, as PAM churns out actionable recommendations in time to prevent vulnerabilities becoming threats. Investigations are faster. Mitigations are proactive rather than reactive. Complex attack chains and their blast radii are laid bare for analysis, quickly leading security teams to compromised accounts.
John Hathaway, Regional Vice President, iMETA at BeyondTrust