As I was perusing the headlines this morning for something to write about, I came across a topic which, to be honest, I had never even heard of before. This is known as “Privileged Access Management”. OK, I may have come across it before, but I never really thought about it too much, as I have on other topics.
I did more research into it, and from what I have discovered about it so far, there can be an entire series of blog postings just on this topic itself.
This is something I will get into later this summer, but long story short, at our place of employment, we usually are given a set of usernames and passwords. This is so that we can access certain parts of the organization’s servers in order to access files that we need to conduct our daily job tasks.
But if your company is smart enough, they will establish your credentials just up to the point where you need the most minimal level of access, and not anything more.
But of course, as you climb up the rungs of job titles, this level of access will increase. For instance, the IT staff more than likely will have root privileges to the entire infrastructure, and upper management and the C-Suite will be able to access everything as well (though they may not have the root access). These kinds of accounts are known as “Privileged Accounts” because, well, only a certain elite few can get these kinds of accounts.
But just like a normal employee account that you and I have, these so-called “Privileged Accounts” need to be closely monitored as well. This is because you should not trust anybody explicitly or implicitly (in the world of Cybersecurity, this is known as the “Zero Trust Model”).
After all, you never know, even your CIO may have criminal intent to steal confidential and sensitive data. So, this is where the role of a Privileged Account Manager comes into play – it allows the IT Security staff to closely monitor all of the activity that is going on with each and every account. It is also known as a “PAM”, and it can be defined as follows:
“Privileged Access Management (PAM) solutions enable you to manage and monitor privileged accounts and the people who have permanent authority to access them. They also provide a secure way to give your staff or third-party contractors temporary, controlled access to privileged accounts, without the need to provide them with an account password that they could reuse at a later date or share with unauthorized parties.”
However, the PAM should not be confused with another term that is more commonly used, which is called the “Identity and Access Management” solution or, “IAM” for short. This kind of solution only monitors user level accounts, again, like the ones that you and I have, not the privileged ones.
In other words, you can think of the PAM as a sophisticated Password Manager, which has been designed to monitor those usernames and passwords that are considered to be at the “super-user” level.
So, the next question you may have is how exactly does a PAM work? Here is a summary of it, listed below:
*It allows for the discovery of all instances of privileged accounts so they can be securely monitored.
*It can help create procedures and workflows for obtaining privileged access.
*It makes passwords available on-demand to various applications.
*The passwords can be “checked out” when needed and “checked back in” when that particular password is no longer needed.
*It can change passwords automatically whenever and wherever needed.
*It controls the number of privileged actions that IT administrators can execute, which largely depends upon their job title.
*It can keep track of and record any privileged access sessions, commands, and actions for audit and forensic purposes.
*Most importantly, it can help to enforce least privilege access policies.
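To make the “check out / check in” idea above concrete, here is a small sketch added for illustration (it is not from any PAM product, and the class, method, role and account names are all made up): a broker that only leases a privileged password to an allowed role, rotates it when it is checked back in or the lease expires, and records every event for audit.

```python
import secrets
import time

class PrivilegedVault:
    """Toy PAM broker (hypothetical): leases, rotates and audits privileged passwords."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy      # account -> set of roles allowed to check it out
        self.clock = clock        # injectable clock so lease expiry can be tested
        self.passwords = {a: secrets.token_urlsafe(16) for a in policy}
        self.leases = {}          # account -> (user, expiry time)
        self.audit = []           # append-only (time, user, account, event) records

    def _log(self, user, account, event):
        self.audit.append((self.clock(), user, account, event))

    def _rotate(self, account, user, event):
        # Ending a lease always replaces the password, so the old one cannot be reused.
        self.leases.pop(account, None)
        self.passwords[account] = secrets.token_urlsafe(16)
        self._log(user, account, event)

    def _expire(self, account):
        lease = self.leases.get(account)
        if lease and self.clock() >= lease[1]:
            self._rotate(account, lease[0], "lease_expired")

    def check_out(self, user, role, account, ttl=900):
        self._expire(account)
        if role not in self.policy.get(account, set()):   # least privilege by role
            self._log(user, account, "denied_role")
            raise PermissionError(f"{role} may not use {account}")
        if account in self.leases:                        # one holder at a time
            self._log(user, account, "denied_in_use")
            raise RuntimeError(f"{account} is already checked out")
        self.leases[account] = (user, self.clock() + ttl)
        self._log(user, account, "check_out")
        return self.passwords[account]

    def check_in(self, user, account):
        lease = self.leases.get(account)
        if not lease or lease[0] != user:
            self._log(user, account, "denied_check_in")
            raise PermissionError("no active lease for this user")
        self._rotate(account, user, "check_in_rotated")
```

The `audit` list is the part a reviewer would look at afterwards: denied attempts are recorded alongside successful check-outs, not just the happy path.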
In fact, PAM based solutions are expected to grow at a very strong rate, reaching almost $4 Billion by the year 2021. This is further substantiated by a survey that a Cybersecurity firm known as Thycotic conducted at the 2019 RSA Conference. Here is what they specifically discovered:
*47% of the companies polled are planning to adopt a PAM based solution;
*21% plan to make use of some sort of PAM solution that is based in the Cloud;
*26% of respondents plan to eventually migrate to a PAM solution in the Cloud, but a surprising 36% of them plan to keep it as an On Premises solution;
*Overall, 65% of the respondents plan to make use of the security benefits that are offered by the Cloud.
But despite the benefits that the PAM brings in, and the intentions of Corporate America to adopt it, there is still a lot of hesitancy about actually using it. Here is what the survey found in this regard:
*28% of the organizations polled said that they are having a hard time convincing their C-Suite to implement it;
*24% of the respondents are having a difficult time educating upper management and even their IT Security staff on actually using it once it has been deployed;
*19% of the companies surveyed claimed that they simply do not have the budget for a PAM solution.
My thoughts on this?
As mentioned before, the subject of PAM based solutions is an expansive one, and in fact, one could even write a fairly lengthy whitepaper on it (yet another idea for me to work on). So, the views I have on it so far are limited to the research I have done for this blog.
At first glance, it looks like PAMs are great solutions. After all, if you are going to monitor your normal employees’ network activities, the same should follow for the employees that have higher level titles.
After all, in the end, what is so special about them that they should not be monitored as well? After all, it is these employees with these kinds of titles that can launch an Insider Attack very easily with all of the access that they have.
Also, an organization should, as far as possible, try to implement a PAM based solution in the Cloud versus having it as an On Premises solution. Why do I say this? Well, suppose that your business has been hit with a Cyberattack.
The PAM solution that you have On Prem is one of the first things that the hacker is going to go after. They will have a much easier time doing this than trying to get it from the Cloud, because at this level there will be extra layers of protection that will be offered to you by the Cloud Provider.
So, I don’t quite get the last statistic mentioned that PAM solutions are too expensive. They shouldn’t be, if they are being used from the Cloud as an “as a Service” offering.
In this instance, there should only be a flat, monthly charge that is fixed and stays within your budget. But I can also see the hesitancy or even the reluctance of using a PAM solution. Although it is not a new concept, Corporate America is still a creature of habit, not wanting to change out of its old ways of doing things.
I am probably the best example of this. Although I am in Cybersecurity, I still do not use a Password Manager, which I should.
So, how do I remember all of my passwords? Well, we won’t say here . . . that is my best kept secret. LOL.