How Effective Research and Early Engagement can Drive Quick Wins
When I implemented my first Privileged Access Management (PAM) tool in 2001, the enterprise I was working with had 10,000 servers and the root credential on every single one was the same. We put in a bit of technology to randomize one default password and voila, a resounding success.
22 years later, times have changed. PAM has expanded from protecting non-internet-facing resources to cloud apps, processes, roles, IoT bots, third-party contractors, and more. While the traditional approach of rotating passwords and centralizing high-risk accounts in a vault might control some access, the reality is every single system, every single app, and every single user retains an element of privilege.
As security leaders take an “assume breach” posture and move toward a Zero Standing Privilege (ZSP) model (where all privileged accounts are removed except those needed for break-glass purposes), it’s important to keep in mind that no company can achieve a Nirvana ZSP state. However, there are important steps organizations can take to get as close as possible and keep risks very low. This is precisely why 75% of cyber-insurance providers are expected to mandate Just-In-Time (JIT) PAM by 2025.
What is Just-In-Time PAM?
The identity space is filled with a lot of confusing jargon and acronyms, but when it comes to privileged access, there are two key factors that we can control: scope and time.
- Scope: Least privilege or “Just-Enough Privilege” controls the scope of privilege, ensuring that individuals or systems only have the minimum access necessary.
- Time: Just-in-Time (JIT) Access controls the amount of time someone has privileged access to our environments.
ZSP is enabled by a JIT approach to privilege elevation.
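As an added illustration (not code from the original article), the two controls above, scope and time, can be modelled as a small broker: under Zero Standing Privilege nobody holds elevation by default, a request yields a grant bound to one target and one task with an expiry, and every decision is recorded so auditors can answer "who has access to what". The account names, targets, tasks and the break-glass list are constructed for the example.

```python
"""Added example: a minimal JIT PAM broker enforcing scope and time."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical break-glass account: the one standing privilege ZSP keeps.
BREAK_GLASS = {"emergency-admin"}

# Constructed sample clock so the example is deterministic.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Point in time `minutes` after the sample clock start."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    user: str
    target: str            # system or app the grant applies to (scope)
    task: str              # least-privilege role, e.g. "restart-service"
    expires_at: datetime   # end of the JIT window (time)


@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # who did what, when, outcome

    def request(self, user, target, task, minutes, now):
        """Issue a scoped, time-bound grant instead of standing privilege."""
        g = Grant(user, target, task, now + timedelta(minutes=minutes))
        self.grants.append(g)
        self.audit.append((now.isoformat(), user, target, task, "granted"))
        return g

    def authorize(self, user, target, task, now):
        """Allow only an unexpired grant that matches both target and task."""
        if user in BREAK_GLASS:
            self.audit.append((now.isoformat(), user, target, task, "break-glass"))
            return True
        ok = any(g.user == user and g.target == target and g.task == task
                 and now < g.expires_at for g in self.grants)
        self.audit.append((now.isoformat(), user, target, task,
                           "allow" if ok else "deny"))
        return ok

    def who_has_access(self, now):
        """Audit view: privileges currently in force, and on which targets."""
        return [(g.user, g.target, g.task) for g in self.grants
                if now < g.expires_at]
```

Expiry is checked on every authorization, not only when the grant is issued, so a grant that was valid when a session started stops working once its window closes.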
Engaging the Right Teams
Even under optimal conditions, the implementation of PAM tools is hard, and it can be made even harder if users don’t want to use it — or if there are technical problems that need to be solved. This can lead to the implementation taking longer than planned, stalling out after reaching a baseline functionality (such as administrator account vaulting), or not happening at all.
So as you begin building support for your JIT PAM initiatives, getting buy-in from every department is critical. PAM programs affect different teams in different ways, so it’s helpful to understand the different roles, their relationship to risk, and the approach you should take to build consensus.
Users
Users may be the most resistant to change, but their buy-in is the most critical. To them, access may equal status, and many of them have had very high levels of privilege for long periods of time. They’re also busy people who are suspicious of anything that’s going to create additional friction in their workday. If they don’t like a tool, they will always find a backdoor around it.
Approach: Step one is understanding how they do their jobs. What apps and systems do they connect to and how do they access them? What tasks do they do when they are working in the environment? Try providing early access to the PAM tool to increase their comfort with the new processes. Technology shouldn’t be a barrier. It should be an enabler. The closer we can get our technology to fit normal user behavior, the better.
Management
Management is in charge of keeping the organization secure against threats, so they’re going to understand different drivers for embarking on a PAM program. They know the stakes: data breaches cost businesses an average of $4.35M, and privileged access abuse accounts for 80% of attacks. PAM tools help them stay ahead of these risks, so they’re the people who can help craft that all-important top-down messaging.
Approach: It’s important to provide context on the business risks of NOT having a mature PAM program that supports just-in-time capabilities. Executive support can be helpful if projects get stuck.
Security Teams
These folks are tasked with getting ahead of risks and minimizing the attack surface. Their responsibilities include aligning to best-practice frameworks, cyber insurance, and other mandates. They own the identity stack – including PAM, IAM, MFA, and SSO – and the rest of the security portfolio.
Approach: Since orgs have an average of 76 security tools to manage, they’re interested in tools that can help them cut out the clutter and consolidate vendors.
Audit and Compliance Teams
These teams are tasked with reporting on past or present-day risks. Above all, they need to know who has access to what — and what they’re doing with that access.
Approach: To them, intuitive reporting is key. If a PAM tool can help them automate the collection and analysis of data, it’s going to win hearts.
Gathering All The Facts
A thorough inventory of privileged access in your organization will require you to:
- Find who owns what systems, apps and accounts. These are your stakeholders who will have to make decisions about what the PAM tool can and cannot do. Because privilege may go back decades, pre-dating the current owner, people may be hesitant to make decisions.
- Understand what privilege currently exists. Any device or piece of software that supports users has a privileged account, so it’s important to scan every corner of your IT infrastructure for privileged accounts, such as IaaS, SaaS, AD, applications, databases, networking devices, endpoints and servers.
- Document any interdependencies. To unravel ownership of shared, service, and application accounts, find out where these credentials are used and if they’re using services. Some privileged accounts may have been around for dozens of years and are interwoven in multiple apps and databases and potentially hard coded and embedded in scripts.
Stay on top of stakeholders and urge them to make decisions. Talk about the potential impact of managing and rotating accounts and what it means for apps. Show the teams that the tool is an enabler to do the job in a more secure manner.
Driving Quick Wins
Once you’ve documented the privileged accounts, what they access, and their accountable owners, you can build your implementation roadmap. Watch our JIT PAM webinar for insights on creating a risk vs. impact matrix. This can help you categorize accounts by the amount of risk they carry and the effort level involved in JIT PAM implementation. Any account that carries high risk – but has a low level of effort to implement – would be a quick win.
Here are a few examples:
- Administrator and root accounts. They are easy to onboard into a PAM tool. Users aren’t usually aware they’ve been onboarded because these accounts are rarely used.
- Cloud workloads. While more susceptible to attack, they often are not tied to Active Directory, which means they are accessed via local accounts.
- Third-party accounts. You are only as secure as your weakest link, and your contractors’ and vendors’ security gaps become your problem. These accounts are usually not tied to Active Directory, so the impact to your staff is fractional.