With stricter underwriting requirements and rising premiums, modernizing your privileged access controls is no longer optional
When bad actors strike, cyber insurance can save the day. From intrusions to extortion threats, data breaches to denials of service, this essential liability coverage protects companies from suffering a fatal blow. But with a sharp uptick in cyberattacks over the last few years, cyber insurance providers are absorbing estimated losses of 60 percent on these policies.
Five years ago, in 2017, several well-known companies fell victim to the notorious WannaCry and NotPetya malware. Then, between 2020 and 2021, high-profile ransomware incidents jumped 150 percent, while the number of ransomware payments spiked 82 percent.
In response, insurers have raised cyber insurance premiums, and some have stopped underwriting policies that include ransomware reimbursement. Because compromised credentials are a leading cause of attacks, many underwriters now also look for robust Privileged Access Management (PAM) controls when pricing cyber policies.
What exactly are insurers looking for? They want to understand how your organization discovers and manages privileged credentials, how you monitor privileged accounts, and how you isolate and audit privileged sessions.
What is PAM’s Role in Reducing Cyber Risk?
When we talk about “PAM,” we’re referring to the processes, systems, or technologies used to secure, manage, and monitor elevated access for human and machine identities. Since at least 80% of data breaches involve privilege misuse or compromise, an effective PAM solution is critical. When a bad actor attempts to move laterally through your network and exploit high-level credentials to exfiltrate your data, take down your systems, or carry out some other nefarious mission, PAM is your last line of defense.
However, it can be difficult for security teams to get their arms around PAM due to IT complexity, lack of holistic risk visibility, and privileged account sprawl. This murky visibility, coupled with the complex relationships between entitlements, allows excessive privileges to go unnoticed. As new resources or services are added, over-permissioning becomes an even greater risk.
You can’t fix what you don’t know.
According to an IDC survey of CISOs in the US, 80% can’t identify excessive access to sensitive data in cloud environments. Two of the top three threats identified were lack of adequate visibility and permission errors. Organizations need effective tools to detect misconfigurations and related vulnerability gaps so they can remediate them, ideally through automated, policy-based preventative controls.
Traditional PAM solutions are built on on-prem infrastructure and generally work by locking shared privileged credentials into a vault and rotating the passwords to those accounts. This approach merely centralizes known risk: local privileged accounts the tool never discovered remain unmanaged, and the wildcard or over-broad entitlements attached to accounts it does vault are never examined. Infrastructure-based PAM tools also scan environments at fixed intervals, which is insufficient against the dynamic nature of cloud workloads, where roles and keys are created and abandoned between scans.
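The visibility gap described above is concrete enough to check for. The following is an added example, not Saviynt code or anything from the original post: it scans constructed, AWS-IAM-style policy documents for the two classic over-permissioning patterns (wildcard actions, and privilege-escalating actions granted on any resource) and then compares what each principal is granted against what it actually used in a constructed activity sample. The principal names, policy documents, activity sets and the list of sensitive actions are all illustrative assumptions.

```python
"""Flag over-permissioned cloud identities from policy documents and observed activity.

Added example: the policy documents and activity below are constructed sample
data modelled on the AWS IAM JSON format; they are not from any real account.
"""
import fnmatch

SAMPLE_POLICIES = {
    "role/ci-deployer": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-artifacts/*"}]},
    "user/legacy-admin": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "role/reporting": {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:DeleteBucket", "iam:PassRole"],
         "Resource": "*"}]},
}

# Constructed 90-day activity sample: the actions each principal actually called.
SAMPLE_ACTIVITY = {
    "role/ci-deployer": {"s3:GetObject", "s3:PutObject"},
    "user/legacy-admin": {"s3:ListBucket"},
    "role/reporting": {"s3:GetObject"},
}

# Assumed list of actions that confer or escalate privilege; granting any of
# them on Resource "*" is reported even when the action itself is not a wildcard.
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
                     "sts:AssumeRole", "s3:DeleteBucket"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_findings(principal, stmt):
    """Return (principal, finding_type, action) tuples for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = _as_list(stmt.get("Action", []))
    wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append((principal, "wildcard-action", action))
        if wildcard_resource and action in SENSITIVE_ACTIONS:
            findings.append((principal, "sensitive-on-any-resource", action))
    if "*" in actions and wildcard_resource:
        findings.append((principal, "full-admin", "*"))
    return findings


def find_over_permissioned(policies):
    """Static check: every statement of every principal."""
    findings = []
    for principal, doc in policies.items():
        for stmt in doc.get("Statement", []):
            findings.extend(statement_findings(principal, stmt))
    return findings


def granted_actions(doc):
    allowed = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def unused_permissions(policies, activity):
    """Usage check: granted actions never observed in the activity window.

    A concrete grant is unused if it never appears in the activity; a wildcard
    grant is unused only if no observed action matches its pattern.
    """
    report = {}
    for principal, doc in policies.items():
        used = activity.get(principal, set())
        unused = {g for g in granted_actions(doc)
                  if not any(fnmatch.fnmatchcase(u, g) for u in used)}
        report[principal] = sorted(unused)
    return report


if __name__ == "__main__":
    for finding in find_over_permissioned(SAMPLE_POLICIES):
        print("FINDING", *finding)
    for principal, unused in unused_permissions(SAMPLE_POLICIES, SAMPLE_ACTIVITY).items():
        print("UNUSED ", principal, unused or "-")
```

Run against the sample, the static pass flags `user/legacy-admin` as full admin and `role/reporting` for `iam:PassRole` and `s3:DeleteBucket` on any resource, while the usage pass shows `role/reporting` exercising only one of its three grants. A vault-and-rotate PAM tool would manage the password on `user/legacy-admin` and report success without ever surfacing either problem; in a real environment the policies come from the cloud provider's API and the activity from its audit log, and the scan has to run continuously rather than on a fixed schedule.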
Reduce Risk by Removing Standing Privileged Accounts
Vaulting is still necessary for critical standing accounts such as built-in Administrator accounts on Windows or root on UNIX. These accounts need management, but they should exist for break-glass purposes only, with their use alerted on and reviewed. To effectively reduce the attack surface, organizations need to make zero standing privilege (ZSP) a primary goal of their PAM program: no identity holds elevated rights by default, and elevation exists only while an approved task is running.
Traditional privileged access tools aren’t built for the cloud
With a ZSP approach, privileged access is explicitly requested and granted for a specific task, and its usage is monitored, which gives machine learning algorithms a clean baseline against which to identify anomalous behavior. Access is granted at the minimum level of privilege required and only for the time needed to perform the task, after which it is revoked automatically. A stolen credential is therefore worth little outside an active, approved window, and organizations can detect breaches early, before attackers move laterally across the IT ecosystem.
Getting to this ZSP state is easier said than done. In a traditional PAM tool world, it can mean deploying agents and setting up and maintaining complex access rules, which really isn’t practical for cloud or ephemeral workloads. Additionally, traditional PAM tools were not built with governance in mind, and without good PAM governance it’s nearly impossible to continuously ascertain where privileged access risks lie.
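To make the ZSP mechanics described above concrete, here is an added example that is not part of the original post and not Saviynt's product code: a minimal just-in-time elevation broker. Every grant is tied to a pre-approved entitlement, capped by a policy TTL, checked at use time, revoked when the clock runs out, and written to an audit trail; a reconciliation function then compares the admin memberships actually present on target systems against active grants, so anything privileged with no live grant is reported as standing privilege to remove or explicitly designate as break-glass. The identity, target and role names, the TTL ceiling and the in-memory storage are all illustrative assumptions.

```python
"""Just-in-time elevation broker illustrating zero standing privilege (ZSP).

Added example. Identities, targets, roles and the TTL ceiling are assumptions;
a real deployment would back this with durable storage and the target systems'
own group or role APIs.
"""
from dataclasses import dataclass, field
import uuid


@dataclass
class Grant:
    grant_id: str
    identity: str
    target: str
    role: str
    issued_at: float
    expires_at: float
    reason: str


@dataclass
class JitBroker:
    max_ttl: int = 3600                     # policy ceiling on any elevation window (seconds)
    # Pre-approved (target, role) pairs each identity may request. Being eligible
    # is not the same as being elevated: nothing here is standing privilege.
    entitlements: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, identity, target, role, ttl, reason, now):
        """Issue a time-boxed grant, or return None with the denial logged."""
        if (target, role) not in self.entitlements.get(identity, set()):
            self._log(now, "deny", identity, target, role, "no entitlement")
            return None
        if ttl > self.max_ttl:
            self._log(now, "deny", identity, target, role, "ttl exceeds policy")
            return None
        grant = Grant(str(uuid.uuid4()), identity, target, role, now, now + ttl, reason)
        self.grants[grant.grant_id] = grant
        self._log(now, "grant", identity, target, role, reason)
        return grant

    def is_elevated(self, identity, target, role, now):
        """The check every privileged operation runs; expiry is enforced first."""
        self.expire(now)
        return any(g.identity == identity and g.target == target and g.role == role
                   for g in self.grants.values())

    def expire(self, now):
        """Revoke every grant whose window has closed; returns how many."""
        expired = [gid for gid, g in self.grants.items() if g.expires_at <= now]
        for gid in expired:
            g = self.grants.pop(gid)
            self._log(now, "revoke", g.identity, g.target, g.role, "ttl elapsed")
        return len(expired)

    def _log(self, ts, event, identity, target, role, detail):
        self.audit.append({"ts": ts, "event": event, "identity": identity,
                           "target": target, "role": role, "detail": detail})


def standing_privilege_report(current_admins, broker, now):
    """Reconcile enumerated admin memberships against active grants.

    current_admins: {target: {identity, ...}} as read from the systems themselves.
    Any privileged identity without an active grant is standing privilege.
    """
    broker.expire(now)
    active = {(g.target, g.identity) for g in broker.grants.values()}
    return {target: sorted(i for i in ids if (target, i) not in active)
            for target, ids in current_admins.items()}


if __name__ == "__main__":
    broker = JitBroker(max_ttl=1800, entitlements={"alice": {("prod-db-01", "dba")}})
    broker.request("bob", "prod-db-01", "dba", 600, "curious", now=1000.0)     # denied
    broker.request("alice", "prod-db-01", "dba", 7200, "INC-1", now=1000.0)    # denied: ttl
    broker.request("alice", "prod-db-01", "dba", 900, "INC-1", now=1000.0)     # granted
    print("elevated at t=1500:", broker.is_elevated("alice", "prod-db-01", "dba", now=1500.0))
    print("elevated at t=1900:", broker.is_elevated("alice", "prod-db-01", "dba", now=1900.0))
    # Constructed membership snapshot: what the database host's admin group contains now.
    snapshot = {"prod-db-01": {"alice", "svc-backup", "root"}}
    print("standing privilege:", standing_privilege_report(snapshot, broker, now=1100.0))
    for entry in broker.audit:
        print(entry)
```

Two design points matter here. The authorization check calls `expire` before answering, so a grant cannot outlive its window even if the revocation job is late; and the reconciliation report is driven by what the target systems actually contain, not by what the broker believes it issued, which is how local accounts the PAM tool never discovered surface. In the sample run, `root` and `svc-backup` appear as standing privilege on the database host: the first is a break-glass account to vault and alert on, the second is the kind of service identity whose rights should be narrowed or made ephemeral.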
Facilitate ZSP With an Identity-Based Approach to PAM
Saviynt recognized that the traditional approach to PAM was rooted in traditional data center infrastructure and credential vaulting. We knew that this approach requires too much care and feeding, and leaves organizations with too many blind spots.
To us, a true cloud PAM solution is converged with IGA capabilities. Saviynt’s Cloud PAM solution is built on our Enterprise Identity Cloud (EIC) which means that you can manage all identities and entitlements more efficiently, improve enterprise-wide visibility, and leverage identity intelligence and analytics to make better access decisions. This converged approach simplifies just-in-time PAM by enabling users to request elevated access to perform time-specific tasks with just enough (or least possible) privilege.
The EIC platform is powered by automation-driven analytics to help organizations discover privileged accounts and eliminate them, putting ephemeral privilege—or ZSP—well within reach.
How will new cyber insurance requirements impact your PAM program? Check out our Cloud PAM Buyer’s Guide below to learn more, or watch our Trends 2023 on-demand webinar and stay one step ahead of the curve.