Why is implementing PAM more critical now than ever before? If you attended the Saviynt hosted webinar on July 23, 2020, then you already have the answers. Sean Ryan, Senior Analyst for Forrester, and Vibhuti Sinha, Chief Cloud Officer for Saviynt shared their expertise and answered audience questions. Did you miss it? Well, the good news is this compelling discussion is recapped below and a video recording is available. Here are a few key points covered by these PAM experts:
“There’s more and more technology partners, business partners, suppliers, both upstream and downstream contractors, many who are outside your organization. They’re not your employees, but they need access to privileged information to do their jobs and help you.” ~ Sean Ryan, Senior Analyst, Forrester.
Security’s role as a business enabler rather than a business blocker was one of the many key insights that Sean shared. Too often, security is viewed as the department of “no” when in fact the point of a good security program is to facilitate business productivity not hinder it. In today’s world, a lot of changes are happening; not only the infrastructure that is used but in the processes and approaches organizations utilize. In the wake of a pandemic, even the ways that business is conducted experienced a huge shift. COVID-19 forced a move from brick and mortar “business as usual” to a more dynamic, technology-based “next normal” which accelerated innovation, advanced business functions, and how products and services were delivered. With these advances came more threats, new types of attacks, and increased security concerns. Sean presented crucial aspects of balancing security while maintaining business velocity.
“80% of data breaches have some connection to privileged credentials” ~ Sean Ryan, Senior Analyst, Forrester.
When making an attack on an organization, bad actors are constantly looking to compromise accounts that can give them deeper access to the network. While general user accounts can serve as a useful stepping stone, their primary goal is to acquire privileged accounts that can be used to change permissions, install backdoors, or access data that otherwise might be outside of the reach of an average user. When organizations have standing privileged accounts, they open the door to this risk and create a potential target for bad actors to go after.
Making this even more dangerous are accounts that have been given excessive permissions or abandoned. In many organizations, especially when they are growing their IT ecosystem, privileged accounts are given as much administrative access as possible in order to simplify account management. This allows infiltrators to use a single account to get in everywhere, switching systems quickly and access whatever they like. These privileged accounts are the holy grail for hackers and are the keys to the organization. Once a privileged account is compromised, there is little standing between a bad actor and every drop of your data.
“So it’s about making sure that you have visibility into all of these types of accounts, and if there’s [sic] unused accounts sitting out there, that you’re closing that door” ~ Sean Ryan, Senior Analyst, Forrester.
Orphaned accounts may not be as directly dangerous, but they still pose a significant risk. These forgotten accounts sit on the network, unused but still with the potential to be used for privileged access. In order to deal with these accounts, you first need to be able to identify these accounts before they can be disabled and removed. This is obfuscated by complex environments with multiple cloud and local applications to parse through. This calls for an automated solution to identify and disable these rogue accounts.
Vibhuti Sinha shared a list of the new challenges that modern PAM solutions must solve to be relevant in a world that relies on cloud or hybrid ecosystems. First off, to remain relevant, organizations need role-based PAM. Current PAM solutions lack fine-grained application entitlements such as Salesforce permission sets or Office 365 role assignments. Traditional PAM can’t fully deliver on Just-in-Time (JIT) permissions or zero-standing privilege for cloud assets. Zero-standing privilege ensures that no privileged accounts exist purely by default. Instead, every account must request permissions as needed. These permissions are granted “Just-in-Time” to create an audit trail of privileged access use. These security gaps are why Saviynt converged cloud security with IGA to alleviate the issues around fragmented solutions. Integrating these capabilities delivers a platform that reduces security risks while easing the audit process.
“If you are securing your ecosystem and wish to maximize the return on your investment, look for a consolidated platform which converges these technologies – IGA, PAM, cloud security, and DevSecOps.” ~ Vibhuti Sinha Chief Cloud Officer, Saviynt
When working in the PAM domain, there are five principles needed to make PAM cloud accessible. First is the convergence of IGA or IAM technologies with PAM in order to alleviate a lot of the issues around fragmented security. Second is ensuring least privilege is implemented and maintained. Doing this raises the importance of Just-in-Time access. Requested privilege must be fulfilled quickly to meet business needs. Third, it’s crucial to diversify across the cloud platforms. The old adage of not putting all your eggs in one basket applies here as well.
Everything from infrastructure workloads to applications can benefit from diversification. This requires role-based PAM to tie everything together and make it cohesive. The fourth critical principle is that of integrated governance. Leveraging preventative SoD checks, risk awareness, and micro certifications are imperative in the cloud ecosystem and must be a part of PAM functionality. This circles back to the first principle of convergence of IGA or IAM systems with your PAM platform. Finally, the fifth principle is to utilize native cloud technologies in order to capitalize on the benefits of their inherent elasticity, resilience, and delivery as a service. It is difficult for a PAM to be cloud-friendly if it does not embrace the principles of the platform that it is designed to protect.
Getting PAM Right Is Critical Now More Than Ever addressed many business concerns crucial for surviving in a world scrambling to deal with a suddenly remote workforce. If you didn’t have the chance to attend, we invite you to view this on-demand session at your convenience because now more than ever it’s vital to move at the speed of business.