Where We’ve Been – And Now Need to Go – to Secure the Modern Enterprise.
A few weeks ago, I published a blog on why modern enterprises must rethink PAM.
And I ruffled a few feathers.
But traditional privileged access management solutions just don’t secure the cloud ecosystems, and the human and machine identities within them, that enterprises now deploy.
To the skeptics, I ask: how can PAM be “cloud-friendly” if it doesn’t embrace the principles of the platform it is supposed to protect?
The Genesis of PAM
PAM emerged in the 1980s (with sudo for Unix), although the first commercial password vault wasn’t released until the early 2000s. At the time, randomizing passwords was the principal security feature: once each host held a unique administrator password, a credential stolen from one machine no longer opened the rest, which helped prevent cyber criminals from moving laterally through networks.
Vendors originally created vaults to store passwords for infrastructure. The reason: every server is built with an administrator (or ‘root’) account, and these accounts often shared the same password at build time. Password vaults randomize these passwords and let support teams retrieve each one when needed.
Then we saw wider adoption of password management, along with new solutions for Active Directory bridging and least privilege, again for Unix/Linux. By 2007, Privilege Elevation and Delegation Management (PEDM) for Windows emerged, albeit with a focus on endpoints like desktops and laptops. This technology offered better application control and removal of local admin rights.
Many began describing these solutions as ‘PAM,’ although vaulting remained central. Yet true privileged access management, as we experience it today, didn’t exist. Frank Dickson, Research Vice President, Worldwide Security Products at IDC, described it this way: “Password managers are just that. They allow a user to save a potpourri of user accounts, IDs and associated passwords.”
Concerningly, enterprises carried these solutions forward even as their ecosystems modernized. See, vaults were designed for shared accounts, not for personal, application, or web accounts. Personal accounts carry a variety of entitlements that do not lend themselves to management within a vault. But perhaps most concerning is that vaults don’t solve the worst security issue: excess privileges.
Old Tech Can’t Deliver Least-Privilege and JIT Access
Centralizing privileged accounts in a vault won’t reduce the number of privileged accounts or the risk those privileges carry. And it won’t guide an enterprise toward least-privilege or just-in-time (JIT) access.
As attacks grew, the 2010s saw new defensive measures and applications introduced. While robust, the solutions were piecemeal, and they expanded enterprises’ architectural footprints. The result? A smorgasbord of tools, including SIEM, IGA, SSO, MFA, and vulnerability management software, to deploy and maintain.
Although more robust PAM solutions now exist, M&A dynamics further muddle things. Often, incumbent vendors try to fast-track innovation by buying up PAM tools, and customers miss out: fragmented architectures blunt the full potential of PAM. Companies now suffer with different consoles, different reporting interfaces, and disparate agents in play. The technical debt alone debilitates even the most efficient IT/security teams.
The Cloud PAM Difference
Saviynt designed its platform with Zero Trust, zero standing privilege, and JIT access in mind. Without an on-prem footprint, the platform adds versatility: it secures privileged access and protects critical assets across the entire infrastructure.
As we trace the progress of PAM, we believe the 2020s will be about consolidation and simplicity. To us, a true cloud-PAM solution is converged, meaning integrated IGA and PAM capabilities.
For instance, the Saviynt platform works inside the cloud to attach rights and privileges to identities, streamlining governance with no bolt-on software required. In contrast, traditional PAM focuses on infrastructure. Cloud-PAM leapfrogs this with built-in connectors, bringing JIT access to applications and consoles, for example.
And rather than creating additional user accounts for privileged access that then need monitoring, administrators can assign time-bound permissions to existing identities.
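To make the zero-standing-privilege and JIT model above concrete, here is an added example (not Saviynt’s code, and not any product’s API) of a minimal JIT broker: a time-bound entitlement is attached to an existing human or machine identity, access is true only inside the approved window, grants can be revoked early or swept on expiry, and every decision lands in an audit trail. All class names, identities, resources, ticket references and timestamps are hypothetical values constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """A time-bound entitlement attached to an existing identity; no new account is created."""
    identity: str       # SSO identity of a person, or the service identity of a workload
    resource: str       # e.g. a host name or a cloud account (constructed values below)
    entitlement: str    # e.g. "sudo" or "AdministratorAccess"
    not_before: datetime
    not_after: datetime
    ticket: str         # justification / change reference (constructed)


class JitBroker:
    """Hypothetical broker: grants exist only inside an approved window, so there is no standing privilege."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)):
        self.max_ttl = max_ttl          # policy cap on how long any grant may live
        self._grants: list[Grant] = []  # currently open grants
        self.audit: list[str] = []      # append-only trail of every decision

    def request(self, identity: str, resource: str, entitlement: str,
                ttl: timedelta, ticket: str, now: datetime) -> Optional[Grant]:
        """Open a grant for `ttl`, or refuse it when the requested window violates policy."""
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            self.audit.append(f"{now.isoformat()} DENY {identity} {entitlement}@{resource} "
                              f"ttl={ttl} outside policy (max {self.max_ttl})")
            return None
        grant = Grant(identity, resource, entitlement, now, now + ttl, ticket)
        self._grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {identity} {entitlement}@{resource} "
                          f"until {grant.not_after.isoformat()} ticket={ticket}")
        return grant

    def revoke(self, grant: Grant, now: datetime) -> bool:
        """Close a grant early (task finished, incident response). Returns False if it was not open."""
        if grant not in self._grants:
            return False
        self._grants.remove(grant)
        self.audit.append(f"{now.isoformat()} REVOKE {grant.identity} "
                          f"{grant.entitlement}@{grant.resource} ticket={grant.ticket}")
        return True

    def expire(self, now: datetime) -> list[Grant]:
        """Sweep: close grants whose window has ended and return them so a connector can strip the entitlement."""
        expired = [g for g in self._grants if g.not_after <= now]
        for g in expired:
            self._grants.remove(g)
            self.audit.append(f"{now.isoformat()} EXPIRE {g.identity} {g.entitlement}@{g.resource}")
        return expired

    def is_permitted(self, identity: str, resource: str, entitlement: str, now: datetime) -> bool:
        """Access decision: true only while an open grant covers this identity, resource and entitlement."""
        return any(g.identity == identity and g.resource == resource and g.entitlement == entitlement
                   and g.not_before <= now < g.not_after
                   for g in self._grants)

    def active_grants(self, now: datetime) -> list[Grant]:
        return [g for g in self._grants if g.not_before <= now < g.not_after]


def demo() -> dict:
    """Walk through the grant lifecycle with constructed identities, resources and times."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(max_ttl=timedelta(hours=4))
    alice, host = "alice@example.com", "prod-db-01"          # constructed human identity
    deployer, account = "ci-deployer", "cloud-account-prod"  # constructed machine identity

    before = broker.is_permitted(alice, host, "sudo", t0)                       # nothing is standing
    broker.request(alice, host, "sudo", timedelta(hours=1), "CHG-0042", t0)
    during = broker.is_permitted(alice, host, "sudo", t0 + timedelta(minutes=30))
    too_long = broker.request(alice, host, "sudo", timedelta(days=1), "CHG-0043", t0)  # refused by policy

    g_ci = broker.request(deployer, account, "AdministratorAccess", timedelta(minutes=15), "PIPE-7", t0)
    revoked = broker.revoke(g_ci, t0 + timedelta(minutes=5))                    # pipeline finished early
    after_revoke = broker.is_permitted(deployer, account, "AdministratorAccess", t0 + timedelta(minutes=6))

    expired = broker.expire(t0 + timedelta(hours=1))                            # sweeps alice's grant
    after = broker.is_permitted(alice, host, "sudo", t0 + timedelta(hours=1))
    return {"before": before, "during": during, "too_long_refused": too_long is None,
            "revoked": revoked, "after_revoke": after_revoke, "expired": len(expired),
            "after": after, "open": len(broker.active_grants(t0 + timedelta(hours=1))),
            "audit_events": len(broker.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `is_permitted` never consults a role or group membership that persists between requests: outside a window the identity holds nothing, so there is no standing administrator account for an attacker to harvest, and the `expire` sweep is what a real connector would drive to remove the entitlement from the target system.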
Old PAM Won’t Boost Governance
Sure, a solution may tell administrators who has access to what. But converged solutions go further: not only can they certify access, they manage the lifecycle of both the user and the privilege. They should also govern which machine a user works from and what access that user has, down to granular entitlements.
We’ve come a long way since the days when PAM was a fancy term for password vaulting. New PAM means so much more:
- Alignment to zero standing privileges for infrastructure, applications, and web apps
- JIT access to infrastructure, applications, and web apps
- Real-time discovery and onboarding of dynamic cloud workloads
- Governance-driven risk insights and reporting of cloud security
- Simplified onboarding – and more!
Clearly, times are changing. Fortunately, technology is too. Modern enterprises, it’s time to keep up.