Achieving visibility across the enterprise is critical to reducing risks in privileged user access – and reducing risks in the current environment will only get harder. The new Saviynt and Ponemon Institute State of Enterprise Identity research report offers insight into the challenges faced by IT teams as they try to secure privileged access in an increasingly digital world.
It’s not a moment too soon. The numbers and kinds of cyber attacks are ever-increasing. According to the 2022 Verizon Data Breach Investigation Report, “From very well-publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.” And privileged accounts are a favorite line of attack.
Yet privileged users are particularly complex to manage because, as superusers or administrators, their elevated level of access can present elevated risks if compromised. Privileged Access Management (PAM) refers to the processes used to secure, manage, and monitor elevated access for human and machine identities. PAM is a key component in preventing and mitigating both internal and external cyberattacks. It enables zero trust adoption, with least privilege access (restricting permission and access to resources to the minimum level required for each user to do their job) and zero standing privilege (eliminating standing privileges).
This blog post, the third in the series, will take a look at how organizations are currently managing the security of their privileged access and offer tips for improvement. For more information on the report, check out the first post in this series, Top Highlights from the 2022 State of Enterprise Identity Report, and the second post, How Companies Use Risk Data to Guide Cybersecurity Efforts.
If the findings from the Ponemon report are any indication, organizations need to improve the way they approach privileged access security. The report includes responses from more than 1000 IT and IT security practitioners, who are experts on their organizations’ programs and the solutions used to mitigate cybersecurity, identity & access, and compliance risks. Only 36 percent of respondents say their organizations are confident they can determine if privileged users are compliant with policies.
Respondents rated their confidence in important components of their privileged access management programs, along with their effectiveness in preventing internal threats involving the use of privileged credentials. Only 35 percent say their organizations are confident in the ability to identify and manage privileged access, and only 32 percent of respondents are confident that privileged users are unable to work around the organization's controls. Only 35 percent of respondents report having high confidence that their current controls are effective in preventing internal threats involving the use of privileged credentials. This data suggests that many organizations are still struggling to get clear, enterprise-wide visibility into privileged access.
Why is visibility of privileged access so difficult to achieve? The research report revealed four top challenges to visibility. IT teams say:
Today’s complex enterprise ecosystems only add to the difficulties. Digital transformation is accelerating, and because businesses are leveraging hybrid and multi-cloud IT environments and SaaS applications to transform effectively and efficiently, it’s crucial for them to secure their privileged accounts.
Many businesses are also looking for solutions to better support their remote employees and enable greater collaboration with non-employees (such as independent contractors or third-party vendors). According to Saviynt’s Vibhuti Sinha, “Businesses should require their privileged access management solution to offer the ability to integrate non-traditional identities and manage the entire identity lifecycle to ensure access doesn’t veer beyond a remote employee’s permission level — or a contractor’s predetermined engagement timeline.”
Remote & hybrid workers present significant security risks, according to the Ponemon report. Thirty-seven percent of respondents report their number one step to secure the hybrid, remote workforce is screening new employees. But achieving ongoing compliance is another matter.
Cloud technology and SaaS applications now dominate most organizations’ digital transformation strategies. That makes two things requirements for modern identity security: dynamic, ongoing visibility into who is trying to access what, and limits on the scope and duration of each user’s access on an as-needed basis. Software solutions need to be nimble, with the ability to detect suspicious activity and create alerts for fast remediation. This will be vital in the ongoing fight to prevent devastating breaches.
The report also found that only 40% of respondents are applying zero trust principles within their PAM program by removing standing privilege and only issuing privileged access for a specific time for a specific account to do specific things. Even fewer organizations — 37% — are performing the basic PAM controls of storing and managing privileged credentials in a technology vault. And only 44% of respondents say their PAM solution makes it possible to terminate access by locking down an application on endpoints. These gaps render organizations vulnerable to attack, leaving the door open for a determined adversary to find a privileged account and exploit it for nefarious purposes.
The pace of cloud adoption has exposed gaps in traditional privileged access management. The old approach of discovering and vaulting privileged accounts merely centralizes risk rather than reducing it. And with high on-premises infrastructure costs and limited oversight across hybrid multi-cloud, infrastructure, and SaaS applications, it’s no wonder organizations are seeking a more agile, risk-based approach to PAM.
A modern PAM solution would address the current lack of granularity in traditional PAM solutions to enable better visibility into today’s complex connections, policies, and entitlements, allowing organizations to reduce their vulnerability to the ever-growing threat of cyber attack.