The massive increase in the use of cloud platforms has made traditional network boundaries porous. As a result, from a security perspective, protecting user identity has become increasingly important.
With the increased importance of user identities – both human and machine – it has become a security imperative to ensure that authorisations are in place for each identity and that the lifecycle of the identity is managed properly.
That is, user identities need to be tracked from the moment a person joins an organisation, through each change of role, and until they leave, with access levels managed at every stage of that journey. Users commonly accumulate access rights as they change roles (privilege creep), and the resulting excess privileges are a security risk.
It is for this reason that an important part of identity management is privileged access management (PAM).
How does PAM contribute to identity management?
PAM consists of cybersecurity strategies and technologies for exerting control over the elevated or privileged access and permissions for users, accounts, processes, and systems across an IT or OT (operational technology) environment.
By right-sizing privileged access controls, PAM helps organisations reduce the potential attack surface that they face. PAM also prevents, or at least mitigates, the damage arising from external attacks, as well as from insider malfeasance or negligence.
PAM vs identity management: which is the biggest priority?
The question that often arises is what comes first. Identity management or PAM?
Actually, both are tied together, and prioritisation of both or either really comes down to what is most important within the organisation. For many organisations, PAM comes before identity management.
As far as the evolution of PAM itself goes, separating privileged accounts from everyday accounts has long been considered best practice, and organisations have been reasonably good at doing it.
If we go all the way back to Windows Server 2003, as an example, Microsoft said (paraphrasing), “Hey, you need to have two accounts for administrators: one for their everyday usage, and one for their actual administrator duties”.
In practice, however, the two accounts often end up with the same password, so if one is compromised, the other is too.
The problem with shared accounts
Back then, what we wanted to avoid was shared user accounts. However, shared accounts offer benefits that make it hard for organisations to step away from them fully, including lower costs and easier collaboration. At the same time, they pose a significant number of challenges.
One of the biggest problems is that there remains a strong possibility of losing control of the credentials if there is no auditing, reporting, recording, and accountability associated with those accounts or the actions taken with them.
There have been many instances of organisations having the credentials of shared accounts stored in spreadsheets, meaning there is no control or oversight, and there are limited restrictions on what users can do with the access provided by those accounts.
PAM helps organisations regain control
That’s where the PAM journey starts: with a method to manage privileged access securely. This is commonly known as Privileged Account and Session Management, or PASM.
The first step in implementing PAM is discovering what exists on your network, because you can’t protect what you don’t know about. The network is scanned to identify privileged accounts and their credentials, which are then onboarded into the vault and managed automatically. That is a big step forward; the automation alone is very helpful for security personnel.
PASM tools also provide session brokering: the tool opens the privileged session on the user’s behalf and injects the credential, so the user never sees or handles it.
At BeyondTrust, we also offer a free Discovery app that helps organisations understand the extent of the problems they face today before implementing PAM.
The evolution of privileged access management
PAM has evolved to no longer encompass just PASM. It now also includes the management of privileges—that is, managing not just who can access what and when, but also providing granular control all the way down to what a user can do when they are accessing the device itself. This can also include managing access to systems by third-party users and remote employees.
Most users start with a standard account with limited privileges. PAM then elevates just the specific privilege or application needed (rather than the whole user account), just in time, giving the user just enough access to complete the task at hand and nothing else, for only as long as necessary.
This approach gives administrators better visibility, which in turn leads to a more secure environment.
How PAM can help IT leaders in Singapore
A survey done by BeyondTrust in collaboration with iTnews Asia found that over half of IT leaders in Singapore believe that many of their users are over-privileged.
In such a situation, it is all about gaining visibility. And that’s where BeyondTrust’s unique new solution, Identity Security Insights, can make a difference.
BeyondTrust believes this is the next evolution of PAM. What PAM needs to offer now—and what Identity Security Insights provides—is a holistic way to view identities, accounts, privileges, and the threats associated with them across the whole organisation.
Administrators can see the full view of identities across their organisation: where they are, who owns them, and any threats associated with them. For example, when organisations move from on-premises Active Directory to Microsoft Entra (formerly Azure Active Directory), it is common for them to set up a number of highly privileged service accounts for the migration.
Often, these service accounts become dormant and are never removed, leaving standing high privilege that is a prime concern for Active Directory security.
Along with identity threat detection, Identity Security Insights can also help with areas such as cloud least privilege and privilege creep prevention.
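The two findings this article keeps returning to, entitlements accumulated across role changes and privileged accounts that nobody uses any more, are checks you can run yourself against an identity inventory. The script below is an added example, not BeyondTrust or Identity Security Insights code; the role profiles, the privileged-entitlement list and the account inventory are constructed sample data (in practice they would be loaded from an AD, Entra or IdP export), and the 90-day idle threshold is an assumed policy value.

```python
"""Audit an identity inventory for privilege creep and dormant privileged
accounts.  Added example, not vendor code: role profiles, the privileged
entitlement list and the inventory are constructed sample data."""
from datetime import date, timedelta

# Constructed role profiles: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "helpdesk":       {"reset-password", "unlock-account"},
    "db-admin":       {"db-admin", "backup-restore"},
    "cloud-engineer": {"aws-poweruser", "k8s-deploy"},
}

# Constructed list of entitlements treated as privileged.
PRIVILEGED = {"db-admin", "backup-restore", "aws-poweruser",
              "domain-admin", "global-admin"}

# Constructed inventory.  role_history is oldest -> newest; the last entry is
# the current role.  Service accounts carry no role and hold explicit grants.
INVENTORY = [
    {"id": "alice", "kind": "human",
     "role_history": ["helpdesk", "db-admin", "cloud-engineer"],
     "entitlements": {"reset-password", "unlock-account", "db-admin",
                      "backup-restore", "aws-poweruser", "k8s-deploy"},
     "last_login": date(2024, 5, 30)},
    {"id": "bob", "kind": "human", "role_history": ["helpdesk"],
     "entitlements": {"reset-password", "unlock-account"},
     "last_login": date(2023, 11, 2)},                 # idle but not privileged
    {"id": "svc-ad-migrate", "kind": "service", "role_history": [],
     "entitlements": {"global-admin", "domain-admin"},
     "last_login": date(2023, 9, 14)},                 # leftover migration account
    {"id": "svc-backup", "kind": "service", "role_history": [],
     "entitlements": {"backup-restore"},
     "last_login": date(2024, 5, 31)},
    {"id": "svc-never-used", "kind": "service", "role_history": [],
     "entitlements": {"domain-admin"},
     "last_login": None},                              # created, never signed in
]

AUDIT_DAY = date(2024, 6, 1)   # assumed "today" for the sample run


def privilege_creep(account):
    """Entitlements the account holds that its *current* role does not need.
    Earlier roles are deliberately ignored: leftovers from them are the creep."""
    if not account["role_history"]:
        return set()                      # no role profile to compare against
    current = account["role_history"][-1]
    needed = ROLE_ENTITLEMENTS.get(current, set())
    return account["entitlements"] - needed


def is_privileged(account):
    """True if the account holds at least one privileged entitlement."""
    return bool(account["entitlements"] & PRIVILEGED)


def dormant_privileged(accounts, today, max_idle_days=90):
    """IDs of privileged accounts idle longer than max_idle_days or never used.
    Unprivileged idle accounts are a hygiene issue but not a PAM finding here."""
    cutoff = today - timedelta(days=max_idle_days)
    found = []
    for acct in accounts:
        if not is_privileged(acct):
            continue
        last = acct["last_login"]
        if last is None or last < cutoff:
            found.append(acct["id"])
    return found


def audit(accounts, today, max_idle_days=90):
    """Both finding lists a PAM onboarding review would start from."""
    creep = {a["id"]: sorted(privilege_creep(a))
             for a in accounts if privilege_creep(a)}
    return {"privilege_creep": creep,
            "dormant_privileged": dormant_privileged(accounts, today,
                                                     max_idle_days)}


def run_sample_audit():
    """Run the audit over the constructed inventory on the assumed audit day."""
    return audit(INVENTORY, AUDIT_DAY)


if __name__ == "__main__":
    for kind, finding in run_sample_audit().items():
        print(kind, finding)
```

On the sample data the run flags alice for the helpdesk and database rights she kept after moving to cloud engineering, and flags both service accounts that hold domain or tenant admin rights but have not signed in within the window (one of them never). bob is idle but holds nothing privileged, so he is left out; the point of the privileged filter is to keep the review focused on the accounts whose compromise matters most.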
At BeyondTrust, our vision is a world where our identities and access are protected from cyber threats. We fight every day to secure identities intelligently, remediate threats and deliver dynamic access to empower and protect organisations around the world.
Access the iTnews Asia State of Security report: Here