In a world where people have become the new perimeter, the idea of “secure access” continues to evolve.
For VPNs, security means privacy.
For firewalls, security means controlling network traffic.
For anti-virus software, security means clean devices.
For Privileged Access Management (PAM) tools, security means that the right user account is accessing the right resources. This marks a significant shift from securing the network to securing the user account. Securing the network is like setting up checkpoints at intersections, whereas securing accounts is like requiring drivers to pass a test to get their license.
Considering that unauthorized access stands as the leading cause of breaches, identity-focused security is a step in the right direction. But while PAM tools play an important role in ensuring secure access, they tend to function as single-point solutions and rarely cover an organization’s entire range of use cases.
Understanding what PAM solutions can and cannot provide is critical to guaranteeing that your organization is executing a robust and comprehensive secure access strategy.
When it comes to securing remote access, PAM strategies and tools form an important part of the equation. The perimeter model is no longer sufficient to protect critical systems, and PAM rightly places identity at the center of access management.
However, merely having a PAM solution in place doesn’t secure all remote access scenarios. PAM solutions must be backed by:
Connectivity tools: PAM tools don’t continuously authenticate users once they’ve gained access to the network, nor do they provide contextual awareness or logging of their activity.
Multi-factor authentication (MFA): PAM solutions rely too heavily on a single control mechanism that can be compromised by bad security hygiene, like shadow IT and weak password practices.
Solid policy: Before making security tooling decisions, organizations must identify who or what type of user is appropriate for each set of access permissions and establish an effective privileged account discovery process.
The remote environments from which employees access the network can be unpredictable and rife with vulnerabilities. PAMs can shore up some of the gaps in remote access, but multiple solutions will likely be needed to cover a majority of use cases. This leads to tool sprawl, which can quickly undermine itself by creating friction in the user experience and, paradoxically, causing bad user behavior like weak passwords.
PAM solutions have a role to play in any secure remote access strategy, but without additional security tools it is still too easy for an attacker to steal or otherwise obtain legitimate user credentials and log into the network.
Third-party access is now top-of-mind for organizations following several years of big-name breaches caused by compromised vendors — Okta, Kaseya, and SolarWinds to name just a few.
According to Ponemon, 59% of organizations suffered a breach caused by a third party in 2022, while 54% suffered a breach as a result of a third party itself being breached. Even more alarming, Black Kite reports that every compromised vendor impacts 4-5 first-party companies on average.
Enforcing controls for third parties is extremely difficult. Even if vendors and contractors are issued an agented device (a substantial expense of both money and time), you still can’t gain visibility into the vendor’s network to assess their security posture. And even if you could, it’s impractical to expect a vendor to juggle various policies across all of their clients. This is why third-party vendors often request (and are usually granted) over-permissioned user roles—to avoid getting stuck in a loop of perpetual access requests.
PAM is born out of the idea that sometimes regular users need to perform tasks that require elevated privileges. PAM allows the elevation of those privileges on an as-needed basis, rather than a permanent one.
Still, PAM solutions alone can’t mitigate the risk of bad hygiene on the side of the third-party, like shared accounts, improper device management, and others.
Mergers and acquisitions (M&A) are plagued by opportunities for breaches. In fact, over one-third of organizations suffer data breaches related to M&A integration, and over 60% of organizations say that cyber risk is their biggest concern post-acquisition. And integrating two systems and harmonizing policy sets can take months or even years of tedious work.
From a PAM standpoint, administrators must create new roles and migrate new users to the acquiring organization’s directory. This takes quite a bit of planning and configuration. Teams must determine compatible user groups and necessary permissions for all acquired employees and update authentication protocols and flows to configure IdPs from both organizations.
A common shortcut is for the acquiring organization to adjust firewall rules to allow all traffic from the acquired network, essentially duct-taping these two systems together. M&As often inspire ad hoc IT solutions to maintain productivity, which expands the attack surface. Implementing a compatible PAM configuration is difficult and resource intensive, so new users often resort to shadow IT to gain the access they need to do their old job under the new rules.
PAM solutions are an important part of a security program, but organizations need more control during M&As so they don’t have to choose between security and compatibility.
The last 10-15% of your systems landscape (aka the “Last Mile”) is the hardest to secure. The last mile includes problematic assets like hosted, on-premises, custom-built, offline, and legacy applications.
These tough-to-secure resources are still in play for a reason. Modernizing them would be too disruptive or expensive, or no other system can do what these applications do.
PAM solutions and identity providers simply can’t communicate with legacy applications that predate the adoption of MFA, Security Assertion Markup Language (SAML), and other modern controls.
As an even more basic shortcoming, PAM solutions can’t evaluate the circumstances by which users arrive at an application and submit credentials. Organizations need the ability to integrate policy options into their identity controls and define what users can access based on risk, geo-location, time of day, and a long list of other factors.
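The kind of context-aware policy described above, sketched as an added example (it is not code from the original article or from any PAM product): a deny-by-default evaluator that checks source country, a risk score and time of day, denies when any check fails, and asks for a step-up MFA challenge when risk is elevated but still acceptable. The policy, the requests, the application name and the risk thresholds are all constructed here; the country and risk score are assumed to be supplied by an upstream component.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    application: str
    country: str            # ISO 3166 code, assumed to be derived upstream from the source IP
    risk_score: int         # 0-100, assumed to come from a device or behaviour risk feed
    requested_at: datetime  # timezone-aware


@dataclass(frozen=True)
class Policy:
    application: str
    allowed_countries: FrozenSet[str]
    max_risk_score: int      # above this the request is denied outright
    step_up_risk_score: int  # above this (but within max) access needs a fresh MFA challenge
    window_start: time       # permitted hours, expressed in UTC
    window_end: time


@dataclass(frozen=True)
class Decision:
    allow: bool
    step_up_mfa: bool
    reasons: Tuple[str, ...]


def evaluate(policy: Policy, req: AccessRequest) -> Decision:
    """Evaluate one request against one policy; deny by default and explain every denial."""
    if req.application != policy.application:
        return Decision(False, False, ("policy does not cover this application",))
    if req.requested_at.tzinfo is None:
        return Decision(False, False, ("timestamp must be timezone-aware",))

    denials: List[str] = []
    if req.country not in policy.allowed_countries:
        denials.append(f"source country {req.country} not permitted")
    if req.risk_score > policy.max_risk_score:
        denials.append(f"risk score {req.risk_score} above limit {policy.max_risk_score}")
    utc_t = req.requested_at.astimezone(timezone.utc).time()
    if not (policy.window_start <= utc_t <= policy.window_end):
        denials.append(f"request at {utc_t.isoformat()} UTC outside permitted hours")
    if denials:
        return Decision(False, False, tuple(denials))

    # Within limits but elevated: grant only after a fresh MFA challenge.
    step_up = req.risk_score > policy.step_up_risk_score
    reasons = ("elevated risk: step-up MFA required",) if step_up else ("all context checks passed",)
    return Decision(True, step_up, reasons)


# Constructed sample policy: a legacy payroll app reachable from US/CA during UTC business hours.
PAYROLL_POLICY = Policy(
    application="payroll-legacy",
    allowed_countries=frozenset({"US", "CA"}),
    max_risk_score=70,
    step_up_risk_score=40,
    window_start=time(8, 0),
    window_end=time(18, 0),
)


def _req(country: str, risk: int, hour: int) -> AccessRequest:
    return AccessRequest("alice", "payroll-legacy", country, risk,
                         datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc))


# Constructed requests covering the normal path and each denial / step-up branch.
SAMPLE_REQUESTS = {
    "normal": _req("US", 10, 14),
    "bad_geo": _req("DE", 10, 14),
    "late": _req("US", 10, 23),
    "risky": _req("US", 55, 14),
    "too_risky": _req("US", 90, 14),
}


def decide_samples() -> dict:
    return {name: evaluate(PAYROLL_POLICY, r) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in decide_samples().items():
        print(f"{name:10s} allow={d.allow!s:5s} step_up={d.step_up_mfa!s:5s} {'; '.join(d.reasons)}")
```

The point of returning a reason with every decision is operational rather than cosmetic: a denial that says "outside permitted hours" is something a help desk can act on, and a stream of such decisions is what a detection team would feed into alerting on repeated out-of-policy attempts.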
Operational technology (OT) environments operate according to a set of principles distinct from those of information technology (IT) and often eschew security for the sake of a different priority: availability. As such, these systems are highly sensitive and vulnerable to attack.
PAM solutions are rarely built with OT in mind. The vast majority require a cloud connection, which makes them inapplicable to many offline, isolated, and legacy-based OT resources.
Additionally, when it comes to physical systems like blast furnaces or industrial boilers, latency and downtime mean danger. Because PAM solutions route traffic through the cloud, they can impede the system’s responsiveness and introduce friction for administrators.
PAM solutions play a pivotal role in implementing zero-trust frameworks — but, again, they come with some serious caveats.
Most PAM solutions manage passwords in their cloud, thus becoming a potential single point of failure. For true zero trust, all data, tokens, etc., must remain within the customer’s trust boundary at all times.
Zero trust requires other controls beyond the scope of PAM, like network segmentation, strong identity validation, and data encryption.
Zero trust means zero exceptions. While PAM tools can certainly help secure access scenarios involving cloud applications, they struggle with securing legacy or offline apps.
When we talk about “unauthorized access,” we’re usually talking about attackers. However “authority” applies to internal users, too. It all comes down to the principle of least privilege. An administrator may be authorized to access most or even all systems, but they should only be granted this authority on an as-needed basis. PAM enables this through the temporary escalation of access privileges or by supplying the user with a set of credentials that are different from the set they use for normal, low-risk, everyday tasks.
You may imagine the network as a highway and the admin account as a vehicle. A PAM solution ensures the vehicle belongs to the one driving it by checking their registration (aka credentials). But like network-centric security tools, PAM assumes that because a person holds the right credentials, they can be implicitly trusted after access has been granted.
PAM solutions don’t defend beyond the point of access: they don’t continue to validate a user’s identity or monitor their behavior inside the network. In effect, PAMs pull the driver over, check their driver’s license once, and then send them on their way with the assumption that they’ll continue to drive safely.
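The temporary privilege escalation described a few paragraphs up, together with the per-action re-validation this paragraph says PAM tools typically stop short of, as an added example (not code from the article or from any PAM product): a broker issues a time-boxed grant, and every privileged action is re-checked against both the grant’s expiry and a session anomaly score, with the grant revoked on the first failure. The broker, the 30-minute TTL, the anomaly threshold, the user and ticket identifiers are all constructed here; the anomaly score is assumed to come from whatever session-monitoring component a deployment has.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime


class JITBroker:
    """Issue time-boxed privilege grants and re-validate them on every privileged action.

    A grant is not a one-time license check: each use is checked against the
    grant's expiry and a behaviour signal, and the first failure revokes it.
    The anomaly score is an assumed input from a session-monitoring component.
    """

    def __init__(self, ttl: timedelta, anomaly_threshold: int, clock):
        self.ttl = ttl
        self.anomaly_threshold = anomaly_threshold
        self.clock = clock  # callable returning a timezone-aware datetime
        self.grants: Dict[str, Grant] = {}
        self.audit: List[Tuple[str, ...]] = []

    def request_elevation(self, user: str, role: str, justification: str) -> str:
        token = secrets.token_urlsafe(16)  # opaque handle for this grant only
        self.grants[token] = Grant(user, role, self.clock() + self.ttl)
        self.audit.append(("grant", user, role, justification))
        return token

    def revoke(self, token: str, reason: str) -> None:
        grant = self.grants.pop(token, None)
        if grant is not None:
            self.audit.append(("revoke", grant.user, grant.role, reason))

    def authorize_action(self, token: str, action: str, anomaly_score: int) -> bool:
        grant = self.grants.get(token)
        if grant is None:
            self.audit.append(("deny", "unknown", action, "no active grant for token"))
            return False
        if self.clock() >= grant.expires_at:
            self.revoke(token, "grant expired")
            return False
        if anomaly_score >= self.anomaly_threshold:
            self.revoke(token, f"anomaly score {anomaly_score} during {action}")
            return False
        self.audit.append(("allow", grant.user, action, f"anomaly={anomaly_score}"))
        return True


class FakeClock:
    """Deterministic clock so the walkthrough is reproducible offline."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def run_demo() -> dict:
    """Walk one admin session through the normal, anomalous and expired paths."""
    clock = FakeClock(datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc))
    broker = JITBroker(ttl=timedelta(minutes=30), anomaly_threshold=80, clock=clock)
    results = []

    token = broker.request_elevation("alice", "db-admin", "ticket CHG-0000 (constructed)")
    results.append(broker.authorize_action(token, "read-config", anomaly_score=5))
    clock.advance(timedelta(minutes=10))
    results.append(broker.authorize_action(token, "rotate-service-key", anomaly_score=12))
    results.append(broker.authorize_action(token, "bulk-export", anomaly_score=95))  # revoked here
    results.append(broker.authorize_action(token, "read-config", anomaly_score=5))   # grant is gone

    token2 = broker.request_elevation("alice", "db-admin", "ticket CHG-0001 (constructed)")
    clock.advance(timedelta(minutes=31))
    results.append(broker.authorize_action(token2, "read-config", anomaly_score=5))  # expired

    return {"results": results, "audit": broker.audit}


if __name__ == "__main__":
    out = run_demo()
    print(out["results"])
    for event in out["audit"]:
        print(event)
```

Two design choices matter here. The expiry is checked at use time rather than by a background sweeper, so a stale grant can never be honoured even if the sweeper is late; and revocation is recorded with its reason, so the audit trail distinguishes a grant that simply timed out from one that was cut short because of the user’s behaviour.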
At the end of the day, PAM tools form a crucial piece of the secure access puzzle – but a complete zero-trust access strategy is needed to fully secure an environment.
Bad security practices like weak passwords, over-permissioned user roles, and shared accounts, along with problematic or legacy applications present gaps in the coverage of PAM solutions.
To fill these gaps and enable secure access to all resources for all users, organizations must bolster their PAM tools with technologies that perform all the requirements of zero-trust security, including network segmentation, data encryption, continuous authorization, and behavior analytics.