How to Add Privileged Access Management to Your IAM Practice
Highlights of Simeio’s August 19th “Ask Me Anything Coffee Talk Series”
This week we bring you another engaging and informative Coffee Talk session. Last Wednesday’s topic was “Privileged Identity Management.” The session hosts were Randy Fields, Director, Strategic Client Engagement at Simeio Solutions, and guest speaker, Sean Ryan, Senior Analyst Serving Security and Risk Professionals at Forrester. Here are some session highlights.
What are the benefits of adding PIM solutions to an IAM practice?
PIM is essential for any organization to secure access to their most critical assets. Employees have access to many functions and can get into the core systems. Our research at Forrester indicates that 80% of security incidents and breaches involve stolen credentials related to privileged accounts. Someone may get in through a phishing attack on a low-level employee and then move laterally until they get to the critical accounts. This gives them the keys to the kingdom, with domain-level control access within a Windows environment, and root-level access for a Linux environment. They can delete data, steal data, create new identities, and gain backdoor access. They get carte blanche to do whatever they want.
PIM becomes an important area to focus upon when considering the nature of security compliance and legislation regarding employee and customer data, and the potential risk factors.
We see many large companies that have implemented some aspect of PIM, and mid-size companies where there is a lot of green field and PAM is still done manually, with spreadsheets and sticky notes. Beyond that, it’s important to implement PIM with strong security measures and visibility into what’s going on across your networks and the key users who are the attack targets.
Identity is the new perimeter, and privilege is the threat surface. CISOs need to manage privileged accounts quickly and effectively within an environment where there is a diverse mix of products. From a Forrester perspective, we are great proponents of multi-factor authentication across the board, especially in conjunction with identity privilege management systems. It’s the best way to guard your business on the front-end.
Zero trust and identity are a big part of privileged management, especially as workforces are almost entirely remote. Relying on passwords isn’t going to cut it. Poor password hygiene puts businesses at risk. Enforcing strong policies, by making users rotate credentials and include special characters and wingdings in their passwords, just makes it more difficult. People undermine those policies all the time, making the business vulnerable to brute force attacks, credential stuffing, and bulk phishing attacks. Moving to multi-factor authentication done through an application, and involving things like biometrics and certificates, is a more secure approach.
You don’t want access to the password vault to be simple. Multi-factor for privileged users should be used as the gateway into your password vault. Access needs to be tied to that individual and have strong authentication controls.
How do you identify critical assets?
Discovery is a critical piece for PIM. Discovery is not just a data dump of logs. You need to have context with it and use the information to prioritize what you need to do. Unfortunately, there are heterogeneous systems from different generations, and new applications being on-boarded all the time. There are different types of privileged users and protocols. There is a ton of complexity, making it really difficult to accomplish.
Ultimately, you need to prioritize. Don’t try to take on everything at once. Secure every privileged user and asset. Employ every potential privileged access control tactic within your system. Step one is knowing who has access, especially superusers, like admins with domain and root-level access. Second, protect those assets that are critical to operations and that hold PII and customer credit card numbers. Be prepared for a journey. These are complex solutions, with lots of integration and customization. This is where service providers can help make things easier.
When we look at ITM or CNDT solutions, even the “good” ones only have 90% of assets under management. That 10% unknown makes security teams cringe. You can leverage existing business impact analysis from your business continuity audit, or DR team, to help identify the other critical assets that you can keep an eye on. We mentioned that MFA is on the front-end of protecting privileged assets. UPA is on the backend. If you bookend privileged accounts between them, you can limit log information to focus on what is most important.
What capabilities should we look for when evaluating PIM solutions?
The answer depends on the company’s stage of maturity, the type of assets you need to protect, and what kind of attacks you are trying to protect against. I look at the PIM vendor landscape in segments. There are big PIM suites, like BeyondTrust, CyberArk, Centrify, and CA/Symantec. They all have many capabilities, like vaults to secure credentials, monitoring for audit controls and forensics, real-time alerts, and real-time threat detection. These solutions help protect access and assets.
Another area is least-privilege access that prevents the over-granting of privileges. You have many admins doing multiple things, and they often need to cover for each other. Therefore, you need flexibility for privilege escalation management on endpoints and servers. You need to provide access, but you don’t want it available all the time. Set it up so an admin can be elevated to gain access, do their work, and have the access removed when the session ends. This limits lateral movement if a hacker tries to get into the system. Also, when an internal user elevates what they’re doing, you can monitor them more closely.
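To make the pattern concrete, here is an added example (not code from the session or from any vendor named above) of a minimal, in-memory check-out workflow: MFA proof is the gateway into the vault, each grant is time-boxed, check-in or lease expiry revokes it, and every decision lands in an audit trail. The vault, the `Grant` record and the injectable clock are assumptions for illustration only.

```python
from dataclasses import dataclass
import time

# Constructed, in-memory model of a PAM check-out workflow. Names and the
# toy vault are assumptions, not any real product's API.

@dataclass
class Grant:
    user: str
    target: str
    expires_at: float  # lease end, epoch seconds from the injected clock

class Vault:
    def __init__(self, clock=time.time, lease_seconds=900):
        self.clock = clock            # injectable so expiry can be tested
        self.lease = lease_seconds    # how long an elevation lasts
        self.active = {}              # (user, target) -> Grant
        self.audit = []               # append-only (time, event, user, target)

    def _log(self, event, user, target):
        self.audit.append((self.clock(), event, user, target))

    def checkout(self, user, target, mfa_verified):
        # MFA is the gateway into the vault: no fresh proof, no credential.
        if not mfa_verified:
            self._log("DENIED_NO_MFA", user, target)
            raise PermissionError("MFA required for privileged check-out")
        grant = Grant(user, target, self.clock() + self.lease)
        self.active[(user, target)] = grant
        self._log("CHECKOUT", user, target)
        return grant

    def is_elevated(self, user, target):
        # Standing access never exists: a grant is valid only inside its lease.
        grant = self.active.get((user, target))
        if grant is None:
            return False
        if self.clock() >= grant.expires_at:
            del self.active[(user, target)]   # revoke on expiry
            self._log("EXPIRED", user, target)
            return False
        return True

    def checkin(self, user, target):
        # Explicit check-in at session end removes the elevation immediately.
        if self.active.pop((user, target), None) is not None:
            self._log("CHECKIN", user, target)
```

Every `DENIED_NO_MFA`, `CHECKOUT`, `CHECKIN` and `EXPIRED` event is what the monitoring and forensics side of a PIM suite would consume.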
Additionally, companies need cloud governance for AWS, Azure, and Google Cloud Platform environments. This is becoming a pressing issue for companies that have already done PIM behind the firewall.
PIM is a subset of IAM. Yet security leadership fails to set adequate IAM goals, let alone PIM goals. We often see companies buying tools before they talk about the problem they’re trying to solve. Beyond tool fatigue, the average CISO turnover is 24-28 months. By the time they buy a tool and integrate it, a new CISO brings in their new tools. It’s better to maximize the investments you’ve already made and have clarity about the purpose and purchase of new tools.
Tools don’t solve process or culture problems. All too often, a culture around privileged accounts is what needs to be corrected. A C-level person should stand up and say, “no more multiple logins, no more use of accounts without vaulting, or check-in/check-out, or MFA.” Otherwise, you’re just going to buy more tools, and realize they are ineffective because the culture around it is not supportive.
Make sure the admin user experience is good, because you need to secure admins. They are logging in hundreds of times every day. If you make it too cumbersome, they’ll reject it and find workarounds. Or they’ll complain so much that, before you know it, somebody starts looking for another tool.
Understand your own processes up-front. What needs to change for privileged users, and more broadly, your employees when you implement PIM? Look for solutions that are a seamless fit with what you already have in place. Be willing to change methods and processes in a way that aligns with a given tool.
How do you evaluate what PIM integrations are necessary, and the costs associated with them?
Costs can be complex; PIM does not have a straightforward pricing model. Each vendor does it differently, using different metrics, like per-user, per target system, consumption, and sometimes a combination of them all. Target systems can be defined differently. Some vendors charge separately for integration and customization. These less apparent costs need to be detailed by the vendors because the services component can be substantial. Trying to conduct side-by-side pricing comparisons can be very complicated. It can be challenging to determine what the real costs are going to be in the long run. Forrester has a report called Privileged Identity Management Pricing Insight For Buyer Advantage. This has essential information to help compare PIM vendor pricing side-by-side, and account for the all-in costs of buying and maintaining a PIM solution.
Comparing features and determining how much of a partner the vendor will be is very important. This is where a services partner can help with vendor selection, assessments, and identifying IAM and PIM goals. There are many factors to consider, like determining deployment phases, operations, the type of expertise you will need, and training.
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this, and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
Click here to sign up for Forrester’s live virtual experience on Security & Risk, held on September 22 – 23.
We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions, and gain insights into how you can lower operational costs and achieve greater security and privacy using IAM. Click here to sign up.