Privileged Accounts Part II
Highlights from Simeio’s September 16th “Ask Me Anything Coffee Talk Series”
This week we bring you another informative Coffee Talk session. Last Wednesday’s topic was “Authentication of Privileged Accounts Part II”. The session hosts were Vikram Subramanian, VP of Solutions at Simeio, and Christopher Hills, Deputy CTO at BeyondTrust. Here are some session highlights.
When should a PAM solution be implemented?
Ideally, every company should have a PAM (Privileged Access Management) solution for centralized management. If you have secrets to keep, you need PAM. And if a key protects those secrets, put the key in a PAM box. Companies have high-profile service accounts, domain admin accounts, and accounts with sensitive data tied to PII or sensitive corporate information. Those accounts can be susceptible to cybersecurity breaches.
When I talk to organizations about best practices, I reference their portfolio that can be viewed in two ways. One is through the lens of an enterprise with these areas of account risk that need to be closed up through PAM. These approaches are how enterprises can mitigate risk from rotating passwords to controlling sessions with shared accounts and removing clear text passwords in scripts with APIs.
The flip-side perspective is addressing this from a cybersecurity criminal point of view. These accounts can be vulnerable and used against the organization through a breach. The bottom line is, the stronger the PAM footprint, the greater it helps in reducing risk. We’ve gotten to a stage in cybersecurity, where now it’s not a matter of if, but when, you will have a breach. The key is making sure you are well-prepared.
When and how should security risk and privacy officers evaluate risk and apply PAM to reduce it?
As a result of the COVID-19 pandemic, security risk and privacy officers either are not thinking about PAM or will implement PAM only after witnessing the compliance manager worrying about how they will pass an audit. We are really talking about compliance. Now that everyone is working remotely, how can we prove the data held within the organization is not being compromised and stored locally? Maybe there is a BYOD policy in place. Perhaps IT doesn’t know how data is being brought out of the corporate network to a home computer. From a PAM perspective, session management is critical, versus having data downloaded externally through a VPN client that can expose the entire corporate network.
When people work from home, they may not have enough laptops for the family, and a family member uses the company laptop. The critical question is, how do we limit that exposure?
There needs to be a balance between meeting compliance and passing audits while continuing business continuity with a remote workforce. When COVID first came on the scene, there was a rush to get remote workers up and running. Now, as we hopefully see a time of getting back to normalcy, organizations will find mistakes that were made. They’re going to face shadow IT. They will need to clarify and clean up problem areas that were initially brought in due to the required changes.
Enterprise risk is heightened because of a lack of a controlled environment, and people are always the weakest link.
As we expand remotely, how do we reduce the human risk factor?
This is where a remote management solution adds excellent value for remote workers and onboarding contractors, and other third-party users. Those users must be enabled with session management, and the sessions must be recorded through a PAM solution to control the risk.
There are two types of cybersecurity threats: insider threats and outside threats. As a result of this vast remote workforce, we’ve added a third threat, the trusted external user. Just as the remote workforce evolves, so do the cyber-criminals, with new social engineering tactics. There is too little emphasis on the cybersecurity and risk awareness that this new remote environment requires. Employees need to be educated and made more aware of the pitfalls associated with working remotely.
Do you recommend going down a path of shared accounts or privileged elevation?
Privileged elevation is about elevating user rights. In comparison, shared accounts are similar to named privileged accounts. I am a proponent of shared accounts where they make sense and are used for a dedicated purpose. The benefit is reducing the overhead of maintaining potentially hundreds of individual accounts, ensuring they are all in the right security groups, and making sure all the access management capabilities are fulfilled. Instead, you have just two or three shared accounts, with controls and accountability.
The caveat to shared accounts is when users give out their passwords to others. Shared accounts should be coupled with session management for adequate protection. For example, when a user logs into a centralized PAM solution, they check out the account, establish the RDP, SSH, web, or app connection, and record and control the session. From an audit and compliance perspective, the organization can go back and analyze who did what, when they did it, and why they did it. Now the organization has maintained compliance and accountability, and they have a record of what occurred. This is a best practice for using shared accounts.
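The check-out flow described above (a named user checks out a shared account, the session is tied to that user, and the organization can later see who did what, when and why) can be modelled in a few lines. This is an added illustration, not code from Simeio or BeyondTrust; the vault, its exclusive-checkout rule and the rotation-on-check-in behaviour are assumptions chosen to show the accountability record a PAM solution provides.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    """One line of the accountability record: who, which account, what, when, why."""
    when: str
    who: str
    account: str
    action: str
    reason: str


class SharedAccountVault:
    """Hypothetical minimal PAM vault for shared (not named) privileged accounts."""

    def __init__(self):
        self._secrets = {}      # account -> current credential
        self._checked_out = {}  # account -> named user currently holding it
        self.audit = []         # append-only audit trail

    def enroll(self, account):
        # The vault owns the credential; no human sees it outside a check-out.
        self._secrets[account] = secrets.token_urlsafe(24)

    def _log(self, who, account, action, reason):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, who, account, action, reason))

    def checkout(self, user, account, reason):
        """Hand the credential to one named user, with a mandatory reason."""
        if account not in self._secrets:
            raise KeyError(f"unknown account {account}")
        if not reason.strip():
            raise ValueError("a reason is required for every check-out")
        if account in self._checked_out:  # exclusive use: one user at a time
            raise PermissionError(f"{account} is held by {self._checked_out[account]}")
        self._checked_out[account] = user
        self._log(user, account, "checkout", reason)
        return self._secrets[account]

    def checkin(self, user, account):
        """Return the account and rotate the credential so a copied password dies."""
        if self._checked_out.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._checked_out[account]
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log(user, account, "checkin+rotate", "automatic rotation on check-in")

    def who_used(self, account):
        """Answer the audit question: who did what with this account, and why."""
        return [(e.who, e.action, e.reason) for e in self.audit if e.account == account]
```

A real PAM product additionally brokers the RDP/SSH/web session itself and records it; here the audit trail only captures the check-out and check-in events.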
PAM can be a challenging solution to adopt as a result of behavior. This is because it removes the ability for users to manage their own passwords. It takes away their admin access and requires connections through sessions. This can cause users to push back, as it is a culture shift for them. Communication is key to overcoming this cultural change. It’s essential to explain to employees how this solution protects the business, the company’s brand reputation, and the employee’s job. Let them know what might happen if the organization was to undergo a cybersecurity breach due to a compromised identity or password. It’s not to inhibit user productivity but to protect the user and the business from cybercriminals.
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this, and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs and achieve greater security and privacy using IAM.