Privileged Access Management: How It Works and How to Justify Budget
Highlights of Simeio’s April 29th “Ask Me Anything Coffee Talk Series”
On April 29, Simeio held its second “Ask Me Anything Coffee Talk Series”. The topic was “Privileged Remote Access (PRA)”. The session hosts were Bryan Hood, Director of Solutions Engineering at BeyondTrust, and Randy Fields, Director of Strategic Client Engagement at Simeio.
Extending credential management and control to protect corporate assets is critical for people using their own computers, smartphones, and tablets to access business systems and data.
Privileged remote access (PRA) and privileged access management (PAM) are subsets of identity access management (IAM). They let IT automate the control, management, and monitoring of employees, vendors, and contractors who access critical corporate assets.
PAM involves the management of all privileged credentials and sessions: every session is recorded and every credential is controlled. Users not accustomed to working from home and encountering problems can overwhelm IT help desk personnel with log-in and connectivity issues. The value derived from IAM and subset functions like PAM and PRA is managing and controlling all users, devices, and applications. There are many PAM/PRA solutions to choose from, including BeyondTrust’s SaaS-based encrypted solution. An advantage of BeyondTrust is that it does not connect directly to endpoints over the network, and therefore does not expose critical systems over the Internet.
In today’s challenging environment with COVID-19 causing so many employees to work from home, trusted connectivity is an absolute necessity. VPNs are great for desktop and laptop computers connecting over a trusted network. But when employees, vendors, and partners access corporate assets with their personal devices from home or in the field, that trusted environment no longer exists. In fact, privileged credentials and remote access from non-trusted endpoints represent over 80% of data breaches.
How PAM works
A PAM solution will take the credentials of privileged accounts that provide administrative access, and put them inside a secure repository (or vault). This isolates the use of privileged accounts, reducing the risk of those credentials being stolen or misused. Once inside the repository, system administrators must go through the PAM system to access their credentials, at which point they are authenticated, and their access is logged. When a credential is checked back in, it is reset to ensure administrators must go through the PAM process the next time they want to use the credential.
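The check-out/check-in cycle described above, as an added illustrative model (not BeyondTrust’s or Simeio’s code): the vault authenticates the requester, logs every decision, hands out the secret only while it is checked out, and rotates it on check-in so the released value stops working. The class, method and account names are assumptions made for the example.

```python
import secrets
from datetime import datetime, timezone

class CredentialVault:
    """Toy model of a PAM vault; names and structure are illustrative, not a product API."""
    def __init__(self, authorized_admins):
        self._secrets = {}        # account -> current secret held in the vault
        self._checked_out = {}    # account -> admin currently holding it
        self._authorized = set(authorized_admins)  # stand-in for the authentication step
        self.audit_log = []       # every access decision, allowed or denied, is recorded
    def enroll(self, account):
        """Take a privileged account into the vault and give it a fresh random secret."""
        self._secrets[account] = secrets.token_urlsafe(24)
    def _log(self, event, admin, account, ok):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "admin": admin, "account": account, "ok": ok})
    def check_out(self, admin, account):
        """Authenticate the admin, log the request, and release the secret only if allowed."""
        if admin not in self._authorized or account not in self._secrets:
            self._log("checkout", admin, account, False)
            raise PermissionError(f"{admin} may not check out {account}")
        if account in self._checked_out:   # one holder at a time keeps sessions attributable
            self._log("checkout", admin, account, False)
            raise RuntimeError(f"{account} already held by {self._checked_out[account]}")
        self._checked_out[account] = admin
        self._log("checkout", admin, account, True)
        return self._secrets[account]
    def check_in(self, admin, account):
        """Return the account and reset its secret so the released value no longer works."""
        if self._checked_out.get(account) != admin:
            self._log("checkin", admin, account, False)
            raise PermissionError(f"{admin} does not hold {account}")
        del self._checked_out[account]
        self._secrets[account] = secrets.token_urlsafe(24)  # rotation forces the next check-out
        self._log("checkin", admin, account, True)
    def verify(self, account, secret):
        """Stand-in for the target system validating a presented secret."""
        return secrets.compare_digest(self._secrets.get(account, ""), secret)

def demo():
    """Constructed walkthrough: secret works while checked out, not after check-in."""
    vault = CredentialVault(authorized_admins={"alice"})
    vault.enroll("root@db01")                      # constructed sample account
    pw = vault.check_out("alice", "root@db01")
    valid_during = vault.verify("root@db01", pw)
    vault.check_in("alice", "root@db01")
    valid_after = vault.verify("root@db01", pw)
    return valid_during, valid_after, len(vault.audit_log)
```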
Justifying budget for PAM
Risk posture and return on investment (ROI) are two approaches for justifying a PAM budget. An obvious way to justify the budget for any security solution is learning from the mistakes of those who have already experienced data breaches. The Verizon 2019 Data Breach Investigations Report (DBIR) offers many examples. DBIR includes critical perspectives on threats, using real-world data from tens of thousands of security incidents and thousands of data breaches throughout the world.
Reducing costs can have a great impact on management. Working with the IAM vendor, IT and security teams can show how an investment in IAM saves operational costs compared with manually onboarding new employees and vendors and managing service accounts. Automating local privileged accounts can deliver a quick ROI by reducing service desk tickets. Reducing business opportunity loss is another area where PAM provides cost benefits, by reducing down-time and improving employee productivity. Companies are only as secure as their weakest link. While users are the front line of defense, they are often the weakest link. PAM controls provide an additional layer of protection. Without this added protection, if a breach occurs, customer and corporate information is vulnerable to theft. This can lead to a host of problems with customers, regulators, and investors.
A holistic IAM approach to security and privacy
Securing access to corporate systems requires more than password protection. Today’s enterprises have servers, desktops, laptops, tablets, smartphones, IoT devices, and diverse applications and users that are internal and external. Employees access apps from private, public, and hybrid clouds, extending the network perimeter well beyond the corporate firewall and endpoints, to identities that can be located anywhere.
Protecting corporate assets requires a comprehensive and holistic approach that leverages people, processes, and technology. A holistic solution will minimize multiple attack surfaces, control privileged users, sessions and file activities, analyze assets and user behavior, and integrate multiple, diverse systems into a cohesive solution. As opposed to the limited visibility of single-function tools, a holistic IAM solution gives IT and security teams single-pane-of-glass visibility across all the integrated systems, apps, and users.
Want to learn more? You can watch this on-demand Coffee Talk session here.
We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs, and achieve greater security and privacy using IAM. Click here to sign up.