Published on July 29th, 2019 | by Melanie Sovann
6 Critical Reasons Why a PAM Strategy Is Critical for Any IT Organization
The 2013 Target breach actually came from negligence on the part of an HVAC contractor (and negligence on the part of Target too, of course). Data was not properly secured, and individuals who should never have had access to that data did. And what a nightmare it was.
Lest you think that targets are always larger enterprises, think again. Smaller organizations are deemed to be easier to hack because they do not have the level of security that the big boys have. In fact, in a May 2016 survey, 56% of small to mid-sized companies responding stated that they had experienced data breaches because of negligent or malicious employee behavior. And by mid-2019 there had already been significant cybersecurity issues and breaches.
Which brings us to Privileged Access Management (PAM): developing a strategy that identifies who in an organization has access to clearly confidential, proprietary, and at-risk data, to what, from where, and when, because a compromise of that data can compromise the organization and/or its end users/customers.
Defining PAM
PAM is first and foremost a cybersecurity strategy for controlling access and permissions on the part of people, processes, and systems in an IT environment. Proper control means a reduction in both external and internal threats.
Critical to this control/management is the concept of “least privilege,” that is, reducing both the number of accounts that hold privileged access and the amount of privilege each of them is given. This reduction obviously reduces threats. And that, of course, is the primary reason why a PAM strategy is so critical for any organization. This strategy, naturally, falls to the IT department.
The Risks and Threats that Require a PAM Strategy
Obviously, preventing data breaches, or at least minimizing the damage from such an event, is of paramount importance. Knowing the risks and threats of privileged access and minimizing them upfront will help IT administrators develop a good PAM strategy. Here is a list of such risks/threats.
1. Lack of Awareness of User Privilege
Over time, access privilege gets spread out. People leave the company; new staff comes on board. And it is easy to overlook how much access current and former employees have. And as the staff moves about within an organization, user privileges are often expanded.
2. Too Much Privilege Given Out
It is important to identify exactly which privileges each user needs in order for everyone’s workflow to proceed well. And as people move up within their departments, switch to other departments, etc., they are provided additional and different privileges. They end up having privileges they no longer need, and yet those are often not removed.
All of this unneeded access can create a “bloat,” and the bigger the bloat the greater the chance of attack – hackers stealing passwords or installing malicious code to be delivered as a user surfs the web or personal emails. This can all lead to attacks on networked devices as well.
3. Shared Accounts and Even Passwords
No matter how convenient it may seem, IT teams who share passwords and/or accounts increase vulnerability, and, if a breach should occur, make it difficult to identify the source.
4. Single Passwords for Multiple Accounts
When employees are provided privileged access to multiple accounts, each with its own login, they may, again because of convenience, use the same password for all of them. When one account is hacked, then, it is nothing for hackers to gain access to all accounts through that single password. Unique passwords for each account are often not required, posing a huge security risk.
5. Apps and Services Given Default Access
This is common. Apps and service accounts are often given default access in order to perform as they should. And, in many instances, these defaults are more than are necessary for those apps and services to operate. Again, this often occurs because it is more convenient than taking the time to work out which access each of these actually needs and configuring access accordingly.
6. IoT and Cloud Computing via Multiple Devices
Given the nature of work today, users with privileged access may be logging in on multiple devices in order to manage their workflow. While keycodes and two-factor authentication will help, there are still human errors: failing to log out securely, or keeping apps, etc. open beyond necessary use, leaves these devices open to hacking. And once this occurs on any of these external devices, entire in-house systems can be compromised.
There are other threats, of course, but these appear to be the most common. Whether the threat vectors are external or internal, they must be identified and a PAM strategy developed that will address them as well as possible.
Toward an Effective PAM Strategy – Best Practices
As IT administrators develop PAM strategies, here are the most important best practices:
1. Establish a Privilege Management Policy
Identify how access will be provided and removed. One of the worst things an organization can do is allow dormant or orphaned accounts to sit out there, especially if access is not deleted when employees leave.
2. Identify Who Currently Has What
Begin any strategy with a complete audit of who has what. Record all of it in a database; with that in place, removal of access can actually be automated when an employee leaves the organization. Any audit should also include outside contractors (don’t forget Target’s mistake), apps and services, cloud accounts, etc. This can point out access that users no longer need, and this is important. Passwords must also be audited: those with no expiration date are obviously not acceptable, and using the same passwords or SSH keys for several accounts/servers is also not good.
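Here is what such an audit looks like once the inventory is in a database. This is an added example, not code from the original post; the account records, dates, key fingerprints, and the 90-day dormancy threshold are all constructed for illustration. It flags orphaned accounts of people who have left, dormant accounts, passwords with no expiration date, service accounts holding blanket privileges, and SSH keys reused across servers or shared between accounts.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed audit parameters (not from the article).
AUDIT_DATE = date(2019, 7, 29)
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    kind: str                          # "employee", "contractor" or "service"
    privileges: List[str]
    employed: bool                     # False once the person or contract has left
    last_login: Optional[date]         # None means never logged in
    password_expires: Optional[date]   # None means no expiration configured
    ssh_key: Optional[str] = None      # key fingerprint, if key-based access exists
    hosts: List[str] = field(default_factory=list)  # servers the key is authorised on


def audit(accounts: List[Account], today: date = AUDIT_DATE) -> List[Tuple[str, str]]:
    """Return (account, issue) pairs for every policy violation found."""
    findings = []
    key_holders = defaultdict(set)
    for a in accounts:
        if not a.employed:
            findings.append((a.name, "orphaned: owner has left but access remains"))
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append((a.name, "dormant: no login within %d days" % DORMANT_AFTER.days))
        if a.password_expires is None:
            findings.append((a.name, "password has no expiration date"))
        if a.kind == "service" and any(p.endswith(":all") for p in a.privileges):
            findings.append((a.name, "service account holds blanket privileges"))
        if a.ssh_key:
            key_holders[a.ssh_key].add(a.name)
            if len(a.hosts) > 1:
                findings.append((a.name, "same SSH key authorised on %d servers" % len(a.hosts)))
    # The same fingerprint on more than one account means the private key itself is shared.
    for names in key_holders.values():
        if len(names) > 1:
            for n in sorted(names):
                findings.append((n, "SSH key shared with: " + ", ".join(sorted(names - {n}))))
    return findings


# Constructed sample inventory: names, privileges, dates and fingerprints are made up.
INVENTORY = [
    Account("alice", "employee", ["db:admin"], True, AUDIT_DATE - timedelta(days=3),
            AUDIT_DATE + timedelta(days=40), "SHA256:AAAA", ["db1"]),
    Account("bob", "employee", ["db:admin", "web:admin"], False,
            AUDIT_DATE - timedelta(days=200), None),
    Account("hvac-vendor", "contractor", ["vpn", "billing:read"], True,
            AUDIT_DATE - timedelta(days=120), AUDIT_DATE + timedelta(days=10)),
    Account("backup-svc", "service", ["root:all"], True, AUDIT_DATE - timedelta(days=1),
            None, "SHA256:BBBB", ["web1", "web2", "db1"]),
    Account("carol", "employee", ["web:deploy"], True, AUDIT_DATE - timedelta(days=1),
            AUDIT_DATE + timedelta(days=20), "SHA256:BBBB", ["web1"]),
]

if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print("%-12s %s" % (name, issue))
```

Run against the sample inventory, only alice comes out clean; the departed bob, the long-idle contractor, and the service account with a never-expiring password and a key spread across three servers each produce findings, which is exactly the list an administrator would work through before reducing anyone’s access.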
3. Establish a least privilege policy
And enforce it strictly. Elevate privileges as necessary but delete those no longer in need. Dormant accounts are dangerous. If access has not been audited in a long time, it is best to begin by reducing all users to standard access and then adding in privileges individually. From that point, it will be easier to track who has what access and when those should be elevated or reduced.
Even Microsoft was remiss in this area. A system vulnerability it suffered in 2016 could have been prevented if administrator privileges that were no longer needed had been removed. Even the big boys can make these kinds of mistakes.
4. Temporary Access Policy
There will be times when users will need elevated access for a specific period of time. These should have an expiration date so that they are automatically eliminated.
5. Separate Out Privileges Within Account Functions
Everyone is familiar with permissions such as “read, write, edit,” etc. These should be separated out according to specific user needs. No one should have more access than absolutely necessary. If they should need additional access, then there must be a formal request and review prior to approval.
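Practices 3, 4 and 5 fit together in one small model: every account starts from a standard baseline, anything above it is a separate, fine-grained permission (read is distinct from write), and each elevation is recorded with an approver and a mandatory expiry so it removes itself. The following is an added example written for this post, not the author’s code or any product’s API; the baseline set, the eight-hour cap, and the users and permissions in the scenario are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Assumed policy parameters, not taken from the article.
STANDARD_ACCESS = frozenset({"email", "wiki:read"})   # what every account is reset to
MAX_ELEVATION = timedelta(hours=8)                    # longest single temporary elevation


@dataclass
class Grant:
    user: str
    permission: str       # fine-grained, e.g. "payroll:read" rather than "payroll"
    approved_by: str      # reviewer who signed off the request
    expires: datetime     # mandatory: the elevation removes itself


class PrivilegeStore:
    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def reset_to_standard(self, user: str) -> int:
        """Drop every elevation for a user; they keep only STANDARD_ACCESS."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)

    def grant(self, user: str, permission: str, approver: str,
              duration: timedelta, now: datetime) -> Grant:
        """Record an approved, time-boxed elevation. Self-approval is refused."""
        if approver == user:
            raise PermissionError("a request must be reviewed by someone other than the requester")
        if duration > MAX_ELEVATION:
            raise ValueError("elevation longer than %s needs a standing role review" % MAX_ELEVATION)
        g = Grant(user, permission, approver, now + duration)
        self.grants.append(g)
        return g

    def effective(self, user: str, now: datetime) -> Set[str]:
        """Baseline plus whatever grants have not yet expired."""
        active = {g.permission for g in self.grants if g.user == user and g.expires > now}
        return set(STANDARD_ACCESS) | active

    def authorize(self, user: str, permission: str, now: datetime) -> bool:
        return permission in self.effective(user, now)

    def purge(self, now: datetime) -> List[Grant]:
        """Scheduled cleanup: remove expired grants and return them for the audit log."""
        expired = [g for g in self.grants if g.expires <= now]
        self.grants = [g for g in self.grants if g.expires > now]
        return expired


if __name__ == "__main__":
    # Constructed scenario: dana needs read access to payroll for one afternoon.
    store = PrivilegeStore()
    t0 = datetime(2019, 7, 29, 9, 0)
    store.grant("dana", "payroll:read", approver="erin", duration=timedelta(hours=4), now=t0)
    for hours in (1, 5):
        t = t0 + timedelta(hours=hours)
        print(t.time(), "read:", store.authorize("dana", "payroll:read", t),
              "write:", store.authorize("dana", "payroll:write", t))
    print("expired and removed:", [g.permission for g in store.purge(t0 + timedelta(hours=5))])
```

Because authorization is computed from the baseline plus unexpired grants, there is no separate “remember to revoke” step: an elevation that was never purged still stops working the moment it expires, and a reset of a user simply clears their grants.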
6. Develop Password Policies and Enforce Them Strictly
Establish rules for password creation, to reduce chances of attack – they should be unique and complex. Establish a schedule for mandatory password changes. In cases of highly sensitive data, allow only single-use passwords which are deleted after that use.
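To make those rules enforceable rather than aspirational, the check has to run at the moment a password is set. The example below is added here and is not from the original post; the length and character-class rules, the 90-day rotation interval, the five-password history, and the PBKDF2 round count are assumed values. It rejects weak candidates, refuses reuse of recent passwords by comparing against salted hashes (never storing the plaintext), reports when rotation is due, and, for the most sensitive access, issues single-use credentials that are deleted on their first redemption.

```python
import hashlib
import secrets
import string
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed policy parameters, not taken from the article.
MIN_LENGTH = 14
MAX_AGE = timedelta(days=90)       # mandatory rotation interval
HISTORY_DEPTH = 5                  # previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def strength_problems(password: str) -> List[str]:
    """Return the complexity rules a candidate password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        problems.append("needs at least three of: upper, lower, digit, symbol")
    return problems


class PasswordPolicy:
    def __init__(self) -> None:
        # user -> [(salt, hash)] newest last; only hashes are kept
        self.history: Dict[str, List[Tuple[bytes, bytes]]] = {}
        self.set_on: Dict[str, date] = {}

    def set_password(self, user: str, password: str, today: date) -> None:
        problems = strength_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        for salt, digest in self.history.get(user, []):
            if secrets.compare_digest(_hash(password, salt), digest):
                raise ValueError("password was used within the last %d changes" % HISTORY_DEPTH)
        salt = secrets.token_bytes(16)
        hist = self.history.setdefault(user, [])
        hist.append((salt, _hash(password, salt)))
        del hist[:-HISTORY_DEPTH]          # keep only the most recent entries
        self.set_on[user] = today

    def rotation_due(self, user: str, today: date) -> bool:
        return user not in self.set_on or today - self.set_on[user] >= MAX_AGE


class OneTimeCredentials:
    """Single-use secrets for the most sensitive access: valid for exactly one redemption."""

    def __init__(self) -> None:
        self._digests: Dict[bytes, str] = {}   # sha256(token) -> purpose

    def issue(self, purpose: str) -> str:
        token = secrets.token_urlsafe(24)
        self._digests[hashlib.sha256(token.encode()).digest()] = purpose
        return token

    def redeem(self, token: str) -> bool:
        # pop() deletes the entry, so a second redemption of the same token fails
        return self._digests.pop(hashlib.sha256(token.encode()).digest(), None) is not None


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(strength_problems("password"))                 # constructed weak candidate
    policy.set_password("alice", "Correct-Horse-Battery-9", date(2019, 7, 29))
    print("rotation due in 30 days:", policy.rotation_due("alice", date(2019, 8, 28)))
    vault = OneTimeCredentials()
    token = vault.issue("prod-db-root")
    print("first use:", vault.redeem(token), "second use:", vault.redeem(token))
```

Only salted hashes are kept for the reuse check, so the history itself is not a second copy of everyone’s passwords; the one-time store likewise keeps digests, so even a leaked copy of it cannot be replayed.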
7. Monitor All Privileged Activity
This will help to identify potentially suspicious activity. Recording keystrokes and screenshots should be a part of this, especially when the most sensitive accounts are accessed.
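Session recordings are only useful if someone looks at the right ones, so monitoring also needs rules that pick out which privileged sessions deserve a look. Below is an added example of such detection logic, not code from the original post; the log format, hosts, users, addresses, the admin jump-host subnet, the tier-0 host list, and the business-hours window are all constructed. It parses a few sample privileged-session log lines and raises alerts for activity outside business hours, interactive use of a service account, sessions that did not come through the admin network, and accounts that are not approved for the most sensitive hosts.

```python
import ipaddress
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample session log; hosts, users and addresses are made up.
LOG = """\
2019-07-29T09:12:41Z host=web1 user=alice event=sudo src=10.0.1.20 cmd="systemctl restart nginx"
2019-07-29T02:14:05Z host=db1 user=alice event=sudo src=10.0.1.20 cmd="pg_dump customers"
2019-07-29T10:30:00Z host=db1 user=backup-svc event=login src=10.0.5.7 cmd=""
2019-07-29T11:05:22Z host=db1 user=hvac-vendor event=sudo src=203.0.113.9 cmd="cat /etc/shadow"
2019-07-29T11:06:00Z host=web1 user=carol event=sudo src=10.0.1.31 cmd="tail /var/log/nginx/error.log"
"""

LINE = re.compile(r'(\S+) host=(\S+) user=(\S+) event=(\S+) src=(\S+) cmd="([^"]*)"')
ADMIN_NET = ipaddress.ip_network("10.0.1.0/24")   # assumed jump-host subnet
TIER0_HOSTS = {"db1"}                              # assumed most sensitive systems
TIER0_ALLOWED = {"alice", "backup-svc"}            # accounts approved for tier-0 hosts
BUSINESS_HOURS = range(8, 18)                      # UTC, assumed


def parse(line: str) -> Optional[dict]:
    """Turn one log line into a record, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, user, event, src, cmd = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "event": event, "src": ipaddress.ip_address(src), "cmd": cmd}


def detect(log: str) -> List[Tuple[int, str, str]]:
    """Return (line number, user, reason) for every rule a privileged event trips."""
    alerts = []
    for n, line in enumerate(log.splitlines(), 1):
        e = parse(line)
        if e is None:
            alerts.append((n, "?", "unparseable line"))   # a gap in the record is itself a finding
            continue
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append((n, e["user"], "privileged activity outside business hours"))
        if e["user"].endswith("-svc") and e["event"] in ("login", "sudo"):
            alerts.append((n, e["user"], "interactive use of a service account"))
        if e["src"] not in ADMIN_NET:
            alerts.append((n, e["user"], "privileged session not from the admin network"))
        if e["host"] in TIER0_HOSTS and e["user"] not in TIER0_ALLOWED:
            alerts.append((n, e["user"], "account not approved for tier-0 host"))
    return alerts


if __name__ == "__main__":
    for n, user, reason in detect(LOG):
        print("line %d  %-12s %s" % (n, user, reason))
```

On the sample log the two routine sudo sessions from the admin subnet during the day produce nothing, while the 02:14 database dump, the service account logging in interactively from an unexpected subnet, and the contractor reaching the database host from outside each get flagged; those are the sessions whose keystroke and screen recordings should be reviewed first.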
8. Promulgating a Policy that Everyone Can Understand
No insult intended, but techies tend to be immersed in their knowledge and jargon. Someone in HR may not understand all of the policy details unless that policy is crafted in “lay” terms that anyone can understand. Present the basics of permission and access first, then the details of the constructed policy, and have the whole document reviewed. It might be wise to find an individual freelance writer or use a professional writing service, such as WowGrade, to provide a “lay” opinion and potential edits. The goal, of course, is that everyone in an organization, down to a warehouse manager or clerk, will clearly understand.
In the End
Privileged access cannot (and should not) be avoided. But managing all of the aspects of that access is critical to prevent, mitigate, and reduce security risks and threats. An organization that does not have a PAM strategy that is codified in writing and enforced is asking for trouble.