Privileged accounts are gold mines for malicious actors. They offer persistent access to valuable corporate resources and pose massive risk to organisations. Once an adversary has defeated authentication and obtained privileged credentials, moving laterally and reaching many more resources is too easy.
The most privileged access is not always granted to the most senior employees. Administrative and personal assistants often have the broadest access to corporate resources, and they are low hanging fruit for attackers: usually among the least well prepared to recognise or withstand phishing and similar attacks. Privilege promiscuity of this kind creates challenges not only for Privileged Access Management (PAM) but for other digital risk controls too.
Scaling PAM is Complex
Think of PAM as a way of stopping people from abusing privilege. Imagine that you need a plumber to repair your kitchen sink. The plumber is granted access to your house through the front door and is guided to the kitchen. The plumber is monitored, leaves the kitchen as soon as the job is done, and then leaves the house. The worst outcome is a shoddy job or perhaps the theft of a few pieces of cutlery or some fridge magnets. In other words, the plumber's access was managed and privilege was granted only as needed. This is good PAM.
Bad PAM is the scenario in which the plumber is granted access to your home and nobody is in to monitor what the plumber does. The plumber may well be honest, do the job and leave. But there is a significant risk that the plumber takes advantage of the privileged access granted: every room and every item in the house is within reach. The plumber can invite other people into the house, including a friend who copies the data from every hard drive in the place. This level of access lets the plumber steal credit cards, jewellery, PII, credentials and more.
Now imagine hundreds of plumbers and other tradespeople entering and leaving the house at different times and for different purposes, each with distinct tasks and a need for access to different rooms and items, around the clock. This is the challenge security operations face: there are often hundreds or thousands of users, each with different privileges to manage. Organisations struggle to keep up with the sheer scale of PAM and all its moving parts. PAM also has to track the ongoing change in staff roles and responsibilities, which directly changes who needs privileged access to what.
Privilege Sprawl and Privilege Overkill Are Rife in Asia
Once an adversary compromises a privileged account and is able to move laterally, they can reach email, intellectual property, employee data, customer data, sales data, invoicing and expense approvals, and many other systems and processes. Beyond the short-term financial risk, an organisation faces operational, legal and reputational risk from such a breach. The attacker can deploy ransomware or other malware to sabotage operations, and can steal PII and credentials to sell or to use against the victim, causing further reputational and legal damage.
Privilege sprawl is common in Asian organisations. IT departments often struggle to keep track of who has access to what. Worse, they typically over-provision access for their stakeholders: they are usually more concerned with earning positive feedback from the business for the IT resources they provide than with aggressive risk management.
Specialised PAM solutions have emerged to mitigate the risk of unauthorised account access. The term privileged access management is a bit of a misnomer, though: today's organisations need to ensure that all access is managed correctly. With a growing number of devices, bots and people accessing corporate resources, the scope of PAM solutions is much broader than managing privileged administrator accounts alone.
A Zero Trust Approach to PAM Is Necessary
Organisations need to take a zero trust approach to PAM. Just in time access (JITA) needs to become the norm, ending persistent privileged access. Access needs to be granted for the minimum time and with the minimum rights the task requires, ending privilege promiscuity. Zero standing privilege needs to be the default state of systems and networks: access is removed as soon as the work is complete and provisioned again only when it is next needed. This approach is a risk management necessity, yet few organisations in Asia have achieved it. The sheer number of moving parts makes the exercise particularly onerous, and this is where PAM solutions play a role.
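To make the zero standing privilege model concrete, the following is an added illustrative example, not code from the original article or from any PAM product. It models a minimal just in time broker: every access check is denied unless a live grant covers that principal and role, grants are issued only with a justification ticket and a bounded time to live, a grant can be revoked early when the work finishes, expired grants are swept, and an audit reports any grant with no expiry as standing privilege to be eliminated. The principals (alice, bob, carol, svc_backup), roles and ticket numbers are constructed sample data.

```python
"""Toy zero-standing-privilege broker: default deny, time-bound grants,
early revocation, expiry sweeps and an audit for standing privilege.
Illustrative model only; principals, roles and tickets below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str
    roles: FrozenSet[str]
    expires_at: Optional[datetime]  # None models a legacy, always-on grant
    ticket: str                     # change/incident reference justifying the access


class JitBroker:
    """Every access check is 'deny' unless a live grant covers principal and role."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)) -> None:
        self.max_ttl = max_ttl
        self._grants: List[Grant] = []

    def request(self, principal: str, roles: Iterable[str], ticket: str,
                ttl: timedelta, now: datetime) -> Grant:
        """Issue a time-bound grant; rejects unbounded or over-long requests."""
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            raise ValueError(f"ttl must be within (0, {self.max_ttl}]")
        grant = Grant(principal, frozenset(roles), now + ttl, ticket)
        self._grants.append(grant)
        return grant

    def import_standing_grant(self, principal: str, roles: Iterable[str]) -> Grant:
        """Load a pre-existing always-on entitlement so the audit has something to find."""
        grant = Grant(principal, frozenset(roles), None, "legacy")
        self._grants.append(grant)
        return grant

    def is_authorized(self, principal: str, role: str, now: datetime) -> bool:
        """Default deny: a role is usable only via a matching, unexpired grant."""
        return any(
            g.principal == principal and role in g.roles
            and (g.expires_at is None or now < g.expires_at)
            for g in self._grants
        )

    def revoke(self, grant: Grant) -> None:
        """Work finished early: tear the grant down instead of letting it run out."""
        self._grants = [g for g in self._grants if g != grant]

    def expire(self, now: datetime) -> int:
        """Remove grants whose window has closed; returns how many were swept."""
        before = len(self._grants)
        self._grants = [g for g in self._grants
                        if g.expires_at is None or now < g.expires_at]
        return before - len(self._grants)

    def standing_privileges(self) -> List[Grant]:
        """Audit: a grant with no expiry is standing privilege and should not exist."""
        return [g for g in self._grants if g.expires_at is None]


def demo() -> Dict[str, object]:
    """Walk constructed grants through their lifecycle; returns what was observed."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(max_ttl=timedelta(hours=4))
    broker.import_standing_grant("svc_backup", {"db_admin"})  # constructed legacy account

    denied_by_default = not broker.is_authorized("alice", "db_admin", t0)

    broker.request("alice", {"db_admin"}, "CHG-1042", timedelta(minutes=30), t0)
    t_mid, t_late = t0 + timedelta(minutes=10), t0 + timedelta(minutes=31)
    allowed_in_window = broker.is_authorized("alice", "db_admin", t_mid)
    scope_enforced = not broker.is_authorized("alice", "domain_admin", t_mid)
    denied_after_expiry = not broker.is_authorized("alice", "db_admin", t_late)

    carol = broker.request("carol", {"db_admin"}, "INC-77", timedelta(hours=2), t0)
    broker.revoke(carol)  # incident closed early: do not wait for expiry
    denied_after_revoke = not broker.is_authorized("carol", "db_admin", t_mid)

    try:
        broker.request("bob", {"db_admin"}, "CHG-1043", timedelta(days=30), t0)
        long_ttl_rejected = False
    except ValueError:
        long_ttl_rejected = True

    swept = broker.expire(t0 + timedelta(hours=1))  # alice's grant; legacy one survives
    return {
        "denied_by_default": denied_by_default,
        "allowed_in_window": allowed_in_window,
        "scope_enforced": scope_enforced,
        "denied_after_expiry": denied_after_expiry,
        "denied_after_revoke": denied_after_revoke,
        "long_ttl_rejected": long_ttl_rejected,
        "swept": swept,
        "standing": [g.principal for g in broker.standing_privileges()],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points worth copying into a real deployment are that authorisation is computed at request time from the grant's expiry rather than from a flag set when the grant was issued, so a clock check is what ends access, and that the audit treats any entitlement without an expiry as a finding: the legacy svc_backup account here survives every sweep precisely because it has no expiry, which is the standing privilege a PAM programme has to hunt down.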