From a cybersecurity standpoint, 2018 was a disaster. We saw three of the ten biggest data breaches of all time, according to USA Today: Marriott (500 million accounts), Under Armour (150 million) and Quora (100 million).
High-profile data breaches seemed to make headlines every day, as attackers continued their assault on companies that are not doing enough to protect themselves.
The onslaught continues in 2019, and we’ve already seen the exposure of 3.5 billion user profiles in the “Collection 1” leak and the subsequent “Collection 2-5” dump.
Breaching a network is the easy part for attackers. Once inside, they immediately try to secure as much privilege as possible so they can access the most critical infrastructure and sensitive data within the organization. A recent Centrify survey of 1,000 IT decision makers found that 74 percent of data breaches involved privileged credentials.
So attackers get inside, settle in and fan out, moving laterally around the network searching for specific target data. To successfully move and scan they are constantly on the hunt for privileged credentials and privileged access. Having figured out where the valuable data resides, it’s time to elevate privilege to exfiltrate the data and then cover their tracks to avoid detection…and possibly leave the door open to exfiltrate again.
Gartner has identified Privileged Access Management (PAM) on its Top 10 list of new projects for security teams to explore in 2019 (the second straight year PAM landed on this list), and as the second-fastest growing area of estimated information security spending in 2019.
Why do organizations continue to struggle with Privileged Access Management as a way to reduce risk and secure the leading attack vector? Part of it may have to do with myths about PAM.
Myth 1: Privileged Access Management means password vaulting and rotating passwords
This is the one that we hear most commonly, and it’s a dangerously outdated mindset when you consider Forrester’s estimate that 80 percent of data breaches involved privileged credential abuse.
As traditional network perimeters dissolve, organizations must discard the old model of “trust but verify” which relied on well-defined boundaries. Instead, it’s time to adopt a Zero Trust mindset that mandates a “never trust, always verify, enforce least privilege” approach to privileged access.
Modern approaches to Privileged Access Management will invoke Zero Trust to help organizations grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing just-in-time privilege and just enough privilege, Zero Trust Privilege minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise.
Organizations may consider approaching Privileged Access Management by solely implementing password vaults, leaving gaps that can easily be exploited. Zero Trust Privilege combines password vaulting with brokering of identities, multi-factor authentication enforcement and “just enough” privilege, all while securing remote access and monitoring all privileged sessions.
Myth 2: “PAM? We took care of that 5 years ago…”
What’s interesting about this myth is that the Centrify survey also found that 52 percent of respondents don’t even have a password vault. So clearly something is amiss.
But even if your organization did a PAM project 5 years ago – or even just 2 years ago – that doesn’t mean your organization is protected in the modern threatscape.
We now have attack surfaces that include infrastructure, DevOps, cloud, containers, Big Data and more. Legacy PAM solutions that just vault away shared accounts simply leave too many exposures across these expanding attack surfaces.
The Zero Trust Privilege maturity model starts with the very basics, discovering and vaulting shared accounts, but continues beyond the vault to include identity consolidation with least access and privilege, and reaches the mature stage by hardening your environment with high assurance.
Myth 3: PAM is separate from Identity & Access Management
Here’s the thing that most people still don’t realize about data breaches: attackers are no longer hacking in, they’re logging in, using our own weak, stolen or otherwise compromised credentials against us (think phishing and social engineering). And we’re making it easy on them by continuing to use unnecessarily weak passwords and not using Multi-Factor Authentication, which can make things a lot harder for attackers.
We’re now at a point where we have to assume that the bad actors are already in our networks. That’s why you see the groundswell around Zero Trust, which takes on even more importance when it comes to privileged access credentials.
That same assumption makes a stronger case for Zero Trust approaches to Identity & Access Management across the board.
Myth 4: PAM is only about compliance
Forrester analyst Chase Cunningham has some interesting ways of describing the difference between having a security strategy and being compliant.
“Compliance is a seat belt on a 747. You’ve got to have it to back away from the gate, it’ll probably help you if you hit some turbulence on the way. However, if things go really bad, does anyone really think a three-inch strip of nylon is going to make you walk away from a plane crash? Absolutely not. Compliance is not a strategy.”
Yes, compliance is an important part of any PAM initiative. Being compliant is important across any department in any organization.
But compliance is not a strategy, and any modern enterprise facing an endless onslaught of attacks seeking to leverage compromised privileged credentials must have a sound strategy. A recent Centrify survey found that 51% of respondents implement PAM because of a stronger desire to adhere to best practices, which is only 2% higher than the 49% whose objective was to meet compliance mandates.
Myth 5: Zero Trust is just a fad
Okay, so this one is not really a PAM myth, but if you’ve read this far you know that a Zero Trust approach is the best way to protect privileged credentials from being exploited.
While the spotlight has started to shine on Zero Trust a lot more over the past year, the concept is not new. The roots of Zero Trust go back at least to 2010, when John Kindervag (then a Forrester analyst) created the concept and it was initially adopted by Google as part of its BeyondCorp initiative.
But over time, Zero Trust has emerged as a philosophy, approach, and framework that has been proven to help reduce risk of identity-based attacks. Yes, it seems like every cybersecurity company under the sun is now a “Zero Trust” company, and not all of them can validly make that claim. However, when it comes to Zero Trust and Privileged Access Management, the benefits are clear.
Privileged accounts are the “keys to the kingdom” for any organization, and the goal of any hacker looking to profit from cyber-attacks. That is not going to change any time soon. What should change, however, are attitudes and postures to secure privileged credentials with Zero Trust, and stop data breaches.