It’s no secret that privileged access management (PAM) is pivotal to every organization’s cybersecurity posture. According to a 2018 report from Forrester, “80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates.”
While it’s widely understood that PAM is mission-critical, there are a number of challenges that organizations face in implementing more secure solutions.
Challenges To Improving PAM
Like any aspect of enterprise cybersecurity, there are major challenges with privileged access management. Here are 5 of the most significant barriers to improving PAM.
Indexing Privileged Accounts
Many enterprises simply do not have visibility into all privileged user accounts. End users sometimes share credentials and/or leave them unprotected on endpoint devices.
Without an exhaustive inventory of privileged user accounts, it’s not possible to monitor all privileged access. Accounts that are unaccounted for may be accessing privileged resources.
When credentials are not centrally managed, it’s difficult to ensure that only authorized personnel are using those credentials to access privileged resources.
Strengthening Security Controls
Enforcing stronger security controls, such as multi-factor authentication and device authentication, is often a complex and time-consuming task.
Supporting All Access Methods
Many enterprises employ some elements of PAM for one or two use cases (e.g., SSH) but overlook the other methods used to access privileged resources in their environment.
With all of these challenges covered, let’s change gears: what would the perfect PAM solution look like? What are the goals that all PAM leaders are (or should be!) trying to achieve?
An Outline Of The Ideal PAM Solution
Let’s take a moment to sketch an outline of the perfect PAM solution. What benefits and capabilities would the paragon of PAM solutions provide?
The ideal PAM solution would ensure that access to every type of resource is centrally managed and integrated with the enterprise identity provider. Access to applications, email, servers, and even locally-stored files would be controlled via group membership, which could be monitored and adjusted as needed, all from a single pane of glass. This would all take place transparently, without the end-user knowing (or needing to know) what is happening in the background.
In addition, security leaders would have the ability to seamlessly enforce advanced security controls such as multi-factor authentication, device authentication, and approval workflows, for whichever privileged resources they deem it necessary. Security leadership would also be able to revoke permissions for employees who switch jobs or leave the company, with just a few clicks.
This scenario may seem a bit far-fetched, but achieving this outcome is probably much easier than you think. With the right infrastructure in place, this is all possible, and it doesn’t even require custom coding or modifications to the tools your end-users rely on.
The Path To Improving PAM
It isn’t always apparent, but public key cryptography (PKC) underpins nearly every modern protocol. For instance, TLS and SSH both rely on public-private key pairs for digital signatures (for authentication) and for establishing the keys that encrypt data in transit.
With this in mind, here are the steps you can take to both improve the security of privileged resources and simplify management of access to those resources.
Make The Connection Between Identity And Cryptography
The first step to shoring up PAM is to translate identity, for both humans and machines, to a common medium that all client-server protocols understand: cryptographic keys and certificates.
Ensure That All Cryptographic Keys & Certificates Are Centrally Managed
While it’s necessary to create a key pair and certificate for every user in your environment, the private keys should never be exported to, or stored on, endpoint devices. A better approach is to store the identity keys centrally, in non-exportable form, in a hardware security module (HSM).
Enforce Granular Access Controls
With all cryptographic keys centrally stored in an HSM, and the right tools standing between the signing clients and that HSM, it becomes much easier to enforce any granular access controls, such as multi-factor authentication, device authentication, approval workflows, and IP address whitelisting, to protect privileged resources.
Maintain Full Visibility & Auditing Capabilities
With all cryptographic keys centrally managed and secured, monitoring and auditing usage of these keys is relatively straightforward. Audits can easily be performed whenever needed, providing immediate insight into how and when each key was used while also enabling easy compliance.
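As an added illustration of the last three steps (this is example code, not code from this page or from Garantir), here is a small Python model of the architecture: a key store standing in for the HSM, whose keys are generated inside it and never returned, and a broker in front of it that enforces per-resource controls (MFA, registered device, source-network allowlist, independent approval) and records every signing decision for audit. The HMAC-SHA256 "signature", the resource and policy names, and the request fields are assumptions made for the model.

```python
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass, field

@dataclass
class AccessPolicy:  # per-resource controls, evaluated before any key use
    require_mfa: bool = False
    allowed_devices: set = field(default_factory=set)     # registered device ids
    allowed_networks: list = field(default_factory=list)  # CIDR strings
    require_approval: bool = False

@dataclass
class SignRequest:  # what a client presents; the client never holds the key
    user: str
    device_id: str
    source_ip: str
    payload: bytes
    mfa_verified: bool = False
    approved_by: str = ""

class KeyStore:  # stand-in for an HSM: keys are generated inside and never leave it
    def __init__(self):
        self._keys = {}  # HMAC-SHA256 below stands in for the HSM's signing primitive
    def generate(self, user):
        self._keys[user] = secrets.token_bytes(32)
    def revoke(self, user):  # offboarding: one call, no endpoint device to clean up
        self._keys.pop(user, None)
    def has_key(self, user):
        return user in self._keys
    def sign(self, user, payload):
        return hmac.new(self._keys[user], payload, hashlib.sha256).hexdigest()

class SigningBroker:  # between clients and the key store: enforces policy, records use
    def __init__(self, store):
        self.store, self.policies, self.audit_log = store, {}, []
    def deny_reason(self, resource, req):
        p = self.policies.get(resource)
        if p is None: return "no policy for resource"  # fail closed
        ip = ipaddress.ip_address(req.source_ip)
        checks = [  # (condition that must hold, reason recorded when it does not)
            (self.store.has_key(req.user), "unknown or revoked identity"),
            (req.mfa_verified or not p.require_mfa, "mfa required"),
            (not p.allowed_devices or req.device_id in p.allowed_devices, "unregistered device"),
            (not p.allowed_networks or any(ip in ipaddress.ip_network(n) for n in p.allowed_networks), "source address not allowed"),
            (not p.require_approval or req.approved_by not in ("", req.user), "independent approval required"),
        ]
        return next((reason for ok, reason in checks if not ok), "")
    def request_signature(self, resource, req):
        reason = self.deny_reason(resource, req)
        self.audit_log.append((req.user, resource, req.device_id, req.source_ip, reason or "allowed"))
        if reason:
            raise PermissionError(reason)
        return self.store.sign(req.user, req.payload)
```

Every decision, allowed or denied, lands in `audit_log` before the key is touched, which is what makes the usage audit in the last step a simple read of that record.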
To learn more about implementing this novel approach to PAM, download the e-book from Garantir.