Managing Privileged Access is Crucial to Preventing Data Breaches

Organizations across America are facing unprecedented challenges in building effective, manageable security programs in order to protect the wide array of sensitive data they are responsible for keeping safe. Corporations, educational institutions and government agencies are often beholden to many different regulations and legal compliance requirements because of the various datasets they maintain. For example, a university will have a student health center that stores Personally Identifiable Information (PII) and other health information covered under the Health Insurance Portability and Accountability Act (HIPAA). Additionally, that same university’s bookstore, food services and other student services will store credit card transaction data, which are mandated by the Payment Card Industry (PCI) to be protected. Government agencies, such as the recently breached Office of Personnel Management, store employee records and related PII that may be further regulated, depending on the state or federal district in which the agency is based.

These various needs can be difficult for organizations to balance and maintain, but regardless of the type of organization, critical and sensitive data must be protected and kept safe from hackers, malicious insiders, malware and other forms of cyber-attack. Add in the normal budgetary and human resource challenges that all organizations face, and you’ve got what can seem like an insurmountable security problem.

Fortunately, as defense-in-depth strategies are shifting to a more data-centric model, it is becoming easier for information security teams to get their arms around these problems by simply focusing on fundamental and common points of access in order to build security controls. In this regard, credentials are truly the key to everything. How does a user gain access to data? They input their user name and password. Need to back up an entire database? Use a database administrator’s credentials. Nearly every data breach and cyber-attack seen today is ultimately targeting credentials.

Credentials have the permissions and rights to access as much data as possible. For this very reason privileged accounts, such as local administrator accounts, domain administrators, root accounts and more, are often referred to as the “keys to the kingdom.” Not only do they have access to data, systems and applications, but security tools are often built to permit these privileged accounts to move freely about any system on the network. If organizations can control and manage these privileged accounts, then a fundamental layer of protection is put into place to address all of the challenges presented by regulatory and legal requirements, even intellectual property theft from cybercriminals and malicious insiders.

This is where Privileged Account Management (PAM) comes in. PAM has been a standard security tool for many years, but only recently it has moved into the spotlight as a fundamental part of a defense-in-depth program within private corporations, government agencies, and all other types of organizations. As more attacks and data breaches are found to be caused by abuse of privileged credentials, organizations have come to realize that protecting those credentials needs to be a first priority, and not an afterthought to other security layers.

Best of all, modern enterprise-grade Privileged Account Management tools are designed to be easy-to-use, simple to deploy and very cost effective. They can be scaled out to address the many different teams that may be involved across business units, and easily customized to protect different credentials and datasets in whatever ways are required. Many organizations that have implemented these sorts of tools have done so specifically for these reasons, underscoring that creating huge security benefits and building a stronger overall security posture doesn’t have to be expensive, difficult to deploy and implement, or painful for IT administrators to use on a day-to-day basis.

One case in point: the University of Central Florida (UCF) has deployed a PAM tool to securely manage privileged account passwords, restricting access to the sensitive data of its 60,000 students, as well as faculty, alumni and donors. "Privileged account management is one of our top priorities because of the types of data these accounts can access," says Matthew Fitzgerald, senior security analyst at UCF. "We knew we needed to invest in an enterprise-class solution that we could quickly deploy in order to protect these sensitive data sets.”

Nathan Wenzler is Executive Director of Security at Thycotic, a provider of IT security and password management solutions. Wenzler has almost two decades of experience designing, implementing and managing both technical and non-technical solutions for IT and Information Security organizations. Wenzler has helped government agencies and Fortune 1000 companies build new information security programs from scratch, as well as improve and broaden existing programs with a focus on process, workflow, risk management, and the personnel side of a successful security effort. As the Executive Director of Security for Thycotic, Wenzler brings his expertise on security program development and implementation in both the public and private sector to admins, auditors, managers, and security professionals at a variety of conferences, trade shows, and educational events.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.