Organizations across America are facing unprecedented challenges in building effective, manageable security programs in order to protect the wide array of sensitive data they are responsible for keeping safe. Corporations, educational institutions and government agencies are often beholden to many different regulations and legal compliance requirements because of the various datasets they maintain. For example, a university will have a student health center that stores Personally Identifiable Information (PII) and other health information covered under the Health Insurance Portability and Accountability Act (HIPAA). Additionally, that same university’s bookstore, food services and other student services will store credit card transaction data, which the Payment Card Industry (PCI) mandates be protected. Government agencies, such as the recently breached Office of Personnel Management, store employee records and related PII that may be further regulated, depending on the state or federal district in which the agency is based.
These various needs can be difficult for organizations to balance and maintain, but regardless of the type of organization, critical and sensitive data must be protected and kept safe from hackers, malicious insiders, malware and other forms of cyber-attack. Add in the normal budgetary and human resource challenges that all organizations face, and you’ve got what can seem like an insurmountable security problem.
Fortunately, as defense-in-depth strategies are shifting to a more data-centric model, it is becoming easier for information security teams to get their arms around these problems by simply focusing on fundamental and common points of access in order to build security controls. In this regard, credentials are truly the key to everything. How does a user gain access to data? They input their user name and password. Need to back up an entire database? Use a database administrator’s credentials. Nearly every data breach and cyber-attack seen today is ultimately targeting credentials.
Credentials have the permissions and rights to access as much data as possible. For this very reason privileged accounts, such as local administrator accounts, domain administrators, root accounts and more, are often referred to as the “keys to the kingdom.” Not only do they have access to data, systems and applications, but security tools are often built to permit these privileged accounts to move freely about any system on the network. If organizations can control and manage these privileged accounts, then a fundamental layer of protection is put into place to address all of the challenges presented by regulatory and legal requirements, even intellectual property theft from cybercriminals and malicious insiders.
This is where Privileged Account Management (PAM) comes in. PAM has been a standard security tool for many years, but only recently has it moved into the spotlight as a fundamental part of a defense-in-depth program within private corporations, government agencies, and all other types of organizations. As more attacks and data breaches are found to be caused by abuse of privileged credentials, organizations have come to realize that protecting those credentials needs to be a first priority, and not an afterthought to other security layers.
Best of all, modern enterprise-grade Privileged Account Management tools are designed to be easy to use, simple to deploy and very cost-effective. They can be scaled out to address the many different teams that may be involved across business units, and easily customized to protect different credentials and datasets in whatever ways are required. Many organizations that have implemented these sorts of tools have done so specifically for these reasons, underscoring that creating huge security benefits and building a stronger overall security posture doesn’t have to be expensive, difficult to deploy and implement, or painful for IT administrators to use on a day-to-day basis.
One case in point: the University of Central Florida (UCF) has deployed a PAM tool to securely manage privileged account passwords, restricting access to the sensitive data of its 60,000 students, as well as faculty, alumni and donors. "Privileged account management is one of our top priorities because of the types of data these accounts can access," says Matthew Fitzgerald, senior security analyst at UCF. "We knew we needed to invest in an enterprise-class solution that we could quickly deploy in order to protect these sensitive data sets."