No one wants a security breach to happen, but the media will be sure to pick it up when it does. By then, it is too late. Millions of dollars in fines or ransom notes later, and with a tarnished marketplace reputation, the company or government agency wishes they had paid more attention to their security protocols.
One way to achieve higher security is to build a proper Privileged Access Management (PAM) initiative into the cybersecurity workflow. PAM is the discipline of controlling who (and which machine identity) may hold elevated rights, such as administrator, root, database, or service-account access, over which systems and data, and it produces an integrated view of risk, threats, and controls. PAM covers methodologies for using privileged identities securely, for logging and auditing every privileged session so that a cyberattack can be answered quickly, and for defining what counts as privilege in a given organization and what does not. In other words, PAM is a multi-dimensional cybersecurity strategy of processes, technology, and people that secures and monitors both human and non-human (machine) privileged identities and activities throughout an organization’s IT landscape. For it to succeed, the program has to become part of the entity’s culture.
The five key benefits of PAM
There are many benefits to a robust PAM system. Its effectiveness grows with the team’s understanding of how to determine risk tiers, how guidelines are established, and how procedures are implemented in practice, including how to overcome team-level resistance. Going without such a protective system is imprudent. PAM providers differ in method but deliver comparable results and benefits.
Consider these five benefits:
- It puts a control point in front of privileged accounts, so an attacker who steals an ordinary user’s credentials still cannot reach administrative access without going through the vault.
- It mitigates risk and supports compliance, because every privileged action is tied to a named identity and recorded in an audit trail whose integrity can be verified.
- It saves application teams time: credentials are retrieved from the vault rather than shared by hand, and access requests follow a defined workflow instead of ad hoc tickets and e-mails.
- It integrates with other tools (directory services, ticketing, SIEM) to further enhance the organization’s cyber maturity, adding layers of security rather than another silo.
- It centralizes visibility: dashboards, reports on which systems are under management, and analytics that score sessions against each user’s normal behavior and risk profile.
Tools and philosophies will differ across PAM vendors of different sizes and industry specializations, yet the basic features will be very similar.
PAM tools
Key features layer proven security controls over hardware, software, and the organization’s working culture.
- One key principle is granting the least privilege that still gets the job done, which lowers risk across the enterprise. Its everyday companion is credential hygiene: passwords on sticky notes stuck to monitors or left near the coffee machine and the shared copier invite insiders to help themselves and leave the front door open for external attackers, who then need no backdoor at all.
- Long-lived, shared passwords are dangerous: once one leaks, it keeps working until someone notices. Most PAM tools instead vault the credential, release it for a single checkout, and rotate it to a fresh random value when the session ends, so a captured password is useless minutes later.
- Automated, increasingly AI-assisted session monitoring reduces the “slips” a busy team would miss: anomalies are reported to dashboards and raised as real-time alerts, and the same records serve as evidence in many industries’ audits.
- Training must include accountability and responsibility. Session recording supports this: recordings of privileged sessions can be used to train entry-level staff and, more importantly, let the organization review exactly what third-party vendors did with the access they were given. New hires and vendors are often the weakest link.
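The checkout-and-rotate lifecycle and the alerts that fall out of its audit trail, described in the list above, are easier to reason about in code. The following is an added example written for this article, not code from any PAM vendor: the class and function names, the accounts, the identities and the change-ticket IDs are all constructed for illustration. It shows why a password released from a vault for one session is worthless to an attacker who captures it, and how the same audit log yields the real-time alerts the text mentions.

```python
"""Toy privileged-credential vault: entitlement check, exclusive checkout,
one-time rotation at check-in, audit trail, and alerts derived from it.
Added example; all accounts, users and ticket IDs are constructed."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo data: privileged accounts and who may check each one out.
DEMO_ENTITLEMENTS = {
    "prod-db-root": {"alice", "carol"},
    "core-router-admin": {"carol"},
}

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 24) -> str:
    """CSPRNG-backed password (secrets, never random); rotated after every use."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class AuditEvent:
    time: int              # seconds on a constructed clock
    actor: str
    account: str
    action: str            # checkout | checkin | denied
    ticket: Optional[str]


@dataclass
class Vault:
    entitlements: dict                          # account -> identities allowed to check it out
    max_lease: int = 3600                       # seconds a checked-out credential may stay live
    store: dict = field(default_factory=dict)   # account -> current secret
    leases: dict = field(default_factory=dict)  # account -> (actor, lease expiry)
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        for account in self.entitlements:
            self.store[account] = generate_password()

    def checkout(self, actor: str, account: str, ticket: Optional[str], now: int) -> str:
        """Release the secret only to an entitled actor with a change ticket, and only
        if nobody else holds it (one accountable person per privileged session)."""
        allowed = actor in self.entitlements.get(account, set()) and bool(ticket)
        if not allowed or account in self.leases:
            self.log.append(AuditEvent(now, actor, account, "denied", ticket))
            raise PermissionError(f"{actor} may not check out {account} now")
        self.leases[account] = (actor, now + self.max_lease)
        self.log.append(AuditEvent(now, actor, account, "checkout", ticket))
        return self.store[account]

    def checkin(self, account: str, now: int) -> None:
        """End the lease and rotate, which makes the released password single-use."""
        actor, _ = self.leases.pop(account)
        self.store[account] = generate_password()
        self.log.append(AuditEvent(now, actor, account, "checkin", None))

    def authenticate(self, account: str, password: str) -> bool:
        """Stand-in for the target system: does this password still open the account?"""
        return secrets.compare_digest(self.store.get(account, ""), password)

    def alerts(self, now: int) -> list:
        """What a PAM dashboard would raise from open leases and the audit trail."""
        out = []
        for account, (actor, expiry) in self.leases.items():
            if now > expiry:
                out.append(f"OVERDUE: {actor} still holds {account} past its lease")
        denials = {}
        for e in self.log:
            if e.action == "denied":
                denials[e.actor] = denials.get(e.actor, 0) + 1
        for actor, n in denials.items():
            if n >= 2:
                out.append(f"REPEATED DENIAL: {actor} was refused {n} times")
        return out


def demo() -> dict:
    """One lease lifecycle plus two failure modes; returns values a caller can check."""
    v = Vault(dict(DEMO_ENTITLEMENTS), max_lease=900)
    pw = v.checkout("alice", "prod-db-root", "CHG-1001", now=0)
    during = v.authenticate("prod-db-root", pw)       # True while the lease is open
    v.checkin("prod-db-root", now=600)
    after = v.authenticate("prod-db-root", pw)        # False: rotated at check-in
    denied = 0
    for ticket in ("CHG-1002", None):                 # bob is not entitled; second try has no ticket
        try:
            v.checkout("bob", "core-router-admin", ticket, now=700)
        except PermissionError:
            denied += 1
    v.checkout("carol", "core-router-admin", "CHG-1003", now=1000)   # never checked in
    return {"during": during, "after": after, "denied": denied, "alerts": v.alerts(now=5000)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The vault, not the human, generates the password, so nobody can write it on a sticky note before it exists; and rotation happens at check-in rather than on a schedule, so the window in which a captured credential works is exactly the length of the session it was issued for. A real product adds session recording and approval workflows on top of the same skeleton.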
Feature-rich PAM programs mitigate risk, but setting the guidelines poses challenges even for the most dedicated teams.
How to establish PAM guidelines
Here is the challenge: sometimes losing a customer, or a breach itself, is the catalyst for new and better guidelines. Ideally, a report showing minor violations ahead of a problem would trigger the new guideline instead. Often the Chief Information Security Officer (CISO) needs an inventory in the form of a gap analysis: where the company’s privileged-access controls stand today versus where they should be. From there, guidelines and levels of access can be created, tightened, and enforced.
Determining appropriate levels of access across the enterprise might seem numbingly painful and time consuming. However, the access model must cover the full length and breadth of the organization, and it is a critical preemptive measure against cyberattacks. Sometimes the step is rushed in the attempt to do something, anything, to stop attackers. PAM suppliers such as CyberArk, Centrify, and Thycotic (the latter two have since merged and now operate as Delinea) offer their own approaches to deciding privileged access levels, typically starting with the senior owners of the IT estate (the CISO or CIO, for example) and working down through network domains to individual workstations and service accounts. The hard part of every model is that job title and access need do not line up: a CIO rarely needs root on a database server, while a junior DBA may need it daily. The exact level of access therefore comes down to a few generally accepted best practices.
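The gap analysis and the access-level review described above have a concrete, repeatable core. The following is an added example written for this article, not any vendor’s code: the groups, users, privileges, and role baselines are constructed for illustration. It resolves each user’s effective privileges, including those inherited through nested group membership (the usual way privilege quietly accumulates in a directory), compares them with the baseline for the user’s role, and tiers the finding, which is the “where we are versus where we want to be” inventory a CISO asks for.

```python
"""Least-privilege gap analysis over nested groups.
Added example; every group, user, privilege and role below is constructed."""
from collections import deque

# Constructed directory export: group -> direct members (users or other groups).
GROUPS = {
    "Domain Admins": {"ops-leads"},        # a group nested inside a group
    "ops-leads": {"carol", "dave"},        # dave is helpdesk; this membership is the mistake
    "dba": {"alice"},
    "app-dev": {"bob", "erin"},
    "release-managers": {"bob"},
}

# Constructed mapping of what each group actually grants.
GROUP_PRIVS = {
    "Domain Admins": {"ad:domain-admin"},
    "ops-leads": {"ci:deploy-prod"},
    "dba": {"db:read", "db:write", "db:schema"},
    "app-dev": {"db:read", "ci:deploy-staging"},
    "release-managers": {"ci:deploy-prod"},
}

# Constructed role baseline: what each job role should hold, and nothing more.
ROLE_BASELINE = {
    "dba": {"db:read", "db:write", "db:schema"},
    "app-dev": {"db:read", "ci:deploy-staging"},
    "ops-lead": {"ci:deploy-prod", "ad:domain-admin"},
    "helpdesk": {"ad:reset-password"},
}
USER_ROLE = {"alice": "dba", "bob": "app-dev", "erin": "app-dev",
             "carol": "ops-lead", "dave": "helpdesk"}

# Privileges whose unplanned presence escalates a finding to the top tier.
HIGH_RISK = {"ad:domain-admin", "db:schema"}


def effective_groups(user: str, groups: dict) -> set:
    """Walk group nesting upward from the user. The visited set guards against
    membership cycles, which real directories do contain."""
    parents = {}
    for group, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    seen, queue = set(), deque([user])
    while queue:
        node = queue.popleft()
        for g in parents.get(node, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def effective_privileges(user: str, groups: dict, group_privs: dict) -> set:
    """Union of what every directly or transitively held group grants."""
    privs = set()
    for g in effective_groups(user, groups):
        privs |= group_privs.get(g, set())
    return privs


def gap_report(user_role: dict, groups: dict, group_privs: dict,
               baseline: dict, high_risk: set) -> dict:
    """Per user: excess (held but not in baseline), missing (in baseline but not held), tier."""
    report = {}
    for user, role in user_role.items():
        have = effective_privileges(user, groups, group_privs)
        want = baseline[role]
        excess, missing = have - want, want - have
        if excess & high_risk:
            tier = "critical"
        elif excess:
            tier = "high"
        elif missing:
            tier = "medium"   # blocked work tempts password sharing and workarounds
        else:
            tier = "ok"
        report[user] = {"excess": excess, "missing": missing, "tier": tier}
    return report


if __name__ == "__main__":
    for user, finding in gap_report(USER_ROLE, GROUPS, GROUP_PRIVS,
                                    ROLE_BASELINE, HIGH_RISK).items():
        print(user, finding)
```

In this constructed data, dave’s single wrong group membership gives him domain-admin rights he would never see in his own profile, which is exactly the kind of finding a title-based review misses and an effective-privilege review catches. Missing privileges are reported too, because a user who cannot do their job with their own account is the one most likely to borrow someone else’s.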
Best practices
Start by answering the questions below to build a tightly controlled system:
- Who has access to critical infrastructure, systems, and data? Build access levels from the ground up and top down. Study automatically updated reports daily. A reputable PAM cloud or on-premise solution can inform this step.
- Does the company use the tools and solutions it already has effectively? Is it making time to hold meetings, train the troops, and enforce the protocols in place? How mature is users’ knowledge, and how current are the tools? Is everyone on board to secure the company’s digital assets?
- Is there an adequate budget for purchasing recognized Privileged Access Management software and the support that comes with it?
- How do external audit findings reflect compliance? Examples of applicable regimes are the EU’s General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive, and U.S. regimes such as HIPAA and SOX. Are failures quickly fixed?
- Is management at all levels supporting or thwarting safety measures? Getting the job done is not as important as getting the job done safely.
Challenges
There are many challenges to maintaining a safe yet productive and efficient IT environment. Surprisingly, the hardest roadblock with Privileged Access Management systems is not the financial investment to purchase them. The greater challenge is usually employees’ general resistance to change and to “adding one more thing” to their day-to-day activities. Whether the cause is budgetary, personnel, or something else, that resistance puts the company at risk. As user-friendly and feature-rich as the best PAM systems are, the real test is getting the controls followed all the way down to customer-facing employees. They are the bastions of protection against internal (unfortunately) and external attackers chipping at the walls of the IT fortress. Stretched team managers do their best to hold their people accountable, but they cannot afford to fire noncompliant employees. The work must be done, so the task often becomes a negotiation: “Here are ten things we need you to do. Do two now, and we will work on the next ones in the coming weeks.”
But the coming weeks may bring newer protocols. The task is ongoing, because next week may require different responses and procedures depending on the attackers’ targets, be it big data, the cloud, DevOps pipelines, databases, infrastructure, or network devices. Last month’s multi-factor authentication (MFA) rollout might need strengthening. As quickly as the bad guys change their strategies, the technologies to keep them out must change apace.
Reduce exposure to hackers
Data leaks cause havoc, but they can be prevented. Companies who do not use a Privileged Access Management system risk unnecessary exposure to hackers. As publicized break-ins show, cyberattacks are real. For that reason, it is not good enough to install one of the industry’s many excellent systems, perform a once-and-done privilege allocation, and skip to the next agenda item on the list.
Monthly cybersecurity meetings are not often enough, and daily gatherings do not work either. What does work is a standing control rather than a standing meeting: credentials released for a single use from an automated vault and rotated afterward, with management at every level, from the top through to the app teams, requiring (not merely encouraging) teams to use the tool.
Budgeting for these systems is part of the C-suite keeping its promise to customers, vendors, employees, and shareholders. The CSO, CISO, CIO, CTO, CFO, and CEO must agree on the necessary expenditure in the same way they budget for liability or fire insurance. Breaches cost millions of dollars in reparations, but that is only money. More critical: organizations cannot afford the loss of their stakeholders’ trust.
The system password on a sticky note near the coffee machine is the most obvious example of risky behavior, but the criminals are well beyond it: stolen or reused administrative credentials are the modern equivalent. Companies cannot afford to simply react to cyberattacks. To obtain and hold stakeholders’ trust, an organization’s best defense is to stay on offense, that is, to be always one step ahead of cyber attackers and to use a Privileged Access Management solution consistently.