Why PAM Should Be a CISO’s Top Priority

Privileged access management (PAM) consists of strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes and systems across an IT environment. By implementing an appropriate level of privileged access controls, PAM helps organizations condense their organization’s attack surface and prevent, or at least mitigate, the damage arising from external attacks as well as from insider wrongdoing or negligence. While privilege management encompasses many strategies, the central goal is the enforcement of least privilege, which is defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities. PAM has drastically changed the way enterprises protect access to critical systems. Using credential vaults and other session control tools, PAM has allowed managers to maintain privileged identities while significantly decreasing the risk of their compromise. By centralizing privileged credentials in one place, PAM systems can ensure a high level of security for them, control who is accessing them, log all accesses and monitor for any suspicious activity. Both industry leaders Forrester and Gartner have placed privileged management as a top priority for CISOs. And it’s no wonder why. PAM protects a company’s unique digital identities that, if stolen, could bring the entire organization to a complete halt.

Privileged Credentials are Attractive Targets

The very existence of privileged accounts creates a huge liability. If a single digital identity can grant such unrestricted access, the consequences of that identity being exposed could be catastrophic. Hackers are aware of that fact, which is why powerful users are privileged targets. Privileged user accounts are significant targets for attack as they have elevated permissions, access to confidential information and the ability to change settings. If compromised, organizational operations will be hampered. Types of accounts that implement PAM can include emergency cybersecurity procedure, local administrative, Microsoft Active Directory, application or service and domain administrative accounts. Over the past few years, it’s become evident that attackers are no longer “hacking” in for data breaches; they are taking advantage of weak, stolen or otherwise compromised credentials. Once they are in, they then spread out and move laterally across the network, hunting for privileged accounts and credentials that help them gain privileged access to an organization’s most critical infrastructure and sensitive data.

Privileged Credential Abuse is Involved in 74% of Data Breaches

Forrester Research has estimated that, despite continually increasing cybersecurity budgets, 80% of security breaches involve privileged access abuse, and 66% of companies have been breached an average of five or more times. A new survey supports this estimate, finding that 74% of respondents whose organizations have been breached acknowledge it involved access to a privileged account. More concerning is the survey finding that most organizations continue to grant too much trust and privilege, are not prioritizing PAM and are not implementing it effectively. Practitioners should consider that critical and fundamental security controls such as PAM are enablers for digital transformation. However, organizations are simply not taking some of the most basic steps to secure privileged credentials.

• Over half of respondents (52%) do not have a password vault.
• 65% are still sharing root or privileged access to systems and data at least somewhat often.
• More than 1 out of every 5 (21%) still have not implemented multi-factor authentication for privileged administrative access.

In addition to not implementing basic PAM solutions, many organizations are not implementing basic policies and processes to reduce risk. For example, 63% of all respondents indicate their companies usually take more than a day to turn off privileged access for an employee who leaves the company, exposing themselves to revenge exploitation including the sale of privileged access credentials on the dark web. Digital transformation has transformed the way corporations do business. It has created a perimeter-less environment; privileged access is no longer applicable to systems and resources inside the network. Privileged access should cover infrastructure, databases and network devices, cloud environments, big data projects, DevOps and containers or microservices. In addition, Advanced Persistent Threats (APTs) create a growing and changing risk to organizations’ financial assets, intellectual property and reputations. The survey found that respondents are not prioritizing this new threat landscape as much as they should be, only controlling privileged access to a limited amount of modern use cases.

• 45 percent are not securing public and private cloud workloads with privileged access controls.
• 58 percent are not securing big data projects with privileged access controls.
• 68 percent are not securing network devices like hubs, switches and routers with privileged access controls.
• 72 percent are not securing containers with privileged access controls..

An additional issue with privileged access is that many applications are not designed to integrate with PAM solutions, even though according to Gartner’s 2018 Magic Quadrant report for PAM, 40% of organizations using formal change management process will have embedded or integrated PAM tools within them by 2020 in order to reduce their risk surface.

How Tripwire Helps

Tripwire’s newest integration app, Tripwire Password Manager (TPM), fills this gap. It acts as a broker between your PAM solution and Tripwire applications. TPM finds the assets needing to be updated, asks your PAM solution for those credentials and updates the assets in your Tripwire applications. It can even start scans in IP360 and Tripwire Enterprise if you configure it to do so. Tripwire Password Manager is already in use around the world in banking, government, utility and commercial settings. It is speeding up a manual process that would take days or weeks, accomplishing the same tasks in just a matter of hours. Tripwire Password Manager supports both password and SSH key credentials, giving you the flexibility to configure your credentials to best fit your company’s needs. Tripwire Password Manager is designed as a modular system, so new PAM solutions can be added quickly as they come on the market. TPM currently supports CyberArk’s Privileged Access Security (PAS) and One Identity’s TPAM suite PAM solution, with others being added quarterly. Tripwire Password Manager can be downloaded for free from the Tripwire Customer Portal and easily set up by yourself, or you can get installation help from our professional services team.