How Fortune 1000s can get privileged access management right
Privileged access management is not a new concept to most IT and security leaders, but we’ve seen a surge in cyber incidents focused on exploiting privileged access that has renewed its importance. From the Windows Print Spooler vulnerability of 2021 to the Okta breach that impacted hundreds of companies earlier this year, attackers continue to gain access through vulnerable credentials and use that access to move laterally and do damage at speed inside Fortune 1000 organizations. Breaches happen, but it’s unfortunate when something as simple as privileged access management could have thwarted the attackers.
As geopolitical tensions continue to rise on the cybersecurity front, it’s clear no one is spared from cyberattacks. With that, it’s more critical than ever before for organizations to closely review current privileged access management policies and solutions. Here are some best practices to think about when deciding how to approach PAM properly and securely.
Zero Trust principles can minimize damage
Zero Trust is more than just a trend -- and the name says it all. Thanks to its popularity as a conversation topic, as well as marketing and headline fodder, it's unfortunately taken on multiple meanings as security providers jump to take advantage of the high interest level. The best way of thinking about it is moving defenses from static, network-based perimeters to instead focus on users, assets, and resources.
Taking this a step further is Zero Standing Privilege (ZSP), an element of the entire Zero Trust strategy that removes admin accounts and reduces your attack surface. ZSP softens the impact of compromised privileged credentials by making a user authorize every step of the way. That makes it more difficult for attackers to elevate to the privilege necessary to install malware across the network and minimizes potential damage.
Admins don’t need 24x7 access
Before organizations implement ZSP, it’s important to first understand how privilege sprawl happens. Unlike most cyber events, sprawl usually starts with good intentions. It’s convenient to grant access to users who need it and even easier to forget who has access to what. This is especially true when it comes to contractors, who only need temporary access to systems but sometimes end up getting permanent access, becoming an easy target for attackers.
It’s common practice to vault admin credentials, so that passwords are strong and automatically rotated, and to record admin sessions. But those admins still have access to endpoints at all times.
Even Single Sign-On (SSO) solutions unfortunately cannot make environments bulletproof. Beyond authentication, there’s a need to solve for authorization, which is what Zero Trust is about. Just because an admin can authenticate and has the right to privileged access doesn’t necessarily mean the admin should be authorized, or allowed to do so 24x7, and that standing authorization is what the attackers are exploiting. Introducing complexity through password policies and vaulting is proven not to work. As we’ve seen in attacks like Colonial Pipeline, it may in fact work contrary to the best intent, as admins will come up with a predictable system of passwords or, worse yet, create secondary accounts for convenience.
While admins need access to do their jobs, they don’t need access all the time if they’re only sometimes managing critical systems. Grant access as needed, but make sure it expires when the job is done.
It’s time for just-in-time solutions
For obvious reasons, hackers tend to target credentials that have 24x7 access, especially lesser-used credentials that should probably have been removed from the system already. Entering this way allows the attacker to find their footing in the system and look for ways to move laterally.
Once they’re in, they’re pretty good at finding their way around the system to do what they came to do while bypassing the other security measures you may have in place.
Standing privileged access (24x7) is a "just in case" way of thinking, and we need to focus more on just-in-time solutions. Just-in-time access sets a time limit on every privileged grant, which narrows the window in which a compromised credential can be used to move laterally.
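To make the "grant access as needed, but make sure it expires when the job is done" rule above concrete, here is a small just-in-time privilege broker. It is an added example, not Remediant's product code or anything from the original article, and every name in it (the policy cap `MAX_GRANT`, the `JitBroker` class, the `at()` clock helper, the constructed change-ticket reasons) is an assumption for illustration. It shows the three properties the section argues for: a requested lifetime is capped by policy so no request turns into standing access, authorization is evaluated at the time of the privileged action rather than at login, and an enforcement sweep reports grants that ran past expiry without being released.

```python
# Added example (not Remediant's code): a minimal just-in-time privilege
# broker. Every grant carries a reason and an expiry, the expiry is capped by
# policy, and authorization is checked when the privileged action happens.
# All names below are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=2)   # assumed policy cap on a single elevation


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for the example: a fixed UTC date."""
    return datetime(2022, 6, 1, hour, minute, tzinfo=timezone.utc)


@dataclass
class Grant:
    user: str
    host: str
    role: str
    reason: str
    granted_at: datetime
    expires_at: datetime
    released_at: Optional[datetime] = None   # set when the admin hands access back early

    def is_active(self, now: datetime) -> bool:
        if now >= self.expires_at:
            return False
        return self.released_at is None or now < self.released_at


class JitBroker:
    """Time-boxed grants instead of standing (24x7) admin group membership."""

    def __init__(self, max_grant: timedelta = MAX_GRANT):
        self.max_grant = max_grant
        self.grants = []
        self.audit = []

    def request(self, user, host, role, reason, wanted: timedelta, now: datetime) -> Grant:
        if not reason.strip():
            raise ValueError("every elevation needs a recorded reason")
        # A 30-day request does not become 30 days of standing access:
        # the policy cap wins, and the admin re-requests if the job runs long.
        ttl = min(wanted, self.max_grant)
        grant = Grant(user, host, role, reason, now, now + ttl)
        self.grants.append(grant)
        self.audit.append(("grant", user, host, role, grant.expires_at.isoformat()))
        return grant

    def is_authorized(self, user, host, role, now: datetime) -> bool:
        # Decided per action: being able to authenticate is not enough.
        return any(g.user == user and g.host == host and g.role == role
                   and g.is_active(now) for g in self.grants)

    def release(self, grant: Grant, now: datetime) -> None:
        # Job finished early: revoke now rather than let the grant run to expiry.
        grant.released_at = now
        self.audit.append(("release", grant.user, grant.host, grant.role, now.isoformat()))

    def sweep(self, now: datetime):
        """Grants past expiry that nobody released: what the enforcement job
        must strip from the local admin group on the endpoint."""
        return [g for g in self.grants if g.released_at is None and now >= g.expires_at]


def demo() -> dict:
    """Walk one elevation lifecycle on the constructed clock and return the checks."""
    broker = JitBroker()
    alice = broker.request("alice", "db01", "local_admin", "CHG-1234 patch window",
                           wanted=timedelta(days=30), now=at(9))
    bob = broker.request("bob", "web02", "local_admin", "CHG-1235 log review",
                         wanted=timedelta(minutes=45), now=at(9))
    broker.release(alice, at(9, 40))          # Alice finishes early and hands access back
    return {
        "alice_ttl_capped": alice.expires_at == at(11),
        "alice_ok_during": broker.is_authorized("alice", "db01", "local_admin", at(9, 30)),
        "alice_other_host": broker.is_authorized("alice", "db02", "local_admin", at(9, 30)),
        "alice_after_release": broker.is_authorized("alice", "db01", "local_admin", at(9, 50)),
        "bob_ok_during": broker.is_authorized("bob", "web02", "local_admin", at(9, 30)),
        "bob_after_expiry": broker.is_authorized("bob", "web02", "local_admin", at(10)),
        "stale_grants": [g.user for g in broker.sweep(at(10))],
        "audit_events": len(broker.audit),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `sweep()` result is the piece most easily forgotten in a home-grown JIT setup: a grant that expired in the broker's database but was never removed from the endpoint's admin group is, from the attacker's point of view, standing access.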
There will always be weak spots in an organization
The cliché, 'it's not a question of if, but when,' is being played out across Fortune 1000 organizations today. It’s important to understand there will never be any way to truly prevent an attack on your organization, and there will always be weak spots on systems. However, by adopting ZSP as part of an entire Zero Trust strategy, organizations can reduce the blast radius and prevent hackers from finding the crown jewels of the organization by moving laterally.
Raj Dodhiawala has over 30 years of experience in enterprise software and cybersecurity, primarily focused on bringing disruptive enterprise products to new markets. Currently serving as President of Remediant, he is bringing focus, agility and collaboration across sales, marketing, finance and operations and leading the company through its next phase of growth.