Thycotic debunks top Privileged Access Management myths
.jpg)
Article by Thycotic chief security scientist and CISO Joseph Carson
Cybercriminals have an arsenal of tools at their disposal and an almost endless variety of system vulnerabilities they can exploit to breach their targets.
In most cases, however, security incidents can be traced back to the use of compromised user accounts.
The Verizon 2018 Data Breach Investigations Report, for example, found that 81% of data breaches involved the use of stolen or weak passwords.
Another report from Gartner revealing its Top IT Security Projects for 2019 listed Privileged Access Management (PAM) – which locks down and monitors access to user accounts, among other things – as the number one project.
Organisations have traditionally protected their networks with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways and so forth, building multiple levels of security on the perimeter.
Technologies like cloud, mobile and virtualisation, however, now make the security boundaries of an organisation blurry and the traditional security perimeter is no longer such an effective cybersecurity control.
With a limited budget, IT security staff are continuously searching for ways to protect the data they have been entrusted with while looking to add value to the business.
Privileged Access Management is proving to be the new cybersecurity perimeter and an effective solution to reduce organisations’ business risks from cyber-attacks.
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets that upper management, IT administrators and service account users have.
This access allows more rights and permissions than those given to standard business users.
‘Standard’ business users often have more rights than they really need – something PAM also addresses.
Privileged access is the access most often targeted by cybersecurity threats because this access leads to the most valuable and confidential information, such as customer identities, financial information and personal data.
So why does Gartner also estimate that only 40% of organisations have implemented Privileged Access Management practices for all enterprise use cases?
The reason is PAM’s complex past and a number of misconceptions that have sprung up as a result.
Misconception #1: Implementing PAM is too complex
A complex reputation for PAM solutions dates back to an earlier time.
Legacy PAM software was often overly complicated, leading to needlessly difficult implementations.
Installations could take several months to finish, with some cases taking years or simply remaining incomplete.
These older iterations could also be extremely resource-heavy, requiring the efforts of multiple expensive specialists.
Many IT teams decided that PAM was not worth it, while those that persevered are still bitter about all the grief the process caused them.
Of course, most of these experiences stem from a different era of security, where organisations could more comfortably rely on their firewall to keep attackers away from their networks and privileged accounts.
While many IT veterans may still bear well-earned grudges against early PAM tools, they can no longer afford to shun the approach in the current security climate.
The good news is that PAM solutions have evolved to become much easier to implement and use.
Many are now designed for out-of-the-box deployment, enabling IT teams to get them up and running quickly without the need for expensive specialists.
The best tools are also built to be flexible and scale with the organisation as it grows and its security needs change.
Misconception #2: PAM makes things harder for users
This misconception also dates back to the days before the advent of easy-to-use PAM solutions with features like password management aimed at improving user experience.
Cybersecurity has never been a positive security experience for most employees.
In many organisations there is tension between employees and the cybersecurity team due to the negative impact that many solutions have on productivity, resulting in employees looking for ways around them and increasing risk.
Many employees suffer from cyber fatigue – the frustration experienced in juggling scores of online accounts with multiple (and supposedly strong) passwords.
In many cases, individuals feel so frustrated that they give up trying to manage things safely and default to using the same passwords for multiple accounts, sharing passwords with family members, and logging on to the Internet using their social media accounts.
IT security staff should be looking for ways for employees to have a better experience with security, and the best way to do this is to implement PAM solution.
This will help remove one of the biggest causes of cyber fatigue and will generate new passwords and rotate them when they are stolen or compromised, which these days could be as often as every week.
Misconception #3: PAM is just another cost to the business
Because they only reduce risk, most organisations spend valuable budget on cybersecurity solutions that typically add no additional business value.
However, the right PAM solution actually makes employees more productive by giving them access to systems and applications faster and more securely.
Implementing a PAM solution secures access to sensitive systems and reduces the risk of getting compromised by disclosed passwords on the dark web. PAM also reduces cyber fatigue and simplifies the process of rotating and generating new complex passwords.
All of these save valuable employee time which translates directly into cost savings for the business.
One of the major reasons that Privileged Access Management has been listed as the number one security project for organisations is that it saves them time and money – both of which can go back into their cybersecurity efforts – enabling cybersecurity teams to get more done with the same budget.
Although some IT veterans may still feel compelled to delay PAM, choosing the right solution will enable them to gain full control over their privileged accounts without reliving the pain they may have experienced in the past.
source securitybriefeu
Industry: Cyber Security News
Latest Jobs
-
- Public Sector Cyber Security Sales | UK
- England
- N/A
-
Public Sector Cyber Security Sales | UK UK | Remote / Hybrid A cyber security provider is seeking a Public Sector Sales professional to drive growth across UK government and public sector organisations. Must have current Cyber Security sales experience. Responsibilities Generate new business selling cyber security solutions into UK public sector Build relationships with CIO, CISO and senior technology stakeholders Manage the full sales cycle from opportunity to contract close Develop pipeline across central government, local government and public sector bodies Support bids, tenders and framework opportunities Experience Proven cyber security sales experience in the UK Track record selling into public sector organisations Familiarity with CCS, G Cloud or other government frameworks Strong stakeholder engagement and deal management skills Location UK based Security Requirements Eligible to obtain UK Security Clearance
-
- Security Architect | MoD - Security Cleared. OUTSIDE IR35 | Hampshire
- N/A
- Outside IR35
-
Security Architect | MOD | Security Cleared | Outside IR35 | Hampshire Commutable The successful candidate must be willing to undergo DV Clearance, ideally already holding active clearance. You will produce high and low level security architecture documentation, guiding and validating designs for systems deployed within sensitive environments. The role requires providing specialist security input into solution design, service transition and change initiatives, working closely with engineering, operations, client and third party stakeholders. You must have current hands on architectural experience, including VMware secure platform design and virtualisation architecture, alongside AWS expertise. This is an outside IR35 contract- 6 month rolling. Part of a longer term MoD project
-
- Active Directory | RBA engineer | UK Remote | SC Clearable
- United Kingdom
- N/A
-
Technical Active Directory (AD) and RBA specialist needed to play a key part in complex, enterprise scale Active Directory and access transformation programmes. You will work alongside senior team, helping reshape access models, modernise legacy directory structures and strengthen security posture across secure environments. This is hands on delivery within high impact projects where your work directly improves access control, compliance and operational resilience. Active UK Security Clearance required. This is a remote role with client travel. Implementation of Role Based Access Control across large AD estates Restructuring complex permission models, security groups and delegated access Supporting domain controller upgrades and core directory improvements Applying security hardening standards and remediating audit findings Enhancing authentication, policy and access governance frameworks Troubleshooting and resolving technical AD challenges within live environments Producing robust technical documentation and identifying project risks You must have the following technical experience Enterprise Active Directory administration Role Based Access and permission remediation OU design and governance Group Policy management Security group delegation models DNS and DHCP services Kerberos authentication / NTLM PowerShell scripting and automation Azure AD | Entra ID Hybrid identity environments Identity Governance PAM
-
- Identity and Access Management Consultant (Saviynt & Microsoft Entra) | UK
- United Kingdom
- N/A
-
Role summary Technical IAM consultant delivering identity governance and cloud identity solutions to enterprise clients. What you will do Implement / Configure / Deploy Saviynt IGA / Microsoft Entra solutions: Lead technical workshops, gather requirements and translate into solution designs. Troubleshoot complex issues, support testing and deployments. Produce technical artefacts and configuration guides. Key skills Hands-on Saviynt IGA experience (workflow, connectors, access governance). Strong practical knowledge of Microsoft Entra ID / Azure AD identity and access controls. Understanding of identity protocols (SAML, OAuth, OpenID Connect) and hybrid identity. Experience with APIs / REST for integrations and automation. What we are looking for Proven delivery experience in IAM / IGA projects, preferably in consulting. Confident communicator with client-facing delivery exposure.