Thycotic debunks top Privileged Access Management myths
Article by Thycotic chief security scientist and CISO Joseph Carson
Cybercriminals have an arsenal of tools at their disposal and an almost endless variety of system vulnerabilities they can exploit to breach their targets.
In most cases, however, security incidents can be traced back to the use of compromised user accounts.
The Verizon 2018 Data Breach Investigations Report, for example, found that 81% of data breaches involved the use of stolen or weak passwords.
Another report from Gartner revealing its Top IT Security Projects for 2019 listed Privileged Access Management (PAM) – which locks down and monitors access to user accounts, among other things – as the number one project.
Organisations have traditionally protected their networks with firewalls, VPNs, access controls, IDS, IPS, SIEMs, email gateways and so forth, building multiple levels of security on the perimeter.
Technologies like cloud, mobile and virtualisation, however, now make the security boundaries of an organisation blurry and the traditional security perimeter is no longer such an effective cybersecurity control.
With a limited budget, IT security staff are continuously searching for ways to protect the data they have been entrusted with while looking to add value to the business.
Privileged Access Management is proving to be the new cybersecurity perimeter and an effective solution to reduce organisations’ business risks from cyber-attacks.
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets that upper management, IT administrators and service account users have.
This access allows more rights and permissions than those given to standard business users.
‘Standard’ business users often have more rights than they really need – something PAM also addresses.
Privileged access is the access most often targeted by cybersecurity threats because this access leads to the most valuable and confidential information, such as customer identities, financial information and personal data.
So why does Gartner also estimate that only 40% of organisations have implemented Privileged Access Management practices for all enterprise use cases?
The reason is PAM’s complex past and a number of misconceptions that have sprung up as a result.
Misconception #1: Implementing PAM is too complex
A complex reputation for PAM solutions dates back to an earlier time.
Legacy PAM software was often overly complicated, leading to needlessly difficult implementations.
Installations could take several months to finish, with some cases taking years or simply remaining incomplete.
These older iterations could also be extremely resource-heavy, requiring the efforts of multiple expensive specialists.
Many IT teams decided that PAM was not worth it, while those that persevered are still bitter about all the grief the process caused them.
Of course, most of these experiences stem from a different era of security, where organisations could more comfortably rely on their firewall to keep attackers away from their networks and privileged accounts.
While many IT veterans may still bear well-earned grudges against early PAM tools, they can no longer afford to shun the approach in the current security climate.
The good news is that PAM solutions have evolved to become much easier to implement and use.
Many are now designed for out-of-the-box deployment, enabling IT teams to get them up and running quickly without the need for expensive specialists.
The best tools are also built to be flexible and scale with the organisation as it grows and its security needs change.
Misconception #2: PAM makes things harder for users
This misconception also dates back to the days before the advent of easy-to-use PAM solutions with features like password management aimed at improving user experience.
Cybersecurity has never been a positive security experience for most employees.
In many organisations there is tension between employees and the cybersecurity team due to the negative impact that many solutions have on productivity, resulting in employees looking for ways around them and increasing risk.
Many employees suffer from cyber fatigue – the frustration experienced in juggling scores of online accounts with multiple (and supposedly strong) passwords.
In many cases, individuals feel so frustrated that they give up trying to manage things safely and default to using the same passwords for multiple accounts, sharing passwords with family members, and logging on to the Internet using their social media accounts.
IT security staff should be looking for ways for employees to have a better experience with security, and the best way to do this is to implement PAM solution.
This will help remove one of the biggest causes of cyber fatigue and will generate new passwords and rotate them when they are stolen or compromised, which these days could be as often as every week.
Misconception #3: PAM is just another cost to the business
Because they only reduce risk, most organisations spend valuable budget on cybersecurity solutions that typically add no additional business value.
However, the right PAM solution actually makes employees more productive by giving them access to systems and applications faster and more securely.
Implementing a PAM solution secures access to sensitive systems and reduces the risk of getting compromised by disclosed passwords on the dark web. PAM also reduces cyber fatigue and simplifies the process of rotating and generating new complex passwords.
All of these save valuable employee time which translates directly into cost savings for the business.
One of the major reasons that Privileged Access Management has been listed as the number one security project for organisations is that it saves them time and money – both of which can go back into their cybersecurity efforts – enabling cybersecurity teams to get more done with the same budget.
Although some IT veterans may still feel compelled to delay PAM, choosing the right solution will enable them to gain full control over their privileged accounts without reliving the pain they may have experienced in the past.
source securitybriefeu
Industry: Cyber Security News
Latest Jobs
-
- Data Privacy Lead. Client Facing London. Permanent.
- London
- N/A
-
Data Privacy Lead. Client Facing London. Permanent. London based client facing. Must be eligible to undergo UK Security Clearance (SC) Key Responsibilities: Lead and support client facing data privacy projects. Assess compliance, define and deliver strategic projects / implement privacy solutions. Manage project teams and develop business opportunities. Required Experience: Experience in data protection and privacy standards. Background in consulting. Skills and Qualifications: Business consulting experience IAPPPrivacy Manager / Privacy Technologist Location Greater London UK based role. Not able to provide VISA sponsorship.
-
- VOIP / SIP App Developer. Contract. SIP | VOIP experience needed. SC Cleared Outside IR35 Contract. London
- London
- OUTSIDE IR35
-
SIP | VOIP Developer. SC Cleared Contract. London Looking for a SC Cleared SIP / VOIP Developer to develop an application that interacts with a set of voice and video signalling API’s You will also work on developing in-house applications, browser plugins and automated tooling to support secure communication systems. Responsibilities Develop an application that will manage number mapping and associated identities using commercial SBC API’s. Develop new user-facing features using React.js or other modern JavaScript frameworks. Build reusable components and front-end libraries for future use. Collaborate with the design team to translate UI/UX design wireframes into code. Work closely with backend developers to integrate front-end code with server-side logic. Conduct code reviews and provide constructive feedback to team members. Stay up-to-date on emerging technologies and industry trends to continuously improve our front-end development practices. Troubleshoot and debug issues that arise during development and in production environments. Maintain high coding standards and practices and ensure code is well-documented. Requirement Experience of developing specialist applications using REST API’s. Good knowledge of Go, Java and Python (open to alternative combinations of languages). Proficiency in front-end languages and frameworks such as HTML, CSS, JavaScript, React.js, etc. Strong understanding of web standards, responsive design, and cross-browser compatibility. Experience with version control systems such as Git. Knowledge of RESTful APIs and asynchronous request handling. Familiarity with UI/UX design principles and tools.
-
- Senior Data Privacy Consultant. Client Facing | London
- London
- N/A
-
Senior Data Privacy Consultant. Client Facing | London Senior Data Privacy Consultant needed for a key client facing opportunity. Must be willing to undergo SC Security Clearance. Hybrid role- onsite with customer / office 2-3 days a week. London Key Responsibilities: Lead and support client facing data privacy projects. Assess compliance, define and deliver strategic projects / implement privacy solutions. Manage project teams and develop business opportunities. Required Experience: Experience in data protection and privacy standards. Background in consulting. Skills and Qualifications: Business consulting experience IAPP Privacy Manager / Privacy Technologist Location Greater London UK based role. Not able to provide VISA sponsorship.
-
- Security Analyst - Internal role. London commutable. Permanent
- London
- N/A
-
Security Analyst - Internal role. London commutable opportunity. Operational Security - Investigate, escalate and proactively work to ensure household name remains protected. Project Security - Coordinate, log change requests with project delivery teams to meet security requirements Policy / compliance - work with team to aid in uplifting these as and where needed This role is role to investigate, escalate and proactively work to protect a globally recognised brand. You must have current hands on operational analytical security experience with Microsoft technology stack Someone with a SOC Analyst / security engineering background would be well suited. This position will join a small team and would suit someone that has broad experience across the security threat landscape. Experience / knowledge across industry GRC standards such NIST, ISO27001 etc very advantageous and a priority. You will work across multiple teams proactively working to secure the business. Must be able to commute to Central London 3 days a week. Visa sponsorship not available Apply today to find out more.