The ongoing Covid-19 pandemic shares a great deal in common with the tragic Spanish Flu event of the early 20th century, including significant economic damage, increased mortality among the general population, and ubiquitous face masks.
But one thing the Spanish Flu didn’t do, for obvious reasons, was drive a massive spike in cybersecurity threats – as has unfortunately been the case during Covid-19. The number of such risks ballooned in the first two quarters of 2020, with the UN’s counterterrorism head saying phishing website attacks were up 350 percent in Q1. A July 2020 survey showed that 91 percent of organizations experienced an increase in attacks this year. Spear-phishing attacks, involving malicious emails sent from seemingly trusted accounts, jumped nearly 700 percent from February to March. And just this week, five members of an alleged Chinese hacking group were indicted for their role in hacking into 100 U.S. companies, according to the Department of Justice.
Indeed, cybersecurity watchers have documented an unprecedented number of threats since the start of 2020, as employees were sent to work from home en masse with little planning – and, in many cases, on unsecured networks and desktops.
But it’s also fair to say the current situation exacerbated existing and longstanding cybersecurity trends. According to a 2019 survey, for example, 90 percent of companies indicated they were vulnerable to insider threats. And a big part of that vulnerability was – and still is – due to a lack of privileged access management (PAM).
What is privileged access management (PAM)?
PAM is part of the broader practice of Identity and Access Management (IAM), which, in turn, is part of a Zero Trust security model. Gartner defines PAM as the process of managing privileged accounts. According to TechTarget, PAM is the “combination of tools and technology used to secure, control and monitor access to an organization's critical information and resources” – particularly, the access of privileged users. That’s significant, because “privileged user accounts are significant targets for attack as they have elevated permissions, access to confidential information and the ability to change settings.”
Privileged users are usually (but not always) IT team members, including:
- Database & system administrators
- Network engineers
- IT security and auditing specialists
- Application developers
These and other privileged users have far greater network access than typical business users because they need it to do their jobs. They usually have direct access to intellectual property and other sensitive data. They’re also not subject to the same controls as other employees, and can often even change security controls or permissions unilaterally.
Needless to say, the potential for high-stakes abuse in such a situation is high. Privileged access abuse typically occurs in one of two ways:
- Externally: Theft of a privileged user’s credentials, giving bad external actors what amounts to free rein within company systems, allowing them to steal sensitive information with relative ease; or
- Internally: Abuse of privileged credentials by employees or third-party contractors. This can include malicious abuse, but can also be as innocuous-seeming as forgetting to update user access after a recent role change or providing a user with a higher level of privilege than required.
What’s the difference between Privileged Identity Management (PIM) and Privileged Access Management (PAM)?
Even among cybersecurity experts, there can sometimes be confusion over these two terms, partly because they’re so similar. They have essentially the same goal – to help secure sensitive data and IT assets. The best way to differentiate them is to remember that PIM is the management and updating of privileged user identities, of which under IAM there should be strictly one per user, while PAM manages all privileged accounts, including shared administrative or superuser accounts or those used by applications.
What are the risks of not implementing PAM?
Privileged access abuse, purposeful or not, is responsible for nearly three-quarters of all data breaches. As mentioned earlier, privileged accounts typically offer unfettered access to all your most sensitive assets. Yet research from PwC shows that, even as the number of privileged accounts is rising quickly, nearly half of businesses have not yet implemented PAM.
That’s a particularly big problem for large enterprises, where not implementing PAM is fraught with risk:
- Not implementing PAM often leads to a Wild West scenario of hundreds, if not thousands, of unknown or unmanaged privileged user accounts
- Many of those unmanaged privileged accounts can be attributed to non-human entities, such as applications, providing an even larger attack surface for bad actors
- Mistakes happen, and all it takes is one click from even the most vigilant employee to compromise a network (additionally, most employees will take the path of least resistance if they’re aware of workarounds to security procedures)
People are typically the “weakest link in a security strategy” thanks to such mistakes or negligence. That’s where the principle of least privilege (POLP) comes in: A cornerstone of the Zero Trust model, POLP ensures user accounts – privileged or otherwise – only have the rights required for that user to do their job, and nothing more.
A strong PAM strategy becomes even more essential when you’re considering virtualizing your company’s end-user computing experience. In some cases, a company may use traditional Virtual Desktop Infrastructure that integrates with a separate PAM solution, as well as additional vendors to add other layers of security. But these types of cobbled-together environments rarely lead to the desired business value a company is looking for. A comprehensive, out-of-the-box, virtual office-as-a-service (OaaS) reduces the complexity of managing multiple vendors, and speeds time-to-value, while keeping all data secure and protected.
A blueprint for successful privileged access management
There are several steps organizations can take to ensure a robust, effective PAM strategy:
1. Conduct a security assessment (either on your own or outsourced) to determine which of your privileged accounts are most at risk, along with the type of risk (such as the use of default credentials or reuse of passwords)
2. Implement POLP across all your organization’s accounts
3. Continually monitor and audit accounts with privileged access, removing or adding access as required
4. Work with a cloud-based virtual environment that comes with out-of-the-box privileged access management tools
5. Implement a secrets vault, which is a big part of Step 4. A secrets vault provides secure storage for access credentials, company secrets, or firewall rules to access assets such as resources or services
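An added example, not part of the original article and not Tehama's code: a small audit pass that applies the first three steps above (risk assessment, least privilege, ongoing review) to an account inventory. The role baselines, account records, field names and the 90-day review window are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Hypothetical role baselines: the privileges each role needs, nothing more.
ROLE_BASELINE = {
    "dba": {"db:read", "db:write", "db:admin"},
    "developer": {"repo:write", "db:read"},
    "backup-service": {"db:read", "storage:write"},
}

# Constructed inventory; "cred_fp" stands in for a credential fingerprint
# exported by a vault or directory, never the secret itself.
ACCOUNTS = [
    {"name": "alice", "role": "dba", "owner": "alice", "default_cred": False,
     "privs": {"db:read", "db:write", "db:admin"}, "cred_fp": "fp-01",
     "reviewed": date(2020, 8, 1)},
    {"name": "bob", "role": "developer", "owner": "bob", "default_cred": False,
     "privs": {"repo:write", "db:read", "db:admin"}, "cred_fp": "fp-02",
     "reviewed": date(2019, 11, 5)},
    {"name": "svc-backup", "role": "backup-service", "owner": None, "default_cred": True,
     "privs": {"db:read", "storage:write"}, "cred_fp": "fp-03",
     "reviewed": date(2020, 7, 15)},
    {"name": "svc-report", "role": "backup-service", "owner": "carol", "default_cred": False,
     "privs": {"db:read"}, "cred_fp": "fp-03", "reviewed": date(2020, 8, 20)},
]

def audit(accounts, baseline, today, max_review_age_days=90):
    """Return {account name: [findings]} for accounts that need attention."""
    fp_counts = Counter(a["cred_fp"] for a in accounts)
    report = {}
    for a in accounts:
        findings = []
        # POLP check: anything granted beyond the role baseline is excess.
        excess = a["privs"] - baseline.get(a["role"], set())
        if excess:
            findings.append("excess privilege: " + ", ".join(sorted(excess)))
        if a["default_cred"]:
            findings.append("default credential")
        if fp_counts[a["cred_fp"]] > 1:
            findings.append("credential reused across accounts")
        if a["owner"] is None:
            findings.append("unmanaged: no owner")
        if (today - a["reviewed"]).days > max_review_age_days:
            findings.append("access review overdue")
        if findings:
            report[a["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, ROLE_BASELINE, date(2020, 9, 18)).items():
        print(name, "->", "; ".join(findings))
```

An account whose role is missing from the baseline has every privilege reported as excess, which surfaces unknown roles instead of silently passing them.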
Tehama’s Virtual Rooms come with a Secrets Vault that eliminates the need to distribute credentials through potentially insecure channels, such as email. Secrets Vaults provide admins and managers with full control of privileged credentials, allowing organizations to grant, revoke, and track access to sensitive company assets, such as databases, in real-time.
A cloud-based virtual desktop solution such as Tehama comes with built-in PAM tools, allowing organizations to identify and eliminate unprotected privileged accounts while tracking user access for unparalleled situational awareness. After all, the average cost of a data breach in 2019 was around $4 million. That means all organizations must have a proactive PAM strategy in place – or risk the consequences.