Commissioned by WALLIX
1 Introduction
Digital transformation is no longer optional for businesses and organizations if they wish to stay competitive and deliver greater value to customers. But as they seek to embrace the advantages of Cloud, IoT, AI and Big Data across extended infrastructures, organizations need to be aware of the cyber security, compliance and identity risks that digital transformation also creates. While these risks are serious, they can be significantly reduced through intelligent, fit for purpose and structured deployment of security solutions. As agile access and identity requests are a prime characteristic of a successful digital environment it follows that one of the most important tools to manage this securely is Privileged Access Management (PAM).
At KuppingerCole we define PAM as a set of critical cybersecurity controls that address and mitigate the security risks associated with privileged access in an organization. There are primarily two types of privileged users:
- Privileged Business Users - those who have access to sensitive data and information assets such as HR records, payroll details, financial information or company’s intellectual property (IP).
- Privileged IT Users – those who have access to IT infrastructure supporting the business. Such access is generally granted to IT administrators or senior IT security administrators.
While these definitions remain at the heart of a PAM solution, the elastic nature of the digital organization has stretched the definition of who and what is a privileged user, and what their requirements and needs are. Until recently those with privileged access were relatively easy to manage as roles and access requests did not change significantly over time; they did not change rapidly.
As companies and organizations speed up operations and processes to become digital the number and types of users needing privileged access is changing, sometimes on a daily or even hourly basis. A PAM solution for the digital age needs to accommodate and process privileged access requests rapidly, securely and at a cost-effective price.
The elastic nature of the digital organization has stretched the definition of who and what is a privileged user in that organization, and what their requirements and needs are.
The ubiquity of data makes it essential that the right people get access to the right data as soon as possible. One result of the increase in data is to make much more of it classified as business critical and to which access must be controlled while, at the same time, the number of users needing access is also increasing.
1.1 The increased threat from cyber criminals
As digital has increased the threat landscape through greater levels of data available and the number of access points so have the number and type of threats levelled against companies and organizations. These include malware such as spyware, rootkits and ransomware, as well as insider threats whereby an employee may turn rogue to steal information or damage systems. In recent years ransomware has proved to be a popular choice of attack where computers and systems are hijacked and encrypted, with users locked out. They can only get access back after paying a fee, usually in cryptocurrency, to the criminals.
Often such attacks are facilitated by cyber criminals using stolen privileged credentials from unprotected accounts within the targeted organization. The attackers will use phishing attacks against individuals in an organization who they believe may have privileged access. A fake email will be sent to an employee carrying a payload that, when executed, looks for admin and other privileged credentials held on a PC or on the wider network. Once found these will be used to take control and either lock up the user’s PC, critical data on servers or other connected devices.
Traditionally, the best way to “defeat” such attacks was to ensure that a rigorous backup and recovery operation was available. But this is a reactive approach to data security and works best when organizations’ data posture is relatively static. In fast moving digital environments this works less well (although should not be abandoned, yesterday’s data is better than none). In any case data recovery is a long and expensive task resulting in production downtime and damage to the business.
Many of these attacks succeed because the organization has no protection applied to privileged accounts or access controls, and users are left to manage their own accounts with all the dangers that entails. Worse, user passwords for privileged accounts are sometimes stored in unprotected Excel files, easily discovered by attackers inside the organization.
Even if the attackers are not interested in instant financial gain, the same methods will be used to install spyware, exfiltrate intellectual property or to insert other forms of malware on web servers that steal customer information.
PAM is one of the solutions against these threats and should be given priority as organizations strive to meet the demands of digital transformation. Companies are under pressure to meet business priorities. But PAM is a solution that when chosen well can provide best level protection for privileged accounts at an affordable cost as well as being easy to install, use and manage. As more attackers seek to exploit unprotected privilege accounts, we would urge any organization to think seriously about adding a PAM solution to their existing cyber security controls.