It’s summer time, which means privileged users are away on vacations and contractors or co-workers are taking up the slack. Managing the temporary access that this requires is not something you want to leave to chance.
Abuse of privileged access can be costly. On June 17th, Tesla reported a malicious insider attack on the Tesla Manufacturing Operating System that resulted in the loss of several gigabytes of data and a stock decline of six percent. That same week, we learned that a CIA employee was charged with providing hacking tools to WikiLeaks, stolen as part of the Vault 7 leak.
Privileged Access Management (PAM) isn’t enough
According to Gartner, “PAM technologies help organizations to provide secured privileged access to critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access.”
In practice, PAM reduces the risk of privileged user abuse by limiting what privileged users (such as system administrators) can do on specified systems, during specified times or with specified commands. It can monitor and record their activity, which deters misuse by collecting evidence usable for prosecution, and it can provide more detailed compliance reporting than system logs alone.
These capabilities are entirely necessary to protect against sensitive data loss from those who have the “keys to the kingdom.” But it isn’t enough.
The limitations of PAM
PAM is effective for those who work within it. But if an administrator acquires root access and works around the technology, then it isn’t much use. There are also scenarios where privileged users are given temporary access, such as covering for another privileged user on vacation, or contractors who only need access during a certain period, and that access isn’t revoked at the end of the temporary period.
Add to those scenarios the regular employee turnover, which typically doesn’t have a 100% accurate access deprovisioning process, and there can be an excess of privileged user accounts that could be abused by malicious insiders or outsiders who obtain their credentials. Access that doesn’t conform to the least privilege principle carries added risk.
Identity governance is a necessary companion to PAM
Identity governance technologies discover access entitlements and, on a regular cadence such as every six months, manage a certification process whereby a manager or other authority must certify that the specified user holds the correct entitlements. More sophisticated identity governance tools prioritize certifications for users who hold privileged access and have unusual or elevated rights compared to their peers, even triggering ad-hoc certifications out of band when the risk level is significant enough.
Integration with PAM can provide identity governance a means of calculating this risk score. Additional risk scoring for privileged users should include usage of access that exhibits unusual patterns, such as during non-working hours or from an unusual location. Double-checking with managers or employees on the activity can identify malicious use, especially advanced persistent threats that often use stolen administrator credentials as an attack vector. The faster this is found, the more limited the damage that can be done.
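As an added illustration of the risk scoring described above (example code, not from the original post or any product), the following combines entitlement data with PAM session records to score users on privileged rights, rights elevated above their department peers, and usage at unusual hours or from an unusual location. All users, roles, log entries, working hours, home country and weights are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample entitlements; "dave" is a contractor whose root access was never revoked.
ENTITLEMENTS = {
    "alice": {"dept": "ops", "roles": {"root@db01", "vpn", "email"}},
    "bob":   {"dept": "ops", "roles": {"vpn", "email"}},
    "carol": {"dept": "ops", "roles": {"vpn", "email"}},
    "dave":  {"dept": "ops", "roles": {"root@db01", "root@web01", "vpn", "email"}},
}
PRIVILEGED_ROLES = {"root@db01", "root@web01"}
# Constructed PAM session records: (timestamp, user, role used, country of origin).
ACCESS_LOG = [
    ("2018-06-18T10:15:00", "alice", "root@db01", "DE"),
    ("2018-06-19T14:02:00", "alice", "root@db01", "DE"),
    ("2018-06-20T02:40:00", "dave", "root@db01", "DE"),
    ("2018-06-21T03:05:00", "dave", "root@web01", "RU"),
    ("2018-06-21T11:05:00", "bob", "vpn", "DE"),
]
WORK_HOURS = range(7, 20)  # assumed local working hours
HOME_COUNTRY = "DE"        # assumed usual location
W_PRIV, W_ELEVATED, W_OFF_HOURS, W_LOCATION = 3, 2, 2, 4  # assumed weights

def peer_baseline(entitlements):
    """Roles held by a majority of each department: the 'normal' set for peers."""
    by_dept = defaultdict(list)
    for rec in entitlements.values():
        by_dept[rec["dept"]].append(rec["roles"])
    baseline = {}
    for dept, role_sets in by_dept.items():
        counts = Counter(r for roles in role_sets for r in roles)
        baseline[dept] = {r for r, n in counts.items() if 2 * n > len(role_sets)}
    return baseline

def risk_scores(entitlements, access_log):
    """Score each user on privileged/elevated entitlements plus unusual usage patterns."""
    baseline = peer_baseline(entitlements)
    scores = {}
    for user, rec in entitlements.items():
        score = W_PRIV * len(rec["roles"] & PRIVILEGED_ROLES)          # privileged rights
        score += W_ELEVATED * len(rec["roles"] - baseline[rec["dept"]])  # elevated vs peers
        for ts, _who, _role, country in (e for e in access_log if e[1] == user):
            if datetime.fromisoformat(ts).hour not in WORK_HOURS:
                score += W_OFF_HOURS   # session outside working hours
            if country != HOME_COUNTRY:
                score += W_LOCATION    # session from an unusual location
        scores[user] = score
    return scores

def adhoc_certifications(scores, threshold=10):
    """Users whose risk is high enough to trigger an out-of-band certification."""
    return sorted(u for u, s in scores.items() if s >= threshold)
```

With this data only the contractor exceeds the threshold, which is the case a manager would be asked to re-certify immediately rather than at the next six-month cycle.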
Identity governance is an additional control that can find privileged users working outside of the PAM system, and help enforce the least privilege principle. If you want to reduce the risk that privileged users present, explore how your organization can make these technologies work more closely together.