Page 163 - Cyber Defense eMagazine September 2025
This shift parallels transformations we’ve already seen in other areas of cybersecurity:
• Cloud security has gone agentless, replacing intrusive deployments with lightweight, API-based visibility.
• Multi-Factor Authentication (MFA) no longer requires the code changes or proxies it once did. Today it is enforced by the identity provider or by an extension to the identity provider.
• Identity protection platforms now enforce policies in real time without injecting keys or passwords, reducing the attack surface.
• Network security moved away from physical firewalls and VPNs to Zero Trust Network Access (ZTNA), which grants access dynamically based on identity, context, and posture.
In each of these cases, the core idea was the same: move away from securing secrets or infrastructure, and instead focus on securing the access itself. PAM is now undergoing a similar evolution.
The Problem with Vault-Based PAM
Vaults were introduced as a way to protect the credentials used by privileged accounts—admin usernames and passwords for servers, databases, switches, and more. The premise was sound: don’t let users know or reuse powerful passwords. Instead, let them retrieve credentials from a secure vault when needed, and rotate those passwords after use.
But in practice, vault-based PAM creates several problems:
1. It secures the credential, not the access. Once a user retrieves the credential, the vault’s protections end. That password can be stolen from memory, logged by malware, misused by insiders, or intercepted in a man-in-the-middle attack. The access itself isn’t protected—just the storage of the password.
2. It’s operationally complex. Vault-based PAM introduces major friction into workflows. Changing how users log into systems—redirecting them through a proxy, forcing them to check out passwords, re-authenticate constantly—often requires training, workarounds, or exceptions. On the non-human identity (NHI) front, rotating service account credentials typically requires multiple approvals and careful work to avoid breaking changes. This change in behavior complicates adoption and makes PAM deployments time-consuming and expensive. Many organizations take years to roll out PAM at scale, especially in hybrid environments where legacy systems, service accounts, and third-party access all require separate configurations.
3. It’s not breach-proof. Vaults themselves are high-value targets. Attackers know that compromising a vault can yield credentials for the most sensitive systems in the organization. We’ve seen real-world breaches that prove this. In a high-profile 2022 breach, the attacker reportedly gained access to the company’s privileged access vault by harvesting credentials and tricking an employee into approving MFA requests. Once inside, the attacker had access to admin tools, infrastructure, and sensitive data. In other incidents, attackers have exploited vault misconfigurations, API tokens, or integration weaknesses to escalate their access. The idea that vaults are unbreachable is no longer tenable.
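The first problem above, that a vault secures the stored credential rather than the access, is easier to see in code. The following toy model is an added illustration and is not from the article or any PAM product: a Vault that hands out a reusable password, beside an AccessBroker that issues a short-lived grant bound to an identity and a target and re-checks those claims on every use. The HMAC-signed grant format, the identities and targets, and the assumption that the presenter's identity has already been established by an identity provider are all constructed for the example.

```python
"""Added example (not from the article): credential-centric vs. access-centric control.

Constructed toy model. The grant format below is an assumption for illustration,
not the protocol of any real product.
"""
import hashlib
import hmac
import json
import secrets
import time


class Vault:
    """Credential-centric model: stores a reusable admin password and hands it out."""

    def __init__(self) -> None:
        self._password = secrets.token_urlsafe(16)
        self.rotations = 0

    def checkout(self, user: str) -> str:
        # Once returned, the vault has no further control over the string.
        return self._password

    def rotate(self) -> None:
        self._password = secrets.token_urlsafe(16)
        self.rotations += 1

    def verify(self, password: str) -> bool:
        # The target system only sees a password; it cannot tell who presents it.
        return hmac.compare_digest(password, self._password)


class AccessBroker:
    """Access-centric model: grants are bound to an identity, a target and an expiry."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self._key = secrets.token_bytes(32)  # constructed signing key, held by the broker
        self.ttl = ttl_seconds

    def grant(self, identity: str, target: str, now: float) -> str:
        payload = {"sub": identity, "aud": target, "exp": now + self.ttl}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + sig

    def verify(self, token: str, presenter: str, target: str, now: float) -> bool:
        try:
            body_hex, sig = token.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return False
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(body)
        # The access decision is re-evaluated on every use: who, for what, and until when.
        return (claims["sub"] == presenter
                and claims["aud"] == target
                and now < claims["exp"])


def vault_scenario() -> dict:
    """A checked-out password keeps working for anyone who holds it until rotation."""
    vault = Vault()
    pw = vault.checkout("alice")
    captured = pw  # stands in for the password being read from memory or logged
    results = {
        "legit_login": vault.verify(pw),
        "captured_before_rotation": vault.verify(captured),
    }
    vault.rotate()
    results["captured_after_rotation"] = vault.verify(captured)
    return results


def access_scenario() -> dict:
    """A captured grant is useless to another identity, for another target, or after expiry."""
    broker = AccessBroker(ttl_seconds=300)
    t0 = time.time()
    token = broker.grant("alice", "db-prod", now=t0)
    captured = token
    tampered = captured[:-1] + ("0" if captured[-1] != "0" else "1")
    return {
        "legit_use": broker.verify(token, presenter="alice", target="db-prod", now=t0 + 10),
        "captured_other_identity": broker.verify(captured, presenter="mallory", target="db-prod", now=t0 + 10),
        "captured_other_target": broker.verify(captured, presenter="alice", target="db-dev", now=t0 + 10),
        "captured_after_expiry": broker.verify(captured, presenter="alice", target="db-prod", now=t0 + 600),
        "tampered": broker.verify(tampered, presenter="alice", target="db-prod", now=t0 + 10),
    }


if __name__ == "__main__":
    print(vault_scenario())
    print(access_scenario())
```

The contrast is the whole point: in the vault model the only defence after check-out is rotation, and the window between check-out and rotation belongs to whoever holds the string; in the access model the grant carries the who, what and when, and the target re-evaluates all three on every request, so a leaked grant has a narrow and self-expiring blast radius.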
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.