Page 164 - Cyber Defense eMagazine September 2025

4. It creates a false sense of security. Security teams often assume that rotating credentials and limiting access to the vault is enough. But if the password is still being handed to the user—even for a short time—it can still be exfiltrated or abused. The security controls (like MFA, session recording, or approval workflows) are tied to the vault, not to the privileged access itself. Once the login is done, there is no additional enforcement point to apply security controls.



Vault-centric PAM worked well in the era of static infrastructure and long-lived accounts. But today’s IT environments are dynamic, distributed, and identity-driven. Simply protecting credentials in a vault is no longer enough.



            From privileged account management to privileged access security

The real opportunity—and what defines the vault-free future—is to shift from managing privileged accounts to securing privileged access.

In this model, organizations no longer rely on permanent accounts with vaulted passwords. Instead, privileges are granted dynamically, just-in-time, and removed as soon as they’re no longer needed. Access is brokered and monitored in real time based on user identity, context (device, location, time), and policy.

            This eliminates many of the risks associated with vault-based PAM:

• There is no standing credential to steal or reuse.
• The change to user behavior is minimal - no login disruption, and no password checkout process.
• All access is tightly monitored and tied to a verified identity.
• Even if the attacker gains hold of the password, the access is still secured and the attack can be stopped there.

This model also extends seamlessly to non-human identities (NHIs)—like service accounts, scripts, AI agents and automation tools—which now make up the majority of privileged access in most organizations. Rather than managing thousands of long-lived credentials for these entities, organizations can enforce policies that allow specific systems to initiate privileged access under strict controls, without static secrets. As NHIs become more manageable through identity providers, cloud-native tools, and runtime enforcement, the vault-free approach becomes both more feasible and more secure.
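To make the model concrete, the following is an added example (not code from the article or from any PAM vendor) of a minimal just-in-time privileged-access broker. It covers the points made in the preceding paragraphs: there is no standing credential, elevation is granted only after identity, context (device, location, time) and policy checks, the grant expires on its own, and every privileged action passes through an enforcement point rather than only the initial login. It also shows how a non-human identity fits the same policy without a static secret. All identities, roles, policy values and requests are constructed for illustration.

```python
"""Added example: a minimal just-in-time (JIT) privileged-access broker.
All names, policy values and requests below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass(frozen=True)
class AccessRequest:
    identity: str            # verified subject from the identity provider (human or NHI)
    role: str                # privilege being requested, e.g. "db-admin"
    mfa_verified: bool
    device_compliant: bool
    source_country: str
    requested_at: datetime   # timezone-aware UTC


@dataclass(frozen=True)
class Grant:
    grant_id: str            # opaque handle, not a password or long-lived secret
    identity: str
    role: str
    expires_at: datetime


# Constructed policy: who may hold which privilege, under what context, for how long.
# A service account (NHI) cannot perform MFA, so its role is bound to one allow-listed
# identity and a short TTL instead of a standing credential.
POLICY = {
    "db-admin": {"allowed_identities": {"alice@example.com"}, "require_mfa": True,
                 "require_compliant_device": True, "allowed_countries": {"DE", "US"},
                 "allowed_hours_utc": (6, 22), "ttl": timedelta(minutes=10)},
    "backup-operator": {"allowed_identities": {"svc-backup"}, "require_mfa": False,
                        "require_compliant_device": False, "allowed_countries": {"DE"},
                        "allowed_hours_utc": (0, 24), "ttl": timedelta(minutes=5)},
}


class JitBroker:
    def __init__(self, policy, max_ttl=timedelta(minutes=15)):
        self.policy = policy
        self.max_ttl = max_ttl   # hard cap regardless of per-role TTL
        self.grants = {}         # active grants; none outlives its TTL
        self.audit = []          # every decision tied to a verified identity

    def evaluate(self, req):
        """Return (allowed, reason) for a request checked against identity, context and policy."""
        rule = self.policy.get(req.role)
        if rule is None:
            return False, "unknown role"
        if req.identity not in rule["allowed_identities"]:
            return False, "identity not authorized for role"
        if rule["require_mfa"] and not req.mfa_verified:
            return False, "mfa required"
        if rule["require_compliant_device"] and not req.device_compliant:
            return False, "device not compliant"
        if req.source_country not in rule["allowed_countries"]:
            return False, "location not allowed"
        start, end = rule["allowed_hours_utc"]
        if not start <= req.requested_at.hour < end:
            return False, "outside allowed hours"
        return True, "ok"

    def request_access(self, req):
        """Broker a request: on success issue a short-lived grant instead of a credential."""
        allowed, reason = self.evaluate(req)
        self.audit.append((req.requested_at.isoformat(), req.identity, req.role,
                           "granted" if allowed else f"denied: {reason}"))
        if not allowed:
            return None
        ttl = min(self.policy[req.role]["ttl"], self.max_ttl)
        grant = Grant(secrets.token_urlsafe(16), req.identity, req.role, req.requested_at + ttl)
        self.grants[grant.grant_id] = grant
        return grant

    def authorize_action(self, grant_id, identity, role, now):
        """Enforcement point for each privileged action, not just the login. A grant presented
        by another identity or for another role is rejected; an expired grant is rejected and
        removed, so the privilege disappears without a separate revocation step."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.identity != identity or grant.role != role:
            return False
        if now >= grant.expires_at:
            del self.grants[grant_id]
            return False
        return True


def demo():
    """Run the lifecycle with constructed requests and return the outcomes."""
    broker = JitBroker(POLICY)
    t0 = datetime(2025, 9, 1, 10, 0, tzinfo=timezone.utc)
    grant = broker.request_access(AccessRequest("alice@example.com", "db-admin", True, True, "DE", t0))
    return {
        "human_granted": grant is not None,
        "action_in_window": broker.authorize_action(grant.grant_id, "alice@example.com", "db-admin", t0 + timedelta(minutes=5)),
        # Replaying a valid grant handle as another identity fails: access is bound to identity.
        "replay_other_identity": broker.authorize_action(grant.grant_id, "mallory@example.com", "db-admin", t0 + timedelta(minutes=6)),
        # After the TTL the same handle is useless and the grant is gone.
        "action_after_expiry": broker.authorize_action(grant.grant_id, "alice@example.com", "db-admin", t0 + timedelta(minutes=11)),
        "no_mfa_denied": broker.request_access(AccessRequest("alice@example.com", "db-admin", False, True, "DE", t0)) is None,
        "off_hours_denied": broker.request_access(AccessRequest("alice@example.com", "db-admin", True, True, "DE", t0.replace(hour=23))) is None,
        # NHI path: no MFA, but the role is pinned to the identity and a 5-minute TTL.
        "nhi_granted": broker.request_access(AccessRequest("svc-backup", "backup-operator", False, False, "DE", t0)) is not None,
        "nhi_wrong_role_denied": broker.request_access(AccessRequest("svc-backup", "db-admin", False, False, "DE", t0)) is None,
        "standing_grants": len(broker.grants),
    }
```

The point of the `authorize_action` check is the enforcement gap described in item 4 above: with a vault, controls end at the login, whereas here every privileged action is re-checked against a grant that is bound to a verified identity and a TTL, so a leaked grant handle is worthless to anyone else and worthless to its owner once the window closes.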



            Identity-Centric Access: A More Secure Approach

This shift toward privileged access security is made possible by technological advances in identity security. Organizations can now apply strong security controls at the identity layer—enforcing MFA, risk-based policies, session monitoring, and just-in-time elevation—without injecting credentials or modifying infrastructure.






            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.