By Mahesh Babu, Sr. Director and Head of Product Marketing at Remediant
When assessing an organization’s cybersecurity posture, privileged accounts are the most critical to safeguard because of their proverbial “keys to the kingdom.” Malicious digital insiders who are able to gain access to these privileged accounts are able to exploit them through lateral movement once inside the network. If attackers can get in through the interior of a network, the lateral movement can be crippling to a network’s defenses. Attackers can gain access to personal and sensitive data, putting millions of customers at risk, along with your brand’s reputation.
To solve this issue, privileged access management (PAM) vendors launched a variety of offerings to market about 20 years ago. Unfortunately, even with enterprises adopting PAM, we still hear of data breaches almost every day of the week. The value of PAM was never fully realized for five key reasons:
- Focused on authentication, not access: Legacy PAM solutions focused exclusively on authentication as the method for protecting privileged access. Over time, innovation in these legacy PAM solutions has involved longer passwords or more frequent credential rotation – but never quite addressed the real needs of practitioners who use these solutions every day. Outcome: High residual risk, high friction
- Undiscovered, always changing privileges: PAM solutions protect known privilege. They do not offer a way to discover and monitor privileged access across the enterprise. This results in an invisible sprawl of administrator privilege ready to be compromised and completely unknown to an organization. Outcome: Unknown attack surface
- Unnecessary standing access = Larger attack surface: Administrators have 24x7x365 access to company networks, so all it takes is one hack, one single credential stolen, and then the attacker has the “keys to the kingdom.” From there, an attacker can move laterally to steal IP and other sensitive data from HR, finance, R&D and other critical systems. Outcome: High residual risk
- High friction user experience for privileged users: Accounts managed through legacy PAM have to check out a generic or shared ID and get approval every time there is a need for privileged access. Outcome: This approach slows down their ability to respond quickly, thereby increasing Mean Time To Respond
- Consistently incomplete deployments: An agent-based approach that requires touching each endpoint in a network does not scale. This, coupled with high administrator friction results in incomplete PAM deployments. The problem is further exacerbated as workloads are dynamically provisioned and are ephemeral.
This is why, according to Forrester Research, up to 80 percent of breaches involve compromised credentials.
The Verizon Data Breach Investigations Report (DBIR) found that out of all attacks – 29% of total breaches involved the use of stolen credentials – second only to phishing. Current approaches to password security and PAM are obviously not enough. Simply put, PAM needs to evolve and the answer is Just-in-Time Administration (JITA).
For the past two years, Gartner has ranked PAM as the number one security project and that’s not surprising since most data breaches today are due to compromised, weak and reused passwords. Gartner also issued a September 2019 report, “Remove Standing Privileges Through a Just-In-Time PAM Approach,” that states, “To properly mitigate the risk of standing privileged access, security and risk management (SRM) leaders responsible for IAM should closely follow the vision of the principle of least privilege and drastically reduce, with a goal toward eliminating, standing (i.e., “always-on”) privileged access by using just-in-time (JIT) approaches. This will ensure that privileges are only granted when a valid reason for them exists, with zero standing privileges (ZSP) as the goal.”
When user and machine accounts have standing or persistent privileged access, it creates the opportunity for threat actors to move laterally inside a network, even with a password vaulting solution in place. Zero Standing Privileges (ZSP) render privileged accounts useless to unauthorized users, even if they possess the credentials. ZSP leverages a Just-in-Time Administration (JITA) approach to reduce the attack surface and stop privileged account abuse.
PAM security firm Remediant pioneered the JITA approach years ago to effectively secure enterprises against administrator credential theft attacks that have caused some of the most devastating breaches to date. Remediant offers a patent-pending, JITA approach to solving credential theft attacks through the removal of standing privileges, which fundamentally reduces the attack surface for enterprises. As a result, Gartner also named Remediant a Cool Vendor in Identity and Access Management last year.
The Benefits of JITA Explained
JITA allows system administrators to grant users privileges to resources for a limited period of time, in order for them to log in and address an issue, and then rescind that permission. Making admin access more dynamic — granting it only when and where it’s needed — prevents persistent access that can open the door for data breaches. To add another layer of protection, this Just-in-Time approach can and should ideally be paired with two-factor authentication. This strategic approach gives the administrator the credentials they need, at the moment they need them, and configures permissions to expire after a specified time period to enable optimal security.
Incumbent JITA Approaches Do Not Solve the Problem
Recently announced just-in-time access approaches by legacy PAM vendors do not solve the problem if access is granted universally. “Just-in-time access to everything” does not mitigate the risk of compromised admin credentials.
Introducing Zero Standing Privilege
Remediant’s SecureONE PAM takes a precision approach to JITA and administers access to the right system at the right time. We do this by establishing enterprise-wide Zero Standing Privilege as follows:
- Establishing continuous inventory and compliance: SecureONE constantly scans for privilege access across the ecosystem, acting as a single source of truth for reporting the distribution of privileged access (150,000 endpoints in sub 2-3 hours).
- Locking down lateral movement and ransomware spread: SecureONE removes standing privilege with a single action at a few milliseconds per endpoint.
- Reporting on the State of Privileged Access: SecureONE continuously reports on how privileged access risk has evolved over time across the enterprise.
- Enforcing Just-in-time administration with MFA without adding any friction to current admins or current processes.
With credential-based breaches at an all-time high, we need a shift in security strategy. Legacy PAM (both vault and JITA) leaves us exposed to the risk at unacceptable levels.
It is time we rethink data breach control through the lens of privileged access. With Remediant’s Zero Standing Privilege approach to PAM, companies can gain the upper hand in cybersecurity defense once again by changing their perspective from not just who should have access to what, but when and for how long they should have access. For more information on Remediant, please visit: https://www.remediant.com/
About the Author
Mahesh Babu leads Product Marketing for Remediant. He takes every opportunity to tell everyone how Remediant has fundamentally changed Privileged Access Management (PAM). Prior to Remediant, he spent time at Contrast Security as the GM for their RASP business growing it from launch to 50+ customers and most recently built out their Global Product Marketing team.
Mahesh has seen the industry evolve as a researcher, consultant, practitioner within a large bank. He began his career as a security researcher at the CERIAS center at Purdue University. He then went on to build and scale large IAM programs at HSBC (which included a painful PAM project). He also spent time at Symantec, Deloitte, Booz & Company. Mahesh has a BS in Computer Science and MS in Information Security from Purdue University and an MBA from Duke University.