Employ PAM to champion zero-trust security

Why zero trust should guide your security strategy

Zero trust isn’t a product; it’s a set of principles to guide your approach to enterprise security.

Privileged access management (PAM): A foundation for zero trust

PAM has become a business imperative for managing a cybersecurity policy built on zero trust.

The importance of PAM in hybrid cloud environments

As cloud environments become more complex, organizations need a modern access management paradigm.

Essential PAM services to support zero trust

Businesses need a comprehensive set of PAM services to enforce the principle of least privilege.

Achieve zero trust with a robust security ecosystem

The best PAM solution integrates with a broad ecosystem of security tools.

Conclusion: Apply the principle of least privilege

Grant access to enterprise assets to only the right users in the right context.

01

Why zero trust should guide your security strategy

Businesses are facing new security threats, and privileged credentials are an often-overlooked source of breaches. Employing a zero-trust security strategy has become a business imperative.

Organizations today face a growing number of security threats. Ransomware attacks are on the rise and make more frequent appearances in the headlines. Cybercrime is continuously evolving as criminals invent new ways to threaten business security.

While outsider attacks make the news, insider threats are often overlooked. Insider security breaches are the threats that come from employees with privileged access, and such breaches can be accidental or malicious.

80% of all security incidents involve compromised privileged credentials.1

The growth and danger of privileged accounts

Privileged accounts are expanding in complexity and scope. Such accounts include human and nonhuman users with special access to an organization’s most critical assets: your network, systems and data.

Privileged human users include infrastructure and application administrators, developers, cloud administrators, third parties or contractors. Privileged nonhuman users include service and application accounts, hardcoded credentials, dormant accounts, Internet of Things (IoT) devices and robotic process automation (RPA) bots.

According to a study by the cybersecurity company Venafi, machine-identity-related cyberattacks grew by more than 400% between 2018 and 2019.2 In hybrid cloud environments—which are fast becoming the norm—the definition of a privileged account has widened further to include containers, servers and applications that have privileged access. And a growing number of organizations now have a hybrid workforce, with users, data and resources dispersed across the world, opening the enterprise to further vulnerabilities. All these factors broaden the potential attack surface for bad actors looking for an entry point.

40% of insider-proved incidents involve an employee with privileged access to sensitive company assets.3

Insider-caused security incidents can be unintentional, but those caused by malicious insiders involve a higher degree of privileged access and carry an even heavier price tag.

Addressing insider security threats is essential given the enormous possible consequences of a breach for businesses—from lost revenue to lost productivity to lost trust and reputation.

The global average total cost of a data breach in 2020 was USD 3.86 million.4

This proliferation of human and nonhuman accounts with privileged access to sensitive company information has undeniably increased risk for the enterprise. Threat actors actively target privileged accounts as an entry point into IT environments, from which they can compromise systems and steal sensitive company and customer data. Stolen or compromised privileged credentials can lead to highly damaging and costly data breaches.

Zero trust: Creating context-based security

To prepare for and mitigate security threats stemming from compromised privileged credentials, organizations need a modern approach to security. The concept of zero trust can help them execute context-based security across the enterprise.

Zero trust isn’t a product; it’s a set of principles to guide an organization’s security strategy. Its foundation is: never trust, always verify and enforce the principle of least privilege. A zero-trust approach entails wrapping security around every user, every device and every connection, every time. When a breach does occur, following zero-trust principles can help you get to the root of the problem faster.

Zero trust asks:

  • Should a person have access?
  • How long should that access last?

Today, zero trust has become a business imperative. Organizations are no longer asking, “What is zero trust?” or “Why should I adopt zero trust?” Instead, the question is, “How do I do it?”

80% of enterprises have plans to begin or advance their zero-trust adoption within the next 24 months.5

5 requirements for a zero-trust security strategy

  • Implement the principle of least privilege.
  • Protect high-power privileged accounts.
  • Strengthen endpoint security.
  • Monitor privileged account activities.
  • Apply multifactor authentication for business-critical assets.

3 2021 IBM Security X-Force Insider Threat Report, IBM Security X-Force Threat Intelligence, May 2021.
4 Cost of a Data Breach Report 2020, IBM Security, July 2020.
5 “Voice of the Enterprise, Information Security,” 451 Research, 2020.

02

Privileged access management (PAM): A foundation for zero trust

Privileged access management is critical for any organization that wants to build zero-trust security. Just-in-time PAM helps you give the right access to the right users at the right time.

For any organization looking to implement a zero-trust security strategy, privileged access management (PAM) should serve as a foundation—a business imperative that helps ensure the effective implementation of cybersecurity policies.

A zero-trust approach involves implementing a least-privilege security solution on employee workstations and personal devices—often the most vulnerable points in an organization’s IT system given that cyber criminals often target privileged users.

A privileged user can be any account—human or nonhuman—that has access to sensitive company data. For example, employees who work in HR, senior executives and people in finance or legal roles often have privileged access. Likewise, administrative users, such as server and IT administrators and help desk employees, can have privileged access.

PAM is about monitoring and protecting these privileged accounts by implementing the principle of least-privilege security. Often, organizations fail to practice good hygiene around privileged credentials. In fact, many companies are still using spreadsheets or paper-based tracking to manage privileged accounts.

The importance of PAM in the enterprise

The first step on the journey to zero trust is the implementation of a PAM program. PAM empowers businesses to grant access to the right enterprise assets to the right privileged users in the right context.

By 2022, 70% of organizations will implement PAM practices for all use cases in the enterprise.1

Gartner has identified PAM as a crucial element of security programs for the last several years, and especially now given the impacts of the COVID-19 pandemic. Identity and access management (IAM) leaders “must improve governance and strengthen privileged access management to prevent breaches, establish more robust and agile authentication and authorization, and enhance consumer IAM to prevent fraud and protect privacy.”2

Just-in-time PAM

Just-in-time (JIT) PAM is a way of enforcing true least privilege in the enterprise. JIT PAM gives users access just in time, that is, only when they need it, instead of allowing standing access. The goal is to allow zero standing privileges for your organizational account access.

In its 2020 Magic Quadrant for PAM, Gartner indicates that by 2024, 50% of organizations will have implemented a JIT PAM model that eliminates standing privileges.3

JIT PAM limits the time users can spend in privileged systems or resources, and it limits the locations from which those systems and resources can be accessed.
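
The time and location limits described above can be sketched as a small grant broker. This is an added illustration, not IBM's code or any product's API; the names `JitBroker`, `Grant` and `MAX_TTL`, the 4-hour ceiling, and the sample users, resources and addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MAX_TTL = timedelta(hours=4)  # assumed policy ceiling for a single grant


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: datetime
    networks: tuple  # networks the privileged session may originate from


@dataclass
class JitBroker:
    eligibility: dict                           # who MAY request what, not who HAS access
    grants: list = field(default_factory=list)  # empty at start: zero standing privileges
    audit: list = field(default_factory=list)   # decision trail, e.g. for SIEM forwarding

    def _log(self, now, user, resource, outcome):
        self.audit.append((now.isoformat(), user, resource, outcome))

    def request(self, user, resource, ttl, networks, now):
        """Issue a time-boxed, location-bound grant if the user is eligible."""
        if resource not in self.eligibility.get(user, set()):
            self._log(now, user, resource, "request-denied:not-eligible")
            return None
        if ttl <= timedelta(0) or not networks:
            self._log(now, user, resource, "request-denied:unbounded")
            return None
        expires = now + min(ttl, MAX_TTL)  # never longer than the policy ceiling
        grant = Grant(user, resource, expires, tuple(ip_network(n) for n in networks))
        self.grants.append(grant)
        self._log(now, user, resource, "granted-until:" + expires.isoformat())
        return grant

    def check(self, user, resource, source_ip, now):
        """Decide one access attempt against the currently active grants."""
        self.grants = [g for g in self.grants if g.expires_at > now]  # expiry = revocation
        active = [g for g in self.grants if (g.user, g.resource) == (user, resource)]
        if not active:
            outcome = "deny:no-active-grant"
        elif any(ip_address(source_ip) in net for g in active for net in g.networks):
            outcome = "allow"
        else:
            outcome = "deny:location"
        self._log(now, user, resource, outcome)
        return outcome


def demo():
    """Run constructed requests through the broker and return the outcomes."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(eligibility={"dba-alice": {"prod-db"}})
    results = {}
    # Before any request there is no grant, even for an eligible admin.
    results["standing"] = broker.check("dba-alice", "prod-db", "10.20.0.7", t0)
    # Asks for 8 hours; the broker caps the grant at MAX_TTL (4 hours).
    grant = broker.request("dba-alice", "prod-db", timedelta(hours=8), ["10.20.0.0/24"], t0)
    results["expires"] = grant.expires_at
    results["in_window"] = broker.check("dba-alice", "prod-db", "10.20.0.7", t0 + timedelta(minutes=5))
    results["off_network"] = broker.check("dba-alice", "prod-db", "203.0.113.9", t0 + timedelta(minutes=10))
    results["after_expiry"] = broker.check("dba-alice", "prod-db", "10.20.0.7", t0 + timedelta(hours=4))
    results["ineligible"] = broker.request("dev-bob", "prod-db", timedelta(hours=1), ["10.20.0.0/24"], t0)
    results["audit_len"] = len(broker.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Every decision, including denials, lands in the audit list, which is the record a monitoring pipeline would consume to spot requests outside a user's normal pattern.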

Benefits of implementing PAM tools

Whether your organization adopts some PAM principles, a comprehensive PAM program, or JIT PAM, there are many benefits:

  • PAM reduces the likelihood of privileged credentials being compromised and misused in both external breaches and insider attacks.
  • PAM reduces the impact of an attack when it occurs by radically shortening the time during which the organization is unaware that it’s under attack or being subverted.
  • PAM can address cloud security, anomaly detection, the software development lifecycle, regulatory compliance and operational efficiency.
  • In the 2021 IBM Security X-Force Insider Threat Report, the Ponemon Institute reveals that tools like PAM and programs like threat intelligence sharing have been estimated to save organizations an average of USD 3 million in terms of reducing or eliminating insider risks.4

3 “Magic Quadrant for Privileged Access Management,” Gartner, 04 August 2020.
4 2021 IBM Security X-Force Insider Threat Report, IBM Security X-Force Threat Intelligence, May 2021.

03

The importance of PAM in hybrid cloud environments

Hybrid cloud environments have added complexity to the management of privileged access in the enterprise. Enter the paradigm of the Identity Fabric—a modern approach to identity and access management.

As organizations migrate workloads to the cloud, it’s crucial to protect both on-premises and cloud assets. PAM tools and services can help you address privileged access use cases across hybrid multicloud environments.

The complexity of managing access in cloud environments

As companies expand their adoption of public cloud services, many are facing a labyrinth of complexity to properly manage and secure user access to the organization’s network, systems and applications. It can seem almost impossible to navigate—especially if you want to apply the principles of zero-trust security holistically across your environment.

A hybrid multicloud environment can include public clouds, private clouds, traditional on-premises data centers and edge computing. Multi refers to the presence of more than one cloud service from more than one cloud vendor, where each vendor may introduce more privileged identities that need to be clearly understood and managed.

Research from the IBM Institute for Business Value found that by 2023, organizations expect to be using at least 10 clouds. 1

Authorized and unauthorized remote devices, as well as internal devices, might all be accessing the network—especially given the realities of the hybrid workforce today. The wide range of data types, code, clouds and devices in a hybrid multicloud architecture can introduce more vulnerabilities in your environment. Keeping track of all the different role-based permissions, policy changes and identity lifecycle guidelines is error prone and time-consuming.

In a hybrid cloud environment, developers and cloud operations teams need help to define a pathway to a zero-trust environment.

Access in the era of growing ransomware attacks

Protecting privileged credentials is critical for every business as ransomware attacks continue to increase and become more sophisticated. The SolarWinds hack and other recent high-profile cyberattacks highlight the importance of putting zero trust into action.

Ransomware attacks surged by 150% in 2020. 2

If your organization operates in a hybrid cloud environment, creating an enterprise access blueprint can help you better manage access approvals. PAM solutions are designed to help you connect users to the right level of access at the right time. Traditional enterprise IAM tools don’t always integrate well with cloud solutions, so it’s not a matter of simply plugging in your cloud to existing tools.

Mitigate risk in your cloud environment

While cloud environments have made privileged access management more complicated, they’ve also made it more critical than ever. IT leaders need a blueprint that clearly defines permissions rules as part of a modern zero-trust approach to enterprise security. They need an approach that’s comprehensive and doesn’t rely on a single technology, tool or service.

Leading analyst firm KuppingerCole refers to a paradigm called an Identity Fabric that’s the key to digital transformation and the future of identity access. Identity Fabrics help support various types of identities, for example, employees, partners and consumers, in an organization. They don’t rely on a single tool or service but rather create a strong core platform for delivering a solution that complements a hybrid environment.

1 The hybrid cloud platform advantage, IBM Institute for Business Value, 2020.
2 Ransomware Uncovered 2020/2021, Group-IB, March 2021.

04

Essential PAM services to support zero trust

Having a PAM tool is one thing, but to effectively employ the principle of least privilege, you need a comprehensive set of PAM services that help you plan and maintain your zero-trust security strategy.

Employing the principle of least privilege

One of the best methods for preventing access-level-related insider incidents is to adhere to the principle of least privilege. This principle helps ensure that users have the lowest level of access needed to carry out their duties for the organization.

The best way to enforce the least-privilege principle is to implement a PAM solution built around a zero-trust model. The goal is for everyone with a user account to be granted the least amount of privilege possible, helping to reduce the risk of an insider gaining access to company data or other critical assets. The concept of least privilege becomes even more critical in the cloud where more data resides for both human and nonhuman requestors.

So how do you know if your PAM tool includes all the essential attributes of a comprehensive PAM program?

– Strategic planning
– Rapid deployment
– Implementation services
– Continuous asset onboarding

Privileged access management is about giving the right access to the right users at the right time. Most PAM programs focus on the technology implementation and don’t prioritize determining who should have access to what or fully integrate into other systems and applications in your security portfolio. As a result, many PAM programs fail to effectively reduce the attack surface and adhere to a zero-trust strategy.

A fully managed, end-to-end PAM solution can help you secure the privileged user lifecycle, narrow the attack surface associated with your organization’s credentials and demonstrate compliance.

Be proactive with PAM: Essential PAM services

If you want to implement a zero-trust security strategy in your business, you need a PAM solution to manage privileged credentials. However, deploying PAM software on its own might not be sufficient, especially if it doesn’t come with a comprehensive set of essential PAM services.

Here are 4 questions to ask when evaluating your PAM services strategy:

1. Does it help you form a PAM adoption strategy?
The ideal PAM program starts with an adoption strategy. It’s a good idea to work with IAM experts—whether in house or from a third-party service provider—who can help you develop a PAM plan that aligns with your business goals and security posture.

The following are 5 things to consider in your PAM adoption plan:
– Look at your business and operational goals.
– Consider compliance and regulatory requirements.
– Identify your target PAM state.
– Decide what features and functionality you need.
– Map a path to get there.
2. Can it accelerate PAM deployment?
The second consideration is about speed of deployment. Does the PAM solution help you implement your new access management protocols quickly, with prebuilt use cases and assets for your industry?

Some of the possible PAM use cases that are defined by the identity security company SailPoint include: automating the user lifecycle, monitoring privileged accounts, implementing the principle of least privilege, and providing secure remote access or third-party access.1 The needs of your business will determine what use cases are most relevant, and your PAM tool should help you deploy PAM quickly in the areas where you need it most.
3. Does it include implementation services?
Some organizations find it advantageous to work with a managed services provider to launch or maintain their PAM solution. Third-party implementation services can help you quickly deploy software and adapt it to your unique use cases. Expert deployments not only reduce risks but allow your IT and security teams to focus on other priority projects.

Some providers offer privileged access management as a service (PAMaaS). If your company lacks the staffing or expertise to focus on IAM, working with a third-party service provider that offers setup, maintenance and administration of the PAM software can be an easy answer to addressing your PAM needs.
4. Will it expedite onboarding of new users and target systems?
You want a PAM solution that makes it easy for you to onboard new users and accounts, and to integrate new systems and applications as quickly as possible. The ideal PAM tool can expand target system integrations with prioritized, continuous asset onboarding. To be able to quickly and effectively onboard new assets continuously, your PAM solution needs to integrate well with other parts of your security ecosystem.

If you purchased PAM software but lack some of these other critical PAM services, a third-party PAM service provider can help you get the most from your investment.

1 Privileged Access Management Use Cases, SailPoint, 19 January 2021.

05

Achieve zero trust with a robust security ecosystem

While having a PAM tool is a crucial element of your zero-trust security strategy, it’s not enough. PAM needs to be integrated into a broader security ecosystem to provide comprehensive protection.

Businesses today need a modern, open, unified approach to security, with PAM as an essential component of a broader security strategy. The challenges organizations are facing are real: cyber threats are becoming more advanced; security skills are in short supply; and cloud, mobile and IoT technologies have expanded the potential attack surface for cyber criminals to access.

If your organization is looking for a comprehensive PAM solution to support your zero-trust security strategy, IBM can help. IBM offers a holistic approach to managing privileged accounts that’s situated in the broader IBM Security™ ecosystem.

A PAM tool alone isn’t enough to meet the requirements for zero trust. For holistic protection against privileged account misuse, you need an integrated solution that combines a robust PAM tool with a suite of other security tools to help your organization defend against growing threats. Working with an integrated security ecosystem will help you respond more quickly and effectively to security incidents when they arise.

Privileged access management from IBM

IBM Security Verify Privilege is a suite of PAM offerings that can help organizations:

  • Discover, manage, protect and audit privileged accounts.
  • Enforce least-privilege security and control application rights on endpoints.
  • Centrally manage passwords used to access applications and services.

IBM Security Verify Privilege integrates with IBM security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools, hybrid cloud and Red Hat® solutions, data protection solutions and identity governance solutions. By adopting a PAM solution that’s part of a broader security ecosystem, you can safeguard privileged access across your IT environment.

The IBM Security ecosystem

SIEM and SOAR tools
Integrating PAM with SIEM and SOAR tools can help you monitor privileged users’ activities and make sure all data is aggregated from a threat detection perspective.

IBM Security Verify Privilege integrates with IBM SIEM and SOAR tools, such as IBM Cloud Pak® for Security, the IBM Security QRadar® solution and IBM Security SOAR, to help you manage real-time security events within privileged accounts and build customized risk analysis and automated response into your PAM policies.

How does it work?

When IBM Security QRadar user behavior analytics (UBA) flags unusual or risky behavior by a user in IBM Security Verify Privilege Vault, a security administrator is notified and can then automate incident response with IBM Security SOAR.
Hybrid cloud and Red Hat
Because cloud environments can create new challenges for managing privileged access, it’s important that your PAM tool integrates with your hybrid cloud architecture. IBM Security Verify Privilege Vault integrates with IBM and Red Hat hybrid cloud solutions to provide a privileged account security solution for UNIX and Linux® systems, cloud infrastructures, administrators and developers.

How does it work?

The integration of IBM cloud and Red Hat solutions with IBM Security Verify Privilege enables users to access authorized accounts on UNIX and Linux systems in a security-rich environment while working natively within their preferred remote access tools. It also enables users to access authorized accounts on secured cloud infrastructures, such as Amazon Web Services (AWS), Google Cloud and Microsoft Azure, while working natively within their preferred remote access tools. With this integration, you can protect high-power privileged accounts with a centralized vault, enforcing least-privilege principles on administrator endpoints. Finally, it helps you manage credentials for applications, databases, continuous integration/continuous delivery (CI/CD) tools and services without causing friction in the development process.
Data protection
You need comprehensive data protection for all your data, in the cloud and on premises. IBM Security Verify Privilege integrates with IBM Security Guardium® solutions to help address security and compliance in modern data environments. IBM PAM solutions and Guardium solutions can help you manage privileged accounts, track privileged access usage and enrich audits with identity context.

How does it work?

Guardium solutions provide fine-grained visibility into database access, answering the who, what, when and how of data access for compliance and data security purposes. PAM tools control access, but they don’t detect the behavior of authorized users. In contrast, Guardium solutions can detect insider threats, allowing you to respond quickly.
Identity governance and adaptive access
Single sign-on (SSO), multifactor authentication (MFA) and adaptive access are authentication methods that can help you centrally govern privileged identities, supporting a zero-trust strategy. IBM Security Verify Privilege integrates with IBM SSO, MFA and adaptive access tools.

How does it work?

Privileged accounts in IBM Security Verify Privilege Vault are discovered by IBM Security Verify Governance. Access is continually certified, and risk is assessed through separation-of-duty (SoD) controls and business policy enforcement. IBM Security Verify Privilege Vault contains highly sensitive information. The privileged user authenticates using MFA and is continually authenticated using transparent risk assessment. PAM solutions help ensure that you give the right access to the right users at the right time. Choosing a PAM tool that’s part of a robust security ecosystem will help your organization adopt a zero-trust approach to enterprise security.

06

Conclusion: Apply the principle of least privilege

A PAM solution that delivers comprehensive PAM services and integrates with the rest of your security environment bolsters your zero-trust security strategy.

As businesses face a growing number of security threats from both outside and inside the organization, a zero-trust security strategy has become an imperative. Zero trust is about giving users only the access they need, only when they need it. As privileged accounts for both human and nonhuman users increase, and hybrid cloud environments add complexity to access management, organizations have more vulnerabilities to cyberattacks. PAM solutions, which enforce the principle of least privilege, are thus a critical part of any zero-trust strategy.

As businesses move forward on their PAM journey, they’ll need a comprehensive set of PAM services that enforce the principle of least privilege. These services include PAM adoption strategy planning, PAM implementation and acceleration services, and services to expedite the onboarding of new users and target systems. When you choose a PAM solution, make sure it comes with the services that will help you get the most from that investment. Likewise, a PAM tool’s value is directly related to how well it communicates with your other security solutions. If your PAM solution doesn’t integrate with your SIEM and SOAR tools, your hybrid cloud solutions, your data protection software and your identity governance solutions, it won’t be as effective as it could be. Organizations will benefit from working with a vendor like IBM that offers a comprehensive suite of integrated security solutions.