Trending Oversight Topics
Governance Surveys
Center for Inclusive Governance
Privileged Access Management: A Vital Strategy in Combatting Escalating Identity-Centric Threats
04/09/2024
The concept of identity security is relatively simple: end users must be granted access to corporate systems and applications to do their jobs, and customers, partners, and third parties need access to web-facing applications to interact with an organization. The role of identity and access management (IAM) is to authenticate users, manage access and interactions, and prevent cybersecurity incidents through the abuse of credentials.
While the objective seems straightforward, building and executing on a roadmap to identity-centric cybersecurity is much more complex. There are a few reasons for this, including the never-ending struggle to balance business needs with risk mitigation, bloated security infrastructures composed of myriad identity point solutions, a lack of resources and skill sets available to manage these tools and user access, and cybercriminals’ increasing focus on compromising credentials through social engineering to breach networks and gain access to critical information.
IBM Corp.’s X-Force Threat Intelligence Index 2024, which identifies emerging cybersecurity threats, found that, for the first time, compromising valid accounts was one of cybercriminals’ two most common entry points into organizations’ environments. The report offers an explanation as to why this shift occurred: “Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives. In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns.”
It isn’t hard to see how this comes to life in the real world. There have been several high-profile incidents over the last few months that have resulted from compromised credentials. Once an attacker uses credentials to gain network access, they can move to other levels of privileged access escalation until they reach their intended target: a company’s data, intellectual property, and other vital assets.
In this changing threat landscape, organizations must ensure that they have the identity basics covered and go a layer deeper by implementing a privileged access management (PAM) program.
Given the complexity and confusion associated with identity security, which can be challenging for even the most mature security teams, how can board members, who are one step removed from the day-to-day security trenches, understand if their organization is on the path to identity security success? Below are the essentials every board should know before working with the organization’s security team to ensure that they have the resources in place to combat evolving identity-focused threats with PAM.
PAM Takes Center Stage
“Identity basics” refers to having a granular understanding of how access should be granted, to whom, and when. The basics also encompass things such as understanding an organization’s data, knowing where it resides, and tracking who has access to it and at what level of privilege.
To help with these fundamentals, many organizations have implemented some form of identity and access management solution and have established access policies and processes. Before adding to this identity security ecosystem, the board should ask the company’s security leader to make sure these basics are in place. Once the board and management are confident that the underlying identity fabric is solid, they can shift their attention to bolstering cyber defenses with a PAM program.
PAM is more than a solution; it’s a subset of IAM made up of people, processes, and technologies that enable security teams to control, monitor, secure, and audit all human and non-human privileged identities and activities across their environments. Privileged users require high-level access to resources to do their work, and with a PAM program, security teams can protect these accounts from bad actors and ensure the approved users themselves are using their access privileges responsibly.
This is important because if privileged access is not protected properly, threat actors can exploit it to enter and move across the environment until they find the company’s crown jewels. It only takes one case of unauthorized access to a privileged account or one user abusing their privileges to cause catastrophic consequences.
From a technical perspective, below are a few capabilities boards can ask management to look for in a PAM solution:
- Passwords and secrets management provides credentials management within an organization’s privileged access infrastructure to help security teams easily identify and secure all service, application, administrator, and root accounts across the enterprise.
- End point least privilege management focuses on the device-level least privilege principle, which restricts users or processes from being granted access rights in excess of those specifically required for the performance of their defined tasks. Privileges are elevated in real-time, only when necessary. This helps with ransomware protection, threat detection and prevention, and just-in-time access, which allows access for specific times and tasks.
- Application to application integrations ensure least-privilege access focused on interactions between applications and their services or dependencies.
- Secure remote and vendor access provides external access to an organization’s environment without using a virtual private network to prevent internal credentials from being externally viewed.
- Identity solutions focus on IAM tools and account lifecycle management, looking at the entire life of a privilege credential and providing provisioning, attestation, and certification.
A strong PAM program can overcome many of the aforementioned identity security challenges. It provides a seamless way for security teams to protect privileged access with minimal friction to end users. It promotes a holistic perspective that streamlines identity ecosystems and processes. Moreover, for organizations that struggle with personnel and resource constraints, there are providers who offer managed PAM services, providing the visibility, end-to-end planning, implementation, and ongoing management organizations need to protect privileged accounts. Most importantly, PAM is a core component of identity security that insulates organizations from most data breaches.
Identity Security Enables the Business
At the end of the day, directors should ask management probing questions to help ensure that the organization is being honest with itself about its risk tolerance and response maturity levels when handling threats and vulnerabilities in order to protect shareholder value.
Corporate America is a prime target for a broad spectrum of threat sources, including advanced and ongoing attacks from nation states and terrorist organizations. These threats are real, ongoing, and evolving, and the cybersecurity community is especially concerned about certain credible threats to IAM.
Actionable recommendations of what organizations should do now include the following:
- Assess current IAM capabilities and risk posture.
- For areas that need improvement, select, layer, integrate, and properly configure secure solutions following best practices.
- Maintain the appropriate level of security to manage risk during continued operations.
- Maintain awareness of correct IAM usage and of risks.
Ultimately, every organization has the obligation to ensure that its IAM and single sign-on capabilities are secure to protect its own assets and that of its partners and consumers. PAM—and identity security in general—enables the business by securing digital operations, aiding in business outcomes, and reducing security risk. With IBM's Cost of a Data Breach Report 2023 finding that the average cost of a breach is nearly $4.5 million, it’s easy to see how PAM drives a quick and visible return on investment.
Optiv is a NACD partner, providing directors with critical and timely information, and perspectives. Optiv is a financial supporter of the NACD.
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.