Five Reasons PAM Implementations Fail
by Mahesh Babu, on Mar 12, 2020
With rapid innovation comes the rapid scaling and adoption of infrastructure. To fuel this innovation, the number of privileged users (on-call developers, admins, SREs) is growing and changing constantly. With this growth in new technologies, and in the privileged users who support them, come new threats.
It is, therefore, no surprise that 74% of breached organizations admitted the breach involved access to a privileged account (according to Centrify's Threat Landscape Survey). In addition, the Verizon Data Breach Investigations Report (DBIR) found that, out of all attacks, 29% of total breaches involved the use of stolen credentials, second only to phishing.
There is a product category, Privileged Access Management (PAM), that has existed for over 20 years, but has clearly failed to address this issue. Based on what Remediant sees in the market, the value of a PAM implementation does not get fully realized for five key reasons:
- Focus on authentication, not access: Legacy PAM solutions focus exclusively on authentication as the method for protecting privileged access. Over time, innovation in these legacy PAM solutions has involved longer passwords or more frequent credential rotation – but never quite addressed the real needs of practitioners who use these solutions every day. Outcome: High residual risk, high friction.
- Undiscovered, always changing privileges: PAM solutions protect known privilege. They do not offer a way to discover and monitor privileged access across the enterprise. This results in an invisible sprawl of administrator privilege, ready to be compromised and completely unknown to an organization. Outcome: Unknown, constantly changing attack surface.
  For more on how admin privileges proliferate across a network, read the following article: Standing Privilege is an Advanced Persistent Threat (F)actor by Dr. Shane Shook of ForgePoint Capital.
- Standing developer and admin access to production servers and every workstation, violating the Principle of Least Privilege and keeping the doors open for lateral movement: Administrators have 24x7x365 access to company networks. So, all it takes is one hack, one single stolen credential, for the attacker to have the "keys to the kingdom." From there, an attacker may move laterally to steal IP and other sensitive data from HR, finance, R&D and other critical systems. Outcome: High residual risk.
  To move laterally across a network, an attacker needs valid login credentials. For more on common techniques attackers use to capture credentials and escalate privilege, read the following article: Lateral Movement Explained by CrowdStrike.
- High friction user experience for privileged users: Accounts managed through legacy PAM must check out a generic or shared ID and get approval every time there is a need for privileged access. Outcome: This approach slows down privileged users' ability to respond quickly, thereby increasing Mean Time To Respond.
- Consistently incomplete deployments: An agent-based approach that requires touching each endpoint in a network does not scale. This issue, coupled with high administrator friction, results in incomplete PAM deployments. The problem is further exacerbated as workloads are dynamically provisioned and ephemeral. Outcome: Low return on investment despite high total cost of ownership.
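As an added example (not code from the post or from Remediant's product), the following PowerShell inventory makes the second and third points above measurable: it collects local Administrators membership from a set of Windows hosts over WinRM, flags principals that are not on an expected allow-list, and counts on how many hosts each principal holds standing admin rights. The host names and the allow-list are placeholders to replace with your own.

```powershell
# Added example: discover standing local-admin privilege across hosts.
# Assumptions: WinRM is enabled on the targets, the caller is allowed to query
# them, and the targets have the LocalAccounts module (Windows 10 / Server 2016+).
param(
    # Placeholder inventory; replace with hosts from your CMDB or AD.
    [string[]]$Computers = @('host01', 'host02'),
    # Placeholder allow-list of principals that are supposed to be local admins.
    [string[]]$ExpectedAdmins = @('CORP\Domain Admins', 'CORP\Workstation Admins')
)

# Query every host in parallel; hosts that fail are reported on the error stream
# and are themselves a finding (unreachable endpoints are where deployments go incomplete).
$members = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Principal   = $_.Name             # e.g. CORP\jdoe or CORP\Domain Admins
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

# Principals outside the allow-list are privilege the organisation did not plan for.
$unexpected = $members | Where-Object { $ExpectedAdmins -notcontains $_.Principal }

# Principals that are admin on many hosts are the lateral-movement exposure the post
# describes: one stolen credential reaches every host in its HostCount.
$sprawl = $members | Group-Object Principal |
    Select-Object @{ n = 'Principal'; e = { $_.Name } },
                  @{ n = 'HostCount'; e = { $_.Count } } |
    Sort-Object HostCount -Descending

"Unexpected local administrators:"
$unexpected | Format-Table Host, Principal, ObjectClass, Source -AutoSize
"Standing admin reach per principal:"
$sprawl | Format-Table -AutoSize
```

Re-running the inventory on a schedule and diffing the output against the previous run turns the "constantly changing attack surface" into a concrete change report.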