Why Add Just-in-Time Access to Privileged Access Management?
by JD Sherry, on Feb 10, 2021
When I’m out in the field and Privileged Access Management (PAM) comes up, I usually see that people fall into one of three camps:
- People who now want a PAM solution because they’ve been breached
- People who already have a PAM solution and wonder how they can improve their program
- People with a PAM solution who have been breached and wonder why they weren’t protected
What unites these three groups? Concerns about standing administrative access.
Each of these groups cares about getting their arms around the spiraling problem of "always-on" admin rights. They find that addressing this problem just doesn’t rise to the top of their lists when they have so many other duties and deadlines, until it’s too late.
No matter which camp you find yourself in, you may confront the always-on access hidden in your network that’s lying in wait for attackers to find after they’ve breached your defenses. And, while legacy Privileged Access Management tools such as vaulting definitely form one part of the solution, they’re not the whole solution. There is more to the equation for success and risk reduction.
You can have the best Privileged Access Management and still get breached
Look at the CIS Controls list and you’ll see the controlled use of administrative privileges appearing at No. 4 in the list of 20 best practices pursued by organizations worldwide when they look to improve their cybersecurity controls.
But, by the time many organizations come to Remediant, they’ve already been breached because they had 24x7 Just-in-Case administrative access in their network that the attackers used to move laterally across their ecosystem. At that point, we listen and learn more about what happened, and usually find out that they either had no Privileged Access Management solution, or they didn’t fully grasp where the protections offered by legacy Privileged Access Management tools end and where those offered by moving to a Just-In-Time (JIT) Administration model begin.
Investing in SecureONE doesn’t mean giving up on your PAM solution
No one wants to have that ‘sunk cost’ talk with their boss—the one where the boss’s face drops when they’re told that it’s time to course-correct, scuttle a past investment, and spend time, money, and people on something new.
When I tell people about SecureONE, this concern begins to wash over some faces, until I tell them that SecureONE isn’t an alternative to PAM, it’s an essential complement.
When organizations implement SecureONE, they tend to keep their Privileged Access Management solution, because PAM + Remediant SecureONE is better than either on its own!
With Remediant SecureONE and Privileged Access Management, it’s not an either/or situation. It’s a value-add discussion about how one complements the other. This is because SecureONE brings:
- An end to 24x7 Just-in-Case admin access
- Effective blocking of lateral movement
- A quick and easy way to implement Just-in-Time (JIT) Access without agents
Many of our customers use PAM and SecureONE
Many of our Fortune 500 customers have leveraged Privileged Access Management platforms. That might mean that they have an enterprise password vault or that they’ve implemented session recording. Some have many tools for Privileged Access Management because they’ve found that one tool is not enough with today’s complex and ever-evolving IT ecosystems.
While this may be the current state of Privileged Access Management, many clients and prospects are looking to evolve and mitigate against today’s front-and-center threats such as ransomware and other destructive attacks. Our clients see this evolution consisting of a set of technologies they use to meet compliance and regulatory concerns around their privileged accounts AND secure their respective organizations. Coupled with EDR/XDR, SOAR, and IAM platforms, PAM needs to be an asset and not a liability in defending against today’s modern attacks.
But, Privileged Access Management is really just a first step. It’s a “congratulations on your investment toward better cybersecurity controls.” But, the journey doesn’t end there.
Privileged Access Management: Step One
Legacy PAM platforms have been great in getting companies to a point where they are vaulting passwords and maybe recording sessions, but legacy PAM doesn’t provide coverage everywhere. It can’t. That’s where SecureONE comes in.
Privileged Access Management isn’t specifically designed to protect organizations against ransomware or against 24x7 access rights. It primarily focuses on authentication rather than authorization. PAM makes sure that the employee who needs access gets it, but it doesn’t control how long they have it, or even monitor whether they still need it. That’s where JIT administration comes in.
Remediant SecureONE monitors your network and finds and culls that Just-in-Case, always-on access. We make Just-in-Time, Zero Trust access possible. That’s precisely what’s missing from today’s legacy PAM solutions.
How does SecureONE coexist with PAM?
Remediant SecureONE ‘plays well’ with PAM and solves some new problems that PAM can’t address in a timely way or at scale. For example:
- SecureONE discovers shadow access. Many PAM tools don’t have the scale or ability to discover privileged accounts across on-premises and cloud-based workloads. Remediant takes an agentless approach to continuous discovery, looking at administrative accounts and access as they change so that you can understand your risk posture.
- SecureONE goes beyond protecting just the crown jewels. Traditional PAM gets rolled out on a limited scope, often only on the servers holding the ‘crown jewels.’ The challenge emerges when companies think they’re protected because they have locked the accounts with access to those crown jewels in an enterprise password vault. But, what happens to all the other workstations left out of the PAM solution that still have standing privilege? Attackers can gain access to those resources and move laterally until they find another way to the crown jewels. Or, what about the accounts that are still on the servers containing the crown jewels, but are not in the password vault? All of these are major risk factors and increase the probability that an attacker will obtain one or more credentials with 24x7 access.
- SecureONE is easy to deploy and use. Many existing PAM solutions are heavy touch and require investments to implement, maintain, and upgrade. That means professional services or in-house staff. As a result, companies need to secure the capacity to roll out these legacy tools to cover their risk, and then they need staff trained and ready to use those tools once they’re rolled out. Because SecureONE was designed to be intuitive and user-friendly, it doesn’t require an extensive background in tech to use, often requiring just one FTE.
Expanding the risk lens with SecureONE
Remediant SecureONE expands the risk lens so you can find dangerous accounts where they’re hibernating. SecureONE brings you Just-in-Time Administration and enables Zero Trust access for administrators. With SecureONE, you no longer have to settle for 24x7, just-in-case access so people can get their jobs done.
SecureONE identifies high-risk accounts continuously, and dynamically grants and removes access as needed, in the moment. With SecureONE, you know where these accounts are. Access gets provisioned when it’s needed, only for as long as it’s needed, and not a minute longer.
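To make the two ideas in this post concrete, here is a small Python model added for illustration. It is not Remediant’s code and says nothing about how SecureONE is built; it simply shows the shape of the problem. The first half is the discovery step from the "shadow access" bullet above: an audit over a snapshot of local Administrators group membership that flags one credential sitting on many hosts. The second half is the Just-in-Time model from this section: a broker that issues time-boxed admin grants with a required justification and an enforced maximum lifetime, and a sweep that revokes them when they expire. The inventory, host names, principals, the 4-hour policy cap and the `JitBroker` name are all constructed assumptions.

```python
"""Toy standing-access audit plus a just-in-time admin broker.

Constructed illustration, not Remediant's or SecureONE's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed snapshot: host -> members of its local Administrators group.
# "svc_backup" holds standing admin on every host: one stolen credential
# would let an attacker move laterally to all four machines.
INVENTORY = {
    "ws-001": {"svc_backup", "helpdesk1"},
    "ws-002": {"svc_backup", "helpdesk1"},
    "srv-db-01": {"svc_backup", "dba_lee"},
    "srv-file-01": {"svc_backup"},
}


def find_standing_access(inventory, min_hosts=2):
    """Return principals holding admin on at least `min_hosts` hosts, widest reach first.

    The result maps principal -> sorted list of hosts. Each entry is a
    just-in-case credential whose theft opens every host listed.
    """
    reach = {}
    for host, members in inventory.items():
        for principal in members:
            reach.setdefault(principal, set()).add(host)
    flagged = {p: sorted(h) for p, h in reach.items() if len(h) >= min_hosts}
    # Most widespread account first so the riskiest finding tops the report.
    return dict(sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0])))


@dataclass
class Grant:
    principal: str
    host: str
    expires_at: datetime
    reason: str


@dataclass
class JitBroker:
    """Hypothetical JIT broker: every admin grant has a justification and an expiry."""
    max_ttl: timedelta = timedelta(hours=4)      # assumed policy cap
    grants: list = field(default_factory=list)   # currently active grants
    log: list = field(default_factory=list)      # audit trail of grants/revocations

    def request(self, principal, host, reason, ttl, now):
        """Issue a time-boxed grant, rejecting requests that violate policy."""
        if not reason:
            raise ValueError("a justification is required for every grant")
        if ttl > self.max_ttl:
            raise ValueError(f"ttl {ttl} exceeds policy maximum {self.max_ttl}")
        grant = Grant(principal, host, now + ttl, reason)
        self.grants.append(grant)
        self.log.append(f"{now.isoformat()} GRANT {principal}@{host} "
                        f"until {grant.expires_at.isoformat()} reason={reason!r}")
        return grant

    def is_admin(self, principal, host, now):
        """True only while an unexpired grant exists for this principal on this host."""
        return any(g.principal == principal and g.host == host and g.expires_at > now
                   for g in self.grants)

    def sweep(self, now):
        """Revoke every expired grant; returns how many were removed."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self.log.append(f"{now.isoformat()} REVOKE {g.principal}@{g.host} (expired)")
        return len(expired)


def demo():
    """Walk one grant through its lifetime: active mid-window, gone after the sweep."""
    t0 = datetime(2021, 2, 10, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("dba_lee", "srv-db-01", "INC-1234 patch window", timedelta(hours=1), t0)
    during = broker.is_admin("dba_lee", "srv-db-01", t0 + timedelta(minutes=30))
    revoked = broker.sweep(t0 + timedelta(hours=1))
    after = broker.is_admin("dba_lee", "srv-db-01", t0 + timedelta(hours=1))
    return during, revoked, after


if __name__ == "__main__":
    for principal, hosts in find_standing_access(INVENTORY).items():
        print(f"standing admin: {principal} on {len(hosts)} hosts: {', '.join(hosts)}")
    print("grant lifecycle (active, revoked, active-after):", demo())
```

Two design points carry over to a real deployment: the audit ranks by breadth of reach because a single account on many hosts is the lateral-movement path the post warns about, and the broker never records a grant without an expiry, so "standing" access cannot be created through it at all; anything the audit still finds must have come from outside the JIT process.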
Remediant coexists with legacy PAM and offers a major, quantifiable risk reduction in your access provisioning process. You achieve ROI faster, along with an at-scale roll-out that covers your broader infrastructure. We help organizations bring an additional level of maturity to their administration with JIT and Zero Trust, while leveraging your investments in PAM methodologies like enterprise password vaulting and session recording.
Wouldn’t you like to be able to reduce the risk of compromised access with a JIT, Zero Trust and precision approach, while still leveraging your existing investment in Privileged Access Management?
With Remediant SecureONE, now you can.