Privileged users can change system configurations, install software, create or modify other user accounts and access secure data. They can also typically override security protocols, giving themselves unintended access or even covering their own tracks.The larger and more complex a system gets, the more privileged users there are likely to be. These include employees, contractors, remote, and even automated users. Manual systems also do not provide for an easy audit trail.
Privileged access management provides the solution with a centralized system to manage and audit all privileged users and usually includes the following two key features:
- Password Management—Precludes users from getting direct access to underlying systems. All users must access underlying systems via the PAM solution, which rotates, controls, and centralizes all password access.
- Session Management—Monitors and controls all privileged user sessions with a full audit trail.
PAM and the Big Security Breach
A large-scale breach of sensitive data information is a massively disruptive incident that can cost tens of millions of dollars to resolve. When it hits, it’s a catastrophic blow to an organization’s income statement, balance sheet and intangible assets.
These kinds of large-scale incidents are likely to involve unauthorized administrative or root access to critical systems. The attackers typically impersonate an administrative user to gain control of confidential IT assets. This is a huge problem; the vast majority of big security breaches involve the misuse or escalation of privileged credentials.
PAM and Operational Costs
In addition to combating massive breaches, a well executed privileged access management system saves money and effort in many smaller ways. And these small savings may not collectively be so small.
Employees make up organisations’ heaviest cost in many instances, regardless of actual productivity. It’s no news that unproductive work is a waste, but how much depends on salary and on how many people are wasting time being unproductive. In big IT organizations, both of these numbers are likely to be large due to:
- Credentials Cost – Without effective PAM, credentials have to be reset and disseminated manually. Admins scramble to figure out who should have access to which systems. Provisioning and un-provisioning new workers or contractors can take hours or days delaying work. Worse, due the time involved, many credentials will never be revoked in a timely manner and thus create unrecognized security risks.
- Audit costs – A review of privileged user actions is part of typical IT security audits done for regulatory frameworks such as SOX, PCI and HIPAA. If the PAM system is simple and ubiquitous, the audit process will be quick and inexpensive. However, if the auditor needs to investigate bare system logs or partial PAM solutions, it will significantly increase the cost of the audit and generate a lot of unproductive work for IT staffers who need to answer the auditor’s questions.
The Installation & Maintenance Costs of a PAM Solution
Against the savings and security benefits of a PAM solution, the costs must be weighed as well. Installing most PAM solutions requires significant internal team member time as well as billable time from professional services firms. Some complex systems require extensive on-going administrative time, and if they are agent-based, often require updates and maintenance to keep up with the changes of the underlying systems that they are protecting.
The hidden cost of a meaningless “checked box” for PAM
To be effective, privileged access management must be pervasive. Inadequate or spotty management of privileged accounts can result in theft and costly errors. This typically happens if the integration between the PAM solution and a given underlying system is too complex. Many PAM solutions require a dedicated software agent on each administered device or workstation. This creates additional friction by slowing down deployment, management and adoption.
The friction raises the temptation to bypass the privileged access management solution and give privileged users direct access to underlying systems. Although this is usually intended as a “temporary solution,” it opens up very dangerous possibilities. For example, a former employee who still can access a system that disburses funds has the means and opportunity to commit fraud.
The process of detecting and then remediating such a control deficiency is very costly. In some ways, the threats presented by a PAM solution that has been incompletely deployed are greater than those of no PAM solution at all because the remaining threats are often hidden from top management.
PAM as a Tool to Reduce Financial Losses
An effective privileged access management solution will provide a secure and streamlined way to authorize and monitor the activities of all privileged users. It reduces the risk of large security and financial events by enforcing policies that restrict privileged users from bypassing security systems. It cuts down on unproductive employee chatter by granting privileges to users only for systems on which they are authorized. Access is granted only when it’s needed and revoked as soon as that need expires. Then, by creating an unalterable audit trail for any privileged operation, the PAM solution speeds up the process of interpreting what might have gone wrong in any incident.
The Wallix AdminBastion
The Wallix AdminBastion (WAB) is a privileged access management solution that helps mitigate the risk of big security incidents while keeping installation and operating costs low. It’s a driver of cost savings all around.
The WAB creates a single gateway with single sign-on for access by system admins. This capability enables the IT department to define and enforce access policies for admins as well as for the employees who need system access. WAB’s agent-less architecture is lightweight, making the solution inexpensive and easy to deploy and adapt.
For more information about the Wallix AdminBastion, request a demo below: