Imagine a hacker is lurking inside your network. Indeed, it’s likely a few malicious actors are already inside your domain despite your best efforts to keep them away. Now, imagine the hacker stealing the credentials of a trusted system administrator. With the back-end access permitted to this privileged user, imagine the kind of damage the hacker can do.
The unfortunate truth is, it doesn’t take much imagination to envision what will happen. We see the results in the headlines. Many of the worst data breaches have occurred due to accidental or deliberate misuse of privileged account access. Given the potential impact of this type of threat, effective Privileged Access Management (PAM) is one of the most important of all security countermeasures. This article looks at the factors involved in choosing the right PAM solution.
Privileged Access Management (PAM) is one of the more important security countermeasures organizations should have in place to prevent data breaches
Understanding PAM in the Context of Cyber Security
Privileged users have the authority to administer critical systems. They can set up, modify, or delete system settings. They can alter user accounts and access data. In some cases, they can even override security settings and erase any evidence they were there. A privileged user can be an in-person or remote employee, a contractor, an external third party, or even a machine performing automated administration.
Privileged access can be a defense or a point of vulnerability depending on how well it’s handled. This is true for the direct risk exposure of unauthorized privileged access (e.g. data theft) as well as for indirect effects like faulty system configurations (e.g. deficient patching and hardening). Privileged Access Management is the countermeasure. The term refers to the collection of tools and processes which protect digital assets against the threat of unauthorized privileged user access.
PAM refers to the collection of tools and processes that protect your organization's most critical data and systems against the threat of unauthorized privileged user access
To PAM or Not to PAM?
All IT organizations need to exercise some control over privileged accounts. It would be the height of negligence to shirk this responsibility. What is the best way to approach the task, however? The answer depends on many factors. A small IT organization might be able to govern privileged account access through manual controls. As the IT organization, and the entity it serves, grow larger and more complex, it’s wise to implement some kind of PAM software.
PAM solutions vary in features and scope. Most provide the ability to assign privileged account access, manage passwords and track privileged account sessions. Picking a PAM solution is a process that should emanate from an organization’s unique security, IT, business, and organizational makeup. What’s right for one business may not be suitable for another.
What to Consider When Picking a PAM Solution:
Security and Compliance Factors
Picking a PAM solution should start with an assessment of how PAM relates to the broader security and compliance needs of the organization. The right PAM software will fit into the security and compliance framework. This is a preferred approach to imposing an arbitrarily chosen PAM solution onto the security and compliance teams.
The right PAM solution will fit into an organization’s established and projected security and compliance framework
One way to approach the issue is to review the complexity of the privileged account landscape at your organization. If all privileged users are employees and the system architecture is relatively simple, then a PAM solution with a limited feature set might be the best fit. Alternatively, if privileged users are scattered across multiple entities and regions, administering highly complex, interdependent systems, you will want a PAM solution that enables you to confidently stay on top of who is doing what.
The major compliance regimes mandate privileged access management. If your organization is bound by GDPR, Sarbanes-Oxley, PCI-DSS or ISO27001, you will likely need a deeply featured, highly automated PAM solution. One issue to focus on here is the audit logging and reporting features of the PAM software. Compliance, and the internal audit work of preparing to be compliant, requires in-depth, efficient reporting. The PAM solution should support these requirements.
The nature of your infrastructure should factor into selecting a PAM solution. Some are better suited to hybrid cloud/on-premises infrastructure than others, for example. If admins are able to go in and out of an on-premises data center, then it may be useful to have a PAM solution that isolates privileged users from device passwords. This reduces the risk of manual password overrides on physical devices that can result in improper privileged account access.
The architecture of the PAM solution itself deserves attention in the selection process. Some solutions utilize software agents that must be installed on each system where privileged access is to be managed. This approach may slow down the inevitable change and upgrade cycles, causing the PAM solution to be sidelined. An agentless architecture is generally preferred.
Business and Organizational Factors
PAM is intimately connected with the business side of an organization. Beyond basic issues like solution cost, PAM can affect the cost of ongoing IT operations as well as agility. If the PAM solution is cumbersome to adapt or difficult to train users on, it will disrupt smooth IT operations and limit business agility. PAM can have a financial impact far greater than its immediate cost.
A review of PAM options should consider serious issues like how well the organization manages change and follows rules. If an organization is highly decentralized, for instance, will a PAM solution be able to adapt and be thoroughly implemented in all areas? Or will some departments skip PAM, thus exposing the organization to risk? Similarly, experience shows that technologies that are overly difficult to use sometimes get ignored altogether. This results in financial waste and a worsening security posture.
If a PAM solution is too complicated or difficult to use, some users will choose not to use it and expose your company to serious risk
Organizational structure also impacts PAM solution choice. A business that functions through partnerships may be best served by a PAM solution designed to oversee privileged users from multiple entities. Some PAM solutions are also better at helping an organization operating in multiple countries, each with its own data privacy regulations.
The WALLIX Solution
The complete WALLIX PAM solution is well suited to large, complex organizations with challenging compliance requirements. It lets super administrators define access for privileged users to all systems. They can grant and revoke privileges centrally using rules—covering full access control to devices, servers, databases and applications using criteria like IP address, username, time frames, and protocol. Time-delimited access grants are also possible.
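As an added illustration of the rule criteria just described (this is example code, not WALLIX's, and the user, host and network names are hypothetical), the following default-deny evaluator checks a privileged access request against rules keyed on username, target, protocol, source IP range, a daily time window and an optional grant expiry, and produces an audit line for every decision:

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class AccessRule:
    """One grant: who may reach which target, over which protocol, from where, and when."""
    user: str
    target: str
    protocol: str                         # e.g. "ssh", "rdp"
    source_net: str                       # CIDR the admin must connect from
    window_start: time                    # daily window (inclusive)
    window_end: time
    expires: Optional[datetime] = None    # time-delimited grant; None means standing

def rule_permits(rule: AccessRule, user: str, target: str, protocol: str,
                 source_ip: str, when: datetime) -> bool:
    """Every criterion must hold; any mismatch means this rule does not apply."""
    if (user, target, protocol) != (rule.user, rule.target, rule.protocol):
        return False
    if ip_address(source_ip) not in ip_network(rule.source_net):
        return False
    if not rule.window_start <= when.time() <= rule.window_end:
        return False
    if rule.expires is not None and when >= rule.expires:
        return False
    return True

def decide(rules, user, target, protocol, source_ip, when_iso):
    """Default deny: allowed only if some rule explicitly permits the request.
    Returns (allowed, audit_line) so every decision can go to the audit log."""
    when = datetime.fromisoformat(when_iso)
    allowed = any(rule_permits(r, user, target, protocol, source_ip, when) for r in rules)
    verdict = "ALLOW" if allowed else "DENY"
    audit = f"{when_iso} user={user} target={target} proto={protocol} src={source_ip} {verdict}"
    return allowed, audit

# Constructed sample policy; hypothetical users, hosts and network, not real ones.
RULES = [
    AccessRule("alice", "db-prod-01", "ssh", "10.20.0.0/24", time(8, 0), time(18, 0)),
    AccessRule("bob", "db-prod-01", "rdp", "10.20.0.0/24", time(0, 0), time(23, 59),
               expires=datetime(2024, 3, 1)),      # contractor grant that ends on a set date
]

if __name__ == "__main__":
    print(decide(RULES, "alice", "db-prod-01", "ssh", "10.20.0.7", "2024-02-10T09:30")[1])
    print(decide(RULES, "alice", "db-prod-01", "ssh", "10.20.0.7", "2024-02-10T22:00")[1])
    print(decide(RULES, "bob", "db-prod-01", "rdp", "10.20.0.9", "2024-03-05T12:00")[1])
```

The audit line is what a compliance reviewer would later want to see for each request, whether it was allowed or denied.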
WALLIX manages and secures all passwords in a certified vault. This way, users only access services via WALLIX. They do not know the actual passwords for the accounts they are administering. Nor do they know local or direct passwords for physical devices. WALLIX reduces the risk of password sharing through rotation.
The WALLIX PAM solution gives administrators the tools they need to control, monitor, and manage the actions of all privileged users within your organization
The WALLIX solution lets the super admin track and monitor all connections and actions taken by privileged users. WALLIX can record privileged account sessions in video format. The WALLIX Report Manager is able to generate custom statistical and alert reports according to business or audit requirements.
In contrast with PAM solutions that require the installation of dedicated software agents on each system under their control, WALLIX uses an agentless architecture. The ease of deployment and change management also drives a high level of adoption and adherence to PAM policies.
Pick the Right Solution for Your Organization
PAM is an essential element of a robust cybersecurity program, especially for larger organizations. Selecting the right PAM solution depends on a number of factors, including those related to security, compliance, the business, and its organizational nature. What works for one IT department may not be right for another.
A suitable PAM solution should align well with an organization’s security needs and compliance requirements. It should fit with the type of infrastructure, e.g. hybrid cloud. Business managers should look at PAM in terms of its impact on agility. Making a sound decision on PAM also means taking a hard look at the organization’s culture. A good PAM solution will adapt to an organization’s structure, decision-making style and ability to change.
Want to learn more about the complete WALLIX PAM solution? Contact us.