Ransomware and other forms of devastating cyber-attacks against public and private sector organisations have become depressingly familiar headlines in recent years. While this might give the impression that organisations are most at risk from external threats, the fact is that the biggest security risk often comes from inside the business, specifically through users entrusted with privileged access. Indeed, 42 per cent of breaches originate through credential abuse, whether by accidental or deliberate misuse.
Of course, unrestricted privileged access is not necessary for undertaking the majority of administrative tasks. Nevertheless, administrators often issue wide-ranging access as standard, which increases the risk of both internal and external breaches occurring. Despite this, identity and access management (IAM) leaders often struggle to restrict the level of privileged access on offer because administrators and IT operations staff have become accustomed to using these accounts on-demand.
One of the most effective ways to reduce the associated risks is by implementing a privileged access management (PAM) solution, since it significantly reduces an organisation’s attack surface area. However, traditional PAM approaches are complex and costly to implement, and their vault-centric idea does nothing to remove or limit the attack surface area. On the contrary, a modern PAM strategy, known as zero standing privilege (ZSP), decreases the chances of a successful malicious infiltration without adversely affecting business efficiency. With ZSP, administrators are granted just enough privilege to complete a specific task, and only for as long as needed to complete it. This ‘just-in-time’ (JIT) approach significantly reduces the risk of ‘super-user’ accounts being exploited by internal or external threats.
This article will explain how organisations can effectively implement the principle of ‘least privilege’ and mitigate the risk of privileged access. It will outline why IAM-focused security and risk management leaders should prioritise reducing excessive privilege, and thereby bolster their overall security posture, in the following ways:
Restrict the scope of accounts available to users
Organisations have traditionally addressed the risk posed by privileged accounts by taking a vault-centric approach. While this provides better protection than nothing, significant risk remains given that most privileged accounts are always available for use, with more access than is strictly necessary. IT teams must therefore go further to reduce the spread of privileged access in their environment. As a first step, they should first assess the extent of privileged permissions that have been allocated and on what basis – in other words, when and for how long is each permission valid for.
A JIT approach can help organsiations to limit the amount of time in which privileged access is available to users. This will not remove privileged accounts from the environment entirely, but crucially, they will only be available at the moment they are needed (and for no longer), which limits the risk of legitimate credentials being abused
Taking a balanced approach to achieving ZSP
To achieve true ZSP without compromising business operations, most organisations will need to carefully select the most appropriate JIT PAM controls. For instance, IAM leaders may opt for a blended approach which incorporates JIT, session management and the more traditional vaulting approach. At this stage in the process, it is important to assess the legitimate uses of privilege and the current workflows associated with those uses. These are key questions a security team should answer before making IAM decisions:
- How will changes to privileged access impact present-day workloads?
- What resources are required to implement a given approach for the privileged access in question?
- Will additional tools be needed to enable this approach?
Once these considerations have been made, there are a number of different options for implementing JIT. To name a few, personal privileged accounts may be placed under the control of a PAM tool, or shared accounts under the control of a vaulting and session management tool. ZSP privilege escalation is another option, which grants temporary “one-time” privileged access for a defined set of tasks over a defined period of time. Whichever approach (or combination) the security team chooses, it is vital to have discussions with business and other IT leaders about which mechanisms will best suit the environment. Once everyone agrees on JIT approaches to implement that are suitable for the privilege workflows in the environment, then work can begin on implementation.
During this stage of JIT deployment, setting priorities and determining gaps in the organisation’s existing cybersecurity set-up is key. This will necessitate an assessment of current technical capabilities, along with updates to policy documents to reflect JIT/ZSP methods as the default for privileged access. It will also require standard operating procedures to reflect the methods selected for current workflows.
Ultimately, organisations that take a considered and iterative approach to their JIT/ZSP initiatives will stand to reap the benefits of reducing the risks associated with standing privilege, while minimising the impact on business operations and maximising return on investment
in PAM technologies.