The three Ms of Privileged Access Management
As a result of the rise in cloud adoption across organisations, the threat landscape has expanded, with cybercriminals taking advantage of any weaknesses in an increasingly growing attack surface. One of the most commonly used components in an attack today is the use of compromised credentials, in which bad actors exploit weak passwords, bugs and misconfigurations to gain access to sensitive and valuable information or system controls in what are known as ‘privilege escalation’ attacks. The Verizon 2021 Data Breach Investigations Report for example, found that 80% of breaches involve compromised credentials.
The issue is that Privileged Access Management (PAM) – in which IT and security teams control who has access to what on an organisation’s system, including giving users time-bound and temporary access privileges – is also sprawling as cloud adoption grows and IT systems become more complex to manage. Cyber attackers thrive on this complexity as they are able to gain initial access through a lower-level account then work their way – escalate – up the chain, taking control of more and more systems and administrative roles until they have compromised and have access to the entire IT environment. The results of privilege escalation can be highly detrimental, leading to a full-blown data breach with sensitive information at risk.
The good news, is that there are three areas – three Ms – organisations can make sure they are aware of in order to minimise the risks of privilege escalation attacks: Mistakes, Misuse, and Malice.
Mistakes
We all make mistakes – it’s a human trait. According to a recent report from Stanford University, around 88% of data breaches are caused by human errors. These mistakes could be anything from administrative account errors where excessive access has been granted, to user faults such as weak passwords or falling prey to a phishing scam. Technical mistakes like service or network configurations can also leave a system open for attack.
These mistakes can be the result of many factors. For example, public and private cloud providers can have differing complex configurations and settings (AWS is different in configuration to Azure for example), meaning people tend to skill up in one first and then another, leaving weaker areas vulnerable. Work overload, skills shortages, and too many manual tasks having to be completed under tight deadlines also add to the likelihood of mistakes occurring. Add to that business priorities competing with security needs as well as the increasing number and variety of attack surfaces in the cloud, and hackers have ample opportunity to sneak through a crack in the system.
The principle of “least privilege” controls is an essential tool in the box for limiting the scope of an attack in this scenario. Under these controls, users can only access what they actually need to complete a task. This limits the fallout of an attack as attackers are unable to move laterally through the system. In addition, following an identity-driven PAM solution, based in the cloud, can help weed out any errors or weak spots and users, and mitigate them before they escalate.
Misuse
We’ve all taken shortcuts. But when users intentionally compromise a system, or misuse their privileges, for expediency or their own personal gain, the consequences can be dire. Indeed, an estimated 74% of data breaches involve privilege access misuse or compromise.
Misuse can be intentionally active and malicious, like when a disgruntled employee, whose access hasn’t been revoked, deliberately steals data with the intention of using it to harm their former employer. Misuse can also be something as simple and passive as using default, weak or repeated passwords. It can be using undocumented backdoors into environments or shadow IT, or not having adequate PAM processes in place.
More often than not though, misuse has no malicious intent. If employees upload files to their personal Dropbox or OneDrive accounts for example, they can unintentionally be opening a door to a malicious actor, as corporate data is now sitting in an unknown – most likely insecure – location where the organisation’s IT has no purview and the same corporate governance and security processes aren’t in place.
Password vaulting – in which centralised privileged accounts are stored in a digital ‘vault’ – won’t always be enough to avoid this misuse. But by removing standing privilege and using modern-day PAM controls like least privilege, organisations can reduce the number of privileged accounts and their associated risks.
Malice
Often a result of mistakes and misuse, malice is seen when bad actors use stolen credentials to exploit vulnerabilities to gain access to protected assets or disrupt operations. These types of malicious attacks make the headlines for a reason, and we’ve all seen the stories about malware, spyware, ransomware and trojan attacks. Hackers can cause some serious damage with these types of attacks. For example, Nvidia, the largest microchip maker in the US, had to shut down parts of its business for two days because of a ransomware attack in which hacking group, Lapsus$, threatened to release 1TB worth of the company’s data — including employee credentials – unless they handed over a ransom.
Malicious attacks are unfortunately here to stay, but by taking caution to avoid mistakes and reducing misuse, organisations can lower the likelihood of being a victim of such an attack.
Flexible security measures are essential in the cloud
The cloud has made IT and security systems an ever-changing playfield – making it hard work for IT and security teams to stay ahead of the game. Traditional PAM solutions – which include the likes of password vaulting – are not always suited to this sprawling environment. They weren’t designed for the dynamic nature of cloud and can lead to cloud assets being unmonitored for significant period of time. They also cannot address persistent privilege or provide visibility across hybrid environments and applications.
In an era of agile working and elastic workloads, enterprises must be able to access and assess real-time activity in order to identify risky or misconfigured objects and automatically action remediation steps. In a hybrid environment, where workers are habitually working across a variety of devices, networks and systems, IT and security teams need to be able to clearly see and manage access in real time – they can then reverse, approve or quarantine users and give privileged accounts access when they’ve validated them. In this way, orphaned accounts – forgotten accounts that sit on the network and which are prime candidates for misuse – can also be eradicated.
Cloud-based PAM processes are the key here – enabling organisations to scale their security along with their cloud environment. Without traditional standing privileges and the vaulting of discoverable, privileged credentials, organisations have visibility and control over what’s happening in their systems. Indeed, incorporating least-privilege principles and just-in-time access is an essential element of any cloud-PAM approach. It ensures end users receive the right level of privilege for their immediate tasks, no matter where they’re working or what device, network or platform they’re using – protecting critical assets and data from prying eyes.