The three Ms of Privileged Access Management


As a result of the rise in cloud adoption across organisations, the threat landscape has expanded, with cybercriminals taking advantage of any weakness in an ever-growing attack surface. One of the most common components of an attack today is the use of compromised credentials, in which bad actors exploit weak passwords, bugs and misconfigurations to gain access to sensitive and valuable information or system controls in what are known as ‘privilege escalation’ attacks. The Verizon 2021 Data Breach Investigations Report, for example, found that 80% of breaches involve compromised credentials.

The issue is that Privileged Access Management (PAM) – in which IT and security teams control who has access to what on an organisation’s systems, including giving users time-bound and temporary access privileges – is also sprawling as cloud adoption grows and IT systems become more complex to manage. Cyber attackers thrive on this complexity: they gain initial access through a lower-level account and then work their way – escalate – up the chain, taking control of more and more systems and administrative roles until they have compromised, and have access to, the entire IT environment. The results of privilege escalation can be highly detrimental, leading to a full-blown data breach with sensitive information at risk.

The good news is that there are three areas – three Ms – organisations can make sure they are aware of in order to minimise the risk of privilege escalation attacks: Mistakes, Misuse, and Malice.

Mistakes

We all make mistakes – it’s a human trait. According to a recent report from Stanford University, around 88% of data breaches are caused by human error. These mistakes could be anything from administrative account errors where excessive access has been granted, to user faults such as weak passwords or falling prey to a phishing scam. Technical mistakes like service or network misconfigurations can also leave a system open to attack.

These mistakes can be the result of many factors. For example, public and private cloud providers have differing, complex configurations and settings (AWS is configured differently from Azure, for example), meaning people tend to skill up in one first and then another, leaving the weaker areas vulnerable. Work overload, skills shortages, and too many manual tasks having to be completed under tight deadlines also add to the likelihood of mistakes occurring. Add to that business priorities competing with security needs, as well as the increasing number and variety of attack surfaces in the cloud, and hackers have ample opportunity to sneak through a crack in the system.

The principle of “least privilege” is an essential tool in the box for limiting the scope of an attack in this scenario. Under least-privilege controls, users can only access what they actually need to complete a task. This limits the fallout of an attack, as attackers are unable to move laterally through the system. In addition, adopting a cloud-based, identity-driven PAM solution can help weed out errors, weak spots and risky users, and mitigate them before they escalate.

Misuse

We’ve all taken shortcuts. But when users intentionally compromise a system, or misuse their privileges, for expediency or their own personal gain, the consequences can be dire. Indeed, an estimated 74% of data breaches involve privileged access misuse or compromise.

Misuse can be intentionally active and malicious, such as when a disgruntled employee whose access hasn’t been revoked deliberately steals data with the intention of using it to harm their former employer. Misuse can also be something as simple and passive as using default, weak or reused passwords. It can be using undocumented backdoors into environments or shadow IT, or not having adequate PAM processes in place.

More often than not though, misuse has no malicious intent. If employees upload files to their personal Dropbox or OneDrive accounts for example, they can unintentionally be opening a door to a malicious actor, as corporate data is now sitting in an unknown – most likely insecure – location where the organisation’s IT has no purview and the same corporate governance and security processes aren’t in place.

Password vaulting – in which the credentials of privileged accounts are stored in a centralised digital ‘vault’ – won’t always be enough to avoid this misuse. But by removing standing privilege and using modern-day PAM controls like least privilege, organisations can reduce the number of privileged accounts and their associated risks.

Malice

Often a result of mistakes and misuse, malice is seen when bad actors use stolen credentials to exploit vulnerabilities to gain access to protected assets or disrupt operations. These types of malicious attacks make the headlines for a reason, and we’ve all seen the stories about malware, spyware, ransomware and trojan attacks. Hackers can cause serious damage with these types of attacks. For example, Nvidia, the largest microchip maker in the US, had to shut down parts of its business for two days because of a ransomware attack in which the hacking group Lapsus$ threatened to release 1TB worth of the company’s data – including employee credentials – unless it handed over a ransom.

Malicious attacks are unfortunately here to stay, but by taking care to avoid mistakes and reducing misuse, organisations can lower the likelihood of becoming the victim of such an attack.

Flexible security measures are essential in the cloud

The cloud has made IT and security systems an ever-changing playing field – making it hard work for IT and security teams to stay ahead of the game. Traditional PAM solutions – which include the likes of password vaulting – are not always suited to this sprawling environment. They weren’t designed for the dynamic nature of the cloud and can leave cloud assets unmonitored for significant periods of time. They also cannot address persistent privilege or provide visibility across hybrid environments and applications.

In an era of agile working and elastic workloads, enterprises must be able to access and assess real-time activity in order to identify risky or misconfigured objects and automatically action remediation steps. In a hybrid environment, where workers habitually work across a variety of devices, networks and systems, IT and security teams need to be able to clearly see and manage access in real time – they can then reverse, approve or quarantine users, and give privileged accounts access once they have validated them. In this way, orphaned accounts – forgotten accounts that sit on the network and are prime candidates for misuse – can also be eradicated.

Cloud-based PAM processes are the key here – enabling organisations to scale their security along with their cloud environment. Without traditional standing privileges and the vaulting of discoverable privileged credentials, organisations gain visibility and control over what’s happening in their systems. Indeed, incorporating least-privilege principles and just-in-time access is an essential element of any cloud-PAM approach. It ensures end users receive the right level of privilege for their immediate tasks, no matter where they’re working or what device, network or platform they’re using – protecting critical assets and data from prying eyes.
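To make the just-in-time and orphaned-account ideas above concrete, here is a small added Python model (written for this article, not Saviynt’s or any other vendor’s code) in which privileged roles are granted for a bounded window rather than permanently, and an audit pass flags standing privilege, accounts whose owner has left, and accounts that have not logged in for a long time. All account names, roles and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

@dataclass
class Grant:
    role: str
    expires_at: Optional[datetime]  # None means standing (never-expiring) privilege

@dataclass
class Account:
    name: str
    owner_active: bool              # False once the human owner has left the organisation
    last_login: Optional[datetime]
    grants: List[Grant] = field(default_factory=list)

def request_jit(account: Account, role: str, now: datetime, ttl: timedelta) -> Grant:
    """Just-in-time access: grant a role for a bounded window instead of permanently."""
    grant = Grant(role, now + ttl)
    account.grants.append(grant)
    return grant

def active_roles(account: Account, now: datetime) -> Set[str]:
    """Roles usable right now; expired JIT grants drop out without a manual revoke."""
    return {g.role for g in account.grants if g.expires_at is None or g.expires_at > now}

def audit(accounts: List[Account], now: datetime,
          stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str, str]]:
    """Flag standing privilege, orphaned accounts and stale logins for review."""
    findings = []
    for acct in accounts:
        for g in acct.grants:
            if g.expires_at is None:
                findings.append((acct.name, "standing-privilege", g.role))
        live = active_roles(acct, now)
        if not acct.owner_active and live:   # owner gone but privilege still usable
            findings.append((acct.name, "orphaned", ",".join(sorted(live))))
        if acct.last_login is None or now - acct.last_login > stale_after:
            age = "never" if acct.last_login is None else f"{(now - acct.last_login).days}d"
            findings.append((acct.name, "stale-login", age))
    return findings

def demo() -> dict:
    """Constructed sample inventory (not real data): one JIT user, one service account, one leaver."""
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)
    alice = Account("alice", True, now - timedelta(days=1))
    svc = Account("svc-backup", True, now - timedelta(days=200), [Grant("domain-admin", None)])
    bob = Account("bob", False, now - timedelta(days=30), [Grant("cloud-admin", None)])
    request_jit(alice, "db-admin", now, timedelta(hours=1))
    return {"alice_now": active_roles(alice, now),
            "alice_later": active_roles(alice, now + timedelta(hours=2)),
            "findings": audit([alice, svc, bob], now)}
```

Running `demo()` shows alice’s `db-admin` role present within the hour and gone afterwards, while the service account and the leaver’s account each surface as review items.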


Chris Owen

Chris is currently responsible for helping to drive Saviynt’s product innovation, roadmap, go-to-market messaging and competitive intelligence.

He has acquired a wealth of experience in Identity & Access Management (IAM) and Privileged Access Management (PAM) over a 15-year career in various technical and leadership roles at Quest / One Identity, CyberArk, BeyondTrust and Centrify.

Chris began his career as a technical lead of one of the largest transformation projects in Europe at that time.
