A VIP pass at a concert can get you backstage to shake hands with the band. In the world of cybersecurity, “privileged access accounts” are essentially VIP passes — and bad guys want them. This is where the red-hot area of Privileged Access Management, or PAM, is important to business today. Successful management of these privileged accounts (also known as administrative accounts) basically keeps a company’s VIP passes in the right hands.
Privileged user accounts provide elevated access rights to critical systems and sensitive data; they are pervasive throughout the organization and can include applications, systems or individual user accounts. These accounts are a powerful lure to malefactors because elevated access can enable them to gain a foothold on a corporate system and then stealthily move throughout the network to compromise other systems within the breached environment.
Forrester Research estimates that 80% of security breaches involve theft of privileged credentials.* Among cybersecurity and privacy threat targets, accounts with elevated privileges are pervasive because they exist in most platforms, IT systems, and applications across an organization’s entire ecosystem. Unfortunately, many organizations spend a great deal of time and money managing normal user accounts, while underestimating the importance and risk posed by privileged accounts.
Exploits of these accounts often begin with phishing schemes that target employees and third-party vendors. This year, 38% of respondents to PwC’s Global State of Information Security® Survey reported phishing incidents, making it the top vector of cybersecurity incidents. The financial, reputational, and cybersecurity and privacy toll can be significant.
Just consider last year’s breach of the US Office of Personnel Management (OPM). Unknown hackers stole credentials of a trusted contractor to access government systems, resulting in leaks of sensitive information of 21.5 million individuals. This massive data loss severely eroded trust in the OPM’s cybersecurity and privacy capabilities and created potentially serious national security risks. And then there’s the cost of remediation: The OPM awarded a contract of more than $133 million for identity theft protection services alone.
As businesses begin to grapple with the compromise of privileged accounts, a number of factors point to potentially troubling trends.
For one, the number of privileged accounts appears to be rising. In our work with organizations across industries, we’ve seen that a single user may have access to five or sometimes many more privileged accounts across the business ecosystem.
Whether malicious or simply careless, insiders like employees and third-party business partners continue to be the primary sources of cybersecurity incidents. This year, 29% of PwC’s survey respondents attributed incidents to current employees, while 41% pointed the finger at third-party business partners, which often have digital access to the organization’s network, applications, and data.
It’s also worth noting that the ongoing adoption of cloud computing has created new risks. Service providers often grant privileged credentials to employees who interact with a company’s data and workloads. And the growing use of automation tools by cloud providers has augmented the number of privileged accounts, which in turn can broaden the attack surface.
But perhaps the greatest risks lie in the Internet of Things (IoT), where connected devices may be assigned to a privileged account but are rarely secured. This can enable cybercriminals to recruit an army of IoT botnets that target access to privileged account credentials. The potential for damage was decisively demonstrated in October’s DDoS attack on an Internet Domain Name System (DNS) provider. The hack enlisted hundreds of thousands of Web-connected devices, such as DVRs and webcams, in a colossal website takedown that began in the US and cascaded across the globe.
The risks of privileged account compromise constitute a threat of the first order. Yet our research shows that at least 40% of businesses have not implemented Privileged Access Management (PAM).
The reasons vary and may include a lack of awareness of privileged account abuse, prioritization of conflicting security initiatives and the relative immaturity of some organization’s cybersecurity and privacy practices. Cost is another deciding factor: The price tag of a PAM implementation can be a major investment that extends to millions of dollars, depending on the scope of the initiative.
Whatever the rationale, our work with businesses in the field indicates that many do not manage privileged accounts with the same rigor as they do human user accounts. We have found, for instance, that privileged account passwords are often not regularly changed and may be stored in unsecure files on devices like laptops. What’s more, privileged accounts are often shared among many IT users, which means that compromise of one set of privileged account credentials can open doors to other enterprise systems and applications.
Finally, many organizations grant third-party vendors like contractors and supply chain partners remote access to their company’s networks and data. As recent breaches have proved, compromise of third-party partners’ credentials is a risk to be reckoned with. Yet only 53% of this year’s survey respondents said they had implemented security baselines and standards for external business partners.
As risks associated with privileged accounts multiply, forward-thinking businesses are seeking ways to strengthen password integrity, improve IT efficiencies and lower compliance costs. That’s where PAM solutions come in.
PAM can provide a centralized methodology to integrate security controls across the perimeter, network, and application security zones. PAM also can help businesses manage privileged sessions to operating systems, databases, and applications. It offers unified reporting to enhance control over the PAM program and deliver secure remote access for external contractors through real-time session monitoring.
PAM helps businesses stay in line with internal policies as well as industry and government regulations by requiring that passwords be regularly changed to meet compliance requirements. PAM solutions also can help businesses achieve accountability by consolidating accounts, access rights, permissions, and audited activity to a single, centrally managed user identity. To do so, PAM employs enforced segregation of duties related to privileged accounts and helps administer granular access controls and workflows.
In the wrong hands, privileged account credentials can deliver detrimental results by malicious threat actors. The potential financial, reputational, brand value and customer trust impacts of an attack on privileged user accounts can be enormous.
PAM solutions are critical to helping a business deliver preventative and detective controls capabilities, including password management and integration with an organization’s overall Identity and Access Management (IAM) process definitions and technical architecture. An effective PAM implementation can provide controls and detection at every step to help deliver the right cybersecurity and privacy safeguards, prevent attacks, and mitigate impacts.
*Forrester Research estimates that 80% of security breaches involve theft of privileged credentials
Principal, PwC US
Managing Director, Cybersecurity and Privacy, PwC US