Privilege access management (PAM) as of late has become a major area of cybersecurity focus because cybercriminals have become more adept at targeting attacks at specific individuals within organizations. The goal of these attacks is to compromise the credentials of individuals within an organization that would most likely have access to an organization’s sensitive data, such as chief financial officer or head of engineering. The primary mechanism employed to compromise these credentials is a phishing attack in the form of an email so carefully crafted, that it fools harried senior executives into inadvertently giving up the keys to the proverbial digital kingdom.
Known as a whaling attack because of the value of the credentials being compromised, it’s not surprising that defending against these types of attacks is becoming something of an obsession for IT organizations. A survey of 200 cybersecurity professionals conducted by Cybersecurity Insiders, on behalf of Hysolate, a provider of software for managing virtual workstations that are optimized to protect privileged users, finds that 42 percent of organizations have completed or are actively implementing additional security measures for privileged users. Another 35 percent have identified privileged access management as a top three priority and are evaluating methods to help achieve that goal.
The Hysolate survey comes on the heels of a similar PAM report published by Gartner, forecasts that by 2021 a total of 40 percent of organizations that use formal change management practices will have embedded and integrated PAM tools within them to reduce the overall risk surface. That’s up from less than 10 percent in 2018. Much of the effort is being driven by a variety of regulations that require organizations to pass audits showing who in the organization has access to what data precisely when.
Overcoming PAM’s obstacles to find its value
Managed service providers (MSPs) should take note of this trend because implementing PAM is far from easy. Most organizations are not entirely sure who has access to what inside their organizations largely because business managers usually determine who should have access to what applications. That usually gets dutifully recorded somewhere in the bowels of the IT department. But when individuals take on new roles inside organizations, no one remembers to adjust their access privileges. Over time, these individuals wind up with access to nearly everything. In some organizations, everyone has privileged access to everything simply because it was deemed too inconvenient to manage the process.
Phishing attacks are the most common attack vector employed by cybercriminals, so most MSPs that focus on cybersecurity have already strengthened their ability to combat these threats on behalf of their customers. Beyond thwarting phishing attacks, there’s an opportunity for MSPs to help organizations bring some order to a chaotic set of privileged access processes. Those managed services should span everything from discovery and assessment to the daily management of the granting of the privileges themselves. That latter service is going to be especially attractive to any organization that operates in a heavily regulated industry. Third-party validation of a privilege access process goes a very long way to achieving both cybersecurity and privacy compliance mandates.
PAM, of course, isn’t going to prevent phishing attacks from being launched, but is a critical element of any strategy to constrain the attack surface that needs to be defended. Organizations that need to defend everything equally are doomed to cybersecurity failure. In fact, it’s arguably always in the best interests of the MSP to make sure the attack surface that needs to be defended remains as small as possible. A good place to start shrinking that attack surface is to reduce the number of high value credentials that can be compromised in the first place.
Photo: Elnur / Shutterstock