Professional Documents
Culture Documents
BT WhitePapers 6myths 2020
BT WhitePapers 6myths 2020
BT WhitePapers 6myths 2020
Busting the
6 Myths of
PAM
Privileged Access Management:
Sorting Fact From Fiction
TABLE OF CONTENTS The Guide to JIT PAM
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Browse Up Security
MYTH #4: PAM HELPS YOU MANAGE & CONTROL ACTIVE DIRECTORY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
MYTH #5: VENDOR ACCESS CAN BE SECURED USING THE SESSION MANAGEMENT CAPABALITIES
OF YOUR PASSWORD MANAGER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 0
CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2
Ponemon Study:
Average size of a
2019 Cost of a Data Breach
data breach1
The recent Cost of a Data Breach Report
conducted by the Ponemon Institute and
sponsored by IBM Security reveals some
harrowing statistics around what cyber
breach victims face in the way of losses.
Currently, the global average total cost of a
data breach sits just shy of $4 million, with
around 25,575 records being the average size Average time to identify
of a breach. With the average time to identify & contain a data breach1
and contain a breach being almost 10 months,
it’s obvious that a solution is needed, and fast.
Reported increase in
breaches in 1h.20192
Browse Up Security Browse Down Security However, this approach comes with a number
of drawbacks. Although very secure, it’s
Browse Up security is a concept whereby IT On the other side of the spectrum, Browse impractical. Imagine a remote worker – do
systems are administered from ‘low trust’ Down security is the best practice for they typically have access to a secondary
devices that are at heightened risk of being mitigating risk in your environment. Browse system on an isolated VPN?
compromised, such as a personal home Down security involves having dedicated
computer. This is, unfortunately, a typical workstations for remote administration A much better alternative is Privileged Access
scenario today, proving that common practice that live on a segregated network with the Management (PAM).
isn’t always good practice. An end-user device OS locked down, along with email and web As stated by the National Cyber Security
used by an administrator can be one of the browsing blocked. Centre (NCSC part of GCHQ), “Browse up
easiest paths into the target system. is a bad security model, but is often used as
The idea is that if the “dirty”, less trusted
In computer systems where data integrity workstation/environment gets compromised, it makes administration easier for staff to
is important (such as cloud storage services, then it’s not directly underneath the clean manage. Privileged Access Management
which handle personal data or payments, or environment, and it would be difficult for (PAM) helps mitigate some of these risks.
industrial control systems), if you don’t have the malware operator to gain access to your Browse down is better, and coupled with
confidence in devices that are being used to clean environment, as it lives on a separate privileged access management, can really help
administer or operate a system, you can’t have workstation. you gain confidence in your management
confidence in the integrity of that system. interfaces.”
“
Browse Down Security Management alone isn’t scalable
and doesn’t mitigate risk enough on its own.
PAM: THE NUMBER ONE SECURITY PROJECT FOR 2019 Fact or Fiction: Busting the 6 Myths of PAM 5
“
By 2022, 90% of organizations will recognize that mitigation of PAM risk
“
is a fundamental security control, which is an increase from 70% today.
— Gartner, “Best Practices for Privileged Access Management Through the Four Pillars of PAM,” January 28, 2019
MYTH #1: ZERO TRUST IS ACHIEVABLE Fact or Fiction: Busting the 6 Myths of PAM 6
What Is The Zero Trust Model? 1 Technical Debt by Cloud, DevOps, and IoT does not inherently
support the zero trust model as it requires
First coined in 2010 by John Kindervag, If your organization develops its own software additional technology to segment and enforce
Principal Analyst at Forrester Research, it’s for consumption, and the applications the concept. For large deployments, this can
become a very popular concept with many are more than a few years old, you have be cost-prohibitive, and may even impact the
organizations seeking to reduce the risk of a technical debt. Redesigning, recoding, and ability for the solutions to interact correctly
data breach. redeploying internal applications can be with multi-user access.
costly and potentially disruptive. There needs
The principle behind zero trust is that it
to be a serious business need to undertake
requires strict verification measures for every “Reality”
these types of initiatives. Adding security
device and person accessing resources on a
parameters to existing applications to make One model that can help bridge the gap is
private network, regardless of whether they
them zero trust-aware is not always feasible. Just-In-Time Privileged Access Management
are within the perimeter of the network.
It’s extremely likely that your organization (JIT PAM). The ‘JIT’ part originates from
There’s no specific technology associated with
utilizes existing applications that have no within the manufacturing industry and is a
zero trust, rather several technologies (with
ability to accommodate zero trust. strategy that minimizes costs by reducing the
multi-factor authentication, or MFA, being a
core tenet) in order to reach the ideal state of in-process inventory level. It is driven by a
security. It’s therefore considered a holistic 2 Legacy Systems series of signals that tell the production line to
approach and an ideal that many companies make the next piece for the product and when
Legacy applications, infrastructure, and
work towards. it is needed.
operating systems are unlikely to be zero
trust-aware. They may lack the concepts of JIT PAM can help drastically condense the
Three Reasons Why Zero Trust least privilege and lateral movement, and privileged threat surface and reduce risk
they may not possess authentication models enterprise-wide, ensuring that identities
is an Unrealistic Ideal
that dynamically allow for modifications only have the appropriate privileges when
While zero trust has become a trendy based on contextual usage. Any zero trust necessary, and for the least time necessary.
catchword in IT, in practice, this model is implementation requires a layered approach This process can be entirely automated so that
generally impractical and unrealistic to to enable these systems. However, a layered it is frictionless and invisible to the end user.
implement. Though Forrester has provided a approach entails wrapping the external access
According to Gartner in their 2018 Magic
five-step roadmap to achieving zero trust, and to the resource and rarely can interact with
Quadrant for PAM, “By 2022, more than
while many of the recommended approaches the system itself. This defeats the premise of
half of enterprises using privileged access
have merit and seem logical, a number of zero trust.
management (PAM) tools will emphasize
unrealistic assumptions are made due to
just-in-time privileged access over long-term
the following issues facing almost every 3 Digital Transformation privileged access, up from less than 25% today.”
organization:
Even for organizations that are in a position Read a more in-depth overview of Just-In-
to build a new data center, implement Time Privileged Access Management.
a role-based access model, and embrace
zero trust 100%, the digital transformation
considerations can make the theory difficult
to embrace. The digital transformation driven
MYTH #2: SHARED ACCOUNTS ARE NEEDED TO ENABLE PAM Fact or Fiction: Busting the 6 Myths of PAM 7
Many IT organizations use shared accounts sophisticated phish, they can become a victim.
for privileged users, administrators or And if a superuser account is compromised,
applications so that they can have the the hacker may have instant access to the
access they need to do their jobs. If managed crown jewels.
incorrectly, this practice presents significant
security and compliance risks from
intentional, accidental, or indirect misuse of
“Reality”
shared privileges. If a shared privileged account is compromised,
then it carries potentially devastating risks
Even for the savviest IT teams, the task
as shared accounts are often used across
of managing shared accounts introduces
multiple applications and resources. If a
complexities and risks.
breach occurs, the attacker is able to span
multiple employee accounts and access
Shared Accounts are multiple locations across an enterprise. It
Hard to Audit makes it harder to pinpoint who has been
compromised and usually requires a lot of
According to a recent Monitor Report by systems that need to be touched to “fix” the
ICS-CERT, shared accounts “make it difficult problem.
to identify the actual user and they allow
malicious parties to use them with anonymity. A compromised shared account is like
Accounts used by a shared group of users Christmas day to a hacker. The good news
typically have poor passwords that malicious is that you don’t need to move to shared
actors can easily guess and that users do not accounts in order to enable PAM.
change frequently or when a member of the
group leaves.”
PAM Does More Than Manage “Reality” • Securing remote access pathways for
vendors and employees
Your Privileged Accounts A comprehensive PAM platform includes
far more than just privileged account and • Integrating vulnerability data to make
Managing privileged accounts is the tip
session management (PASM), though this informed privileged elevation and
of the proverbial PAM iceberg. Privileged
remains a key component. PAM also consists delegation decisions based on real-time risk
Access Management comprises of several
components, each serving a purpose in of privileged elevation and delegation • Logging all privileged access for auditing
the path to achieving the optimal balance management (PEDM)—also known as and reporting
between security and productivity. A central endpoint privilege management, secure
goal is the enforcement of least privilege, remote access (for vendors and employees), • Providing privileged user behavior and
defined as the restriction of access rights and and more. Some key PAM capabilities include: threat analytics
permissions for users, accounts, applications, • Discovering privileged accounts/credentials Integrating with identity governance
systems, devices (such as IoT), and computing on systems, devices and applications and solutions for seamless visibility and
processes to the absolute minimum necessary onboarding for ongoing management. management of privileged and non-privileged
to perform routine, authorized activities. identities enterprise-wide
• Automatically randomizing and storing
Alternatively referred to as privileged account passwords for both human and non-person
management, privileged identity management Simply put, PAM covers a much larger area of
privileged identities. security controls and threat mitigation than
(PIM), or just privilege management,
PAM is considered by many analysts and • Eliminating administrator and root people might think.
technologists as one of the most important privileges and simplifying enforcement of • The MITRE ATT&CK framework
security projects for reducing cyber risk and least-privilege policies
achieving high security ROI. • The Top 20 Critical Controls
Privileged access management addresses Additionally, PAM also helps in other, less
far more than your Active Directory conventional areas of risk across your
(AD) accounts. Active Directory (AD) is a organization, such as corporate social media
directory service developed by Microsoft for accounts. Passwords to your corporate
Windows domain networks. It authenticates Facebook, Twitter, or LinkedIn accounts
and authorizes all users and computers should be considered privileged; if the
in a Windows domain type network— credentials fall into the wrong hands, misuse
assigning and enforcing security policies could lead to significant, long-term brand and
for all computers and installing or updating reputational damages.
software.
“Reality”
However, in 2018, 52.2% of internet traffic
came from mobile devices and is predicted
to rise to 63.4% by the end of 2019. The
cocktail of increasing BYOD challenges
and expanding cloud services are all part
of the multi-platform movement towards
which IT environments are shifting. It’s also
worth noting that enterprises utilizing DMZ
networks (which often sit outside the walls of
AD) have additional security risks which PAM
can also assist in mitigating.
The concept of implementing privileged access Once the environment is installed for each BeyondTrust integrates with a wide range of
management can be daunting for many – component, internal automation (including third-party solutions. See the figure below for
especially if your environment is made up of a database maintenance), are all provided in a an overview of our partner ecosystem.
variety of operating systems, legacy software, leading PAM solution.
For less overhead and infrastructure
and far-flung global locations. Or, maybe you
requirements, PAM solutions can be deployed
have a small IT team that is already stretched
to the limit. However, a good PAM solution will
Implementation Made Easier in the cloud using SaaS (software as a service)
be simple to deploy and maintain over time. Through Integrations or a hosted solution such as AWS or Azure.
Managing credentials in the cloud can make
Implementing PAM is easier than you might In terms of implementation, you should managing privileged access easier and more
think. consult the experts from partners, vendors, cost-effective. For organizations looking to
and system integrators (SI’s). They have reduce privileged access risks, while facing
“Reality” experience installing PAM and can turn a ongoing staffing and resource shortages,
potentially steep learning curve into a very PAM cloud solutions provide reduced
PAM is comprised of three primary manageable project. Leading PAM providers administrative burdens along with rapid
components, with different efforts required will provide an extensive set of integrations, deployment.
for each, listed below from lowest to highest meaning you can benefit from technologies
effort and maintenance: working together straight out-of-the-box,
• Secure Remote Access (SRA): secure, maximizing your existing IT investments
Robotics
manage, and audit vendor and internal and making the entire process even more alyti
cs Proc
ess
t An Au
rea tom
remote privileged access without a VPN. seamless and efficient. For example, Th ati
on
Vu
ln
e
• Endpoint Privilege Management (EPM):
nc
e
ra
na
b
ilit
r
eliminate unnecessary privileges and
ve
yM
Go
elevate rights to Windows, Mac, Unix, Linux
an
tity
age
I de n
and network devices without hindering
men
productivity. Limited maintenance required
t
when environmental or application changes
occur.
Cloud Pla
• Privileged Account and Session
DevOps
Management (PASM): discover, manage,
tform
audit, and monitor privileged accounts of all
types. Medium-level maintenance needed,
when changes to procedures, environment,
or personnel occur.
Ide
nt
ity
ce
Ac
GR
C
ss
M &
an M
SIE
ag
em
en
t
Service M
anagement
CONCLUSION Fact or Fiction: Busting the 6 Myths of PAM 12
The BeyondTrust Privileged Access Management platform is an integrated solution to provide control and visibility over all privileged accounts and
users across all enterprise platforms. By uniting best of breed capabilities that many alternative providers offer as disjointed tools, the BeyondTrust
Privileged Access Management platform simplifies deployments, reduces costs, improves system security, and closes security gaps to reduce risks.
About BeyondTrust
BeyondTrust is the worldwide leader in Privileged Access Management (PAM), empowering organizations to secure and manage their entire
universe of privileges. Our integrated products and platform offer the industry’s most advanced PAM solution, enabling organizations to
quickly shrink their attack surface across traditional, cloud and hybrid environments.
The BeyondTrust Universal Privilege Management approach secures and protects privileges across passwords, endpoints, and access, giving
organizations the visibility and control they need to reduce risk, achieve compliance, and boost operational performance. We are trusted by
20,000 customers, including 70 percent of the Fortune 500, and a global partner network. Learn more at www.beyondtrust.com.
beyondtrust.com
V2020_03_ENG