Overcoming Hurdles to Implementing PAM


Regardless of the type of attack, a majority of cyber attacks take advantage of weaknesses in access management in order to exploit privileged access in some way. Privileged access management (PAM) is a crucial element of effective cybersecurity, but a recent survey found that there is some confusion about what PAM is or is not, and that organizations face a variety of potential hurdles when it comes to PAM.

Remediant, a leading provider of privileged access management solutions, commissioned Enterprise Management Associates (EMA) to conduct a survey of IT and cybersecurity professionals around the world, most of whom are familiar with PAM and are directly responsible for managing or granting privileged access to users. Companies of all sizes from a broad range of industries took part in the survey.

State of PAM

There seems to be some confusion about what is or isn’t a PAM solution. The top result from survey participants when asked what they are currently using to manage privileged access is a directory service—namely Azure Active Directory (50%). A dedicated PAM solution was a close second (49%), but a simple password vault wasn’t far behind in third place (43%). Some organizations rely on custom scripts (29%), or just use controls native to the endpoint operating system (27%).

It’s encouraging that a dedicated PAM solution was at least in the top 2 solutions and was essentially tied with Active Directory, but it’s concerning that many companies and IT professionals seem to mistake identity and access management applications, or basic access controls, for viable privileged access management solutions.

Hurdles to PAM Implementation

The confusion seems to bleed over into the justification used for not implementing a dedicated PAM solution as well. When organizations that have not yet implemented a dedicated PAM solution were asked why, the number one justification was that existing access and password management tools are sufficient (29%).

Aside from the general misperception about what constitutes a PAM solution, though, there are also other factors that get in the way of organizations implementing effective privileged access management. About 1 in 5 of those who have not implemented a dedicated PAM solution believe such solutions are too complex (19%). Cost (14%) is also a hurdle to implementation, and in some cases the organization simply doesn’t believe there is value (14%) in investing in a PAM solution.

More Effective Privileged Access Management

The good news in the survey is that things seem to be trending toward more proactive and dynamic PAM solutions. Most of the companies that stated they have not yet implemented a dedicated PAM solution indicated that they plan to do so soon. Nearly two-thirds plan to implement a PAM solution in the next one to two years, and that number grows to 75% within 5 years.

That is just the first step, though. Almost a third of those with a dedicated PAM solution believe that it will only prevent some inappropriate use of privileged accounts, and almost 10% are not confident it will prevent the abuse of privileged access at all.

As companies seek out privileged access management solutions, it’s also important to recognize that not all PAM solutions are created equal. Privileged access is typically not needed indefinitely, and should not be granted carte blanche. Remediant’s SecureONE PAM solution employs a zero trust security model that grants and revokes privileged access in real-time—granting Just-in-Time, Just-Enough privileged access to get the job done without leaving the organization exposed to unnecessary risk indefinitely.


About Author

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 3 dogs, 4 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Twitter, Facebook, Instagram and LinkedIn.