Among the myriad cybersecurity challenges faced by organizations, managing privileged access continues to be one of the most critical and highest-risk. This is a requirement that must be owned not only by security leaders, but also by board directors, general counsels, chief risk officers, chief information officers, and chief compliance officers.
Privileged access arrangements, which grant only certain users access to specific assets for determined uses and set durations, are a standard feature in digital environments. Privileged access manifests in various ways within an organization. For example, it may allow only named IT specialists to install software, permit only machine-learning engineers to work in environments where artificial intelligence (AI) models in development use certain data, or restrict sensitive strategic plans or in-progress financial information to the CEO or CFO.
Consequently, privileged accounts by their nature are particularly attractive to cybercriminals. These accounts can represent a gateway to your enterprise’s crown jewels: intellectual property, customer data, operational systems, and financials. Forbes reports that 74% of breaches involve privileged credential abuse, citing a survey of IT decision makers by security vendor Centrify (now Delinea).
In addition to being responsible for cybersecurity oversight, board directors, leadership, and C-level executives are prime targets for breaches involving privileged credentials. Hence, it is every leader’s job to understand Privileged Access Management (PAM) — strategies and technologies designed to protect sensitive data and systems from unauthorized access by controlling and monitoring privileged accounts. A report from our colleagues at Marsh highlights PAM as a top five control in terms of impact on reducing cyber risk.
PAM has become more essential to the protection of information while at the same time more complicated than ever to maintain and sustain in the face of the increasing sophistication and persistence of bad actors. Here's what you need to know to execute it successfully.
Big data, AI, and politics intensify access management challenges
While privileged access management is a perennial challenge, it is now more complex with the explosion of the variety, volume, and velocity of data that organizations collect, and of the types of data residing in disparate silos. As a result, many organizations lack a comprehensive understanding of their data and its potential uses and attractiveness to hackers, amplifying vulnerability. For instance, bad actors can stitch together multiple ostensibly non-sensitive data sources to infer sensitive information like customers’ location and purchasing habits, which could then be used in phishing or similar attacks.
Access is proliferating alongside data. By the time firms realize they’ve granted access too liberally both within their own organizations and to third parties, it’s challenging to wind back. Cloud is a prime example of the risk this poses: Microsoft research shows that more than 50% of cloud identities have permissions that could cause “catastrophic damage” if used improperly, but only 1% of permissions granted are used.
The growing propagation of privileged access and the difficulty of defining sensitive data are combining to particularly troubling effect in today’s artificial intelligence arms race. Organizations are rapidly setting up environments to develop and deploy AI capabilities; while data in these environments or “sandboxes” varies, in all cases their proliferation increases exposure. Additionally, AI models themselves represent valuable assets that bring with them new and notable risks. Even slight tampering with a model can poison its outputs, degrading accuracy and usefulness, and thereby undermining business operations that rely on the model.
These practical challenges are playing out against a backdrop of geopolitical conflict with bad actors eager to exploit them. Leveraging the privileged access of high-level users can give state-sponsored hackers a direct path to intellectual property that can provide them with a strategic advantage. Recently, for example, a state actor leveraged control of an old test account at a software giant to exfiltrate emails and documents, including from senior leadership, in an attack that dragged on for seven weeks.
Six key strategic actions to strengthen privileged access management
All leaders should be able to engage IT and security about the effectiveness of their organization’s PAM strategy because the business’s most critical, sensitive assets — not to mention its reputation — are on the line. Here are six strategic actions to consider:
Implement least privilege principle
Adopting the principle of least privilege ensures that users are granted only the privileges necessary to perform their specific roles and responsibilities. By minimizing excessive privileges, organizations can reduce the attack surface and mitigate the potential impact of security breaches.
Deploy multi-factor authentication (MFA)
Strengthening authentication mechanisms with MFA adds another layer of security by requiring users to provide multiple forms of verification before accessing privileged accounts. This mitigates the risk of credential theft and unauthorized access.
Enforce time-, task-, and location-based privilege elevation
With the proper tools and implementation, organizations can benefit from a dynamic approach to privilege elevation that grants accounts only the privilege needed, just at the time it’s needed, to perform a certain task. This can both minimize the proliferation of privileged accounts and reduce the risk of unauthorized access and misuse.
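To make the time, task and location conditions concrete, here is an added example (not from the article or any PAM product) of a deny-by-default elevation check. The `Grant` fields, the ticket id `CHG-1001`, the user and the network range are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Grant:
    user: str
    task: str            # change ticket the elevation was approved for
    privilege: str
    networks: tuple      # CIDR ranges the request may come from
    not_before: datetime
    not_after: datetime  # grant lapses on its own; nothing to revoke later

def issue_grant(user, task, privilege, networks, start, minutes):
    """Approve one privilege for one task, from given networks, for a fixed time."""
    return Grant(user, task, privilege, tuple(ip_network(n) for n in networks),
                 start, start + timedelta(minutes=minutes))

def check_elevation(grants, user, task, privilege, source_ip, now):
    """Deny by default: return (allowed, reason); all three conditions must hold."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    reason = "no grant for this user and privilege"
    for g in grants:
        if g.user != user or g.privilege != privilege:
            continue
        if g.task != task:
            reason = "task mismatch"
        elif not (g.not_before <= now < g.not_after):
            reason = "outside time window"
        elif not any(addr in net for net in g.networks):
            reason = "source location not allowed"
        else:
            return True, "granted until " + g.not_after.isoformat()
    return False, reason

# Constructed sample data (hypothetical user, ticket id and network).
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
GRANTS = [issue_grant("alice", "CHG-1001", "db-admin", ["10.20.0.0/24"], T0, 60)]

if __name__ == "__main__":
    for ip, when in [("10.20.0.5", 30), ("10.20.0.5", 61), ("203.0.113.7", 30)]:
        print(ip, when, check_elevation(GRANTS, "alice", "CHG-1001", "db-admin",
                                        ip, T0 + timedelta(minutes=when)))
```

Because the grant carries its own expiry, no standing privileged account remains after the task window closes.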
Enhance monitoring and alerting
Implementing continuous monitoring and real-time alerting capabilities enables organizations to promptly detect and respond to suspicious activities associated with privileged accounts, mitigating threats before they escalate.
Periodically assess insider risks
In cooperation with human resources and legal departments and with buy-in from all leaders to enact a culture shift, consider a focused Insider Threat Program. If deemed appropriate for the organization, the program would entail routine criminal background and financial checks for those granted privileged access (with the option to switch to other roles if they do not want to participate).
Regularly audit and review access controls
Conducting regular audits and reviews of access controls ensures that privileged access rights are aligned with business requirements and security policies. Doing so helps organizations to identify and remediate any unauthorized or excessive privileges, reducing the risk of insider threats and unauthorized access.
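One way such a review can be automated is to compare what each identity has been granted with what it actually used in a lookback window, which surfaces both excessive and unexplained privileges. This is an added example, not the article's own method; the identities, permission names, high-risk tags and the 90-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: current grants per identity.
GRANTED = {
    "svc-build": {"storage.read", "storage.write", "iam.role.assign", "vm.delete"},
    "j.doe": {"storage.read", "db.query"},
}
# Assumed: permissions the organization has tagged as high impact.
HIGH_RISK = {"iam.role.assign", "vm.delete"}
# Constructed usage log: (identity, permission, ISO timestamp).
USAGE = [
    ("svc-build", "storage.read", "2024-03-01T10:00:00"),
    ("svc-build", "storage.write", "2023-09-01T10:00:00"),  # older than the window
    ("j.doe", "db.query", "2024-03-10T08:30:00"),
    ("j.doe", "db.admin", "2024-03-11T08:30:00"),            # used but not granted
]

def review_access(granted, usage, high_risk, as_of, lookback_days=90):
    """Per identity: grants unused in the window, and use with no matching grant."""
    cutoff = as_of - timedelta(days=lookback_days)
    used = {}
    for identity, perm, ts in usage:
        if cutoff <= datetime.fromisoformat(ts) <= as_of:
            used.setdefault(identity, set()).add(perm)
    findings = {}
    for identity in sorted(set(granted) | set(used)):
        g = granted.get(identity, set())
        u = used.get(identity, set())
        unused = g - u
        findings[identity] = {
            "unused": sorted(unused),                        # candidates for removal
            "unused_high_risk": sorted(unused & high_risk),  # remove these first
            "ungranted_use": sorted(u - g),                  # investigate the source
            "used_ratio": round(len(g & u) / len(g), 2) if g else 0.0,
        }
    return findings

if __name__ == "__main__":
    for who, f in review_access(GRANTED, USAGE, HIGH_RISK,
                                datetime(2024, 3, 31)).items():
        print(who, f)
```

An `ungranted_use` entry does not prove abuse (the grant may have been inherited from a group or revoked since), but it is exactly the kind of mismatch a periodic review should explain.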
Balancing innovation with privileged access security
Business and tech leaders well understand the need to swiftly start or scale initiatives in cloud, advanced analytics, and now generative AI. But they need to remain aware that without prioritizing comprehensive privileged access management, every innovative environment their organization stands up is a potential gap in its cybersecurity armor. Put simply, investing in their organization’s future cannot come at the expense of protecting what it most values now.