Busting the myths about privileged access management (PAM)

Graham Hawkey, privileged access management (PAM) specialist, Osirium

Privileged admin credentials have become the target of choice for hackers looking for a way to breach security defences. Verizon’s latest Data Breach Investigations Report reveals that three quarters of data breaches involve the human element – including social engineering attacks, errors, and misuse. With more people than ever across a typical organisation possessing potentially powerful access rights, this represents a significant risk. Admin accounts are ripe for misuse by criminals looking to steal or delete data, or cause damage by accessing and making changes to systems, servers, applications and devices.

Privileged access management (PAM) safeguards valuable account logins by ensuring that users only have rights to access to the systems they need to do their work, and for the shortest possible time period, and with the lowest level of privilege. Microsoft defines PAM as “an identity security solution that helps protect organisations against cyberthreats by monitoring, detecting, and preventing unauthorised privileged access to critical resources”.

When talking to their organisations about PAM, security teams may find they come up against certain assumptions. Here are five common ‘myths’ they might need to address, to make the case for investment, or secure buy-in from users, for example.

  1. Privileged credentials are already covered by our identity access management (IAM) solution.

This isn’t the case: IAM focuses only on proving the user is who they say they are – typically using credentials – before letting them log in. PAM applies policies that determine what each user can access, and with what privilege level; in other words, it controls exactly what they do and how.

  2. We have a record of all our admins, and we’re sure nobody can access anything they shouldn’t.

There is always too much privilege! How many staff have retained access to systems they no longer need after moving department, or leaving? Do you know who within your supplier and partner organisations has the means to log in to your IT environment?

Implementing PAM enables you to identify exactly who holds privileged admin credentials, and what they have access to, remove rights where they’re not required, and exert control by granting users the lowest level of permissions they need to carry out a task.
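The review described above (who holds privileged credentials, whether they still need them, and which rights to remove) can be driven from an entitlement inventory. The following is an added illustration, not Osirium's code or any product's API: it runs a least-privilege review over a small, constructed inventory and flags the cases the text names, leavers, movers who kept access granted for a previous department, third-party accounts, unused rights, and entitlements with no matching account. The account and entitlement records, the 90-day staleness window and the reason codes are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

STALE_AFTER = timedelta(days=90)  # assumed review threshold for unused privileged rights


@dataclass(frozen=True)
class Account:
    user: str
    org: str          # "internal" or the name of a supplier/partner organisation
    department: str   # department the person is in today
    active: bool      # False once the person has left


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str             # e.g. "admin", "operator", "read-only"
    granted_for: str      # department that justified the grant at the time
    last_used: Optional[date]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    code: str     # leaver | mover | third-party | stale | orphaned
    detail: str


def review(accounts: List[Account], entitlements: List[Entitlement], today: date) -> List[Finding]:
    """Compare every privileged entitlement against the current account record."""
    by_user = {a.user: a for a in accounts}
    findings: List[Finding] = []
    for e in entitlements:
        acct = by_user.get(e.user)
        if acct is None:
            # Credential exists but nobody owns it any more: nothing to justify it.
            findings.append(Finding(e.user, e.system, "orphaned", "no matching account record"))
            continue
        if not acct.active:
            findings.append(Finding(e.user, e.system, "leaver", "account is inactive but still holds access"))
        elif e.granted_for != acct.department:
            findings.append(Finding(e.user, e.system, "mover",
                                    f"granted for {e.granted_for}, now in {acct.department}"))
        if acct.org != "internal":
            findings.append(Finding(e.user, e.system, "third-party",
                                    f"supplier {acct.org} holds {e.role} on {e.system}; confirm it is still needed"))
        if e.last_used is None:
            findings.append(Finding(e.user, e.system, "stale", "never used"))
        elif today - e.last_used > STALE_AFTER:
            findings.append(Finding(e.user, e.system, "stale", f"unused for {(today - e.last_used).days} days"))
    return findings


def recommend_revocations(findings: List[Finding]) -> Set[str]:
    """Entitlements to remove outright: nobody active and in the right role can justify them."""
    return {f.user for f in findings if f.code in ("leaver", "mover", "orphaned")}


# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "internal", "platform", True),
    Account("bob", "internal", "finance", True),    # moved from platform to finance
    Account("carol", "internal", "platform", False),  # left the organisation
    Account("dave", "acme-msp", "support", True),     # supplier engineer
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "prod-db", "admin", "platform", date(2024, 5, 28)),
    Entitlement("bob", "prod-db", "admin", "platform", date(2024, 1, 10)),
    Entitlement("carol", "jump-host", "admin", "platform", date(2024, 2, 1)),
    Entitlement("dave", "firewall", "admin", "support", date(2024, 5, 30)),
    Entitlement("erin", "backup-srv", "admin", "platform", None),  # no account record
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, SAMPLE_ENTITLEMENTS, TODAY):
        print(f"{f.code:12} {f.user:6} {f.system:11} {f.detail}")
    print("revoke:", sorted(recommend_revocations(review(SAMPLE_ACCOUNTS, SAMPLE_ENTITLEMENTS, TODAY))))
```

Third-party and stale findings are reported but not auto-revoked: a supplier may genuinely need the access, and an unused right may be a break-glass one, so those go to a human owner for confirmation, while leaver, mover and orphaned entitlements have no current justification and are revoked.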

  3. We don’t need to bother with PAM – it’s not legally required.

Proper management of privileged access is now specifically required for compliance with many key regulations, including GDPR, PCI DSS, Sarbanes-Oxley and the Telecommunications (Security) Act 2021 (TSA). This is also the case for standard best practice frameworks such as Cyber Essentials, ISO 27001, and the new NHS Data Security and Protection (DSP) Toolkit. Taking their cue from regulators, cyber insurers too increasingly require customers to demonstrate the ability to manage privileged accounts to reduce risk before they will issue a policy.

  4. PAM will increase the IT team’s workload, and reduce users’ productivity.

Implementing the approach can change workflows and processes in a way that improves the user experience, and reduces the friction that slows down admin tasks. Search and filtering functions, for example, will allow the right devices or services to be found quickly. Some PAM solutions enable the secure automation of common admin tasks, to ease the burden on IT. For instance, when connected with central HR systems, new starters can be automatically provisioned with the necessary user accounts and appropriate access rights.

Endpoint privileged management (EPM) allows security teams to remove local admin rights from users who don’t require them on a permanent basis, while elevating privileges for individual users in instances when this is needed, ensuring their work is not interrupted.
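The EPM model just described, standard-user by default with short, task-specific elevation, is easy to misread as "grant admin on request". The added example below (illustrative only, not Osirium's EPM product or its API) shows the policy a defender actually wants: a catalogue that maps each approved task to the least privilege that completes it and a ceiling on how long that privilege lives, an elevation request that is capped rather than honoured as asked, and an enforcement check that falls back to the standard user role the moment a grant expires. The task names, role names and durations are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed task catalogue: for each approved task, the lowest role that lets it complete
# and the longest a grant for it may live. Anything not listed cannot be elevated at all.
TASK_CATALOGUE = {
    "restart-print-spooler": ("service-operator", timedelta(minutes=15)),
    "install-vpn-client":    ("local-admin",      timedelta(minutes=30)),
    "read-event-log":        ("event-log-reader", timedelta(hours=1)),
}
ABSOLUTE_MAX = timedelta(hours=1)   # hard ceiling regardless of task
STANDARD_USER = "standard-user"     # what the endpoint enforces when no grant is live


@dataclass(frozen=True)
class Grant:
    user: str
    task: str
    role: str
    starts: datetime
    expires: datetime

    def active_at(self, when: datetime) -> bool:
        return self.starts <= when < self.expires


def request_elevation(user: str, task: str, requested: timedelta,
                      now: datetime) -> Tuple[Optional[Grant], str]:
    """Return (grant, reason). The grant carries the catalogue role, never a requested one,
    and its lifetime is the shortest of: what was asked, the task ceiling, the global ceiling."""
    entry = TASK_CATALOGUE.get(task)
    if entry is None:
        # Unknown task: deny. Adding it to the catalogue is a policy decision, not a user action.
        return None, f"task '{task}' is not in the elevation catalogue"
    role, task_max = entry
    duration = min(requested, task_max, ABSOLUTE_MAX)
    if duration <= timedelta(0):
        return None, "requested duration must be positive"
    return Grant(user, task, role, now, now + duration), f"granted {role} for {duration}"


def effective_role(grants: List[Grant], user: str, now: datetime) -> str:
    """What the endpoint should enforce for this user right now.
    With several live grants the most privileged one applies; with none, standard user."""
    rank = {STANDARD_USER: 0, "event-log-reader": 1, "service-operator": 2, "local-admin": 3}
    live = [g.role for g in grants if g.user == user and g.active_at(now)]
    return max(live, key=rank.__getitem__, default=STANDARD_USER)


def expire_grants(grants: List[Grant], now: datetime) -> List[Grant]:
    """Housekeeping: drop grants whose window has closed so they cannot be reused."""
    return [g for g in grants if g.active_at(now) or g.starts > now]


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0)            # constructed clock for the demo
    grants: List[Grant] = []
    g, why = request_elevation("alice", "install-vpn-client", timedelta(hours=8), t0)
    print(why)                                 # asked for 8h, receives 30 minutes
    grants.append(g)
    for minutes in (0, 10, 29, 30, 45):
        at = t0 + timedelta(minutes=minutes)
        print(f"+{minutes:2}m alice enforces {effective_role(grants, 'alice', at)}")
    _, why = request_elevation("bob", "format-disk", timedelta(minutes=5), t0)
    print(why)                                 # not in the catalogue: denied
```

The two properties that make this least-privilege rather than "temporary admin" are that the role comes from the catalogue, not from the request, and that expiry is computed at grant time, so nothing the user does later can stretch it.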

  5. Users will always find ways to bypass the tool, and unintentionally expose credentials.

PAM separates users from privileged credentials, and with no direct access to logins there’s no way they can misuse or leak them. Meanwhile, automating routine tasks that are carried out with admin rights – such as resetting passwords, or removing logins from staff who have left – will eliminate errors by taking the human out of the equation.

In an age where most cyber criminals prefer logging in to hacking in, controlling the misuse and abuse of privileged access is crucial. Most organisations have a complex, diverse IT estate with myriad endpoints, that creates visibility challenges, and is very difficult to control. Introducing PAM is a comprehensive and efficient way of establishing this control: protecting systems and data from attack, while ensuring employees and third parties can safely access the resources they need to do their work.

Graham Hawkey

PAM specialist Graham Hawkey has been working in the IT sector for more than a decade. His expertise in privileged access security spans eight years, including nearly six years with Osirium, the only UK-based PAM provider. Graham works with a wide range of businesses and organisations across the UK in both the private and public sectors, helping to boost their cyber resilience.

As one of the world’s fastest growing PAM providers, serving customers across four continents, Osirium has helped thousands of organisations over the past 25 years protect and transform their IT security services. In addition to PAM, Osirium also offers solutions for Endpoint Privilege Management and Privileged Process Automation. 


About the Author: Michael O'Sullivan