The good news is that you don’t need to take on everything at once. In fact, we suggest you don’t.
We find that most organizations start strong when they adopt PAM. They get the vault set up and get domain passwords and local shared accounts under control. Then, they start to get complacent. They stagnate on their journey somewhere between stages two and three.
Meanwhile, the organization keeps growing and the IT environment gets more complex and difficult to manage. Service accounts proliferate, unchecked. Identities multiply and become siloed in Active Directory, LDAP, and other directories. This is especially true for Linux systems in the cloud: with no centralized directory like AD, local accounts abound. Cloud platforms such as AWS have their own IAM services, which adds yet another silo of accounts and permissions.
As the technology footprint mushrooms, the number of privileged users grows with it. Business users adopt more applications without IT oversight. Engineering teams spin up more systems, and developers hard-code credentials in scripts, libraries, and source repositories.
Meanwhile, cybercriminals are getting more sophisticated and emboldened all the time.
To protect your growing attack surface, you can’t stagnate at the Basic stage. The jump to Advanced is an important one, and it’s manageable. Let’s break it down.
Fundamentally, the Advanced stage of PAM maturity is about implementing a zero trust model founded on the Principle of Least Privilege (PoLP). Under this approach, users and systems get only the access and permissions they need to do their jobs, nothing more.
Traditional password vaults offer a basic level of control and fundamental security benefits. Password theft, however, is only one step in a cybercriminal’s attack chain. Once an attacker has a foothold on a system, they still need elevated rights to move laterally, disable defenses, and export data without detection so they can sell it or hold it for ransom. A vault does nothing to limit what a stolen credential can do once it is in use. To close that gap, and to mature your PAM program, add privilege elevation: instead of handing out standing admin accounts, grant admin rights only to the individual tasks, applications, or scripts that require them. Each elevated action is then scoped, attributable, and logged, and a compromised account cannot simply run anything as root or Administrator.
There are two parts of your attack surface where maintaining least privilege is essential for a strong security posture: user workstations and servers. In both situations, privilege elevation capabilities allow you to easily assign or revoke privileges for a specific period, providing just-in-time, just-enough access when admin control is absolutely necessary.
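The granular, time-bound elevation described in the two paragraphs above, shown as an added sudoers example on a Linux server (this is illustrative configuration written for this page, not a vendor product's configuration). The account names `deploy` and `oncall`, the service names, and the `/usr/bin/systemctl` and `/usr/sbin/nginx` paths are assumptions; the `NOTBEFORE`/`NOTAFTER` tags require sudo 1.8.20 or later.

```sudoers
# --- Weak rule typical of a "basic" rollout: standing, unrestricted root ---
# (kept commented out; the 'deploy' account is a constructed example)
# deploy ALL=(ALL) NOPASSWD: ALL

# --- Least privilege: name the exact commands the job needs ---
# Exact arguments are part of the match, so 'deploy' cannot pass other flags.
# Paths assumed for a typical systemd-based distribution.
Cmnd_Alias WEB_RELOAD = /usr/bin/systemctl reload nginx.service, \
                        /usr/bin/systemctl restart nginx.service, \
                        /usr/sbin/nginx -t

# Only these commands, only as root, password still required for each run.
deploy ALL=(root) WEB_RELOAD

# Caveat: do not grant commands that spawn a pager or editor (for example
# 'systemctl status' or 'journalctl'); the pager offers a shell escape and
# turns a "granular" rule back into full root.

# --- Just-in-time: a grant that only works inside a fixed window ---
# Timestamps are UTC generalized time (yyyymmddHHMMSSZ); outside the window
# sudo refuses the command, so the grant expires without anyone revoking it.
# 'oncall' and the 2024-03-01 18:00-20:00 UTC window are constructed values.
oncall ALL=(root) NOTBEFORE=20240301180000Z NOTAFTER=20240301200000Z \
    /usr/bin/systemctl restart postgresql.service

# --- Audit trail for every elevated command ---
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output
```

Validate the file before installing it with `visudo -cf <file>`, and place it under `/etc/sudoers.d/` rather than editing `/etc/sudoers` directly so each grant can be added and removed as its own drop-in. The same pattern, exact command plus a bounded validity window plus per-command logging, is what a commercial privilege elevation tool automates across a fleet, including the equivalent rules for Windows workstations.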