With the rise in digital transformation and cloud adoption in recent years, business networks are growing increasingly diverse. Organizations are using both on-premises and cloud applications, as well as a variety of corporate and personal devices, and it’s becoming more and more challenging for security teams to monitor access because traditional network perimeters no longer exist in the remote era. Failure to address this challenge and properly monitor user access makes it much easier for bad actors to gain unauthorized access to a corporate network and, subsequently, confidential data.
Critical business data is often stored in “high-tier” business systems, which can only be accessed by privileged accounts that have been granted administrative levels of access. This makes these privileged accounts an enticing target for attackers who want to gain access to that data, either to hold hostage in a ransomware attack or sell on the dark web. And, unfortunately, they’re succeeding in hacking those accounts; 34% of identity-related breaches in the last two years involved the compromise of privileged accounts.
To find out more about how organizations can protect their most critical corporate data against identity and access breaches, we spoke to Amit Saha, CEO of Saviynt. Saha began his journey in the identity security space over 25 years ago, advising customers on how they should manage and govern their identities, and examining the role of identity within each organization’s unique infrastructure. He joined Saviynt in 2013 with a vision of reimagining how identity governance should work. Saviynt was founded in 2009 as an on-premises identity management and governance solution. In 2015, as cloud adoption began to pick up pace globally, Saviynt shifted course to provide Identity Governance-as-a-Service, delivering the flexibility, scalability and customization required to protect any cloud environment. Saviynt now gives organizations clear insight into identity and access security across their ecosystems, helping them to achieve compliance whilst securing the data stored in their most critical corporate systems.
Managing Account Access: The Trials And Tribulations
Without the proper security measures in place, a hacker can easily gain access to a privileged account simply by stealing the user’s password in a phishing attack, or cracking it with brute force. Equipped with these credentials, the hacker can log into their target’s account undetected. From there, they can change account details to lock out the real user, steal data, and install malware. They can also carry out further social engineering and account takeover attacks within the organization using that account, or infiltrate a partner organization.
“Account takeover is definitely a real threat,” says Saha. “As organizations become more focused on digital transformation, they expose assets that were previously behind their firewall, giving the attackers an opportunity to exploit that and compromise those assets.
“And when the workforce is working remotely, or collaborating digitally with partners, the impact of a compromise like this increases because of privilege elevation or the lateral movement to access other privileged accounts. It could lead to enterprise-wide compromise.”
Privilege elevation is a particularly common vulnerability among cloud services, which are often misconfigured. Over half of enterprises using AWS, for example, have identities with the ability to escalate their own privileges to a “super admin” role. This means that bad actors can hack into standard user-level accounts and grant themselves admin privileges without approval, allowing them undetected, unauthorized access to critical business data.
Despite the risk associated with a lack of access security, only 38% of organizations are using multi-factor authentication (MFA) to secure their privileged accounts.
So, why are so many organizations struggling to manage and secure account access?
“There are traditionally two main challenges when it comes to privileged access management,” explains Saha. “First and foremost, is that implementation used to be a tedious and expensive exercise, especially when you’re setting up a lot of servers for video recording of sessions. So, many organizations focused on using those products just for critical workloads, leaving a lot of less sensitive workloads unprotected.
“But if a non-privileged ID is compromised, it can be used to move laterally or escalate privileges, bypassing the controls that have been put in place only on some workloads.”
The second challenge, Saha tells me, comes as a result of migrating to cloud infrastructure, and the fact that it’s now not only humans that are given identities, but also machines and IoT devices. This means that legacy access management solutions, which were designed to grant access to human users, are no longer effective.
“Now, infrastructure is nothing but code, and that’s changed how we look at identity and access management.
“Technologies previously used a jump box model, where privileged users would log onto a jump box with a password to record the transaction before they started performing any activities.
“Now, an identity could be a machine, or an IoT device, and the credentials are SSH keys or tokens; activities are being carried out from app to app or service to service, where there’s no human interaction. In these cases, the identity doesn’t log into a jump box for the session to be recorded.”
Securing High-Tier Accounts With Privileged Access Management
Cloud privileged access management (PAM) solutions can help organizations to solve these challenges while improving their identity and access security. They enable admins to monitor all access to critical business systems and ensure better governance of privileged credentials. To do this, they store all privileged-account credentials encrypted in a secure vault, or generate ephemeral credentials, which users can only obtain after verifying themselves using MFA. This prevents unauthorized actors from signing in, even if they steal a user’s password.
Once the user is logged in, the PAM solution records their activity, which is useful for auditing purposes but also helps admins to identify suspicious behavior. After the session ends, the credentials for the account are rotated, which eliminates the risk of a repeat attack with the same credentials should a cybercriminal manage to compromise an account once, limiting the damage caused by the breach.
PAM solutions help prevent cybersecurity attacks such as account takeover by working in line with the principle of zero trust, i.e., that you shouldn’t automatically trust any user or machine with access to your network, whether internal or external.
“Zero trust is a philosophy, not a particular technology, and it has to be implemented at every step of the way within a PAM solution,” says Saha. “So, first, you need to be able to verify the identity of the user or machine. This is where the integration with MFA comes in, to check whether the user is displaying malicious intent or trying to gain access from a compromised device.
“The second aspect is challenging static or ‘standing’ privileges.”
Standing privileges, as defined by Gartner, refer to accounts that have continuous privileged access across certain systems or applications. An example of this is the local “admin” login automatically assigned to each user’s desktop. Because they’re static and not regularly updated or changed, standing privileges enable bad actors to carry out repeat attacks using the same login credentials.
“A lot of organizations are moving towards a ‘zero standing privileges’ model,” Saha says. “This means that the account exists, but privileged access is only assigned for a limited duration, based on when the user actually needs it.”
This approach, also referred to as just-in-time (JIT) provisioning, reduces the risk of repeat attacks and makes it much more difficult for a bad actor to get hold of credentials in the first place, because they change for each session.
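The vault, MFA gate, session record and post-session rotation described above, and the zero-standing-privileges model Saha outlines, can be modelled in a few dozen lines. The following is an added, constructed illustration (not Saviynt’s or any vendor’s code); the `PamBroker` class, its account names and the audit-log layout are assumptions made for the example.

```python
import secrets
import time
# Constructed in-memory model of a just-in-time PAM broker (illustrative, not
# any vendor's code). Privileged secrets live only in the vault, are issued per
# session after MFA, expire with the session, and are rotated at check-in.


class PamBroker:
    def __init__(self, accounts, ttl_seconds=900.0, clock=time.time):
        self._clock = clock
        self._ttl = ttl_seconds
        # vault: account -> current secret; only handed out inside a session
        self._vault = {a: secrets.token_urlsafe(32) for a in accounts}
        self._sessions = {}   # session id -> (account, expires_at)
        self.log = []         # audit trail for governance review

    def checkout(self, user, account, mfa_ok):
        """Issue a time-boxed credential only after MFA has succeeded."""
        if not mfa_ok or account not in self._vault:
            self.log.append(("denied", user, account))
            return None
        sid = secrets.token_hex(8)
        # zero standing privileges: the grant carries an expiry from the start
        self._sessions[sid] = (account, self._clock() + self._ttl)
        self.log.append(("checkout", user, account, sid))
        return sid, self._vault[account]

    def authorize(self, sid, secret):
        """Accept a credential only while its session is live and unrotated."""
        entry = self._sessions.get(sid)
        if entry is None or self._clock() >= entry[1]:
            return False
        return secrets.compare_digest(secret, self._vault[entry[0]])

    def checkin(self, sid):
        """End the session and rotate the secret so a captured copy is useless."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return False
        self._vault[entry[0]] = secrets.token_urlsafe(32)
        self.log.append(("checkin", entry[0], sid, "rotated"))
        return True


def replay_after_checkin_is_rejected():
    """Worked case: a secret captured during a session stops working afterwards."""
    broker = PamBroker(["db-admin"])
    sid, captured = broker.checkout("alice", "db-admin", mfa_ok=True)
    live = broker.authorize(sid, captured)
    broker.checkin(sid)
    return live and not broker.authorize(sid, captured)
```

The `clock` parameter lets the expiry be driven by a fake clock in a test, so the time-boxed grant can be exercised without waiting for the TTL to elapse.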
The third and final aspect of zero trust security in a modern PAM solution, according to Saha, is the integration of PAM with continuous identity governance. “Rather than integrating a traditional PAM product with an identity governance product as an afterthought, they should be pre-integrated from day one. This ensures that, as soon as the user is onboarded in the organization, we are continuously monitoring their access and activity.”
PAM For Security; PAM For Compliance
In recent years, industries such as healthcare and finance have come under increasing pressure to ensure and prove the security of sensitive information. Some compliance standards, including HIPAA, PCI, FISMA and SOX, state that companies must apply least privilege access policies (such as zero standing privileges) to high-tier systems that store sensitive data. Because of this, as well as increasing account security, a PAM solution can also help organizations meet their compliance and audit obligations.
A PAM solution does this first by eliminating the use of standing privileges, and then by monitoring and recording all user activity once a user is logged into a high-tier system. These records can then be used for auditing purposes and to prove compliance.
To fully meet this requirement, Saha says, PAM needs to expand to also encompass what is called “sensitive access”: access to sensitive personal or financial information, as well as to high-tier business systems.
“In the healthcare space, for example, nurses, external and internal physicians have access to patient care data. You need to ensure that they have access to only the appropriate or required number of patient record data, and not the entire set. That’s where there is a tighter integration between the context of identity or the context of sensitive or privileged access.
“It’s important to know the sensitivity of what the user is trying to do with that access, not just whether they’re allowed complete access to the system or not. That’s where PAM solutions have to evolve, and it is one of the things that Saviynt has been pushing for.”
Returning To The Office: The Future Of Access Management
As some employees start to return to their offices, either full-time or as part of a hybrid-remote work model, we can expect the concept of identity and access management to grow and evolve to meet an expanding network.
“Identity is the new perimeter,” says Saha. “When it comes to digital transformation, cloud computing or a work from anywhere model, the context of identity needs to be dynamic. It must support the business initiatives requiring privileged access from home, from the office, and from a secured or unsecured device.
“And because of digital transformation, you’ll have different types of identities to interact with. Identity itself has gone through a transformation. Before, identities were restricted to employees and contractors. Now, it encompasses machine identities such as workloads, RPA bots and IoT devices.
“There needs to be a way to implement the best practices of PAM across each of those identities.”
To keep up with these changes and secure their networks, Saha says, organizations first need to achieve visibility into how access is being used organization-wide.
“Every organization has a limited set of resources, so visibility is the number one priority to understand where your risks and vulnerabilities lie, and to understand the very nature of identity in your environment. Once you understand those interactions, you can identify to what extent you need to implement PAM.
“Then you need to balance out these controls with how the end user will interact with them. Consider how you can make the solution intuitive for your end users, both technical and non-technical.
“So, start with visibility, and then define what type of implementation you need and how much of an intrusive or intuitive process it should be.”
Thank you to Amit Saha for taking part in this interview. You can find out more about Saviynt and their cloud identity security services at their website and via their LinkedIn profile.