Interview: How Organizations Can Ensure Success On Their PAM Journey
Joseph Carson, Chief Security Scientist (CSS) and Advisory CISO at Delinea, discusses the benefits of privileged access management, some of the challenges organizations face when implementing a PAM solution, and how they can overcome those challenges.
Joseph Carson is Chief Security Scientist (CSS) and Advisory CISO at Delinea. Carson has over 25 years of experience in the cybersecurity space. A regular speaker at cybersecurity events globally, Carson is an active member of the cyber community. He’s a certified CISSP and an advisor to several cybersecurity conferences and governments.
Alongside his role at Delinea, Carson is a content creator, having written multiple books on the topic of privileged access management (PAM) and how organizations can ensure they’re taking the right steps on their PAM journey. He also hosts a podcast with Chloé Messdaghi of Cybrary, in which he shares news and insights from cybersecurity thought leaders.
At InfoSecurity Europe 2022, we spoke to Carson to discuss the benefits of privileged access management, some of the challenges organizations have when implementing a PAM solution, and how they can overcome those challenges. We also talked about how two PAM market leaders—Thycotic and Centrify—merged last year and rebranded in early 2022 as Delinea, and the work Delinea is currently doing in the PAM space.
Can you give us a brief overview of Delinea, your key use cases, and what sets you apart from other solutions in the PAM space?
In February this year, Delinea rebranded through the bringing together of two other big companies: Thycotic and Centrify. Both of those companies’ great technologies came together, and we decided that a new name would also be fitting. The name “Delinea” comes from the word “delineate”, which is to define the boundaries of a space. And we see ourselves as the organization that helps organizations to define the boundaries of access, specifically around authorization, which is all about privileged access.
So, through our new consolidated, unified platform we provide organizations the ability to move away from “persistent privilege.” That’s when employees have assigned privileges, which are persistent throughout that employee’s day job. Sometimes they’ll have privileges that might be elevated, and they’ll be able to get access to those for the time they have access to the session. But in most cases, unfortunately, they’re persistent, which means they always have that access.
Now, almost all users should be considered privileged. That’s not to say that they have equal risk, but it’s important to understand what risks, what applications, what data, and what actions each user can perform, and that will determine which types of security controls or auditability you want to put in place, depending on the risk that those privileges create.
Our platform eliminates persistent privilege by providing the disclosure of credentials at a minimum, i.e., for only the time the user needs them. You have the access when it’s authorized, when you need it, for the time you need it.
A quarter of all cybercrime victims in the US and UK have managerial positions or own a business, and 34% of identity-related breaches in the last two years have involved the compromise of privileged user accounts. Why are so many organizations struggling to secure privileged account access?
It’s a balance between business priorities. For many organizations, PAM is in the top five things they want to implement. But basically, organizations are struggling to get enough budget in order to make sure they can actually implement all the things that they want to.
But I think organizations need to relook at some of their top priorities. And the reason I say that is, an organization’s time is the most valuable resource they have. You can’t get it back. You can’t go and make more of it. So, for me, any solution that actually reduces wasted time should be a priority.
If you look at organizations’ help desk calls, you’ll see that the majority of those calls are password or access related. When employees can’t access systems and they need to reset passwords, or they struggle to get access, or they need to create a new account, or they’re struggling to remember 50 different passwords—all of those waste time. If you can reduce that waste of time, you can add significant value to the business.
And privileged access management is one of the few solutions that actually has a time-saving element. It reduces people’s wasted time, provides consolidation of security controls, consistent visibility and auditability, and—at the end of the day—it’s one of the few security solutions that also makes employees happy because it removes one of the biggest cyber fatigues we have: password pain.
What are some of the other benefits of implementing a PAM solution?
PAM also allows organizations to innovate. When you’re looking to bring in more solutions, those logins or authentication processes may not fit your business needs. But you can put a PAM solution in front of it and regain that consistency, and be able to use those login processes much more efficiently with the right security controls in place.
The next thing is also compliance, which is what the executive team really focuses on in any organization. They want to check boxes. And with the audit and session monitoring capabilities of PAM, you’re getting a fast track to meeting compliance needs, which is also great.
And at the end of the day, cybersecurity is a world of insecurity and fear, and we need to start changing how we brand ourselves. We have to start bringing fun back into our industry and enable a CISO to say, “I’ve saved money. I’ve made our organization able to implement the newer solutions. I’ve made the employees happy.” That’s a positive thing to take back to the board, rather than always coming back with negativity and fear. If you can go back and actually show positivity to the board, that’s a change of mindset. And we have to start taking that more seriously and start prioritizing that.
My goal as an ethical hacker, pentester, and researcher is to make sure that a hacker’s job is more difficult. Privileged access management definitely makes it more difficult for attackers, because we force them to take more risks when they’re moving around the network. If they’re forced to repeat their techniques again, they create more noise in the network. And the more noise they create, the more visibility we get that they’re doing something malicious, and therefore we can stop them before the bad things happen.
So, privileged access management is one of the unique solutions that provides all of those different values that most organizations need to consider and start thinking about. But organizations need to make sure that they actually plan and execute and get the value as soon as possible, because all of those other solutions will become easier to implement if you have a PAM solution in place first.
Since the 2021 merger of Thycotic and Centrify and rebrand as Delinea earlier this year, what changes have you made to the platform, or what updates are you planning, to help organizations take control of their privileged access?
So, we have the great technologies and are unifying them, and we’re making it much more accessible for organizations of all sizes. Whether you’re a 10-person startup or you’re the largest Fortune 100 company, our goal is that all organizations of all sizes can get the luxury of having a PAM solution.
Traditional PAM focuses on privileged roles and sensitive infrastructure; typically, this was thought of only in terms of admins being privileged users, and the infrastructure has often been limited to servers, often located on-premises or locally. But DevOps, cloud infrastructure, remote work and SaaS could all benefit from extending PAM. All users should be treated as privileged users with the proper controls in place, including non-human ones. Applying consistent authorization controls against all these identities and all these assets is needed and will help reduce the risk and attack surface for modern organizations.
By preventing identity/credential theft, we can stop people from getting in the front door and push visibility and discovery out to all identities. But what if people get in via alternate methods, exploiting a zero-day vulnerability, or even a very targeted individual attack on a high-profile individual? This is where you establish controls over all privileged access to restrict unnecessary lateral movement. And then beyond this, follow the data to see where unneeded or unnecessary access is happening, human and non-human, and learn from that. It’s all about understanding and adapting to risk when and where you need to.
Zero trust has a lot of definitions in our industry depending on who you talk to. But at the end of the day, zero trust is all about starting with a “trust no one” posture and adding trust on an as-needed basis. Extended privilege management is about understanding who and what in your organization needs access, and then establishing the necessary controls to elevate access when and where it is needed, adapting to risk based on behaviors observed throughout the organization. This is what we are talking about when we say privilege and identity are the future of security.
Delinea is the first vendor to extend PAM across the enterprise, covering needs like securing credentials with a vault, providing just-in-time and just-enough privileges on workstations and servers, securing credentials used in code, and helping to secure non-human identities like service accounts.
We have demonstrated continuous leadership by being the first vendor to provide PAM solutions built in the cloud, for the cloud, and we are consistently recognized for leadership and innovation by analysts.
Some legacy PAM solutions still allow the use of standing privileges. What are some of the risks associated with standing privileges, and how can implementing a modern solution that enforces “just in time” privilege help mitigate those risks?
That’s a great question. When you get into legacy PAM solutions, where you basically get an account and you’ve held persistent access just for that period of time, that basically allows attackers to gain access using methods like “pass the hash”. That’s when I have a credential and the attackers can discover that, then move around the network laterally, elevate, and get access to other systems they wouldn’t have been able to get to before.
So yes, it’s really important to make sure that you move to that principle of least privilege, which takes away all of those other types of risks. Using things like credential rotation, we can stop these types of attack by ensuring users only have access for the period of time they need it, and then once the session ends, that credential is no longer available. Therefore, they can’t do pass the hash again. So, it really helps organizations mitigate a lot of those lateral movement risks that you have internally once an attacker gets access to a standard account with limited privileges.
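As an added example that is not part of the interview or of Delinea’s product, the following Python model contrasts a standing privilege with a just-in-time grant whose credential is rotated when the session ends, the mitigation Carson describes above; the broker, account and user names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class PrivilegedAccount:
    name: str
    secret: str = field(default_factory=lambda: secrets.token_hex(16))
    rotations: int = 0

    def rotate(self) -> None:
        # Any previously disclosed secret stops working from here on.
        self.secret = secrets.token_hex(16)
        self.rotations += 1

class JitBroker:
    """Hypothetical broker: time-bound grants, rotation when the session ends."""
    def __init__(self) -> None:
        self.clock = 0            # deterministic tick counter, not wall time
        self.open = {}            # user -> (account, expiry tick or None = standing)
        self.audit: list = []

    def grant(self, user: str, account: PrivilegedAccount, ttl: Optional[int]) -> str:
        # Disclose the current secret; ttl=None models a standing privilege.
        self.open[user] = (account, None if ttl is None else self.clock + ttl)
        self.audit.append(f"t={self.clock} grant {user}->{account.name} ttl={ttl}")
        return account.secret

    def end_session(self, user: str) -> None:
        account, _ = self.open.pop(user)
        account.rotate()
        self.audit.append(f"t={self.clock} end {user}->{account.name} rotated")

    def tick(self, n: int = 1) -> None:
        # Advance time; sessions past their TTL are ended and rotated automatically.
        self.clock += n
        for user, (_, expiry) in list(self.open.items()):
            if expiry is not None and self.clock >= expiry:
                self.end_session(user)

def target_login(account: PrivilegedAccount, presented: str) -> bool:
    # The target system accepts only the account's current secret.
    return secrets.compare_digest(account.secret, presented)

def replay_after_session(jit: bool) -> bool:
    """True if a secret captured mid-session still works after the session is over."""
    broker = JitBroker()
    acct = PrivilegedAccount("svc-backup")            # constructed sample account
    captured = broker.grant("alice", acct, ttl=2 if jit else None)
    broker.tick(2)                                    # the JIT session's TTL elapses
    return target_login(acct, captured)
```

With `jit=True` the captured secret is rejected after the TTL elapses, while the standing grant (`jit=False`) stays reusable indefinitely, which is the exposure described above.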
Finally, what is your advice to organizations struggling to secure their privileged accounts against credential-related breaches and data loss?
Read my books! My role is a security researcher, that’s what my main purpose is. My background is as an ethical hacker and pentester, and I use that knowledge—along with my own analysis of the threat landscape—to create content.
I also have my own podcast that brings thought leadership, so people can listen in and get updated news and insights into what’s happening in the industry.
But I’ve written several books on the topic. And I definitely recommend these to any organization that wants to make a start on their PAM journey. There are a couple of resources in particular that I’ve created that will really help them be successful. The first one is The PAM Checklist. The PAM Checklist is a set of important questions akin to a self-assessment, so you know that you’re ready to take the PAM journey, and also where the best place is for you to start. What are your highest risk accounts? What security controls do you have today, and what do you ideally want to put in place?
The next part after the checklist is the Privileged Access Management for Dummies book. And that basically delves into all the different terms, the different steps, the different types of discovery, and the common life cycle. Those resources are there to help people make sure that they’re ready to go on that journey, and that they have enough information to do it successfully.
Thank you to Joseph Carson for taking part in this interview. You can find out more about Delinea’s privileged access management solution via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.