I don’t have to tell anyone why we at Symantec, a division of Broadcom (NASDAQ: AVGO), are concerned about privileged identities and why the Enterprise should be as well. They are the source of many of the data breaches you see in the news today, most recently the incident in which many high-profile Twitter accounts were hacked: someone obtained credentials belonging to a small number of employees with privileged access and used those credentials to bypass two-factor protections and access a key internal system.
The key area of change driving these customer challenges today is that privileged identities used to be IT-focused only, and now they are also outside of IT and everywhere in the organization. In many enterprises today, C-suite executives are routinely granted privileged access, as are people in accounting, HR and marketing. But unlike traditional privileged accounts, where the passwords are tightly managed and controlled, employees outside of IT rely on basic password security, which can be easily hacked. They also often have more privilege than they really need.
I recently had the privilege of talking with Merritt Maxim, VP, Research Director from Forrester during a Symantec Enterprise webinar, where we discussed customer challenges associated with this dynamically changing environment and also emerging requirements not being addressed by Product Information Management (PIM) vendors today.
One area Merritt points out in our discussion is the influence that the migration to the cloud is having on privileged access management. He explains that privileged users are now managing a much broader range of endpoints than they were with only on-prem applications, which creates new dynamics and new deployment models. The enterprise will now need to protect accounts for both cloud and on-prem, increasing the breadth and complexity of privileged access management. In addition, the variety of targets is expanding, from where they are hosted to how they are accessed by employees, which also contributes to the new complexity.
The good news is that a consensus is emerging among security leaders that there are specific steps we can take to address these challenges effectively. Here are our suggestions for the Enterprise to consider:
- Step 1: Discover: Identify all privileged accounts
Privileged access management systems used to collect an organization’s most critical data and lock it up or “vault” that data on a server. Today, going through the process of discovering how many privileged accounts you have and who they are is a key first step. Simply put: It’s difficult to prevent a data breach when an organization doesn’t even know what it needs to secure in the first place.
- Step 2: Implement: Deploy a hybrid privileged access model
This deployment model must accurately reflect the reality of the modern enterprise and should be based on the model of “least privilege” - the restriction of individual user access rights within a company to only those which are necessary in order for them to do their job. To be effective, a privileged access management system should be a hybrid model that can address the needs of an on-prem AND cloud-based environment, while at the same time keeping the future in mind and how the environment will be evolving. This hybrid deployment of a least privilege business model will keep your infrastructure current and not open to attacks.
- Step 3: Redefine: Update the organization’s understanding of privileged users
What it means to be a privileged user is changing. There is a slowly growing awareness that these accounts need to be not just secure but also user-friendly. Business leaders such as CEOs and CFOs don’t necessarily know, nor should they be expected to understand, complex computer code, just as data-entry personnel or contractors must be able to do their jobs. And all of them could be privileged users in the current environment.
With all the potential new privileged users, there is a need for high scalability and speed to scale up and scale down. As Merritt explains, the combination of increased endpoints and the sheer number of new privileged users creates the need for this scalability. As new business initiatives and programs ramp up, so must privileged access management. As the initiative completes, it also needs to ramp down again quickly.
New privileged access management systems, such as Symantec Privileged Access Management, that are based on principles of least privilege and zero trust allow customers to:
- Maximize your Investment: Symantec PAM combines the industry’s highest scalability with the lowest cost of ownership to deliver a solution that will protect the entire enterprise without breaking the bank.
- Protect Hybrid Enterprise: Symantec PAM controls privileged access across all IT resources, from cloud to mainframe, and complements Symantec Endpoint and Network Security solutions.
- Address Regulatory Compliance: Symantec PAM provides many of the controls governing privileged access that are mandated by emerging data privacy laws and regulatory and industry compliance mandates.
In my next blog, the topic I will cover is “What is Privilege and How it is Changing”, and I look forward to sharing more of our learning in the areas of Privileged Access Management.