Implementing Privileged Access Management (PAM) to Mitigate Internal Cybersecurity Threats

Managing privileged access to IT systems is a delicate task. Owners of such accounts enjoy expanded rights; if control over them is lost, their actions can become a source of big problems for the business. How do PAM systems help deal with potential risks?

PAM capabilities

PAM (Privileged Access Management) systems have become an integral part of the information security perimeter of many organizations. In today’s environment, as the number of attacks and leaks increases and IT systems play an increasingly critical role for business continuity, access control is becoming a critical aspect of digital perimeter security.

Privileged access to IT systems implies the ability to operate on critical components of the company’s digital landscape and sensitive data.

One of the main problems that organizations face today is the possibility of data leaks whose source is internal users: employees or contractors. PAM systems help prevent unauthorized access to confidential information and abuse of privileges. That is, they help control administrators, external contractors and other people who have access not only to files but also to the infrastructure.

Around the world, about 3 billion records of personal data and payment information were leaked in the first half of 2022 alone (InfoWatch data). In Russia, 187 million records were compromised during the same period, with the share of leaks caused by intentional violations exceeding 96%. A significant increase in information leaks in the “trade secret” category was also recorded, up to 13% of the total volume. The dynamics of leaks over the six months of this year show that the growth has not stopped.

PAM tools provide the ability to monitor and record all actions performed by users with privileged access, as well as proactively block unwanted and illegal actions. This allows potential security breaches or abuses to be detected.

Finally, many industry standards and regulatory requirements require organizations to implement access controls. PAM systems help companies meet these requirements by providing the necessary access control and auditing mechanisms.

The main idea of such systems is to provide full control over sessions on target devices that are accessed by an employee who is responsible for their correct operation or who has unlimited access.

Typically this includes control of access over the RDP and SSH protocols, as well as the ability to control HTTP(S), client applications and related protocols.

Therefore, before giving a user access to the infrastructure, it is necessary to give that user unique access to the access control system itself (through a list of users inside PAM or through integration with an LDAP directory, AD, etc.).
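The session-control idea above can be checked from the target side. The following is an added example, not code from the article or from any PAM product: it reads a host's SSH log and reports privileged logins that did not originate from the PAM gateway. The gateway address, the privileged account names and the log lines are constructed assumptions.

```python
import re

# Assumption: address of the PAM gateway (documentation range, constructed).
PAM_GATEWAY_IPS = {"192.0.2.10"}
# Assumption: accounts treated as privileged on this target host.
PRIVILEGED_ACCOUNTS = {"root", "dbadmin"}

# Constructed sample lines in OpenSSH's "Accepted ... for ... from ..." format.
SAMPLE_LOG = """\
Mar  3 09:14:02 db01 sshd[2211]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2
Mar  3 09:40:17 db01 sshd[2290]: Accepted password for dbadmin from 198.51.100.23 port 41844 ssh2
Mar  3 10:05:51 db01 sshd[2333]: Accepted publickey for deploy from 198.51.100.40 port 39010 ssh2
Mar  3 10:12:09 db01 sshd[2350]: Failed password for root from 203.0.113.5 port 55210 ssh2
Mar  3 11:30:45 db01 sshd[2412]: Accepted password for root from 203.0.113.77 port 60233 ssh2
"""

# Only successful logins are matched; failed attempts are out of scope here.
ACCEPTED = re.compile(
    r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def privileged_logins(log_text):
    """Return one record (who, when, from where) per privileged login."""
    records = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m and m["user"] in PRIVILEGED_ACCOUNTS:
            rec = m.groupdict()
            # A session is PAM-controlled only if it came from the gateway.
            rec["via_pam"] = rec["src"] in PAM_GATEWAY_IPS
            records.append(rec)
    return records

def bypassed_pam(log_text):
    """Privileged sessions that reached the host without passing the gateway."""
    return [r for r in privileged_logins(log_text) if not r["via_pam"]]

if __name__ == "__main__":
    for r in bypassed_pam(SAMPLE_LOG):
        print(f'{r["when"]} {r["host"]}: {r["user"]} from {r["src"]} '
              f'({r["method"]}) did not pass through PAM')
```

Any hit means a privileged session took place that the PAM system could neither record nor block, so it is worth alerting on in the SIEM.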

PAM

According to the study for 2021, the volume of the PAM segment in Russia was estimated at 1.2 billion rubles (data from CISO Club). The segment share among access and account management solutions was 12.8%.

Until 2022, CyberArk, BeyondTrust and Thycotic, as well as ARCON, Delinea, One Identity and Wallix, were among the most in-demand foreign vendors of PAM solutions in Russia.

They offered a wide range of privileged access management products and solutions, such as password management, access control, and privileged account monitoring.

As for Russian developers of PAM solutions, until a certain point there were no clear leaders in this segment. However, a few PAM solutions stood out, for example Indeed PAM, SKDPU-NT from IT-Bastion and Rostelecom-Solar SafeInspect.

Previously, the segment of this class of solutions was niche and was perceived as “a good, but not always mandatory tool for additional strengthening of the information security perimeter.” As part of import substitution, companies primarily solved the problem of replacing products in more basic segments. However, now the situation is changing: taking into account the growth in the number of cyber attacks and data leaks, business is increasingly paying attention to this class of solutions and the demand for it is actively growing.

What do you need

However, there is still a movement towards the transition to PAM systems. It is determined by the following system capabilities required by business:

Protection against security threats. With the increase in cyber attacks and internal security threats, companies are realizing the importance of protecting privileged accounts.

Regulatory compliance. Many industry standards and legislation (such as GOSTs, PCI DSS, GDPR) require regulation of access to privileged accounts. One example is FSTEC Order No. 239, which approves the requirements for ensuring the security of significant objects of critical information infrastructure of the Russian Federation under Federal Law 187.

Risk management. Companies are aware of the risks associated with inadequate management of privileged accounts. Data leaks, security breaches, and lack of user transparency can cause serious damage to a company’s reputation and finances.

Automation and efficiency. As the scale and complexity of company information systems increase, managing privileged access becomes an increasingly challenging task.

Basically, these functions belong to IdM and IGA solutions, which work with accounts, whereas PAM systems control the actions of privileged accounts.

Checklist for choosing PAM solutions

Since choosing a PAM solution is an important step in ensuring security and protecting privileged access in an organization, it is important to pay attention to the functionality of the software. The set of basic functions should include:

Management and administration of privileged accounts: creating, deleting, changing privileges and passwords;

Accounting and auditing of privileged access: the ability to track who, when and with what privileges accessed the system;

Session monitoring and recording: the ability to record and analyze privileged access sessions to ensure accountability and detect unauthorized activity;

Password management: generation, storage, updating and automatic change of passwords for privileged accounts;

Multi-factor authentication (MFA): support for various authentication methods, such as hardware and software tokens, biometrics and one-time passwords;

Access control: the ability to configure granular access rights to resources in accordance with the roles and responsibilities of users;

Integration with other security systems: integration of the PAM solution with identity, access control and SIEM (security information and event management) systems for more effective security monitoring and management.

Critical errors

When selecting PAM software, there are several major mistakes that can lead to serious consequences and cost the company dearly in the future.

The most important mistake is, as expected, the wrong choice of software. If a company implements an inappropriate PAM tool that does not meet its requirements or does not provide adequate security, this can lead to vulnerabilities and loss of control over privileged access.

In addition, it is possible to make a mistake with the configuration of the PAM tool. This can be a critical mistake even with the right tool selected. Incorrect settings will create weaknesses in the system, fail to provide sufficient protection, and even open the door to the company’s IT systems to intruders.

A common mistake is insufficient training and keeping knowledge up to date. PAM requires a good understanding of its functionality and capabilities. The mistake lies in the lack of education and training of the personnel who will use and administer the PAM system, which will directly affect the effectiveness of its work.

Difficulties may arise with implementation and migration. A failed PAM implementation or improper migration of existing systems can have serious consequences in the form of data loss, service interruptions, and even system failures. The company must carefully plan the step-by-step implementation of the software, conduct testing and risk assessment, and have a backup and recovery plan in place to minimize potential problems.

Finally, even a successful PAM implementation can be ruined by insufficient scalability. Business growth, changes in organizational structure, and other factors may require an expansion of the PAM system. If the solution architecture cannot meet scaling challenges, the company will be forced to spend a large budget on updating and modernizing the system.