Many organizations do a reasonably good job at limiting access to data and systems for their general user population. When it comes to privileged access, however, most simply attempt to limit who and how many people have this type of access without considering the inherent risks of granting wide-open root or admin level access.
The latest data breaches have been the result of attackers gaining elevated privileges to systems by compromising a privileged user's credentials and then using the authorized access to exfiltrate data.
The concept behind privileged access management – or sometimes privilege identity management – to better control privileged account access is not a new notion. But organizations need to take an important step forward in granularity.
Current PAM solutions provide better management of privileged accounts but do not solve the underlying problem with privileged accounts: that they allow unfettered access to the system; allowing whomever has access full control over the system.
While providing better control over and accountability for the use of privileged accounts, they do not provide the ability to truly provide access based on the well-understood concept of least privilege. And this is where that next level of granularity will help organizations provide their privileged users with the ability to do their assigned tasks without giving them the keys to the kingdom and putting the organization at unnecessary risk.
"Establishing controls around privileged access continues to be a focus of attention for organizations and auditors," says Gartner analysts Felix Gaehtgens and Anmol Singh in the research firm's Market Guide for Privileged Account Management. "Security leaders must be prepared to address the inventory, classification and use of privileged accounts."
Root or administrative access is typically meted out in its entirety to certain trusted individuals. The problem with this approach is that this level of access allows the user to take any action they want, on any system, regardless of the immediate objective or their respective role in the organization.
Threat actors specifically target these users through malware, social engineering or other lateral breaches. Once a threat actor or malicious party gains access to a privileged user's credentials, they often either have or can find a way to escalate to root access. The result? They "own" the environment, allowing them to execute their nefarious objectives.
By taking PAM/PIM to the next level — by limiting what specific actions a privileged user can take — organizations will not only be able to limit who has privileged access, but also dictate exactly what the user is able to do with that access. Far too many organizations, particularly in healthcare, are just concerned about limiting the number of privileged accounts they authorize for access. But we need more control.