Each year, the folks at Oxford English Dictionary reveal their much-anticipated “word of the year.” Well, if they decided to have a version that focused specifically on the InfoSec world, they would likely choose a word (or make that a phrase) that has been all over the media for the last several months: zero trust.
Of course, zero trust — which is a security framework that posits there is no such thing as a traditional network edge, and that all users and devices inside and outside the network are inherently untrusted until they are established otherwise — is not a new concept. It has been around for decades in one form or another. However, the pandemic has accelerated two trends that have turned zero trust from a best practice into a fundamental requirement: the growing migration of services to the cloud and the exponential increase of remote workers.
Why identity and access management are important
To address the significant security concerns posed by an expanding attack surface, many organizations have implemented Identity and Access Management (IAM) systems. This is certainly a step in the right direction. Yet there is a major problem as well: IAM systems cannot authenticate and govern devices that do not use a federated identity, such as networking equipment and specialized appliances. As such, organizations need to bridge this gap by taking control of shared privileged accounts. That is where a robust Privileged Access Management (PAM) system enters the picture.
There are many well-known security benefits of a PAM system, including: enhanced data protection, greater control over accounts and access, reduced exposure to insider threats, and reduced risk of malware and other cyberthreats. All of these advantages are pivotal, especially considering that IBM’s recently-released 2021 Cost of a Data Breach Report revealed that data breach costs have skyrocketed to $4.24 million (USD) per incident — which is the highest average total in the report’s 17-year history.
Privileged Access Management
However, there is another — and much lesser-discussed — core reason why organizations should adopt a PAM system: it greatly increases productivity. There are six key reasons this happens:
- A PAM system functions as a kind of “virtual concierge” that opens the door for authenticated end users to access the networks, apps, and accounts they need. Instead of sending requests to IT and waiting for approval, they can move forward and perform their tasks in a productive and secure manner.
- A PAM system informs all end users and third-party vendors that their access is being logged and monitored, which can make them more productive. For example, a third-party vendor who previously accessed an account for five hours prior to the implementation of a PAM system may reduce that to two hours after implementation — because that is the appropriate duration based on prevailing standards and expectations (surely the end user could still exceed two hours, but may have to justify this to their customer, whereas pre-PAM this was not something their customer could track and log).
- A PAM system greatly reduces the administrative burden on SysAdmins, since they no longer have to manually rotate and update credentials, or (as noted above) deal with an endless barrage of end user access requests. Furthermore, deprovisioning access for departing employees is fast and easy. This is extremely important, as a recent survey found that 25 percent of workers said they still had access to accounts from previous jobs.
- A PAM system removes the burden and cost of manually sifting through thousands of logs, in order to proactively detect evidence of suspicious or unusual end user behavior.
- A PAM system streamlines and simplifies compliance and auditing requirements, which ultimately makes it faster and easier to comply with various regulation programs such as SOC 2, ISO 27001, PCI-DSS, GDPR, HIPAA, etc.
Security remains the top priority for organizations in all sectors — and not just large enterprises, either. SMBs are increasingly being targeted by hackers who anticipate facing weaker (and in some cases virtually non-existent) defense systems. However, the need for robust security cannot undermine productivity since organizations must remain competitive and find intelligent ways to do more for less. A PAM system is a piece of the security and productivity puzzle, since they both work hand-in-hand to drive organizations forward.