Why Admin Rights need a Zero Trust Approach
5/5 (1)
Spread the love
5/5 (1)

Privileged accounts are gold mines for malicious actors. They offer persistent access to valuable corporate resources and pose massive risk to organisations. Once authentication has been breached and credentials are obtained by an adversary, moving laterally, and accessing multiple resources, is too easy. 

The most privileged access is not always granted to the most senior employees. Administrative and personal assistants often have the greatest access to corporate resources. They are low hanging fruit for attackers -usually among the least well-prepared to deal with breaches or attacks like phishing emails. Privilege promiscuity like this creates challenges around not only Privileged Access Management (PAM), but also other digital risk controls.

Scaling PAM is Complex

Think of PAM as a way of stopping people from abusing privilege. Imagine that you need a handyman for some repairs. The handyman is granted access to your house through the front door and is guided to the kitchen. The handyman is monitored and exits the kitchen as soon as the job is completed. The handyman then leaves the house. The worst outcome is a shoddy job or perhaps the theft of small pieces of cutlery or a few fridge magnets. In other words, the handyman’s access has been managed and privilege was only granted as needed. This is good PAM.

Bad PAM is a scenario where the handyman is granted access to your home and nobody is in to monitor the handyman’s activities. The handyman could be honest do the job and then depart. But, there is a significant risk that the handyman takes advantage of the privileged access granted. The handyman has access to all the rooms in the house and all the items in the house. The handyman can invite other people into the house, including a friend who can remove and copy data from all resident hard drives in the house. This access enables the handyman to steal credit cards, jewelry, PII, credentials and more.

Now, imagine that there are hundreds of handymen and other workers entering and exiting a house at varying times and for different purposes – each with distinct tasks and a need for access to different rooms and items, 24/7. This is the challenge faced by security operations – there are often hundreds or thousands of users with differing privileges to manage. Organisations are struggling to keep up with the sheer scale of the PAM challenge with all its moving parts. PAM also needs to consider the ongoing change in roles and responsibilities of staff, which directly impacts requirements for privileged access.

Privilege Sprawl and Privilege Overkill is Rife In Asia

Once an adversary breaches a privileged account, and is able to move laterally, they can access email accounts, intellectual property, employee data, customer data, sales data, invoicing approvals, expense approvals, and many other systems and processes. In addition to being exposed to short-term financial risk, an organisation also faces operational, legal, and reputational risk from such a breach. The attacker can unload ransomware or other malware to sabotage operations. They can steal PII and credentials, to sell them or use them to cause reputational and legal damage to the victim.

Privilege sprawl is common in Asian organisations. IT departments often struggle to keep track of who has access to what. Worse, IT departments typically over-provision their stakeholders with access. They are usually more concerned with getting positive feedback for the IT resources they provide from the business, than in aggressive risk management.

Specialised PAM solutions have emerged to mitigate the risk associated with unauthorised account access. The term privileged access management is a bit of misnomer. Today’s organisations need to ensure that all access is managed correctly. With an expanding number of devices, bots and people accessing corporate resources, the scope of PAM solutions is much broader than managing privileged accounts alone.

A Zero Trust Approach to PAM is Necessary

Organisations need to take a zero trust approach to PAM. Just-in-time access (JITA) needs to become the norm, ending persistent privileged access. Access needs to be granted for the minimum amount of time with the minimum rights required, ending privilege promiscuity. Zero standing privilege needs to be the default state of systems and networks. Access must be denied as soon as necessary work is complete and only provisioned when needed again. This approach is needed for risk management but few organisations in Asia have achieved this goal. The sheer number of moving parts involved in such an exercise makes it particularly onerous – this is where PAM solutions play a role.

Here’s a list of Ecosystm’s top five predictions that will affect enterprises, cybersecurity leaders, remote workers and the security posture in 2021. Signup for Free to download the report.

New call-to-action

Please rate this

Andrew Milroy is a well-known and respected thought leader and speaker in the APAC region. With more than two decades of experience in the technology sector, Andrew has worked with clients in a variety of tech domains including cybersecurity, cloud computing, IoT, blockchain, service provider strategies, and customer experience. His most recent work has been focused on the current challenges in technology markets, cybersecurity and digital transformation. Since moving to Singapore in 2011, he has held regional leadership roles with Frost & Sullivan and Ovum (now Omdia). Prior to working in Singapore, Andrew gained invaluable technology knowledge and insights while working in Europe, the United States, and Australia. Andrew is frequently invited to speak, chair and moderate at major technology events. He is also widely quoted on the global broadcast media, including BBC, CNBC, Bloomberg and Channel News Asia. Andrew has a BSc from Newcastle University (UK), an MA from Middlesex University (UK) and an MBA from MGSM (Australia). Andrew is a long suffering Sheffield United supporter and enjoys hiking and running in his spare time.

Similar Blogs

Join the community and receive insights and analysis directly to your inbox.

Connect with an Expert
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments