Privileged access management (PAM) tools offer significant security and compliance benefits that can be used to build a business case. This can be tricky, however, because most of the benefits are intangible. In other words, they’re based on what-if scenarios: In the event of a security breach, what costs would the organization incur? Based on your organization’s region and industry, you could calculate what it would cost to recover from a data breach.
Privileged access management is often seen as a necessary evil, a tool that is required to improve the company’s security and compliance posture, but brings little additional value. In my opinion, this is a misconception.
How Can Privileged Access Management Drive ROI for Your Business?
Besides the intangible benefits, there are also measurable benefits that can help you justify the investment in a privileged access management solution. Let’s take a deeper dive into the many ways PAM technology can deliver value to your organization and help you demonstrate return on security investment (ROSI) to business leaders.
It is often said that passwords are the weakest link. If you don’t have tools to manage them — and certainly if they are shared between users — they can quickly get out of control. People often write passwords down or store them in protected spreadsheets. Sometimes they are not changed frequently enough, because redistributing a new password to the whole team is a manual effort.
With a password vault, credentials are stored in a safe, digital and encrypted location governed by access control policies. This is a good first step to reduce the risk posed by passwords, but it’s far from a complete solution.
Even if you store passwords in an encrypted vault and have access policies and processes, they’re still static, meaning someone could potentially write them down or copy and store them somewhere else. Implementing automated password rotation at regular intervals can help reduce this risk.
Nonhuman Account Management
Organizations tend to focus on accounts and passwords used by humans, such as those belonging to administrators, developers and external staff, because, to put it simply, humans make mistakes. Humans are vulnerable to phishing and social engineering attacks, can be bribed or threatened, and sometimes grow dissatisfied with their employer.
However, companies often neglect accounts designated for services, applications and machine-to-machine communication. This is largely due to the operational risk associated with changing them. In one particular analysis of high-privileged accounts, I stumbled across quite a few passwords that had not changed in more than a decade. When I asked why that was, the company said it simply had no clue what would happen if they were to change the passwords — in other words, the operational risk of changing the passwords was too great. Even though they understood the risk, they left the passwords as they were. These passwords were eventually put in a vault, but before that, they were stored somewhere in installation documentation — another remarkable situation I came across multiple times.
Privileged access management solutions can help you get these accounts under control and rotate passwords at regular intervals without service disruption. Hackers know they are usually static, which is why they still target them. Typically, these credentials have no expiration date or limit for unsuccessful login attempts due to the operational risk, leaving the infrastructure in a vulnerable state.
Third-Party Access Management
Many companies contract managed security services to maintain firewalls, virtual private networks (VPNs) or even the entire IT infrastructure. This usually requires network administrators to grant external parties access to the IT infrastructure, often with high privileges. Now, your contract might require certain security measures and policies, but you can’t control or monitor a third party’s IT environment to be sure. What if a service provider is breached and, by extension, your enterprise data is compromised as well? Even if you’re able to get financial compensation for your loss, you can’t take back the bad press and resultant reputational damage.
Most privileged access management solutions provide session management, which enables you to separate third-party access from the network. You can implement it in such a way that a password is not required; the password is injected during session start and login, and the third party never gets to see it. This method guarantees accountability, records a detailed audit trail of activity and enables security teams to terminate ongoing sessions if they detect suspicious behavior.
Speaking of third-party access, you might want to consider applying similar restrictions to your own staff. It would make their lives easier, since they wouldn’t have to deal with the hassle of remembering, storing and entering passwords. Plus, from an audit perspective, you will have much richer information, especially if you record sessions so they can be replayed later.
Some system-related vulnerabilities are easy to avoid by rotating passwords. Pass the Hash is a prime example. It enables an attacker who has compromised one system to reuse the password hashes of accounts that previously logged on to it and connect to other systems as those accounts. Simply changing the password protects against this threat, since the captured hash won’t be correct anymore.
Emergency Access Provision
Sometimes it may be necessary for certain individuals to get emergency access to systems, such as when a critical service breaks or when regular administrators are not available and something needs to be changed urgently to restore a business-critical service. In these situations, there is no time to go through an approval workflow.
With a PAM solution, you can implement emergency access for relevant parties. For example, you could set up certain accounts that have broad access but, when used, trigger alerts so you can follow up. PAM tools also bring the benefit of an audit trail.
Audit and Compliance
There are many regulations, standards and best practices out there. In general, they have one thing in common: They require you to implement procedures for changes, document those changes and prove that the procedures are followed. No one forces you to implement tools or software to do this — though impractical, error-prone and incomplete, you could keep track of changes on paper if you wanted to. A PAM solution, on the other hand, will implement procedures, track changes and document relevant data for reports.
More Ways to Cut Costs With PAM Solutions
While the benefits described above can help you produce and prove a positive ROI, the following intangible PAM capabilities can lead more indirectly to cost savings.
Automate Password Rotation
Though password rotation is always a good practice for security, it might also be required to meet certain regulations, standards and best practices. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires users to rotate passwords every 90 days, while the National Institute of Standards and Technology (NIST) stipulates that passwords should only expire when a breach is suspected. Both have their own specifics on length, complexity, etc. ISO 27001 requires a password renewal frequency, length and complexity. Though the U.K.’s Communications-Electronics Security Group (CESG) advises organizations to change administrator passwords regularly, it doesn’t currently enforce this. Whatever set of standards you follow, the point is that requirements will change over time, and your organization will need to adapt to comply.
Even if you don’t need to comply from a regulatory or certification perspective, you should still change passwords after use or at regular intervals for high-privilege accounts. This can be accomplished manually, ideally by two parties, by setting a split password. But even if you have faith in your administrators, and even if they can pull it off with only one person, it would require a considerable investment of time and money. This is an expensive and error-prone process, and you’d need to do it every time a regulation changes.
Impact on productivity can be twofold. Automated session management and login tools can help your staff access systems and applications faster and more easily, saving them time and effort and boosting productivity. This is especially true when working across hybrid environments.
When using sessions for external parties, they will know they can be monitored. While this monitoring is meant to increase security, you can also see how productive they are, which should prompt them to stay on task.
Reduce Administrator Mistakes
You probably know what the average cost of a mistake represents in your company when a service is interrupted for an hour. You probably know how many mistakes on average happen over a year. When people know they can be monitored via a PAM solution, they are likely to be more conscious of what they are doing. What if you could reduce human error by 10 percent?
Imagine there is a breach and a system has to be restored to an earlier date. You’ll need to know what the password was at that point in time for that system. A privileged access management solution keeps a history of each account’s passwords, which can aid your recovery process.
In the event of a breach or suspicious activity, you might want to reset the passwords of multiple accounts immediately. If you’ve implemented a PAM solution and password rotation, you can simply start a task to accomplish this. Rotating passwords can help stop or contain a breach in progress.
Reduce Audit Costs
A PAM solution keeps track of who used which accounts, which is important to guarantee accountability, especially with shared accounts. You can make an account exclusive, for example, so that only one person at a time can access a system. Your security information and event management (SIEM) process will gain more visibility and become more valuable with the ability to correlate system events to the person who was active on that system at that time.
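The correlation described above, and the alerting on emergency-account use from the Emergency Access Provision section, as an added example that is not part of the original article or of any particular PAM product: it joins constructed PAM session records with constructed logon events, attributes each logon to the person holding the session at that time, and flags break-glass use and privileged logons that no session explains. Log formats, host names and account names are assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the article): PAM session records as a
# vault or session broker might export them, and logon events as a SIEM holds them.
PAM_SESSIONS = [
    # person, privileged account, target host, session start, session end
    ("alice", "db-admin", "db01", "2024-05-01T09:00:00", "2024-05-01T09:45:00"),
    ("bob", "root", "web02", "2024-05-01T10:00:00", "2024-05-01T10:20:00"),
    ("carol", "breakglass-01", "db01", "2024-05-01T23:10:00", "2024-05-01T23:40:00"),
]
AUTH_EVENTS = [
    ("2024-05-01T09:05:12", "db01", "db-admin"),       # inside alice's session
    ("2024-05-01T10:30:00", "web02", "root"),          # after bob's session ended
    ("2024-05-01T23:15:00", "db01", "breakglass-01"),  # emergency account used
    ("2024-05-01T11:00:00", "app03", "svc-backup"),    # account not yet under PAM
]
PRIVILEGED = {"db-admin", "root", "breakglass-01"}   # assumed privileged accounts
BREAK_GLASS = {"breakglass-01"}                      # assumed emergency account


def _ts(value):
    return datetime.fromisoformat(value)


def attribute(event, sessions):
    """Return the person whose PAM session covers this logon, or None."""
    when, host, account = event
    for person, acct, sess_host, start, end in sessions:
        if acct == account and sess_host == host and _ts(start) <= _ts(when) <= _ts(end):
            return person
    return None


def review_events(events=AUTH_EVENTS, sessions=PAM_SESSIONS):
    """Label each logon: attributed, break-glass use, unattributed privileged, or unmanaged."""
    findings = []
    for event in events:
        when, host, account = event
        person = attribute(event, sessions)
        if account in BREAK_GLASS:            # emergency access always gets followed up
            status = "ALERT break-glass use"
        elif person is not None:              # SIEM event now carries a human identity
            status = "attributed"
        elif account in PRIVILEGED:           # privileged logon outside any checkout
            status = "ALERT unattributed privileged logon"
        else:
            status = "unmanaged account"      # candidate to bring under PAM control
        findings.append({"ts": when, "host": host, "account": account,
                         "status": status, "person": person})
    return findings


if __name__ == "__main__":
    for finding in review_events():
        print(finding)
```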
When using sessions and recordings, you can get even more details. You can see not only what a person did, but also what they saw. For example, if someone connected to a database and then ran a query, you can see the query results they viewed.
Make PAM a Central Part of Your Security Strategy
Next time you need to provide audit information, don’t task someone to spend hours or days collecting all the information from various systems, formatting them and writing reports. A PAM solution can do all this and more, going beyond just security and compliance to provide the capabilities you need to manage your high-value accounts, empower your workforce and assure business leaders that their investment in security is delivering the returns they expect.