The other day, I was browsing for a movie when an inexplicable wave of nostalgia hit me. The result: two hours and 30 minutes spent rewatching “The Matrix.” It can happen to the best of us.

I was transported into Neo, Morpheus and Trinity’s strange and now comically dated world. While I watched them teleport through phone booths, learn new skills in the time it takes to load a minidisc, and effortlessly manipulate the fabric of space and time, I realized something troubling: Neo, Trinity and their team of rebels were actually privileged users of the Matrix. So were the agents trying to stop them. Even worse, Neo and company were outsiders abusing privileged accounts to destroy the system, and the agents were the legitimate security forces trying to stop them.

What Can ‘The Matrix’ Teach Us About Privileged Access Management?

Now, the Matrix in this analogy has it backward: In my world, the good guys are the guardians of the environment, and those trying to wreak havoc are the criminals I’ve spent most of my career working to stop. But despite that little detail, the movie does a great job of illustrating the power of a privileged account, as well as the advantages an attacker can gain by taking control of one. Neo’s role as “the one” also makes it very clear that an attacker capturing highly privileged credentials can be the difference between cybersecurity success and failure.

Outside of the Matrix and back in our world (or so we think), escalating privileges is a well-documented step in the typical attack chain. According to Forrester, 80 percent of breaches involve privileged credentials.

It’s no surprise, then, that many organizations are evaluating how they protect their privileged users, and that compliance regulations have strict requirements for privileged access management (PAM). Still, many organizations today face challenges that leave their privileged accounts exposed to compromise and their processes open to audit findings. How can they close these gaps effectively?

‘Take the Red Pill’ and Learn the Truth About Your PAM Program

Like Neo choosing to learn the truth about the Matrix by taking the red pill, it’s critical to understand your current privileged access landscape. Identifying your PAM processes and how privileged accounts are managed and protected today will help you recognize gaps in your security posture with respect to industry best practices and compliance requirements. You can then design a target future state and plan a road map by prioritizing the actions that will narrow your privileged access attack vector the fastest.

In most modern IT environments, this analysis forces you to look at maturity along two axes. The first is the capability of your PAM program: how much you are able to automate using a PAM tool, how much analytics you are leveraging and what other security tools you have integrated with, such as identity governance tools, security information and event management (SIEM), and user behavior analytics (UBA).

The second axis is how deeply integrated this PAM program is within your environment. Privileged accounts exist on all platforms, applications, endpoints and cloud workloads. What percentage of those targets have you onboarded into your PAM solution? The final goal in terms of PAM functionality maturity and adoption will differ from organization to organization, and the road map to get there needs to be aligned with your particular circumstances.

‘Walk the Path’ Toward Your Target PAM State

In the film, Morpheus tells Neo, “Sooner or later you’re going to realize, just as I did, that there’s a difference between knowing the path and walking the path.” Just like learning to bend backward to dodge bullets, the implementation of the necessary PAM functionality can be a long and arduous journey.

Taking the time to plan a road map can improve your return on investment (ROI) by helping you prioritize and upgrade your PAM capabilities where doing so will have the highest impact. Another way to ensure success is to approach PAM deployments in phases. Deploy foundational functionality first, such as password vaulting, account onboarding, and audit and logging. Then, align the business processes and roll out the solutions to your users. This will give you a solid foundation to build upon and allow you to show results in a short time — likely 12–16 weeks for on-premises deployments.

When deploying new functionality, you can speed up the implementation by leveraging accelerators in the traditional waterfall model:

  • Adopt an agile approach so you stay in lockstep with key stakeholders as their requirements evolve.
  • Leverage preconfigured integration patterns for platforms and applications based on industry best practices to design a secure solution.
  • Use DevOps tools and techniques to automate build, test and deployment activities so you get results faster.

Realize ‘There Is No Spoon’ and Grow the Scope of Your PAM Program

After Neo learns to open his mind to his new abilities in training, he is ready to take on the Matrix. Though the trenchcoat is definitely optional, you have followed a similar journey up to this point. Once you have developed a target state, created a road map and automated some PAM functionality to secure your privileged accounts, the hard work of operating and handling the day-to-day management of your PAM program begins.

It’s not enough to simply ensure that the program is running and supporting help requests. Most organizations are dynamic in nature; accounts are created and deleted every day, especially if you have espoused a software-defined workplace and a SecDevOps culture. It’s critical to keep your PAM program aligned to your organization’s needs to ensure that the privileged access attack vector continues to decrease. Reassess your road map quarterly and onboard a set number of new platforms and applications each month so you are steadily protecting more and more privileged accounts.

Introducing Privileged Access Management-as-a-Service

Even if you follow the above advice to the letter, keeping up with PAM can still be a challenge. IT managers often need more than specialized tools to aid them, especially in large, dynamic environments.

Today, IBM is introducing a new privileged access management-as-a-service (PAMaaS) offering to help our customers plan for, deploy, and manage a PAM solution to help protect against privileged credential abuse. PAM-as-a-service can support any deployment model, including in the cloud, on-premises and in private data centers. PAMaaS can enable you to:

  • Set the strategy for your PAM program by aligning its scope to your security, compliance and operational goals;
  • Deploy foundational PAM capabilities faster to help you demonstrate success and gain better time to value with your chosen PAM technology;
  • Enhance your operational efficiency with improved business processes and continuous optimization of your solution; and
  • Expand the reach of your PAM program with the monthly onboarding of new platforms, targets and applications.

To learn more, sign up for our upcoming webinar, “Privileged Account Attacks – Are You Ready?”
