The other day, I was browsing for a movie when an inexplicable wave of nostalgia hit me. The result: two hours and 30 minutes spent rewatching “The Matrix.” It can happen to the best of us.

I was transported into Neo, Morpheus and Trinity’s strange and now comically dated world. While I watched them teleport through phone booths, learn new skills in the time it takes to load a minidisc, and effortlessly manipulate the fabric of space and time, I realized something troubling: Neo, Trinity and their team of rebels were actually privileged users of the Matrix. So were the agents trying to stop them. Even worse, Neo and company were outsiders abusing privileged accounts to destroy the system, and the agents were the legitimate security forces trying to stop them.

What Can ‘The Matrix’ Teach Us About Privileged Access Management?

Now, the Matrix in this analogy has it backward: In my world, the good guys are the guardians of the environment, and those trying to wreak havoc are the criminals I’ve spent most of my career working to stop. But despite that little detail, the movie does a great job of illustrating the power of a privileged account, as well as the advantages an attacker can gain by taking control of one. Neo’s role as “the one” also makes it very clear that an attacker capturing highly privileged credentials can be the difference between cybersecurity success and failure.

Outside of the Matrix and back in our world (or so we think), escalating privileges is a well-documented step in the typical attack chain. According to Forrester, 80 percent of breaches involve privileged credentials.

It’s no surprise, then, that many organizations are evaluating how they protect their privileged users, and that compliance regulations have strict requirements for privileged access management (PAM). Still, many organizations today face challenges that leave their privileged accounts exposed to compromise and their processes open to audit findings. How can they close these gaps effectively?

‘Take the Red Pill’ and Learn the Truth About Your PAM Program

Like Neo choosing to learn the truth about the Matrix by taking the red pill, it’s critical to understand your current privileged access landscape. Identifying your PAM processes and how privileged accounts are managed and protected today will help you recognize gaps in your security posture with respect to industry best practices and compliance requirements. You can then design a target future state and plan a road map by prioritizing the actions that will narrow your privileged access attack vector the fastest.

In most modern IT environments, this analysis forces you to look at maturity along two axes. The first is the capability of your PAM program: how much you are able to automate using a PAM tool, how much analytics you are leveraging and what other security tools you have integrated with, such as identity governance tools, security information and event management (SIEM), and user behavior analytics (UBA).

The second axis is how deeply integrated this PAM program is within your environment. Privileged accounts exist on all platforms, applications, endpoints and cloud workloads. What percentage of those targets have you onboarded into your PAM solution? The final goal in terms of PAM functionality maturity and adoption will differ from organization to organization, and the road map to get there needs to be aligned with your particular circumstances.
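One way to put a number on the second axis (coverage) is to reconcile a privileged-account inventory against what the vault actually manages and rank platforms by their unmanaged accounts, so the road map attacks the largest gap first. This is an added example, not code from the article or from any PAM product; the inventory and vault export below are constructed sample data.

```python
"""Added example: measure PAM onboarding coverage per platform and overall,
and derive an onboarding order from the unmanaged-account counts.
All data here is constructed for illustration."""
from collections import defaultdict

# Constructed inventory of discovered privileged accounts: (platform, account).
# In practice this comes from discovery scans of servers, directories,
# cloud IAM, databases and so on.
INVENTORY = [
    ("windows", "Administrator@host01"), ("windows", "Administrator@host02"),
    ("windows", "svc_backup"), ("linux", "root@db01"), ("linux", "root@db02"),
    ("linux", "root@web01"), ("aws", "iam:admin-role"), ("aws", "root"),
    ("oracle", "SYS"), ("oracle", "SYSTEM"),
]

# Constructed export of the accounts the PAM vault currently manages,
# keyed on (platform, account) so same-named accounts on different platforms
# are never confused.
VAULTED = {
    ("windows", "Administrator@host01"), ("windows", "Administrator@host02"),
    ("linux", "root@db01"), ("oracle", "SYS"), ("oracle", "SYSTEM"),
}

def coverage_by_platform(inventory, vaulted):
    """Return {platform: (managed, total, sorted unmanaged accounts)}."""
    totals = defaultdict(lambda: [0, 0, []])
    for platform, account in inventory:
        entry = totals[platform]
        entry[1] += 1
        if (platform, account) in vaulted:
            entry[0] += 1
        else:
            entry[2].append(account)
    return {p: (m, t, sorted(u)) for p, (m, t, u) in totals.items()}

def overall_coverage(inventory, vaulted):
    """Percentage of inventoried privileged accounts under vault control."""
    managed = sum(1 for item in inventory if item in vaulted)
    return round(100.0 * managed / len(inventory), 1) if inventory else 0.0

def onboarding_roadmap(inventory, vaulted):
    """Platforms ordered by unmanaged-account count, largest gap first."""
    stats = coverage_by_platform(inventory, vaulted)
    return [p for p, _ in sorted(stats.items(),
                                 key=lambda kv: (-len(kv[1][2]), kv[0]))]

if __name__ == "__main__":
    for platform, (m, t, gap) in sorted(coverage_by_platform(INVENTORY, VAULTED).items()):
        print(f"{platform:8s} {m}/{t} managed; unmanaged: {gap}")
    print("overall coverage:", overall_coverage(INVENTORY, VAULTED), "%")
    print("onboard next:", onboarding_roadmap(INVENTORY, VAULTED))
```

Re-running this against fresh discovery output each month gives a trend for the coverage axis, which is the figure to track when you set a monthly onboarding target.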

‘Walk the Path’ Toward Your Target PAM State

In the film, Morpheus tells Neo, “Sooner or later you’re going to realize, just as I did, that there’s a difference between knowing the path and walking the path.” Just like learning to bend backward to dodge bullets, the implementation of the necessary PAM functionality can be a long and arduous journey.

Taking the time to plan a road map can improve your return on investment (ROI) by helping you prioritize and upgrade your PAM capabilities where doing so will have the highest impact. Another way to ensure success is to approach PAM deployments in phases. Deploy foundational functionality first, such as password vaulting, account onboarding, and audit and logging. Then, align the business processes and roll out the solutions to your users. This will give you a solid foundation to build upon and allow you to show results in a short time — likely 12–16 weeks for on-premises deployments.

When deploying new functionality, you can speed up the implementation by leveraging accelerators beyond the traditional waterfall model:

  • Adopt an agile approach so you stay in lockstep with key stakeholders as their requirements evolve.
  • Leverage preconfigured integration patterns for platforms and applications based on industry best practices to design a secure solution.
  • Use DevOps tools and techniques to automate build, test and deployment activities so you get results faster.

Realize ‘There Is No Spoon’ and Grow the Scope of Your PAM Program

After Neo learns to open his mind to his new abilities in training, he is ready to take on the Matrix. Though the trenchcoat is definitely optional, you have followed a similar journey up to this point. Once you have developed a target state, created a road map and automated some PAM functionality to secure your privileged accounts, the hard work of operating and handling the day-to-day management of your PAM program begins.

It’s not enough to simply ensure that the program is running and supporting help requests. Most organizations are dynamic in nature; accounts are created and deleted every day, especially if you have espoused a software-defined workplace and a SecDevOps culture. It’s critical to keep your PAM program aligned to your organization’s needs to ensure that the privileged access attack vector continues to decrease. Reassess your road map quarterly and onboard a set number of new platforms and applications each month so you are steadily protecting more and more privileged accounts.

Introducing Privileged Access Management-as-a-Service

Even if you follow the above advice to the letter, keeping up with PAM can still be a challenge. IT managers often need more than specialized tools to aid them, especially in large, dynamic environments.

Today, IBM is introducing a new privileged access management-as-a-service (PAMaaS) offering to help our customers plan for, deploy and manage a PAM solution that helps protect against privileged credential abuse. PAMaaS can support any deployment model, including in the cloud, on-premises and in private data centers. PAMaaS can enable you to:

  • Set the strategy for your PAM program by aligning its scope to your security, compliance and operational goals;
  • Deploy foundational PAM capabilities faster to help you demonstrate success and gain better time to value with your chosen PAM technology;
  • Enhance your operational efficiency with improved business processes and continuous optimization of your solution; and
  • Expand the reach of your PAM program with the monthly onboarding of new platforms, targets and applications.

To learn more, sign up for our upcoming webinar, “Privileged Account Attacks – Are You Ready?”
