The other day, I was browsing for a movie when an inexplicable wave of nostalgia hit me. The result: two hours and 30 minutes spent rewatching “The Matrix.” It can happen to the best of us.

I was transported into Neo, Morpheus and Trinity’s strange and now comically dated world. While I watched them teleport through phone booths, learn new skills in the time it takes to load a minidisc, and effortlessly manipulate the fabric of space and time, I realized something troubling: Neo, Trinity and their team of rebels were actually privileged users of the Matrix. So were the agents trying to stop them. Even worse, Neo and company were outsiders abusing privileged accounts to destroy the system, and the agents were the legitimate security forces trying to stop them.

What Can ‘The Matrix’ Teach Us About Privileged Access Management?

Now, the Matrix in this analogy has it backward: In my world, the good guys are the guardians of the environment, and those trying to wreak havoc are the criminals I’ve spent most of my career working to stop. But despite that little detail, the movie does a great job of illustrating the power of a privileged account, as well as the advantages an attacker can gain by taking control of one. Neo’s role as “the one” also makes it very clear that an attacker capturing highly privileged credentials can be the difference between cybersecurity success and failure.

Outside of the Matrix and back in our world (or so we think), escalating privileges is a well-documented step in the typical attack chain. According to Forrester, 80 percent of breaches involve privileged credentials.

It’s no surprise, then, that many organizations are evaluating how they protect their privileged users, and that compliance regulations have strict requirements for privileged access management (PAM). Still, many organizations today face challenges that leave their privileged accounts exposed to compromise and their processes open to audit findings. How can they close these gaps effectively?

‘Take the Red Pill’ and Learn the Truth About Your PAM Program

Like Neo choosing to learn the truth about the Matrix by taking the red pill, it’s critical to understand your current privileged access landscape. Identifying your PAM processes and how privileged accounts are managed and protected today will help you recognize gaps in your security posture with respect to industry best practices and compliance requirements. You can then design a target future state and plan a road map by prioritizing the actions that will narrow your privileged access attack vector the fastest.

In most modern IT environments, this analysis forces you to look at maturity along two axes. The first is the capability of your PAM program: how much you are able to automate using a PAM tool, how much analytics you are leveraging and what other security tools you have integrated with, such as identity governance tools, security information and event management (SIEM), and user behavior analytics (UBA).

The second axis is how deeply integrated this PAM program is within your environment. Privileged accounts exist on all platforms, applications, endpoints and cloud workloads. What percentage of those targets have you onboarded into your PAM solution? The final goal in terms of PAM functionality maturity and adoption will differ from organization to organization, and the road map to get there needs to be aligned with your particular circumstances.

‘Walk the Path’ Toward Your Target PAM State

In the film, Morpheus tells Neo, “Sooner or later you’re going to realize, just as I did, that there’s a difference between knowing the path and walking the path.” Just like learning to bend backward to dodge bullets, the implementation of the necessary PAM functionality can be a long and arduous journey.

Taking the time to plan a road map can improve your return on investment (ROI) by helping you prioritize and upgrade your PAM capabilities where doing so will have the highest impact. Another way to ensure success is to approach PAM deployments in phases. Deploy foundational functionality first, such as password vaulting, account onboarding, and audit and logging. Then, align the business processes and roll out the solutions to your users. This will give you a solid foundation to build upon and allow you to show results in a short time — likely 12–16 weeks for on-premises deployments.

When deploying new functionality, you can speed up the implementation by leveraging accelerators in the traditional waterfall model:

  • Adopt an agile approach so you stay in lockstep with key stakeholders as their requirements evolve.
  • Leverage preconfigured integration patterns for platforms and applications based on industry best practices to design a secure solution.
  • Use DevOps tools and techniques to automate build, test and deployment activities so you get results faster.

Realize ‘There Is No Spoon’ and Grow the Scope of Your PAM Program

After Neo learns to open his mind to his new abilities in training, he is ready to take on the Matrix. Though the trenchcoat is definitely optional, you have followed a similar journey up to this point. Once you have developed a target state, created a road map and automated some PAM functionality to secure your privileged accounts, the hard work of operating and handling the day-to-day management of your PAM program begins.

It’s not enough to simply ensure that the program is running and supporting help requests. Most organizations are dynamic in nature; accounts are created and deleted every day, especially if you have espoused a software-defined workplace and a SecDevOps culture. It’s critical to keep your PAM program aligned to your organization’s needs to ensure that the privileged access attack vector continues to decrease. Reassess your road map quarterly and onboard a set number of new platforms and applications each month so you are steadily protecting more and more privileged accounts.

Introducing Privileged Access Management-as-a-Service

Even if you follow the above advice to the letter, keeping up with PAM can still be a challenge. IT managers often need more than specialized tools to aid them, especially in large, dynamic environments.

Today, IBM is introducing a new privileged access management-as-a-service (PAMaaS) offering to help our customers plan for, deploy, and manage a PAM solution to help protect against privileged credential abuse. PAM-as-a-service can support any deployment model, including in the cloud, on-premises and in private data centers. PAMaaS can enable you to:

  • Set the strategy for your PAM program by aligning its scope to your security, compliance and operational goals;
  • Deploy foundational PAM capabilities faster to help you demonstrate success and gain better time to value with your chosen PAM technology;
  • Enhance your operational efficiency with improved business processes and continuous optimization of your solution; and
  • Expand the reach of your PAM program with the monthly onboarding of new platforms, targets and applications.

To learn more, sign up for our upcoming webinar, “Privileged Account Attacks – Are You Ready?”
