03 Jun Navigating the Cultural Shift in Privileged Access Management (PAM)

Why is a revolution in identity security strategy imperative?

– Crystal Trawny, Practice Director, Optiv

Denver, Colo. – Jun. 3, 2024

Navigating the Cultural Shift in Privileged Access Management (PAM)

Identity security has become a significant focal point of cybersecurity in recent years. As the global workforce has pivoted toward hybrid and remote work capabilities, employees are now less likely to solely interact with on-premises systems and networks. High employee turnover in the tech industry has also led to uncertainties and delays in deprovisioning processes. Adding fuel to the fire, cyber threat actors capitalize on this expanding attack surface to gain initial access to victim systems, escalate privileges and compromise data. A revolution in identity security strategy is becoming more than just a cybersecurity imperative; it’s a business imperative.

The Culture of PAM in 2024

These global workforce shifts and threat landscape evolutions have precipitated the need for a cultural shift in the way businesses approach identity security. It is evident that with greater cloud adoption comes the proliferation of machine identities and the need to manage them through identity and access management (IAM). But it is also important to not overlook the constant changing roles of people within an organization. This is where Privileged Access Management (PAM) becomes crucial, as it is essential to continually review users’ access to systems, directories and files.

Industry leaders are currently reevaluating PAM as we know it. This is no longer just an IT problem to solve, as every member of an organization must work together to ensure that users can access the right information at the right time and place — and nothing beyond that. As compliance requirements from federal regulations and cyber insurance providers continue to evolve, businesses can no longer afford to have laissez-faire attitudes to privileged access. Whereas many organizations have traditionally treated PAM and much of identity security as checkbox compliance measures, now is the time to develop a more strategic approach. By centralizing PAM within a cybersecurity strategy, companies can demonstrably enhance their risk posture.

Reevaluating Privilege in the Evolving Threat Landscape

It is no secret that privilege escalation is a popular, tried-and-true tactic leveraged by threat actors. With the popularization of remote access has come the rise of cyberattacks resulting from privilege escalation vulnerabilities. These critical flaws, such as the infamous “Dirty Pipe” vulnerability (CVE-2022-0847), inadvertently allow malicious actors to escalate privileges all the way to the root level and modify or rewrite files — even if the files do not contain write permissions. Because cyber adversaries can escalate privileges so quickly and easily, as well as cause such widespread damage, privilege escalation vulnerabilities often earn high CVSS scores of 7.0 and above. By exploiting such vulnerabilities, malicious actors can perform arbitrary code executions with root privileges — opening the door to undesired process changes, data theft, ransomware attacks and more.

Threats resulting from privilege escalation vulnerabilities are only going to become worse. Ransomware-as-a-Service (RaaS) networks capitalize on unpatched system and software vulnerabilities to transform cyberattacks into larger organized crime efforts. PAM is therefore a crucial business imperative.

Drivers for PAM

There is a strong interest in PAM products — and for a good reason. Compliance is often seen as the first step and motivator for purchasing PAM solutions. Annual audits require investments in PAM. Cyber insurance is a key factor, too. Organizations may not be able to use or even acquire cyber insurance without having an active PAM process in place. Although compliance is not and should not be the only driver for PAM investments, it certainly motivates organizations to regard PAM as a vital component of a cybersecurity program.

PAM is also a viable solution for reducing an organization’s attack surface and risk exposure. As noted earlier, a remote and hybrid workforce can contribute to an increase in potential threats such as ransomware attacks. According to the OpenText Cybersecurity 2023 Global Ransomware Survey, 46 percent of surveyed small and medium businesses (SMBs) experienced a ransomware attack in 2023. Such attacks are especially concerning for SMBs, as a ransomware or extortion threat could result in severe reputational damage and/or an inability to conduct normal business operations without paying a ransom. SMBs often have the most to lose from a cyberattack, and therefore investment in PAM solutions is particularly valuable for them.

Today’s Real-World PAM Challenges

Businesses may have complexities within their environment that prove difficult to navigate when seeking to manage and track privileged accounts. There is a common perception that traditional PAM models impede the user experience or workflows. These issues can lead to slower PAM solution adoption or rollout. Frustrations continue to grow when widening IT security skill gaps make it more time-consuming and costly for employees to master the ability to rotate, manage and secure privileged accounts. Plus, it can be difficult for organizations to keep up with regulatory requirements and patch updates as they struggle to maintain compliance. Such challenges indicate why it is important to have the right technology, expertise and strategy to integrate said technology into your environment the correct way — not just setting and forgetting it.

The Future of PAM

The PAM cultural shift is all about recognizing that organizations must replace their traditional compliance checkbox methodology with a more strategic, forward-thinking view that sees PAM as a central component of a cyber risk program. There are expanding use cases for PAM adoption, including the popularity of cloud migrations and digital transformations, as well as third-party and application integrations. Plus, as businesses continue to explore secrets management and streamline CI/CD pipelines, PAM will only become more essential for managing complex permissions and reducing the risks caused by shadow IT. Emerging attack vectors may strengthen the value proposition of PAM solutions to remove vendor access, enhance visibility and analytics, facilitate identity lifecycle management and update workforce password management controls.

While many organizations are on board with PAM, we are now at the point where PAM should be more cohesively woven into every aspect of an organization. Businesses should view PAM as a continuous, expert-driven journey that requires the support and collaboration of every department. Contact Optiv to find the best PAM solution that helps your team save time, ensure compliance and improve ROI.

Crystal Trawny is a Practice Director at Optiv supporting Privileged Account and Endpoint Privilege Management teams (PAM/EPM). With over 17 years of experience in Identity and Data Management, she is knowledgeable in Identity and Access Management policies, operational support and delivers projects across various industry verticals. Her portfolio includes several companies in the Fortune 500 as well as covering areas of financial services, energy, healthcare, technology, and manufacturing. She leads a team of IAM delivery professionals and is passionate about client success.