By Nate Yocom, Chief Technology Officer, Centrify
For the past few years, Centrify has been using a statistic from Forrester to demonstrate the importance of protecting privileged accounts: an estimate that 80 percent of data breaches involve privileged credentials. This first showed up in The Forrester Wave: Privileged Identity Management report in Q3 2016, and was used again in the same report in Q4 2018.
Recently I was thrilled to see the results of a survey we conducted with FINN Partners, polling 1,000 IT decision makers (500 U.S./500 U.K.) about their awareness of the privileged credential threats they’re facing, their understanding of the Privileged Access Management (PAM) market, and how Zero Trust can help reduce their risk of becoming the next data breach headline.
The headline stat from the survey:
This fact now confirms what we already know: The majority of cyber-attacks abuse privileged credentials, making privileged credential abuse the leading attack vector.
Furthermore, it’s pretty close to the Forrester estimate, and lends credibility to why Gartner named PAM a Top 10 Security Project in 2018, and again in 2019.
Still not prioritizing PAM
What’s concerning about the survey, however, is that despite knowing privileged credential abuse is involved in the majority of breaches, most organizations and IT leaders are not prioritizing PAM or implementing it effectively. What’s worse, they continue to grant too much trust and too much privilege.
We’ve said or written it a thousand times: attackers no longer “hack” in, they log in using weak credentials and then fan out, seeking privileged access to critical infrastructure and sensitive data.
There are some very basic PAM capabilities and best practices that are still not being implemented, namely:
- 52 percent of respondents do not have a password vault! This is PAM 101, and one of the very first steps of the PAM maturity model. Over half aren’t even vaulting privileged passwords, which means they’re probably written down on shared spreadsheets.
- 63 percent indicate their companies usually take more than one day to shut off privileged access for employees who leave the company.
- 65 percent are still sharing root or privileged access to systems and data at least somewhat often, including to cloud infrastructure and workloads.
The modern threatscape – including cloud workloads – is not secure
If organizations are still struggling to implement some of the most basic or required PAM strategies, then it’s not surprising that the survey revealed most are also not securing modern attack surfaces, most notably cloud workloads.
While it’s encouraging to see that 63 percent of US respondents are controlling privileged access to cloud workloads, there’s a pretty big gap between them and the 47 percent of UK counterparts who are doing the same. Furthermore, that averages out to 55 percent of all respondents … which means that almost half are NOT leveraging PAM solutions to manage privileged access to cloud workloads.
This is a big focus area for Centrify right now. One area we know is a major pain point is directory services. Cloud services like AWS and Azure require the creation of a unique user directory, making it a huge mess to create, manage, update, and revoke privilege when needed.
One solution is to provide multi-directory brokering, enabling an organization to leverage whatever user directory it’s already using to broker access to cloud infrastructure, services, and workloads. So, for example, if an organization is using Active Directory (AD) to control authentication, it would be able to leverage the existing directory to manage and broker privileged access to AWS or Azure.
That’s a perfect example of a modern attack surface that needs privilege management, but doesn’t have the native capabilities to provide it simply and effectively. Legacy PAM solutions simply cannot secure modern attack surfaces.
Organizations need to quickly move to Zero Trust Privilege backed by cloud-ready services that minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity and costs for the modern, hybrid enterprise.
Nate Yocom is Chief Technology Officer at Centrify and a member of CSA’s Hybrid Cloud Security Services Working Group.