Colorado Embraces Privileged Access Management
Cybercriminals typically have specific targets when they breach an organization, with the end goal of obtaining high-level credentials to infiltrate databases, applications or system-critical information.
PAM is a cybersecurity tool that protects those credentials by making them temporary. So, even if a hacker is able to obtain login and password information, those credentials may already be useless.
“It’s going really well,” says Blyth of the implementation. “For the first time ever, we have full visibility into privileged accounts. System administrators, domain administrators, everyone who has the ability to make configuration changes — those credentials are the most important to protect.”
Blyth draws an analogy in describing the PAM setup: “It’s almost like checking out a library book,” she says. “Account credentials are checked out when needed, and there’s a time limit. When the time expires, or when the user checks them back in, the credentials are changed for the next user or session.”
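The check-out model described above (a credential is lent out for a limited time, then rotated when it is returned or the time expires) can be shown as a small in-memory vault. This is an added illustration, not code from the article or from Colorado's deployment; the class and function names, the account name "domain-admin" and the user names are assumptions, and real PAM products also push the new secret to the target system, which this toy model does not do.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ALPHABET = string.ascii_letters + string.digits


def new_secret(length: int = 24) -> str:
    """Generate a fresh random password for a privileged account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    name: str
    secret: str
    checked_out_by: Optional[str] = None
    expires_at: Optional[float] = None  # absolute time; None when not checked out


@dataclass
class Checkout:
    """What the requesting user receives: the secret and its deadline."""
    account: str
    user: str
    secret: str
    expires_at: float


class FakeClock:
    """Controllable clock so the time limit can be exercised deterministically."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class PrivilegedCredentialVault:
    """Library-style checkout: one borrower at a time, time-limited, rotate on return."""

    def __init__(self, account_names: List[str], clock: Callable[[], float]) -> None:
        self._clock = clock
        self._accounts: Dict[str, PrivilegedAccount] = {
            n: PrivilegedAccount(n, new_secret()) for n in account_names
        }
        self.audit_log: List[str] = []  # every checkout/checkin/rotation is recorded

    def _log(self, event: str) -> None:
        self.audit_log.append(f"t={self._clock():.0f} {event}")

    def _rotate(self, acct: PrivilegedAccount, reason: str) -> None:
        acct.secret = new_secret()      # the old secret is now useless to anyone who captured it
        acct.checked_out_by = None
        acct.expires_at = None
        self._log(f"ROTATE account={acct.name} reason={reason}")

    def checkout(self, account: str, user: str, ttl_seconds: float) -> Checkout:
        self.sweep_expired()            # expired loans are rotated before handing anything out
        acct = self._accounts[account]
        if acct.checked_out_by is not None:
            self._log(f"DENY account={account} user={user} held_by={acct.checked_out_by}")
            raise PermissionError(f"{account} is already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        acct.expires_at = self._clock() + ttl_seconds
        self._log(f"CHECKOUT account={account} user={user} expires={acct.expires_at:.0f}")
        return Checkout(account, user, acct.secret, acct.expires_at)

    def checkin(self, account: str, user: str) -> None:
        acct = self._accounts[account]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {account}")
        self._rotate(acct, reason=f"checkin by {user}")

    def sweep_expired(self) -> List[str]:
        """Rotate every loan whose time limit has passed; return the affected accounts."""
        now = self._clock()
        rotated = []
        for acct in self._accounts.values():
            if acct.expires_at is not None and now >= acct.expires_at:
                self._rotate(acct, reason="ttl expired")
                rotated.append(acct.name)
        return rotated

    def is_valid(self, account: str, secret: str) -> bool:
        """Would this secret still authenticate? Used here to show stolen copies go stale."""
        return secrets.compare_digest(self._accounts[account].secret, secret)
```

Two properties of the model carry the security point: a secret captured during a session stops working as soon as the session ends or times out, and the audit log gives the visibility into who held which privileged account and when.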
Doug Cahill, vice president and group director of cybersecurity at Enterprise Strategy Group, says that PAM is a critical element of any organization’s cybersecurity approach.
“PAM is part and parcel of zero trust,” he says, “or another big buzzword in security, least privileged access, or LPA,” also referred to as the principle of least privilege, or PoLP. “LPA gives the fewest amount of people access to the least amount of assets.”
Blyth’s team is deploying PAM for all privileged accounts, both on-premises as well as in the cloud, which can be particularly vulnerable. A not-yet-published survey by ESG found that cybersecurity professionals named overly permissive accounts and roles to be the No. 1 issue in cloud-based applications. In addition, 52 percent of respondents shared that it was difficult to map user accounts to sensitive data residing in the cloud.
If a state or government agency is planning to implement a PAM program, Mike Wyatt, a principal at Deloitte, advises that agencies have a multifactor authentication program in place first.
“So many breaches start with compromised credentials,” says Wyatt. “MFA is a straightforward rollout for systems such as VPN. PAM is often a heavier lift. It takes more time to integrate, especially if there are legacy systems. It can be a long journey.”
Achieving CIS Benchmarking Goals Is a Key Priority
Colorado’s PAM strategy is one aspect of a cybersecurity program that follows “good hygiene,” according to Cahill. Tracking and evaluating an organization’s cybersecurity hygiene is where benchmarking comes in.
Blyth says that her security team in Colorado has been working closely with the infrastructure team to increase its compliance with CIS Benchmarks.