
Sep 16 2024
Security

Privileged Access Management Is Key to Establishing Zero Trust

State and local governments must validate their most-trusted users and track their access, experts say.

The average data breach cost organizations $4.88 million in 2024, up 10% from the previous year, according to IBM’s Cost of a Data Breach Report. Meanwhile, Verizon’s 2024 Data Breach Investigations Report found that about one-quarter of data breaches involved compromised credentials — down significantly from 2023, but still ahead of ransomware as a risk factor.

For state and local government, that’s especially concerning when it comes to those with most-privileged access, such as system administrators and officials with access to financial systems.

In support of zero-trust security, privileged access management offers a way to add extra security to those high-value credentials. Going beyond the rudiments of access management, PAM adds a vault through which those with privileged access must validate themselves, and it records the activities they undertake when using their elevated credentials.

PAM allows government “to be very intentional about minimizing potential damage from accidental or intentional access,” says Helen Patton, cybersecurity executive adviser at Cisco.

How Does Privileged Access Management Relate to Zero Trust?

PAM works hand in hand with state and local efforts to build a zero-trust environment around government technology resources.

“Zero trust starts with identity as the base,” says Christine Halvorsen, public sector CTO at Okta. “The first pillar in the zero-trust framework is identity, and that requires a new security approach, because if you can’t get that identity, you can’t do anything inside a network.”

PAM is key to supporting that shift.

Zero trust calls for least-privileged access control, “giving users no more than what they need to do their job,” and PAM delivers that in support of users with the highest credentials, says Michael Wyatt, principal at Deloitte & Touche and the global identity offering leader of the cyber and strategic risk practice of Deloitte Risk & Financial Advisory.

In addition to limiting access, PAM delivers continuous validation, a “session reporting and recording capability,” he says. That level of accountability is key to robust zero trust.

Overall, zero trust assumes no person or machine that seeks access to a system is inherently trustworthy.

“We use policies to decide whether something is trustworthy or not before access is granted,” Patton says. “That’s exactly where privileged access management comes into play.”

How Privileged Access Management Helps State and Local Agencies

An elevated risk environment makes it imperative for state and local governments to do more to secure the credentials of their most-privileged users.

“Since the pandemic, there’s been an acceleration of ransomware and other malware-type attacks. It’s happened across industries, but state governments have really been hit pretty hard over the past several years,” Wyatt says. “And those adversaries usually are getting access with credentials that have privilege. They’re compromising privileged credentials.”

At the same time, the rising use of cloud solutions has widened the attack surface, making PAM all the more important.

“Cloud environments have created a bigger landscape for them to protect,” Halvorsen says. “They have on-premises and cloud, and now they have multicloud environments. In all of those environments, they have to manage their privileged access, and they need PAM’s automated methods to do that.”

State and local governments also struggle with “account sprawl,” where accounts linger on systems when they’re no longer needed and may include high-level access privileges, she says. PAM helps address this, ensuring that bad actors can’t exploit those forgotten or overlooked credentials.

State and local governments may also interact with third-party vendors, subcontractors and other service providers, some of whom may have privileged access, “and there can be a turnover factor there,” Wyatt says. PAM delivers added safeguards to prevent the misuse of those credentials and can also help third parties meet compliance standards, such as the National Institute of Standards and Technology’s SP 800-53 security and privacy controls.

How Government Agencies Enforce Privileged Access Management

Agencies can take a number of steps to make effective use of PAM’s powerful defensive capabilities.

PAM will typically incorporate a number of identity controls, including network access control, identity management and multifactor authentication, or MFA. To use those tools effectively in support of most-privileged credentials, it makes sense first to take an organizational approach, Halvorsen says, because identity goes beyond the control of the IT team.

Human resources, for example, should play a role in defining who has what credentials.

“Maybe someone changes departments. Did they get put into the right user groups? Did their old user groups get taken away?” Halvorsen says. It’s important to have a process in place to account for that, so that the right people have the right privilege.

That raises the question, who actually needs high-level access? “That’s going to come from the application owners. It’s going to come from the managers. It’s going to come from HR systems at the end of the day,” she says.

To help make the correct determinations, IT leaders need to have a solid understanding of their systems overall. To implement PAM effectively, “you need to understand why the technology that you have exists, and for what business purpose,” Patton says.

That will help you to better understand what constitutes a privileged job, she says: “Finance is a privileged job. Yes! And technology management is a privileged job.”

Once you’ve defined your privileged users, PAM then can serve to reinforce those constraints. The right partner can help here.

“At Okta, we have something called identity security posture management. That gives you visibility into the identity posture,” whether on-premises or in multiple clouds, Patton says. “It will tell you who your high-risk users are. Those are the types of services you need right now because of the sprawl, because of the number of applications you’re deploying, because of people moving around.”

This kind of oversight should be an ongoing process. “You’re going to have people who have access to applications, and you have to monitor that. Should they have that access? For how long should they have that access? Who approved that access?” she says. For PAM to be fully effective, that kind of ongoing proactive identity management is crucial.
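As an added example that is not part of the article and not any vendor's product, the following Python sketch shows what the questions just raised ("Should they have that access? For how long should they have that access? Who approved that access?"), together with the account-sprawl and department-change concerns described earlier, look like as an automated privileged-access review. The account inventory, group names, group-to-department mapping and 90-day staleness threshold are all constructed for illustration; a real review would pull the same fields from the directory, the PAM vault's grant records and the HR system.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed for illustration: which groups count as privileged, and which
# department legitimately owns each one (in practice this comes from
# application owners and HR systems, as the article notes).
PRIVILEGED_GROUPS = {"domain-admins", "db-admins", "finance-approvers"}
GROUP_OWNER_DEPT = {
    "domain-admins": "IT",
    "db-admins": "IT",
    "finance-approvers": "Finance",
}
STALE_AFTER_DAYS = 90  # constructed threshold; tune to local policy


@dataclass
class Grant:
    group: str
    approved_by: Optional[str]   # None means no approval record exists
    expires: Optional[date]      # None means standing, never-expiring access


@dataclass
class Account:
    username: str
    department: str              # current department per HR
    last_login: Optional[date]   # None means the account has never signed in
    grants: List[Grant] = field(default_factory=list)


def review_accounts(accounts, today, stale_after_days=STALE_AFTER_DAYS):
    """Return (username, finding, detail) tuples for privileged accounts that
    need attention. Accounts with no privileged grant are skipped."""
    findings = []
    for acct in accounts:
        privileged = [g for g in acct.grants if g.group in PRIVILEGED_GROUPS]
        if not privileged:
            continue
        # Account sprawl: a privileged account that is never or no longer used.
        if acct.last_login is None:
            findings.append((acct.username, "STALE_PRIVILEGED_ACCOUNT", "never logged in"))
        elif (today - acct.last_login).days > stale_after_days:
            findings.append((acct.username, "STALE_PRIVILEGED_ACCOUNT",
                             f"last login {(today - acct.last_login).days} days ago"))
        for g in privileged:
            # People moving around: group no longer matches the user's department.
            if GROUP_OWNER_DEPT.get(g.group) != acct.department:
                findings.append((acct.username, "DEPT_MISMATCH", g.group))
            # Who approved that access?
            if g.approved_by is None:
                findings.append((acct.username, "NO_APPROVER", g.group))
            # For how long should they have that access?
            if g.expires is None:
                findings.append((acct.username, "NO_EXPIRY", g.group))
            elif g.expires < today:
                findings.append((acct.username, "EXPIRED_GRANT", g.group))
    return findings


# Constructed sample inventory; the review date matches the article's date.
TODAY = date(2024, 9, 16)
SAMPLE_ACCOUNTS = [
    Account("alice", "IT", TODAY - timedelta(days=3),
            [Grant("domain-admins", "cio", TODAY + timedelta(days=30))]),
    # bob moved from Finance to Parks but kept his finance-approver role
    Account("bob", "Parks", TODAY - timedelta(days=10),
            [Grant("finance-approvers", "cfo", TODAY + timedelta(days=200))]),
    # a service account nobody owns: never used, no approver, no expiry
    Account("svc-backup", "IT", None,
            [Grant("db-admins", None, None)]),
    # a contractor whose grant lapsed and who has not signed in for months
    Account("carol", "IT", TODAY - timedelta(days=120),
            [Grant("domain-admins", "cio", TODAY - timedelta(days=5))]),
    # an ordinary user with no privileged group: out of scope for this review
    Account("dave", "Parks", TODAY - timedelta(days=1), []),
]


def run_review():
    return review_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, finding, detail in run_review():
        print(f"{username:<12} {finding:<26} {detail}")
```

Run against the constructed inventory, the review reports nothing for alice (current, approved, time-bound access) and dave (no privileged group), flags bob's department mismatch, and surfaces svc-backup and carol as exactly the forgotten or overlooked privileged credentials the article warns about. Each finding carries the account and the grant it concerns so the output can feed a ticket to the application owner or manager who has to decide whether the access stays.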

It’s helpful, too, to deploy PAM in the places where it will defend the highest-value targets. “State and local is where critical infrastructure is operated,” Patton says. “Privileged access is a way for us to ensure that we have as robust a critical infrastructure as we can have.”

How Privileged Access Management Supports Hybrid Work

The shift to remote and hybrid work makes PAM an even more pressing priority.

In the current environment, “you have people with privilege to do the most sensitive activities who are working from home, in an unknown security posture environment,” Wyatt says. “They may be perfectly good people, but their environment could have some sort of contamination in it.”

In a hybrid work environment, for example, “you don’t know who anybody lives with. You don’t know whether they are in their house or are sitting at Starbucks with someone looking over their shoulder,” Halvorsen says. In this landscape, “looking at access on a per-session basis is really important.”

State and local agencies have historically relied on physical presence to reinforce access control: You badge into the building and work on a known device. Remote work undermines that approach.

“It takes us back to the zero-trust conversation,” Patton says. “The first step is to ask, is this person or this thing trustworthy? It’s more difficult to do that when they’re coming at you from the local library or on an airplane. That all makes privileged access management much more important for state and local government.”