Pain in the PAM

Oct 11, 2016 · 3 mins
Cybercrime, Data and Information Security, Internet Security

Why privileged access management poses unique challenges


To prevent security breaches and insider attacks and to comply with regulatory mandates, organizations must proactively monitor and manage privileged access. As the compromise and misuse of identity is often at the core of modern threats, privileged accounts are a prime target for phishing and social campaigns.

However, a discovery gap between what access has been granted and what users are actually doing has made it difficult to understand security risks and has plagued identity and access management (IAM) for years. This lack of visibility also applies to privileged access, a situation made even worse because few companies have implemented privileged access management (PAM).

Surprisingly, many organizations still rely on manual methods to manage privileged accounts and credentials, and most do not have repeatable processes to track the provision, management and retirement of these critical account entitlements. When implemented, PAM solutions provide valuable vaulting, single sign-on and multi-factor authentication capabilities to protect known privileged access credentials.

Due to rapidly evolving IT environments, enterprises are struggling to keep pace with the growth of privileged access accounts and entitlements, especially when it comes to discovery of hidden or unknown privileged access. This is primarily because organizations rely on self-managed lists or vaulted PAM inventory lists. Anything outside of these “known” silos remains unmanaged and unaccounted for.

The growing use of cloud services and applications is making matters worse, straining the ability of current methods to monitor across hybrid on-premises and cloud environments for privileged access. The types of entitlements granted determine whether an account is privileged, and the challenge is continuously analyzing their growing number.

Some industry experts estimate that more than half of privileged access entitlements exist outside of traditional IAM and PAM solutions and are likely to be unknown.    

A new discipline, coined Identity Analytics (IdA) by Gartner, can help address the discovery gaps in IAM and PAM through the use of machine learning models that risk score down to the entitlement level. The IdA risk-based approach is designed to provide discovery, including of privileged access entitlements, and to deliver full contextual visibility, monitoring, analysis and risk scoring, all of which facilitate remediation and management of privileged access risks.

IdA facilitates the complete accounting of enterprise privileged accounts and entitlements, including where administrative rights have been provisioned without accountability. This ability translates into finding normal accounts that have hidden privileged access entitlements. The tagging or labeling of accounts as privileged or supervisory is not enough; organizations need machine-learning models to find unknown privileged access and to provide a risk-based approach for managing privileged access.  

This new IdA intelligence from machine learning can help make IAM and PAM solutions more accurate by providing granularity down to entitlement risk scoring. That’s because machine learning models can absorb vast and varied sources of information and detect privileged access risks at the entitlement level. They work in concert to identify the “access outliers” and apply risk scoring based on behavior, peers, access, activities and context. Human efforts for this enormous task would be exhausting and futile, and still leave many unknowns and unforeseen access risks.
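The idea of classifying accounts by the entitlements they hold rather than by a privileged tag, and then ranking "access outliers" against their peers, can be sketched as follows. This is an added example, not code from the article or from any IdA product: it swaps the machine learning models for a plain peer-rarity heuristic, and the account names, entitlement names, peer groups and weighting are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data. Account names, entitlement names, peer groups and
# the PRIVILEGED set are assumptions for this example, not from any product.
PRIVILEGED = {"domain_admin", "db_owner", "sudo_all"}
VAULTED = {"adm_jlee", "svc_backup"}  # the "known" PAM inventory list
ACCOUNTS = {  # account -> (peer group, entitlements actually granted)
    "adm_jlee":   ("it_ops",  {"domain_admin", "vpn", "ticketing"}),
    "svc_backup": ("it_ops",  {"sudo_all", "vpn"}),
    "mchan":      ("finance", {"erp_read", "vpn", "email"}),
    "rpatel":     ("finance", {"erp_read", "vpn", "email", "db_owner"}),
    "tnguyen":    ("finance", {"erp_read", "vpn", "email"}),
    "kwhite":     ("finance", {"erp_read", "email"}),
}
PRIV_WEIGHT = 3.0  # assumed weighting: privileged entitlements count triple


def risk_scores(accounts, privileged):
    """Score each account by how rare its entitlements are among its peers."""
    size = Counter(group for group, _ in accounts.values())
    holders = defaultdict(Counter)  # group -> entitlement -> number of holders
    for group, ents in accounts.values():
        holders[group].update(ents)
    scores = {}
    for name, (group, ents) in accounts.items():
        score = 0.0
        for ent in ents:
            rarity = 1 - holders[group][ent] / size[group]  # 0 = every peer has it
            score += rarity * (PRIV_WEIGHT if ent in privileged else 1.0)
        scores[name] = score
    return scores


def hidden_privileged(accounts, vaulted, privileged):
    """Accounts holding privileged entitlements that the PAM inventory does not list."""
    scores = risk_scores(accounts, privileged)
    found = [(name, sorted(ents & privileged), scores[name])
             for name, (_, ents) in accounts.items()
             if name not in vaulted and ents & privileged]
    return sorted(found, key=lambda row: -row[2])  # highest risk first


if __name__ == "__main__":
    for name, ents, score in hidden_privileged(ACCOUNTS, VAULTED, PRIVILEGED):
        print(f"{name}: unmanaged privileged entitlements {ents}, risk {score:.2f}")
```

In the sample data, `rpatel` is labeled as an ordinary finance user, yet holds `db_owner`, which none of the peers have and which the vault list does not track.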


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.