Why privileged access management poses unique challenges

To prevent security breaches and insider attacks and to comply with regulatory mandates, organizations must proactively monitor and manage privileged access. As the compromise and misuse of identity is often at the core of modern threats, privileged accounts are a prime target for phishing and social campaigns.

However, a discovery gap between what access has been granted and what users are actually doing has made it difficult to understand security risks and has plagued identity and access management (IAM) for years. This lack of visibility also applies to privileged access, a situation made even worse because few companies have implemented privileged access management (PAM).

Surprisingly, many organizations still rely on manual methods to manage privileged accounts and credentials, and most do not have repeatable processes to track the provision, management and retirement of these critical account entitlements. When implemented, PAM solutions provide valuable vaulting, single sign-on and multi-factor authentication capabilities to protect known privileged access credentials.

Due to rapidly evolving IT environments, enterprises are struggling to keep pace with the growth of privileged access accounts and entitlements, especially when it comes to discovery of hidden or unknown privileged access. This is primarily because organizations rely on self-managed lists or vaulted PAM inventory lists. Anything outside of these “known” silos remains unmanaged and unaccounted for. The growing use of cloud services and applications is making matters worse, straining the ability of current methods to monitor across hybrid on-premises and cloud environments for privileged access.
The types of entitlements granted are what determine whether an account is privileged, and the challenge is continuously analyzing their growing number.

Some industry experts estimate that more than half of privileged access entitlements exist outside of traditional IAM and PAM solutions and are likely to be unknown. A new discipline, coined Identity Analytics (IdA) by Gartner, can help address the discovery gaps in IAM and PAM through the use of machine learning models that risk score down to the entitlement level. The IdA risk-based approach is designed to provide discovery, including of privileged access entitlements, and to deliver full contextual visibility, monitoring, analysis and risk scoring, all of which facilitate remediation and management of privileged access risks.

IdA facilitates the complete accounting of enterprise privileged accounts and entitlements, including where administrative rights have been provisioned without accountability. This ability translates into finding normal accounts that have hidden privileged access entitlements. The tagging or labeling of accounts as privileged or supervisory is not enough; organizations need machine-learning models to find unknown privileged access and to provide a risk-based approach for managing privileged access.

This new IdA intelligence from machine learning can help make IAM and PAM solutions more accurate by providing granularity down to entitlement risk scoring. That’s because machine learning models can absorb vast and varied sources of information and detect privileged access risks at the entitlement level. They work in concert to identify the “access outliers” and apply risk scoring based on behavior, peers, access, activities and context. Human efforts for this enormous task would be exhausting and futile, and would still leave many unknowns and unforeseen access risks.
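The discovery idea described above, classifying accounts by the entitlements they actually hold rather than by a label or a vault list, sketched as an added example (not from the article or any IdA product). The accounts, entitlement names and privileged-entitlement catalog are constructed assumptions, and a simple peer-rarity heuristic stands in for the machine-learning models the article refers to.

```python
from collections import defaultdict

# All data below is constructed for illustration.
PRIVILEGED = {"domain-admin", "db-owner", "iam:CreateUser", "sudo-all"}  # assumed catalog
PAM_INVENTORY = {"adm-jlee", "svc-backup"}  # the "known" vaulted accounts
ACCOUNTS = {  # account -> (peer group, entitlements actually granted)
    "adm-jlee":   ("it-ops",  {"domain-admin", "vpn"}),
    "svc-backup": ("it-ops",  {"sudo-all", "backup-read"}),
    "mchan":      ("finance", {"erp-read", "vpn"}),
    "rpatel":     ("finance", {"erp-read", "vpn", "db-owner"}),
    "tnguyen":    ("finance", {"erp-read", "vpn"}),
    "kwong":      ("finance", {"erp-read", "vpn", "erp-approve"}),
    "dsmith":     ("dev",     {"git-write", "iam:CreateUser"}),
    "aroy":       ("dev",     {"git-write", "ci-run"}),
    "blim":       ("dev",     {"git-write", "ci-run"}),
}

def peer_rarity(accounts):
    """Map (group, entitlement) -> share of that peer group NOT holding it."""
    size, held = defaultdict(int), defaultdict(int)
    for group, ents in accounts.values():
        size[group] += 1
        for ent in ents:
            held[(group, ent)] += 1
    return {key: 1 - n / size[key[0]] for key, n in held.items()}

def score_accounts(accounts, privileged, inventory):
    """Score each account per entitlement: 1.0 if privileged, plus peer rarity."""
    rarity = peer_rarity(accounts)
    findings = []
    for name, (group, ents) in accounts.items():
        priv = sorted(ents & privileged)
        score = sum((ent in privileged) + rarity[(group, ent)] for ent in ents)
        findings.append({
            "account": name,
            "privileged_entitlements": priv,
            # Privileged by entitlement, yet absent from the PAM inventory.
            "unmanaged": bool(priv) and name not in inventory,
            "score": round(score, 2),
        })
    # Unmanaged privileged accounts first, then highest risk score.
    return sorted(findings, key=lambda f: (not f["unmanaged"], -f["score"]))

def hidden_privileged(accounts, privileged, inventory):
    return [f["account"] for f in score_accounts(accounts, privileged, inventory)
            if f["unmanaged"]]

if __name__ == "__main__":
    for f in score_accounts(ACCOUNTS, PRIVILEGED, PAM_INVENTORY):
        print(f)
```

In this constructed data, the two ordinary-looking accounts that surface first hold a privileged entitlement their peers lack and appear in no PAM inventory, which is the gap a label-based or list-based review would miss.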