Decentralized PAM Advantages and Challenges: Keeping Organizations Secure from Edge to Cloud
By: Orhan Yildirim
The debate on centralized vs. decentralized IT has been going on for decades, and there are solid arguments for both choices. The rise of the cloud changed everything, and today “shadow IT” continues to challenge CIOs and CISOs, who are charged with protecting their organizations’ assets without restricting the productivity tools that employees and contractors keep finding and using in place of the “official” applications.
For example, even though comprehensive, unified collaboration applications like Microsoft Teams are available and can support virtual meetings, individuals or working groups may instead choose one of the many options available, many of which are free or very low cost (like Slack) and may use over-the-top messaging and voice applications like WhatsApp or Facebook Messenger.
Other companies allow business units to choose their own applications, which the BUs license with a corporate credit card. This trend is driven by the “consumerization” of IT and by a new generation of workers, including a growing number of “gig workers,” and the resulting applications are often left unmonitored and unmanaged while IT security risks grow. We have seen massive hacks over the last year, including new phenomena such as strangers breaking into Zoom conferences where sensitive information was being shared.
Is there a way to support multiple cloud applications selected by different business units while still protecting an organization’s infrastructure, data, and other assets?
According to Verizon’s Data Breach Investigations Report (DBIR), weak or common passwords were the cause of 63 percent of all breaches, and 53 percent of the breaches were due to the misuse of privileged accounts with access to valuable data (personal health information, credit card numbers, social security numbers, and other content cybercriminals can monetize), as well as company strategic plans and secrets, intellectual property, and other sensitive information that competitors or other adversaries covet.
The role of leadership within the CIO or CISO office is to decide for their organization what the definition of privileged data is, where it resides, and who has access to it. In a distributed IT environment, this is nearly impossible to do without software automation, and given that the control of privileged accounts is a major factor in compliance across all regulations in every industry, sustainable and effective measures must be put in place.
Whether local admin accounts for simple actions like setting up new users or privileged user accounts with access to multiple systems, every official organizational account must be monitored for who has access, what they have access to, how often they request access, and from which locations they request access. How is this possible in a multi-cloud, multi-application, “beyond hybrid” environment?
In a well-governed decentralized access management environment, a broader team throughout an organization can log in to an access control management system to add new employees or to create credentials for third-parties or visitors. For example, an office manager responsible for a branch office can set up a new user account for Microsoft Teams for a consultant coming in to develop a new product or support a new program.
In theory, because department managers grant access rather than only one or two people in a centralized management model, access control could be tighter: the branch manager in this scenario can quickly decide who may log in, what data they may access, and at what level, and can give the office manager authority to set up and take down accounts over time.
The branch manager is theoretically more capable of applying the principle of Least Privilege, giving only required access to build the highest level of security. If an individual’s login credentials fall into the wrong hands, unauthorized people would be limited to the data they can see and the programs they can use. Decentralized access control can also result in real benefits, including streamlining workflow, instantly supporting productivity, and aligning with team members’ expectations in a self-service world.
With all the benefits come new risks, however. An organization’s lack of visibility into access management undermines the IT team’s primary goal of limiting and tracking who logs in to the system, makes changes, and accesses data. In a decentralized model, different people interpret company policy differently, creating inconsistency and increased risk; and as we saw in 2020, when masses of workers are forced to work remotely, unencumbered access creates a serious risk of breaches.
A decentralized access control model works only when governance is applied, and this can be done with the right Privileged Access Management software solution, especially one built for the cloud rather than for on-premises deployment.
Ironsphere’s solution strikes a balance between monitoring the system while supporting the autonomy that a decentralized system is designed around, as it identifies high-risk activities and provides alerts while running constantly and discreetly in the background. It can monitor the system for an activity that does not align with access policies and trigger an intervention, including in an emergency when a system is being attacked.
Our Session Manager, which is operating in many large enterprises and other organizations with highly distributed workforces empowered with decentralized IT elements, provides real-time monitoring, logging, and recording of all privileged users’ sessions and stops malicious activities by role-based segregation of duties and least privilege management, including command and context-aware filtering.
Specific benefits include:
- Man-in-the-middle support for Telnet, SSH, RDP, VNC, HTTP.
- Logging, session recording, and session replay.
- Active-Active redundancy.
- Enforces security policies transparently.
- Advanced policy, context-aware policy, managerial approval.
- Optical character recognition (OCR) for RDP, RDP session recording.
- Termination of all active connections automatically on network elements for maintenance mode.
- Session “take-over” and “session-leave” functionality by the privileged users on active sessions.
- Unified visibility with searchable command/keystroke logs and full play-back video recordings.
- Stops attacks with least privilege functions, including command- or application-based restrictions, managerial approval, geolocation confirmation, multi-factor authentication/authorization, and time- and date-based access.
- Enforces role-based security policies centrally and silently.
- Meets regulatory compliance mandates including GDPR, ISO 27001, SOX, HIPAA, PCI.
- Single-Sign-On and 2-Factor Authentication support make system passwords invisible to users.
- Extend Active Directory group policies to IT and network infrastructure and support compliance.
- No agents, extensions, or applets. No hassle.
- Isolate Third Party access, control configuration changes, record all activities, and watch/participate in live sessions.
- Enable secure connections to any system, application, appliance, or website without disclosing the credentials.
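The monitoring described above (flagging activity that does not align with access policies and triggering an alert) and the least privilege controls in the feature list (command allowlists, managerial approval, geolocation confirmation, MFA, time-based access) reduce to a policy decision per privileged command. The following is an added illustration of that decision, not Ironsphere’s own code or a description of its product internals. The role names, policy fields, log format and log lines are all constructed for the example; a real session manager would populate them from its own configuration and recordings.

```python
"""Context-aware least-privilege policy check for privileged sessions.

Added illustration, not Ironsphere's code. Each session command is
evaluated against a role policy combining a command allowlist, an
approval requirement, MFA, a working-hours window and a source-country
restriction. Constructed session-log lines are then scanned and every
out-of-policy command is returned as an alert with the reasons.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional
import re


@dataclass
class RolePolicy:
    allowed_commands: set                     # commands the role may run at all
    approval_required: set                    # subset that also needs a manager ticket
    mfa_required: bool = True
    window: tuple = (time(8, 0), time(18, 0))  # permitted local time window
    allowed_countries: set = field(default_factory=lambda: {"US"})


@dataclass
class SessionEvent:
    user: str
    role: str
    command: str
    when: datetime
    country: str
    mfa: bool
    approval_ticket: Optional[str] = None


# Constructed policies for two hypothetical roles.
POLICIES = {
    "branch-admin": RolePolicy(
        allowed_commands={"useradd", "usermod", "passwd"},
        approval_required={"usermod"},
    ),
    "net-ops": RolePolicy(
        allowed_commands={"show running-config", "show interfaces", "reload"},
        approval_required={"reload"},
        window=(time(0, 0), time(23, 59)),
        allowed_countries={"US", "DE"},
    ),
}


def evaluate(event, policies=POLICIES):
    """Return (allowed, reasons); reasons is empty when the command is allowed."""
    policy = policies.get(event.role)
    if policy is None:
        return False, ["unknown role"]
    reasons = []
    if event.command not in policy.allowed_commands:
        reasons.append("command not in role allowlist")
    if event.command in policy.approval_required and not event.approval_ticket:
        reasons.append("managerial approval missing")
    if policy.mfa_required and not event.mfa:
        reasons.append("MFA not satisfied")
    start, end = policy.window
    if not (start <= event.when.time() <= end):
        reasons.append("outside permitted time window")
    if event.country not in policy.allowed_countries:
        reasons.append("source geolocation not permitted")
    return not reasons, reasons


# Constructed log format: ISO time | user | role | country | mfa=yes/no | ticket or - | command
LOG_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (\S+) \| (\S+) \| (\S+) \| (.+)$")


def parse_line(line):
    """Parse one constructed session-log line into a SessionEvent."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, user, role, country, mfa, ticket, cmd = m.groups()
    return SessionEvent(user=user, role=role, command=cmd,
                        when=datetime.fromisoformat(ts), country=country,
                        mfa=(mfa == "mfa=yes"),
                        approval_ticket=None if ticket == "-" else ticket)


SAMPLE_LOG = """\
2024-03-04T09:15:00 | alice | branch-admin | US | mfa=yes | - | useradd
2024-03-04T09:16:10 | alice | branch-admin | US | mfa=yes | - | usermod
2024-03-04T22:40:00 | alice | branch-admin | US | mfa=yes | - | passwd
2024-03-04T10:02:00 | bob | net-ops | DE | mfa=yes | CHG-1042 | reload
2024-03-04T10:05:00 | bob | net-ops | RU | mfa=no | - | show running-config
"""


def scan(log_text):
    """Return [(user, command, reasons)] for every out-of-policy command."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ok, reasons = evaluate(ev)
        if not ok:
            alerts.append((ev.user, ev.command, reasons))
    return alerts


if __name__ == "__main__":
    for user, cmd, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {user} ran {cmd!r}: {', '.join(reasons)}")
```

Run on the constructed log, the scan returns three alerts: the `usermod` without an approval ticket, the `passwd` run outside the branch-admin working-hours window, and the `show running-config` from a non-permitted country without MFA. The two allowed commands (the `useradd` in hours, and the `reload` that carries a ticket from a permitted country) produce no alert, which is the point of enforcing least privilege per command rather than per login.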
To learn more about how your organization can have the best of all worlds while continuing to protect what you connect, please contact us.