MY TAKE: How SMBs can improve security via ‘privileged access management’ (PAM) basics

By Byron V. Acohido

As digital transformation kicks into high gear, it’s certainly not getting any easier to operate IT systems securely, especially for small- and medium-sized businesses.

SMBs are tapping into cloud infrastructure and rich mobile app experiences, making great leaps forward in business agility, the same as large enterprises. Yet all organizations today, no matter their size or sector, face the same daunting security challenge: how to preserve the integrity of their IT systems when the attack surface is expanding and intrusion attempts are intensifying.

I recently spoke about this to Maurice Côté, VP Business Solutions at Devolutions, a Montreal, Canada-based supplier of remote desktop management services. Côté outlined how and why many SMBs are in a position to materially improve their security posture – by going back to a few security basics, in particular by paying closer attention to privileged account management, or PAM. For a deeper dive into our discussion please give the accompanying podcast a listen. A few key takeaways:

How SMBs got here

Some context: privileged accounts first arose 20 years ago as our modern business networks took shape. Privileged accounts assigned special logon credentials to system administrators in charge of onboarding and offboarding users, updating and fixing IT systems and carrying out other network-wide tasks.

Right off the bat, it became an ingrained practice to ‘share’ the logon credentials to privileged accounts, that is, to use one username and password to authenticate multiple users of a given shared account. Just as quickly, other lax security practices became the order of the day. Not nearly enough thought was put into issuing, monitoring and, when appropriate, proactively shutting down shared accounts.

In time, sophisticated identity and access management, or IAM, solutions, of which PAM is a subset, came along to help companies improve their data governance. Expensive enterprise-grade IAM and PAM systems were all well and good for large organizations. However, SMBs predictably fell way behind – and never really regained much ground – with respect to reducing their exposure to shared accounts. SMBs don’t have anywhere near the volume of network traffic generating massive data flows that a large enterprise has.

By contrast, a typical SMB is likely to be transacting with a diverse array of contractors, everyone from facility maintenance crews to third-party service providers of all stripes. This daily horse-trading of marketing, financial, legal and operational data requires granting access to a diverse array of third parties. Meanwhile, the cloud-based collaboration tools enabling this activity are getting mixed and matched and continually updated on a daily basis.

There are a lot of moving parts to modern IT systems. Devolutions polled IT decision makers last October and found 78% of SMBs considered having a PAM solution in place as an important piece of a cybersecurity program – yet 76% of respondents also admitted that they failed to regularly use basic PAM tools and practices.

This inertia is not at all surprising. It likely reflects the erroneous belief held by harried decision makers at many small organizations that threat actors tend not to bother with smaller targets. They most certainly do. What’s more, SMBs understandably tend to be narrowly focused on their core business and often operate under very tight budget constraints, Côté noted.

The case for basic PAM

In point of fact, refocusing on basic PAM hygiene can make a profound impact in today’s operating environment. This includes leveraging a robust access management dashboard along with implementing two-factor authentication, password vaulting and password rotation; these are well-understood PAM practices proven to be very effective at shrinking the attack surface. Basic PAM can be integrated a number of ways into any business network and can be tuned to fit the specific operating profile of any given SMB.

A strong argument can be made that basic PAM services are a much better fit for an SMB, as compared to overpaying for a stripped-down version of an enterprise-grade IAM/PAM suite. All that’s required is for company decision makers to do their due diligence and find the right fit with the right supplier.

By ingraining basic PAM practices into day-to-day operations, any SMB can make it much harder for intruders to breach its network; it can also improve its ability to withstand data security audits, and will likely run more efficiently, Côté told me. “If you put security, compliance and productivity in a triad, and they’re all really strong, you can increase security drastically,” he observes.

This epiphany isn’t happening as often as it should. This could be because of confusing cybersecurity marketing messages, Côté says. A number of big-name IAM vendors are heavily pitching cool advances in enterprise-grade IAM and PAM technologies. These are amazing innovations that can do wonders for large enterprises – but in many cases are overkill for the typical SMB, he says.

Deploying a well-tuned access manager and making smart, consistent use of two-factor authentication, password vaulting and password rotation may seem mundane; yet these practices lead very directly to establishing and maintaining a baseline for very effective daily monitoring of shared accounts, with no wasted moves, Côté says.

“It’s possible to severely limit the surface area that’s available to attack,” he says. “You start by finding all the accounts that have been out there for ages . . . Just performing a discovery and looking at what you have, and assessing the reasons for why they exist, is really a huge step.”
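One way to carry out the discovery-and-assessment step Côté describes, as an added example that is not Devolutions’ code or the article’s own: a short Python pass over a constructed account inventory that flags shared credentials, orphaned accounts, stale logins, overdue password rotation and missing two-factor authentication, the same basics the article names. The inventory fields, account names, dates and policy thresholds are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory, as a first discovery pass over privileged
# accounts might export it (hypothetical names and dates, not real data).
ACCOUNTS = [
    {"name": "domain-admin", "privileged": True, "shared": True, "owner": None,
     "last_login": "2024-02-20", "pw_rotated": "2021-06-14", "mfa": False},
    {"name": "backup-svc", "privileged": True, "shared": False, "owner": "it-ops",
     "last_login": "2023-09-01", "pw_rotated": "2023-09-01", "mfa": False},
    {"name": "vendor-hvac", "privileged": True, "shared": True, "owner": "facilities",
     "last_login": "2024-02-28", "pw_rotated": "2024-01-15", "mfa": True},
    {"name": "alice", "privileged": False, "shared": False, "owner": "alice",
     "last_login": "2024-02-29", "pw_rotated": "2023-12-01", "mfa": False},
    {"name": "helpdesk-admin", "privileged": True, "shared": False, "owner": "helpdesk",
     "last_login": "2024-02-29", "pw_rotated": "2024-02-01", "mfa": True},
]

# Policy thresholds (assumed values; tune to the SMB's own rotation policy).
MAX_IDLE = timedelta(days=90)      # unused privileged account -> candidate for removal
MAX_PW_AGE = timedelta(days=60)    # password rotation interval
TODAY = date(2024, 3, 1)           # fixed reference date so results are deterministic

def assess(account, today=TODAY):
    """Return the hygiene findings for one account; non-privileged accounts are out of scope."""
    findings = []
    if not account["privileged"]:
        return findings
    if account["shared"]:
        findings.append("shared credentials")
    if account["owner"] is None:
        findings.append("no named owner")
    if today - date.fromisoformat(account["last_login"]) > MAX_IDLE:
        findings.append("idle beyond %d days" % MAX_IDLE.days)
    if today - date.fromisoformat(account["pw_rotated"]) > MAX_PW_AGE:
        findings.append("password older than %d days" % MAX_PW_AGE.days)
    if not account["mfa"]:
        findings.append("no 2FA")
    return findings

def report(accounts, today=TODAY):
    """Rank privileged accounts that have findings, worst first, as (name, findings)."""
    rows = [(a["name"], assess(a, today)) for a in accounts]
    return sorted([r for r in rows if r[1]], key=lambda r: -len(r[1]))

if __name__ == "__main__":
    for name, findings in report(ACCOUNTS):
        print(f"{name}: {', '.join(findings)}")
```

Each flagged account becomes a question for the business owner named in the inventory (why does it exist, who uses it, can it be retired), which is the assessment step Côté calls the huge first win.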

Clearly, basic PAM practices need to become an operating standard for SMBs. It’s long overdue. I’m optimistic that this is where we’re heading. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
