Q&A: Here’s why robust ‘privileged access management’ has never been more vital

By Byron V. Acohido

Malicious intruders have long recognized that getting their hands on privileged credentials equates to possessing the keys to the kingdom. This is because privileged accounts are widely deployed all across modern business networks — on-premises, in the cloud, across DevOps environments and on endpoints.

However, lacking robust protection, privileged accounts, which are intended to give administrators the access they need to manage critical systems, can instead be manipulated to enable attackers to move laterally across an organization’s network.

In recognition of the significant security risks privileged accounts can pose, industry research firm Gartner recently released the first-ever Magic Quadrant for Privileged Access Management. [1]

Last Watchdog asked Adam Bosnian, executive vice president at CyberArk – the company that pioneered the market – to put into context how much can be gained by prioritizing privilege in today’s dynamic, fast-evolving digital business landscape. Here are excerpts edited for clarity and length:

LW: Why is privileged access management so important?

Bosnian: Privileged access has become the fulcrum of the success or failure of advanced attacks. Nearly 100 percent of all advanced attacks involve the compromise of privileged credentials.

This is a mounting challenge for organizations because privileged accounts exist and ship in every single piece of technology, including servers, desktops, applications, databases, network devices and more. They’re a fundamental part of our IT infrastructure, which is why they carry such a high level of risk if they’re not secured.

LW: Why are privileged credentials coveted by attackers?

Bosnian: From an attacker’s perspective, privileged credentials are the keys that can unlock almost any door. Regardless of whether an attacker is working from outside an organization or within as an insider, gaining privileged access is critical to executing an attack.

Attackers that are able to gain access to privileged accounts can elevate privileges and move laterally throughout the network to accomplish their end goal. The scary part is that the ‘end goal’ changes by attacker – but with exploited privileged credentials, they can access and exfiltrate data from databases, access ICS systems to impact operational technology, or even execute a complete network takeover, which we’ve seen a few times. If attackers steal your privileged credentials, you’re basically at their mercy.

LW: How has the concept of privilege evolved over the years?

Bosnian: The definition of privilege continues to evolve as the technology landscape changes. Years ago, privileged access typically referred primarily to privileged users.

The concept was based on the root access that the accounts provided to IT and systems administrators, who used these power accounts to maintain the network and systems. Privileged accounts were typically shared, anonymous accounts that provided the user all-powerful access to the data and information systems on a network.

Today, the definition of privilege scales well beyond human users, but the power of the access points remains the same. Privileged credentials are now found everywhere – on-premises, on the endpoint, across hybrid Cloud and DevOps environments, and more.

LW: As the definition of privilege expands, what areas present the greatest risk?

Bosnian: One of the most interesting emerging use cases is in Robotic Process Automation (RPA) tools. RPA software interacts directly with business applications and mimics the way these apps use human credentials.

This creates a vast new risk landscape for privileged access. Because these software robots automate and perform business functions across multiple business systems, an attacker gaining root access in an RPA tool would be able to move laterally across all of these systems.

With every tech advancement comes new privileged credentials, and accordingly, new attack vectors for our cyber enemies.

LW: What’s the future of privileged access management?

Bosnian: For a long time, privileged access was viewed as a compliance checkbox, and the business driver was audit requirements. However, there’s been a fundamental shift in the importance of privilege – and risk management is largely driving adoption.

You can feel the importance of privilege reverberate across the industry. Vendors are banding together in our global technology partner program, the C3 Alliance, and other collaborations and committing to incorporate privileged access security as a best practice across their own offerings.

We’re seeing this shift in how the analyst community is covering and supporting privileged access management. Privileged access management is an area noted by Gartner in its first-ever Magic Quadrant on the market. [1]

Most importantly, we’re seeing it from customers and prospects, who are looking for security projects that can mitigate the greatest level of business risk, and are accordingly turning to privileged access management.

[1] Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


(Editor’s note: LW provides consulting services to some of the organizations included in our coverage.)
