Author: Joey Sylvester
Identity and access management (IAM) is receiving heightened interest from insurers due to the critical nature of this area of cybersecurity. IAM focuses on how individuals identify and authenticate themselves to a computer network, and in turn, the level of access they're granted based on their authenticated identity.
Before tight access controls became commonplace, individuals may have been granted full access to company IT resources without regard to their job role. This approach to IAM lends itself to unfettered access for hackers looking to move laterally across platforms.
It's the exact reason why multi-factor authentication (MFA) became a strict requirement. Another critical component of IAM, MFA requires users to prove their identity beyond simple usernames and passwords that can be compromised with relative ease even by lower-level hackers.
We also see a need to limit employee's access to systems they need to perform their duties only. Not all employees need access to critical systems and sensitive data. For example, your typical sales-based employee doesn't need admin access to the human resources information system (HRIS). Their access should be limited to sales-based systems for their specific job responsibilities. This approach is what we call the principle of least privilege — granting needed access and nothing more.
A key step in the so-called cyber kill chain1 for hackers is gaining access to an internal asset by using phishing emails, exploiting an unpatched software vulnerability, using a zero-day vulnerability2 or some other method. Upon gaining access through one of these means, the hacker can use a malicious payload to gain control of the target. A hacker can then move laterally through a network, collecting credentials and comprising other assets or accounts along the way, all with a goal of elevating their access privileges.
An account with elevated privileges is an attractive target because it can grant hackers access to critical or sensitive areas of the overall IT system and authority to perform certain activities. So although accounts with low-access privileges lack authority to do activities that hackers desire, those lower-level accounts could be stepping stones into more privileged accounts. As such, it's imperative that accounts with privileged access be locked down to limit the ability of malicious actors to exploit them.
What is privileged access management technology and how does it work?
Privileged access management (PAM) is a crucial component in the IAM toolbox. PAM solutions grant better oversight and control over privileged and admin-level accounts. A PAM will monitor usage and can act as a gatekeeper for granting access. The PAM can be set to automatically detect unmanaged privileged user accounts and credentials — an important security feature as hackers attempt to escalate their privileges. This monitoring enables the IT staff to detect potentially malicious behavior and respond accordingly.
Further, the PAM solution allows the admin accounts to be isolated and monitored while in use. Accounts can be "checked out" for usage with a company-specified time limit, and all activity during a managed session can be monitored and recorded.
What does privileged access management cost?
Several vendors offer PAM solutions at various price points. Online comparisons can give a good overview of their services.3 The pricing can range from inexpensive to a significant investment depending on a number of factors, such as the number of privileged accounts to be managed, how much support is needed for the initial implementation, and whether your organization's architecture is hosted in the cloud, in on-premise servers, or a hybrid of the two.
Additionally, fully implementing a PAM solution will take time and resources. Adequate time should be granted to IT staffs to fully research and vet appropriate solutions for their organization.
Why do cyber insurance underwriters require privileged access management?
Protecting accounts with elevated authority is of paramount importance to underwriters who have seen their share of claims emanating from compromised admin accounts. Studies show investments in an IAM can reduce the amount of a claim on average by $224,396.4 Additionally, adopting a zero-trust model supported by robust IAM can reduce the potential cost of a breach by up to $1.5 million.
PAM solutions can stop lateral movement and unauthorized privilege escalation, both key goals in the cyber kill chain. By hampering hackers' ability to accomplish these goals, PAM solutions can be critical in cyber defense and can reduce both the likelihood and impact of cyber incidents.
For information on other key control requirements, check our recently published Cybersecurity Controls Checklist.