
Many organizations do a reasonably good job at limiting access to data and systems for their general user population. When it comes to privileged access, however, most simply attempt to limit who and how many people have this type of access without considering the inherent risks of granting wide-open root or admin level access.
The latest data breaches have been the result of attackers gaining elevated privileges to systems by compromising a privileged user's credentials and then using the authorized access to exfiltrate data.
The concept behind privileged access management (PAM), sometimes called privileged identity management (PIM), as a way to better control privileged account access is not a new notion. But organizations need to take an important step forward in granularity.
Current PAM solutions provide better management of privileged accounts but do not solve the underlying problem with those accounts: they allow unfettered access to the system, giving whoever has access full control over it.
While these solutions provide better control over and accountability for the use of privileged accounts, they do not truly grant access based on the well-understood concept of least privilege. And this is where that next level of granularity will help organizations give their privileged users the ability to do their assigned tasks without giving them the keys to the kingdom and putting the organization at unnecessary risk.
"Establishing controls around privileged access continues to be a focus of attention for organizations and auditors," say Gartner analysts Felix Gaehtgens and Anmol Singh in the research firm's Market Guide for Privileged Account Management. "Security leaders must be prepared to address the inventory, classification and use of privileged accounts."
Root cause
Root or administrative access is typically meted out in its entirety to certain trusted individuals. The problem with this approach is that this level of access allows the user to take any action they want, on any system, regardless of the immediate objective or their respective role in the organization.
Threat actors specifically target these users through malware, social engineering or other lateral breaches. Once a threat actor or malicious party gains access to a privileged user's credentials, they often either have or can find a way to escalate to root access. The result? They "own" the environment, allowing them to execute their nefarious objectives.
By taking PAM/PIM to the next level — by limiting what specific actions a privileged user can take — organizations will not only be able to limit who has privileged access, but also dictate exactly what the user is able to do with that access. Far too many organizations, particularly in healthcare, are just concerned about limiting the number of privileged accounts they authorize for access. But we need more control.
Perfect privilege
In a perfect world, we'll have solutions in which those who assign access rights don't have that access themselves. This separation already exists in other technologies, most commonly in encryption and encryption key management, and needs to be extended to privileged access management.
There are vendors in the space today that help define what a particular user can do with a privileged account – even down to command-level execution. This approach will allow an organization to specify what commands are available to a user for any given use of a privileged account.
The opportunities this affords are virtually limitless. Access required to complete a specific task could be granted at the time needed and tied to a service ticket or other form of request. True least privilege-based access could finally become a reality.
It's the next step in granularity. A lot of the exploits take advantage of having root. If a given account only had the ability to do one or two things, could malicious parties leverage that level of permission to complete their objectives or pivot off that account to do other things? Not likely. And it's a much-needed next step.
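An added example, not from the original article or any vendor's product: a default-deny check that permits a privileged command only when it exactly matches a grant tied to a service ticket and falls inside that grant's time window. The `Grant` fields, the user, the ticket number and the commands are constructed for illustration.

```python
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str
    account: str         # privileged account being used, e.g. root
    ticket: str          # service ticket that justifies the access
    not_before: datetime
    not_after: datetime
    allowed: tuple       # exact argv tuples; nothing else may run

def authorize(grants, user, account, ticket, command, now):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    try:
        argv = tuple(shlex.split(command))  # compare argv, never a shell string
    except ValueError:
        return False, "unparseable command"
    if not argv:
        return False, "empty command"
    reason = "no grant for this user, account and ticket"
    for g in grants:
        if (g.user, g.account, g.ticket) != (user, account, ticket):
            continue
        if not g.not_before <= now <= g.not_after:
            reason = "grant outside its time window"
        elif argv in g.allowed:
            return True, "allowed under " + g.ticket
        else:
            reason = "command not in grant"
    return False, reason

# Constructed sample data (hypothetical user, ticket and commands).
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "root", "CHG-0001", T0, T0 + timedelta(hours=2),
                (("systemctl", "restart", "nginx"),
                 ("journalctl", "-u", "nginx")))]

if __name__ == "__main__":
    for cmd in ("systemctl restart nginx", "cat /etc/shadow"):
        print(cmd, "->", authorize(GRANTS, "alice", "root", "CHG-0001",
                                   cmd, T0 + timedelta(minutes=30)))
```

The enforcement point has to execute the approved argv directly rather than pass the string to a shell, otherwise an appended `; other-command` would bypass the exact-match comparison.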
How access affects health IT
While organizations in every vertical must verify and vet vendors and third parties, those in healthcare IT should take special care because of the privacy at stake and the compliance guidelines they must follow.
As current HIPAA guidelines stand, organizations are required only to verify that identities are tied to the person claimed, typically through some means of multi-factor authentication. The HIPAA requirements, the primary driving force for protecting patient data, don't mandate that organizations restrict the access or abilities of privileged accounts once they've been properly authenticated.
Given the complexity of typical healthcare environments, a better way to control privileged access in a healthcare setting is crucial to protecting PHI. Investing in a current PAM solution would be a great first step, but implementing one that provides for more granular control is a much better and more secure solution.
Today vs. Tomorrow
We've focused our attention on limiting how many people have privileged access. It's a good sign that organizations are concerned about this access, but the conversation has recently turned to how we can do a better job of limiting what can be done with a privileged account. This is a great sign of the continuing maturity in the security space. We still need more solutions that provide for more granular, fine-tuned control and monitoring of these accounts.
As the threat landscape continues to evolve and as the criminals continue to refine their methods, we will need to not only improve the methods of authentication to privileged accounts, but also be able to restrict what a privileged account can do for any particular use of the account.