You cannot afford to ignore compliance issues. Sooner or later, you’ll be required to demonstrate that you have the appropriate internal IT controls in place that minimize the risk of fraud and/or data breaches.
Typically, when organizations are looking to get identities and accounts under control, they’ll look to Privileged Access Management (PAM) to ensure their most sensitive data is only accessed by the people who need it, and that the proper controls are in place to prove that data was accessed according to standard procedures. Checking that those controls are in place is key to maintaining Privileged Access Management compliance.
Why is PAM such an important part of maintaining compliance within an organization?
Privileged Access Management touches everything in cybersecurity. Every single system within a company has privileged accounts behind it. People have privileged credentials to control Teams meetings, read employee emails, access sensitive databases and PII data and more. That's why privileged account management is so important to overall compliance. No matter what risk you point at in an organization, you can draw a threat vector from that risk to a privileged account somewhere. It’s the root of all threat vectors.
How do organizations typically fall short in terms of PAM compliance within the context of Privileged Access?
There are many organizations out there that take particular care to adhere to requirements and make sure privileged access is managed according to best practices.
However, many organizations often won’t recognize there is a problem until it becomes a problem. Let’s say a business has a group of admins who all share the root accounts for an important system, like a financial database. The business is operating and there are no issues, so the business doesn’t think there's a problem with maintaining operations as-is. However, if there's a breach, the company will have to react differently.
If there’s a specific regulation or requirement a business needs to adhere to, typically, there will be somebody employed at the company to ensure that compliance is met and proven on a regular basis. On occasion, auditors will get sent in and they will start rummaging around, looking for any vulnerabilities to flag in an audit. At that point, the company tends to react in order to close the audit point rather than address the bigger picture: the security vulnerability.
That's where I've seen organizations fall short most: waiting for a failed audit to take action. Organizational security is not just about passing an audit.
However, audits do offer an opportunity. Never waste a good audit, especially if you’ve been having trouble getting budget dedicated to resolving important security measures.
If you have an auditor coming in, spotlighting areas of concern can help add urgency to further securing your organization. There’s a big gap between the security team saying, “We need to dedicate resources to do something about this vulnerability,” and the business making those resources available and making implementation a priority.
What are some common compliance frameworks that security professionals overseeing PAM implementations need to be aware of?
Depending on the type of organization or the information an organization collects and uses, IT security and business professionals must be cognizant of and compliant with the different data security frameworks applicable to the overall business. Here is just a small selection of compliance frameworks that IT and security professionals need to adhere to:
- ISO 27001: Used to establish, implement, maintain, assess and continually improve a robust information security management system (ISMS)
- HIPAA: Otherwise known as the Health Insurance Portability and Accountability Act, HIPAA’s most important provision is the mandatory safeguarding of all recorded personal health information (PHI), including PHI stored in an electronic form (ePHI)
- GDPR: General Data Protection Regulation (GDPR) aims to provide citizens of the EU with clear and understandable information about the processing, storage, use and, above all, the protection of their personal data
- SOX: The Sarbanes-Oxley Act was primarily enacted to combat corporate accounting fraud and aimed to advance the standard for corporate governance. However, as a result, it places pressure on public companies to identify, collect and provide more evidence of effective IT general controls (ITGCs)
- PCI-DSS: The overriding goal of the Payment Card Industry Data Security Standard (PCI-DSS) is to ensure payment card data confidentiality, which means making sure that you and your vendors have the proper operational processes and controls in place to secure customer data and ensure it is auditable
- NERC: The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system. It aims to establish a secure perimeter for cyber assets to mitigate unauthorized access and disclosure of critical information
- FERPA: The Family Educational Rights and Privacy Act protects the privacy and personal information of student records and requires parents to authenticate their identities for access to information
- GLBA: The Gramm-Leach-Bliley Act (GLBA) is a US law that reformed the financial services industry, allowing commercial and investment banks, securities firms and insurance companies to consolidate, and that addresses concerns about protecting consumer privacy
- CCPA: The California Consumer Privacy Act gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law
When you take a step back and look at these compliance frameworks for what they are, they show a trend of society trying to keep up with digital transformation. It’s about recognizing the risks of what happens to individuals when this data is improperly handled by an organization, mandating what needs to be done in order to reduce those risks, putting the controls in place to do something to reduce those risks and compelling organizations to take steps to properly protect sensitive data.
Unfortunately, unless these frameworks are in place, many organizations won’t pre-emptively take the steps needed to reduce risk and protect data.
What are the risks of not maintaining Privileged Access Management compliance?
Not maintaining Privileged Access Management compliance, especially with sensitive data, can introduce some severe consequences for organizations:
- Poor overall organizational security
- Privileged account abuse is linked to 70% of breaches, and 61% of breaches involve improper management of credentials. In addition, nearly 9 in 10 security professionals say that employees have more privileged access than necessary for their roles. Not getting a handle on privileged accounts leaves organizations significantly vulnerable to attacks
- Significant financial consequences
- Compliance frameworks and regulations are designed to make non-compliance a costly mistake for both large and small businesses. Depending on the compliance framework an organization needs to follow, there is a wide range of fees and fines that can be assessed for violations. Amounts vary widely, but are often flat fees, assessed fines or a percentage of revenue
- Reputational harm
- Data breaches make headlines every day and can cause brand—and subsequently financial—harm. Often, enterprises will try and keep their breach responses quiet so that all the public focuses on is the breach itself. However, there have been some cases where companies have improved their reputations after a breach. Organizations that recognize the issue and approach the breach head-on—inform everyone involved, offer transparency about what happened, why it happened, what they did about it and offer solutions in efforts to avoid another breach—can experience a net positive effect on their reputation
- Imprisonment
- For some select data compliance violations, business leaders can face imprisonment for violations
What are the mistakes companies make when they look to implement PAM?
Implementing privileged account management and maintaining privileged account management compliance can be a challenge. For organizations looking to make implementation and maintaining compliance as easy as possible, avoiding these mistakes paves a smooth path forward.
- Not mapping out PAM accounts
- Many organizations don’t recognize the full depth of the challenge of mapping out privileged (PAM) accounts. What are a business’ riskiest privileged accounts? How do you rank those privileged accounts according to risk? Often, companies will overlook that business analysis piece because they simply want to tick the box and close an audit. Mapping out the full depth of privileged accounts gives organizations a solid foundation because they have a better understanding of their potential risks and vulnerabilities
- Not enforcing individual accountability
- Say you have 10 people and they've all got the same root username and password for a particular system. If one of them logs in to that system, you don't know which one of them is logged in because they're all sharing a generic account. That’s why one of the core concepts of Privileged Access Management is individual accountability. That way, if I, Alan Radford, am using an account with a username and password, it’s a way to identify that Alan Radford was using that account at that point in time and not someone else. If you give somebody a unique username and password, you’ve got individual accountability of who logged in. However, even with that, you may still not necessarily know what they're doing on the target system. Session recording keeps a log of activities that take place on privileged accounts and can monitor behavioral anomalies
- Not enforcing separation of duties
- Separation of duties is a key tenet of least privilege. Administrator accounts and standard accounts should be separate, even for the same user. If high-level system functions—reading, writing and executing databases and applications—are not split from lower-level functions, it leaves organizations vulnerable. Enforce separation of duties so it is clear what behavior is suitable for which accounts, which also helps with auditing and logging.
- Not implementing MFA
- A key tenet of Zero Trust is “never trust, always verify.” In our recent survey of over 100 security and IT professionals, 84% said they had a favorite password. We can infer from this that, while most people don’t reuse passwords for sentimental reasons, they likely do for practical reasons. Yes, MFA can introduce friction to a login experience. However, would you rather have MFA enforced regularly or would you rather have the significant risk exposure of just using a password?
- Not engaging the right stakeholders
- Implementing Privileged Access Management is not just an IT or security team initiative. Nobody understands your privileged access state better than your privileged users. Any users who frequently work with sensitive data or applications should be involved in Privileged Access Management implementation. Executive sponsorship is also key to ensuring the overall rollout and ongoing maintenance is addressed.
How can companies set themselves up best for success regarding overall PAM compliance?
- Don’t skip analysis
- Discovery and inventory of an organization’s riskiest accounts, who has access to them and ranking those accounts according to risk are some of the most helpful actions any organization can take. This not only gives an organization a wide-reaching view of potential vulnerabilities, it can also make it easy to see where potential compliance violations may come from. This view makes it easy to determine what controls need to be in place.
- Be familiar with applicable compliance requirements
- Each organization will need to individually assess the applicable compliance frameworks that must be followed, the type of data that must be handled carefully and correctly and the proper controls in place to prove compliance.
- Security and compliance are the objectives, but only parts of the opportunity
- Organizations often look at enhancing security as a necessary expense. However, enhancing security can also mean streamlining other operations. For example, utilizing a Privileged Access Management tool can decrease friction for provisioning high-level users looking to access a sensitive database. This example can also be extended to lower-level usages. Let’s say an organization needs to provision access to cloud applications for thousands of employees. An identity security solution could not only help prove compliance and close that audit point, but seriously streamline the way employees are given access to those applications and cut down on the time and work hours spent making those processes happen on a daily basis.
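The "don’t skip analysis" step and the mistakes list above (shared root credentials, no MFA, no session recording, admin and standard duties not separated) can be turned into a repeatable check over a privileged-account inventory. The script below is an added example, not code from the original article or its author: it takes a constructed inventory, flags which of those controls each account is missing, and ranks accounts by a risk score that scales the control gaps by the sensitivity of the data behind the system. The field names, the 1 to 3 sensitivity scale and the gap weights are assumptions chosen for illustration; an organization would substitute its own discovery data and weighting.

```python
"""Privileged-account inventory check and risk ranking.

Added example, not code from the original article or its author. It runs
the "don't skip analysis" step over a constructed inventory and flags the
control gaps the article lists as common PAM mistakes: shared credentials
(no individual accountability), missing MFA, no session recording, and
no separation of admin and standard duties. Field names, the sensitivity
scale and the gap weights are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    system: str
    data_sensitivity: int            # assumed scale: 1 (low) .. 3 (high)
    holders: tuple                   # people who use this credential
    mfa_enforced: bool
    session_recorded: bool
    separate_standard_account: bool  # holders also have a non-admin account


# Assumed weights: accountability and MFA gaps count most.
GAP_WEIGHTS = {
    "shared_credential": 3,
    "no_mfa": 3,
    "no_session_recording": 2,
    "no_separation_of_duties": 2,
}


def control_gaps(acct: PrivilegedAccount) -> list:
    """Return the names of the controls this account is missing."""
    gaps = []
    if len(acct.holders) > 1:          # more than one person: no attribution
        gaps.append("shared_credential")
    if not acct.mfa_enforced:
        gaps.append("no_mfa")
    if not acct.session_recorded:
        gaps.append("no_session_recording")
    if not acct.separate_standard_account:
        gaps.append("no_separation_of_duties")
    return gaps


def risk_score(acct: PrivilegedAccount) -> int:
    """Weighted gap total scaled by data sensitivity, so the same gap on
    the financial database outranks it on a test box."""
    return acct.data_sensitivity * sum(GAP_WEIGHTS[g] for g in control_gaps(acct))


def rank_inventory(inventory) -> list:
    """Riskiest first; ties broken by system and name for stable output."""
    return sorted(inventory, key=lambda a: (-risk_score(a), a.system, a.name))


def unattributable_accounts(inventory) -> list:
    """Accounts whose logins cannot be tied to one person (shared credential)."""
    return [a for a in inventory if len(a.holders) > 1]


# Constructed sample inventory (not real systems or people).
INVENTORY = (
    PrivilegedAccount("root", "finance-db", 3, ("alice", "bob", "carol"),
                      mfa_enforced=False, session_recorded=False,
                      separate_standard_account=False),
    PrivilegedAccount("dba_alice", "finance-db", 3, ("alice",),
                      mfa_enforced=True, session_recorded=True,
                      separate_standard_account=True),
    PrivilegedAccount("admin", "hr-app", 2, ("dave",),
                      mfa_enforced=False, session_recorded=True,
                      separate_standard_account=True),
    PrivilegedAccount("root", "test-vm", 1, ("alice", "bob"),
                      mfa_enforced=False, session_recorded=False,
                      separate_standard_account=False),
)


def report(inventory=INVENTORY) -> list:
    """One tuple per account, riskiest first: (account, score, gaps)."""
    return [(f"{a.name}@{a.system}", risk_score(a), control_gaps(a))
            for a in rank_inventory(inventory)]


if __name__ == "__main__":
    for account, score, gaps in report():
        print(f"{score:3d}  {account:22s} {', '.join(gaps) or 'no gaps'}")
```

Run as-is, the shared root account on the financial database lands at the top with every control missing, the same shared root on a low-sensitivity test box ranks well below it, and the individually owned, MFA-protected, session-recorded DBA account scores zero. The `unattributable_accounts` list is the set where a login record alone cannot answer "who was using this account at that point in time", which is the individual accountability gap described above.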
Most organizations are facing widespread identity sprawl and too much access to enterprise resources. There is a direct relationship between their privileged accounts and the systems they use on a daily basis. So, minimizing that threat vector by maintaining Privileged Access Management compliance and taking steps to close audit points is a great way for any organization to take the first steps to improve its security posture.