Everyone expects to use a password to log into their computer or an application they need for their work. But why and what is its role in cybersecurity?
At the most superficial level, providing a password or using multi-factor authentication (MFA) is an attempt to identify who is trying to access the system or service. Beyond proving who the person is, that identity may also determine what they are allowed to do with the service.
Passwords are famously insecure: people struggle to choose and remember even moderately complex ones, so passwords are easily cracked or obtained through social engineering.
Providing identity has a limited role in security beyond making that initial connection. Identity and Access Management (IAM) is the common grouping for tools that support these identity verification activities. IAM systems often provide extra services such as password generation or single sign-on, but they're still focused on proving the identity of the person trying to get some work done.
Controlling who can access which systems, with what level of access, and possibly requiring approval before that access is granted, needs more than identity verification. That's especially true when the user is a systems administrator with elevated privileges to make significant changes, such as creating or deleting user accounts or updating customer data.
That's the role of Privileged Access Management (PAM), which typically provides centralised visibility and control over access. PAM can be a gateway to critical IT infrastructure. Connections are made securely, and in the best PAM solutions, the admin credentials are never accessible to the user making the connection.
IAM still has a role to play: to identify the person trying to access an IT system. It's PAM that applies policies to ensure that person should have access and that makes a secure connection to the target system.
Modern PAM tools, such as Osirium PAM, also include real-time session monitoring and recording features. That's valuable in case there's a need to investigate activity after a potential security incident. It's no wonder that PAM is a requirement in many cybersecurity standards such as Cyber Essentials, NIST 800 and others.
But even the best PAM solutions still assume that the person using PAM can be trusted to use the connection. That's usually the case, as admins are the most experienced IT team members. However, even the best can make mistakes, which could do significant damage given their elevated privileges.
That reliance on trust is why routine tasks such as resetting a user's password still fall to an experienced admin. In an ideal world, they would be performed by Help Desk engineers or by the end user requesting the change.
The best way to address that trust issue is to ensure users can't do anything other than the changes they should make, that correct processes are followed, and that there's a clear end-to-end audit trail of any changes made while using privileged access. That means the work has to be automated.
Many IT admins use simple automation, writing scripts in Bash or PowerShell, to save themselves from repeatedly entering long and complex command lines. But those scripts are risky: no one other than the author knows anything about them, there's no audit trail, and it's too easy to embed user names and passwords in the scripts.
Robotic Process Automation (RPA) has been widely adopted for repetitive business operations. But RPA scripts are complex and expensive to build and can suffer from the same weaknesses in credential management. There are many business processes that suit RPA, but it isn't designed for IT operations.
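To make the contrast with an ad-hoc script concrete, here is an added example (not Osirium's code and not part of the original post) of an audited, allowlisted task runner: the admin credential is resolved at run time rather than embedded in the script, tasks outside the allowlist are refused, approval-gated tasks need a second person, and every request leaves an audit entry that never contains the credential. The task allowlist, the approval rule and the secret name ADMIN_SERVICE_PASSWORD are constructed assumptions, and the target-system call is simulated.

```python
import os
from datetime import datetime, timezone

# Constructed allowlist: task name -> whether a second approver is required.
# In a real deployment this catalogue is configured centrally, not in the script.
ALLOWED_TASKS = {"reset_user_password": False, "disable_account": True}

AUDIT_LOG = []  # stand-in for an append-only audit store


def env_secret(name):
    """Resolve a credential at run time from the environment (stand-in for a vault lookup).
    The secret is never hard-coded in the script and never written to the audit trail."""
    value = os.environ.get(name)
    if value is None:
        raise RuntimeError(f"credential {name} not available at run time")
    return value


def apply_change(task, target_user, credential):
    """Simulated call to the target system's API using the resolved credential."""
    return f"{task} applied to {target_user}"


def run_privileged_task(requester, task, target_user, approved_by=None, resolver=env_secret):
    """Run one allowlisted task on behalf of a delegated user and record an audit entry.
    Returns the audit entry; the credential itself is never part of it."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "task": task,
        "target_user": target_user,
        "approved_by": approved_by,
        "status": "denied",
    }
    if task not in ALLOWED_TASKS:
        entry["reason"] = "task not in allowlist"
    elif ALLOWED_TASKS[task] and not approved_by:
        entry["reason"] = "approval required"
    else:
        credential = resolver("ADMIN_SERVICE_PASSWORD")  # constructed secret name
        entry["result"] = apply_change(task, target_user, credential)
        entry["status"] = "completed"
    AUDIT_LOG.append(entry)
    return entry
```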
Osirium identified the need for this automation very early and is still a leader in the field of secure process automation. Indeed, no other PAM specialist offers a solution for automated administrator processes. Osirium Privileged Process Automation (PPA) was specifically built to address the needs of automating IT operations.
Automated workflows can streamline complex tasks. Rather than the admin starting a management tool and navigating through various screens, the workflow can use APIs to drive the system directly, so operations that may take minutes manually are completed in seconds.
The benefits for security are clear: fewer errors, better protection of credentials and no opportunity for credentials to be misused.
But there are many potential benefits for the business as well. Those tasks can be completed more quickly, and there's less rework due to manual errors. Even more significantly, once there's confidence that privileged tasks can be completed safely, they can be delegated to Help Desk engineers or to line-of-business users. A good example is in the NHS, where everyday IT tasks such as creating user accounts and disabling access are being performed by admin staff in GP practices rather than waiting for the centralised IT Help Desk. The same scenario applies wherever there's a local need for IT admin support but no IT staff, for example in hotels, shops, car rental, and many more situations.
For a change, an improvement in cybersecurity can also deliver measurable business benefits!
If you'd like to learn more, please get in touch.