ICS | Industrial Control Systems Security: Regulations
Privileged Access Management (PAM) can only work when it is consistently and ubiquitously in use. If system administrators either can’t or won’t use a PAM solution, security risks multiply. So do costs. When it comes to privileged access management, the best PAM solutions are the ones that get used consistently.
The Inconsistent PAM Risk
You can think of a PAM solution like a key management box. Inside the locked box is the ability to open doors. Whoever controls the key box essentially controls all the locks in the building. If the box is left open, or a master key is left under a rock “in case of emergency,” then every door in the building might as well be open too.
So it is with PAM. A PAM solution is supposed to lock critical systems up and protect them from unauthorized use. Yet, if users work around the PAM solution, then those critical systems are unprotected. PAM needs to be applied consistently and pervasively across all systems to be effective.
How PAM Inconsistency Sets In
No one sets out to build an insecure IT environment. Rather, acting with good intentions, a lot of smart people inadvertently set up a security regimen that is not sustainable. Systems and users that are somehow incompatible with the PAM solution create the need for “temporary” workarounds that negate the security benefits of a ubiquitous PAM solution.
Complex PAM systems may initially look comprehensive, but they’re generally too difficult to maintain and usage falls off over time. People are too busy with other work to find the time to fix the problem, so it gets worse.
How does this happen? One factor is the inevitable erosion of consistency that occurs when people come and go from jobs. The people who know how to run the PAM solution depart. The more complex the system, the bigger a problem this will be. Newcomers have trouble learning the nuances and might not be aware of any customization that was done.
Another issue is the continuing evolution of your own IT systems. Software agents and customized professional services inevitably need to be patched, maintained, and debugged as new and upgraded applications, hardware, and networks come online and create overlapping incompatibilities. PAM becomes yet another thing that has to be constantly maintained, fixed, and patched. The more complex the integration, the more ongoing work will be required to keep it functioning.
Deployment Length: The Canary in the Coalmine
The ultimate usage rate of your PAM solution can generally be predicted by the length and complexity of the deployment process. The longer the deployment, the harder the system will be to maintain, and the lower your likely usage rate.
If a complex PAM deployment starts out already relying on workarounds and intensive professional services, it is pretty much guaranteed to be doomed in the long (or even short) term. There is a high probability that privileged users will abandon it as it gets more and more difficult to keep it functioning as required and workarounds and short-term hacks proliferate.
Potential Impacts of PAM Inconsistency
Inconsistently deployed PAM exposes organizations to security risks and unnecessary costs. Problems range from minor to major. The scale of threats and vulnerabilities will determine the potential impacts, but the consequences can be quite severe.
- Security risks – Unauthorized and unmonitored privileged account access leaves an organization vulnerable to data theft, malicious disruption of systems, corruption of data and financial fraud. This includes insider and ex-employee threats. Having an only partially deployed PAM system may actually make this worse than having NO PAM system, as the organization may not realize its vulnerability.
- Visible costs – Not having consistent, ubiquitous PAM can add expense to IT operations. Costs may include having to pay administrators for multiple PAM solutions (e.g. one commercial product and one “home made”). Parallel licensing of PAM solutions is costly. In addition, there will likely be expenses associated with remediating a PAM-related control deficiency discovered on audit.
- Hidden costs – Time-wasting admin cycles build stealth costs for inconsistent PAM. When PAM solutions are in use, but not easy to use, admins have to spend time dealing with them. On a related front, if the PAM solution architecture requires excessive admin time to manage and change, that also causes an unseen drain on IT budgets.
- Incident costs – A major security breach due to inconsistent PAM will cost a fortune and wreak havoc on the IT department.
How to Avoid the Problem
Don’t confuse complexity with sophistication. The most elegant technical solution is generally the simplest one.
Consistent, ubiquitous PAM solutions are ones that are easy to deploy, simple and efficient to maintain, and able to work with virtually any privileged system. If the PAM solution is simple to use and designed for ease of deployment, it can enjoy 100% utilization.
So Why Wallix
The WALLIX PAM solution has a simple architecture designed for pervasive, sustainable deployment. It creates a single gateway with a single sign-on for access by system admins.
The WALLIX Bastion agentless architecture is lightweight, making the solution inexpensive and easy to deploy and adapt. The agentless approach mitigates the risk that changes in protected systems will require an extensive revamping of the PAM solution.
WALLIX Bastion has a simple architecture, but a sophisticated and rich feature set that can scale with even the largest organizations. WALLIX Bastion gives you the tools to make PAM an enduring, pervasive, and consistent part of your security program.
Remember, the best PAM solution is the PAM solution everyone uses.
For more information about WALLIX, visit www.wallix.com.