#GartnerIAM: Common Privilege Pitfalls Are Easily Overcome
The four most common pitfalls of privileged access management (PAM) fall upon two trends – how to provision for remote access and how to manage credentials for privileged accounts.
Speaking at the GartnerIAM conference in London, Chris Clarkson, senior solutions engineer at Bomgar Corporation, said that as hacking and data leaking statistics have increased over the past few years “there has never been a greater need for PAM.”
Clarkson specifically pointed at the breaches of reused passwords, saying that “a key contributor is outdated methods of access and access to data,” and that many attacks could have been prevented and new threats will emerge in 2018 – so addressing your access strategy is critical.
Clarkson revealed what he determined to be the top four most common privilege pitfalls: the first is in protecting only passwords, only focusing on access, as you need to be able to provide monitoring and record access.
He said the second is to review partner and supplier privileged access, especially calling vendor access “a low hanging fruit.”
The third is knowing what your privilege footprint looks like, and how you manage the privilege and permissions of administrators as there is a shift to the cloud and the perimeter goes beyond the traditional borders.
“Look at solutions that automate discovery and on-board systems, automate tasks and delegate them,” he said.
The fourth is only prioritizing people when machines, static services and embedded credentials are also a problem, particularly when credentials are static and stored in clear text.
Clarkson said: “You need to create an access defined perimeter, so an admin is only allowed access to users they support and rights to fix their issues, then admins have access to their systems and have visibility of privilege.”
He concluded by recommending considering internal and external access, integrating PAM with your workflows and recording and monitoring where privileged users are going to get visibility.
Source: Information Security Magazine