Most cyberattacks use valid credentials one way or another. Whether it’s an actual insider attack from a disgruntled employee or an external attack using hacked or stolen credentials, at the point of access to sensitive systems or data, the attack appears to be legitimate activity at face value. That is why Gartner has ranked privileged access management (PAM) as the top priority on its Top 10 Security Projects for two straight years, and why it is No. 4 on the CIS Top 20 Critical Security Controls. A recent survey, however, found that many organizations are reluctant to implement effective privileged access management because they feel it takes too much time and costs too much.
Enterprise Management Associates (EMA) recently conducted a survey on the state of privileged access management. The survey sample included companies of various sizes and industries around the world, with responses from IT and cybersecurity professionals who claim to be familiar with PAM and are directly responsible for managing or granting privileged access to users. The results illustrate some confusion about what PAM is in the first place and shed light on some of the common complaints organizations have about the investment of time and money required for effective management of privileged access.
Privileged Access Management Takes Too Much Time
One of the concerning results from the survey is that 20% of organizations using a dedicated PAM solution reported that it reduces user productivity. Privileged access management is essential, but it is also important for cybersecurity to not get in the way of getting the job done.
Productivity aside, simply managing privileged access requires a significant investment of time for many IT and cybersecurity professionals. The survey found that all of the tasks necessary for effective privileged access management are perceived as time-consuming. Granting temporary privileged access as needed and revoking it when the need no longer exists is one of the core elements of PAM. Half of those surveyed stated that granting temporary privileged access is either very (29%) or extremely (21%) time-consuming, and half also reported that manually revoking temporary privileged access is very (33%) or extremely (17%) time-consuming.
Privileged Access Management Costs Too Much
Not every organization that participated in the survey currently has a dedicated PAM solution. When asked why, one of the leading responses was that it is too expensive (14%). The top response was the belief that existing controls would suffice (29%)—Active Directory or password management tools that are not, strictly speaking, PAM solutions. While that is not the same thing as citing cost, it is a close parallel because it suggests a willingness to rationalize why there is no need to invest further in this area.
Of course, failure to manage privileged access is costly as well. Almost 40% of the survey participants have experienced a data compromise or malware infection as a result of policy violations. Failure to manage privileged access effectively costs organizations an average of $23,400 per year, according to the survey.
These incidents also often cause server failures and unexpected downtime, which incur additional cost and time as administrators work to remediate issues and repair any residual damage. Survey respondents reported an average of 8.5 hours per year devoted to responding to incidents resulting from privileged access management policy violations. That’s 8.5 hours the IT or cybersecurity professional could have spent on more important issues or on proactive projects that streamline business and help the bottom line.
A Better Way to Manage Privileged Access
There are two primary issues with traditional PAM solutions. One is the amount of effort involved in granting elevated access privileges on an as-needed basis, and the other is ensuring the privileges are revoked when the need no longer exists, to minimize exposure to risk and remove the potential for those privileges to be compromised or abused.
Gartner and CIS agree that PAM is crucial for effective cybersecurity. But organizations need a PAM solution that automates the process of granting and revoking privileged access, and that ensures the credentials are only valid for as long as necessary. Traditional PAM solutions seem to create as many problems as they solve and end up costing too much in terms of both time and money. A better way to manage privileged access is to adopt a solution that integrates seamlessly into the dynamic hybrid cloud and DevOps environments that exist in organizations today, and automates and streamlines the whole process so IT and cybersecurity professionals can focus on more important tasks.