Zero Trust is a hot topic in cybersecurity. It is also one of those concepts that mean different things to different organizations and has a wide variety of interpretations and implementations. Regardless of how you approach zero trust, though, Privileged Access Management (PAM) plays an essential role.
Organizations have been implementing zero trust principles for a while now, but it has gained mainstream momentum over the past few years. The COVID pandemic forced a dramatic shift to remote work, which comes with some additional security challenges. Having employees connect to company resources and data from personal computers and mobile devices across the public internet expands the attack surface significantly and creates opportunities that threat actors can take advantage of.
There has also been a spike in ransomware activity, and an escalation of geopolitical tension—particularly between the United States and Russia. The Biden Administration has taken a number of steps to improve the nation’s cybersecurity defenses—especially for government agencies and critical infrastructure. In March of this year, President Biden issued an Executive Order that specifically directs federal civilian agencies to establish plans for Zero Trust Architecture.
That still leaves the question of “What is ‘Zero Trust’ and how do you implement it?”
It has been over a decade since John Kindervag coined the term “Zero Trust” while he was an analyst at Forrester. Kindervag realized that risk exists both inside and outside the network, and that inherent trust of any individual or device is bad for security. Zero Trust takes the phrase “trust, but verify” popularized by President Ronald Reagan, and flips it around to “never trust, always verify.”
There is more than one way to arrive at that goal. The principles and practices can vary, but at its core Zero Trust is built on PAM. It is essentially an evolution of the principle of Least Privileged Access—the idea that accounts should be granted the minimum level of access necessary to perform the required task.
Traditionally, once account credentials were verified the individual, application, or system was granted free rein within the bounds of the access privileges assigned to those credentials. Zero Trust takes a more cynical view and continues to verify the authenticity and access for accounts on a task-by-task basis—and PAM is the engine that keeps it moving.
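To make the contrast concrete, here is an added illustration (not code from the article or from any vendor mentioned in it) that puts the “verify once, then free rein” session model next to a Zero Trust check that re-evaluates every privileged task against least privilege, MFA freshness and device posture. The signal names, the 15-minute MFA window and the 5-minute task grant are constructed policy values, not anything the article specifies.

```python
# Added illustration: legacy session trust versus per-task Zero Trust checks.
# Signal names, the 15-minute MFA window and the 5-minute grant are assumed policy.
from dataclasses import dataclass

MFA_MAX_AGE = 15 * 60   # seconds a step-up MFA stays acceptable (assumed policy)
GRANT_TTL = 5 * 60      # seconds a per-task grant lives (assumed policy)

@dataclass
class Principal:
    name: str
    privileges: frozenset       # least-privilege grant, e.g. {"db:read"}
    mfa_verified_at: float      # epoch seconds of the last MFA verification
    device_compliant: bool      # posture signal from an endpoint agent (assumed)

def traditional_login(p: Principal, password_ok: bool):
    """Legacy model: one credential check yields a session trusted from then on."""
    return {"principal": p.name, "authenticated": True} if password_ok else None

def traditional_allows(session, task: str) -> bool:
    # The task, device state and MFA age are never reconsidered after login,
    # so a hijacked session can run anything the account could ever run.
    return bool(session and session["authenticated"])

def zero_trust_allows(p: Principal, task: str, now: float):
    """Zero Trust model: each task is checked against identity, privilege
    and current posture. Returns (allowed, reasons, grant)."""
    reasons = []
    if task not in p.privileges:
        reasons.append("privilege")     # least privilege: only granted operations
    if now - p.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("mfa_stale")     # stale authentication is not trusted
    if not p.device_compliant:
        reasons.append("device")        # posture is re-verified on every task
    if reasons:
        return False, reasons, None
    # A PAM broker would hand out a scoped, short-lived grant here rather
    # than exposing the standing credential to the caller.
    grant = {"principal": p.name, "scope": task, "expires_at": now + GRANT_TTL}
    return True, reasons, grant

if __name__ == "__main__":
    now = 1_700_000_000.0                       # constructed clock value
    alice = Principal("alice", frozenset({"db:read"}), now - 600, True)
    session = traditional_login(alice, password_ok=True)
    print("traditional db:drop ->", traditional_allows(session, "db:drop"))
    print("zero trust db:read  ->", zero_trust_allows(alice, "db:read", now)[:2])
    print("zero trust db:drop  ->", zero_trust_allows(alice, "db:drop", now)[:2])
    print("zero trust later    ->", zero_trust_allows(alice, "db:read", now + 1200)[:2])
```

The legacy path approves `db:drop` for an account that was only ever granted `db:read`, while the Zero Trust path refuses it, and also refuses a permitted task once the MFA proof has aged out or the device falls out of compliance.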
The Importance of Identity Protection
What Kindervag recognized very early is that—at the point of attack—almost every attack leverages valid credentials. The idea that security should focus on external threats while inherently trusting employees and devices inside the network is severely flawed when threat actors can hijack accounts and systems and leverage valid credentials. Zero Trust addresses this issue with a focus on identity protection and PAM.
CyberArk hosted its Impact 2022 event in Boston this month. The company made a number of significant product announcements aimed at improving identity security. They announced Secrets Hub for AWS Secrets Manager, Identity Flows, Identity Compliance, and Secure Cloud Access.
What stood out for me, though, was the conversation between Robert Herjavec, “Shark Tank” investor and CEO of Cyderes, and Udi Mokady, founder, Chairman, and CEO of CyberArk, during a Fireside Chat session.
“I talk a lot about the proliferation of identity. Customers are running fast and they’re creating what we call cyber debt,” noted Mokady. He stressed that this is an issue organizations must address—especially identity cyber debt—and asked Herjavec for his thoughts.
“What we’ve always been saying to customers is before you build the habits, build the foundation,” explained Herjavec. He added, “I would say I wish people would stop for a second at the identity bucket, and not just see it as a checkbox. Let’s spend more time around architecture and what’s coming and how this is going to affect users.”
Herjavec pointed out that there is generally a rush to build out features while security lags behind, but that it is much easier to engineer properly from the beginning rather than trying to go back and fix it after the fact.
Privileged Access Management
The root of identity security is effective Privileged Access Management.
Gartner recently released its latest Magic Quadrant for Privileged Access Management. PAM is a relatively mature market—with more than half of the companies included by Gartner falling into the quadrant at the upper right. ARCON, BeyondTrust, CyberArk, Delinea, One Identity, and Wallix are all Leaders in the market according to Gartner, with CyberArk positioned as the highest both for its ability to execute, and for its completeness of vision.
The report explains, “A privileged access management (PAM) tool is used to mitigate the risk of privileged access. In other words, accounts, credentials and operations that offer an elevated (or “privileged”) level of access.”
According to Gartner, a PAM solution should include these core capabilities:
- Discovery of privileged accounts across multiple systems, infrastructure and applications
- Credential management for privileged accounts
- Credential vaulting and control of access to privileged accounts
- Session establishment, management, monitoring and recording for interactive privileged access
There is more to Zero Trust than just PAM. But, when you combine these core capabilities with the principle of “never trust, always verify,” the result is stronger identity protection that makes you more secure and puts you solidly on the path to Zero Trust.