Identity Crisis? How To Make Sure Your PAM Journey Doesn’t End In Confusion And Shellshock

Ask a dozen different cybersecurity leaders what their biggest problem is, and there’s every chance you’ll get a dozen different very specific answers. But once you strip away the detail you’re likely to find that, somewhere in the middle of these challenges, they all draw on a small number of fundamental shared characteristics. Chief among those are the vexed questions of identity and access management.
A typically lively RANT roundtable, hosted in early June in London by representatives of Ultima and their partners at Delinea, certainly proved this point. The evening ended up shining an unforgiving spotlight on the identity-management challenges businesses of all shapes and sizes are constantly grappling with. Those battles often pit security teams against diligent employees who are trying their hardest to be productive and do their jobs as efficiently as possible, but who find that security and access-management processes have become a barrier.
The end result is CISOs and SOC leaders caught in a pincer movement between what are often competing business imperatives: protect the crown jewels and enhance the resilience of the enterprise, while also enabling employees to use all the tools the business has invested in to help outpace competitors and meet growth and profit targets. And that’s before considering regulatory compliance, where rules drafted in cybersecurity’s distant past (say, before 2020) may well stand in opposition to best-practice advice issued by state-run security centres in response to threats and incidents being seen right now.
A raft of tools and technologies has been developed to help security leaders and their teams navigate these choppy waters, but they don’t always work well with each other, or with the other critical business systems they are supposed to help security teams manage. And often an identity-management solution or a privileged access management (PAM) system will – entirely understandably – seek to impose a single approach across the business, when the day-to-day realities of different teams (sales; HR; developers) would be far better served by more flexible rules.
It’s no wonder that security leaders – and companies supporting them, like Ultima and Delinea – speak of PAM not as a product or a service but as a journey. In particular, the problems posed to PAM solutions by the constant human churn in larger companies – the procession of joiners, movers and leavers (JML), each with different access requirements that change as they gain experience and seniority within the business – are pushing specialists into new ways of working, as Ultima’s CTO, Matt Hudson, outlined.
“We pride ourselves on our technical expertise, but that expertise is a double-edged sword,” he told the select group of senior security leaders. “Our people are invaluable, but expensive. So we automate wherever possible. That’s the key to the whole identity piece. We see lots of mistakes with JML: we don’t do any JML manually for any of our customers. We automate it all, and we automate the ID with Delinea. We’re a customer of theirs as well as a partner: all our customers use their service.”
But questions over what to automate, how, when, where, and under precisely what circumstances, will differ from business to business. And as each of the leaders around the table opened up about their own challenges and experiences, it became increasingly clear that an automated approach will only help if the automation is capable of being applied regardless of the specifics of each individual installation.
Sub-Culture
“We’ve grown through acquisition and haven’t integrated well; people have come from companies where they’ve been able to do whatever they like,” one leader said. “Only in the last couple of years have we got to grips with access. It’s recognised as a key risk, and it’s a board-level topic. We realise it’s a risk we need to get on with. But there’s no appetite for an expensive solution either. We’ve just got to work through it, and get people to accept, culturally, that they might have less access than they’re used to.”
Other businesses, where users need greater autonomy because of the nature of the corporate structure, are struggling with further challenges.
“We’ve brought in some ID management products to make sure accounts are secure and monitored, but it’s still a challenge when you’ve got legacy systems that aren’t set up to work that way,” one CISO said. “That’s why we’re looking at redesigning the core tools for our customers – from around 40, down to two core products. We’re moving risk down massively by doing that.”
Different national approaches to identity – not just legal and technical, but cultural and social – are also raising different challenges for businesses that operate across borders.
“We don’t have a single accepted digital identity across the business,” a senior security leader working in a global corporation said. “In some countries, smartcards are issued to citizens: you can use them to open bank accounts, even buy houses. Here [in the UK] we have National Insurance numbers, but we don’t use them in that way. How does it validate your identity? Probably badly. If you connect it to four reference agencies, they all use it in different ways. It’s so 19th century.”
Around the room, several people mentioned the example set by Estonia, which has digitised its national ID system for relatively little expense and with no obvious issues around public acceptance. That won’t be possible in the UK, the roundtable agreed, though with no real consensus on exactly why. But the result remains the same: in the absence of a national system – and/or for multinational entities operating in different jurisdictions – the kind of privacy- and security-first mindsets apparently adopted by the vast majority of the Estonian population are Utopian visions of best practice that will remain out of reach.
Everyone Everywhere
For most businesses, then – with the ideal solution unattainable – the day-to-day work has to be about deciding which parts of the PAM and identity journey to tackle first. This is by no means a trivial matter, as the answers are rarely obvious.
“We started on a PAM journey, then we stopped,” one leader said. “We then went on an asset-management journey, mapped the assets as best we could, then started the PAM journey again. But it didn’t just include privacy and access: it ended up being a much bigger program of work.” The takeaway, they said, had been that “we should actually do role management first, then work out how that maps onto other user accounts.”
“We’re in that process,” another leader concurred, noting that the key question for them had become “How many additional restrictions [we] have to place on people. For some it’ll mean really dramatic changes to how they do things today.”
The response was intriguing.
“There were two individuals who were, effectively, super-admins,” the first of the leaders replied. “They’d been there many, many years and they were the most difficult to take on the journey. But in the end they were the biggest advocates. The key thing that got them engaged was that the product we chose to rotate admin credentials connected to the Active Directory.”
“We made it a board-level topic, and we had the backing to make it happen,” another CISO recalled of the approach in their organisation. “But then you don’t progress as fast as you should, and you’re being pragmatic with people who don’t want to be interrupted – it can be difficult.”
And that’s without considering the wider picture.
“You’ve got the challenge with SaaS apps and websites that employees have control over,” another security veteran added. “We try to enforce single sign-in where possible, but God knows what’s out there and what employees have access to.”
And then there are the leavers.
“We had an employee who left, and who emailed us the following year: ‘I’ve still got access’.”
Vanishing Point
The vexed question of how to handle service accounts is one that many organisations struggle to answer. Delinea’s experience has given the firm some insights, as its enterprise security engineer Scott Shields outlined – but even then, the work is often remedial rather than aimed at creating an ideal solution.
“It starts with discovery – you can’t protect what you can’t see – but then [it becomes] life-cycle management,” he said. “The root cause is that people create accounts, they’re all over the place, and it’s hard to know what their purpose was. So once you’ve [gone through the discovery process] you put them in a life-management solution that allows them to choose what they need a service account for. Let’s say you’re trying a new vulnerability scanner, and it needs a new account for 30 days: so in 30 days it sends a reminder or the account gets decommissioned. All the time it’s being looked after, and at the end of its life cycle what happens is predetermined. Now you know what’s covered.”
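The life-cycle policy Shields describes, as an added Python example that is not Delinea’s or Ultima’s code: every account record carries an owner, a purpose and a fixed end of life, and the action due on any given day follows from the record alone, with discovered-but-unclaimed accounts and accounts that were never given an end of life handled as their own cases. Account names, dates and the seven-day reminder window are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMINDER_DAYS = 7  # warn the owner this long before the account's end of life (assumed value)


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]     # None: found by discovery, nobody has claimed it yet
    purpose: Optional[str]   # None: nobody recorded why the account exists
    expires: Optional[date]  # None: no end of life was ever set


def request_account(name: str, owner: str, purpose: str, today: date, days: int = 30) -> ServiceAccount:
    """Create an account the way the quoted process does: purpose and end of life fixed up front."""
    return ServiceAccount(name, owner, purpose, today + timedelta(days=days))


def lifecycle_action(acct: ServiceAccount, today: date) -> str:
    """Decide what happens to one account today; the outcome is predetermined by its record."""
    if acct.owner is None or acct.purpose is None:
        return "review"        # discovered but unexplained: needs an owner before it can be managed
    if acct.expires is None:
        return "set-expiry"    # claimed, but would otherwise live forever
    if today >= acct.expires:
        return "decommission"  # end of life reached; no human decision needed
    if today >= acct.expires - timedelta(days=REMINDER_DAYS):
        return "remind"        # owner gets the chance to extend or confirm
    return "ok"


def triage(accounts, today: date) -> dict:
    """Group a whole inventory by the action due today."""
    plan = {"review": [], "set-expiry": [], "remind": [], "decommission": [], "ok": []}
    for acct in accounts:
        plan[lifecycle_action(acct, today)].append(acct.name)
    return plan


# Constructed sample inventory: names and dates are made up for this example.
TODAY = date(2024, 7, 1)
INVENTORY = [
    request_account("svc-vulnscan-trial", "sec-ops", "30-day scanner trial", date(2024, 6, 5)),
    request_account("svc-backup-agent", "infra", "nightly backup job", date(2024, 6, 28), days=365),
    ServiceAccount("svc-legacy-report", "finance", "month-end export", date(2024, 6, 15)),
    ServiceAccount("svc-build-runner", "dev-platform", "CI runner", None),
    ServiceAccount("SVC_UNKNOWN_07", None, None, None),
]

if __name__ == "__main__":
    for action, names in triage(INVENTORY, TODAY).items():
        print(f"{action:12s} {', '.join(names) or '-'}")
```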
Other businesses have adopted the same philosophy but, in the absence of automated tooling, there is a reliance on individual managers, which is far from ideal.
“We’re guilty of putting the onus on line managers to know what their team members have access to, and to manage that,” one CISO said. “You send a spreadsheet out, saying: ‘Does Dave really need this?’. It’s just not fair on the line manager. Even with people leaving, they’ll get tickets asking what they had access to. Honestly? They don’t know.”
One potentially radical solution, a CISO suggested, could be to apply the same policies that govern leavers to all service accounts and mover accounts: close the account when there’s a change, and start a new one. “Why don’t you look at the risk of not ceasing the account?” they argued. “Everyone’s indicated movers and service accounts are the bane of our lives, and if that’s the real problem, why not treat them all as leavers?”
The first leader to respond was in agreement.
“People carry passwords with them, they don’t want to give them up – they just want easy access,” they said. “But those roles and responsibilities are siloed. You shouldn’t be able to keep the same privileges when you move.”
But one attendee argued that this would only add value in businesses where the basics haven’t been done correctly and effectively.
“You only want to skip the ‘mover’ part of JML whenever you haven’t got a good joiner process,” they said. “You have to get the profile designed properly. If they’re not created with sufficient detail, monitoring the movers will not help.”
Way Of Life
Ultimately, the group seemed to agree, none of what a business or its security teams puts in place around access, identity and authentication will work properly unless and until all employees are briefed on the point and purpose of the security measures they will be expected to comply with. When users are walked through the thinking behind a policy, they can at least glimpse its rationale and understand why a process that seems cumbersome or burdensome is necessary, and they are less likely to look for a way to work around it. When no explanation is given, rank-and-file employees have no reason to grasp the significance or purpose of the measures, so if those measures introduce friction that they find irritating or restrictive, they are more likely to find ways to subvert or bypass security.
“It’s all about educating your people,” one CISO said. “The people need to understand why things like service accounts and access to Keyvault are important. We have 18,000 people and, on the whole, they have no idea.”
“I agree 100 per cent,” another said. “We need to say, ‘We’re doing this, and this is why.’ Developers want to do the secure thing 99.9% of the time. They don’t want to do dodgy things and bring risk in. If we explain, they’ll usually go along with it. But if we just say ‘No’…”
“If you take them on the journey,” a third added, “they’ll go along with it. It’s not about what could happen, but why we do security. If we talk in their language and explain the risk and what we’re trying to protect, they’ll follow. But if we don’t explain why something’s important they won’t do it.”
A fourth person put it most pithily.
“If we don’t explain why we’re doing stuff, we’ll lose.”