December 05, 2019//Tony Howlett
As IT and security managers begin to organize and submit their 2020 budget requests, privileged access management (PAM) or vendor privileged access management (VPAM) may be on the list of competing priorities.
PAM is a more sophisticated way to handle administrator accounts and other high-level accounts, and VPAM uses the same idea, but it’s focused on vendors and third parties. Since both of these platforms have been hot topics during 2019, they may have even reached your radar for consideration to implement in 2020. But there are probably other potential security projects that want some of your IT or cybersecurity spend in the coming year.
Improved vulnerability management, better endpoint protection and cutting-edge items such as threat hunting and other advanced third-party services are all valid and important things to be planning for. So why should PAM and VPAM make the approved list?
First of all, don’t just take my word for it. Research firm Gartner has listed PAM as the No. 1 project in its recommended security projects for 2019. Other analysts and industry luminaries are also recommending it as part of a complete enterprise information security strategic plan. Forrester Research has also cited it as a best practice for IT security management.
Also, proper third-party vendor management is now required as part of several regulatory and compliance frameworks, including GDPR, CCPA, and NYDFS. Properly managing third-party credentials, especially for third parties using privileged credentials, is an important part of your compliance programs for these statutes. So plenty of independent voices are pushing for adoption of PAM/VPAM technology, which will validate your purchase of it.
Second, according to a report by IBM, 74% of data breaches involved a privileged account. For hackers to get into highly sensitive databases and systems that contain valuable information for them to sell or put up for ransom, they really need high-level access. If they can’t get it, or their use of a privileged account is flagged, the attack can be stopped in its tracks or at least limited in the damage it can do.
Third, PAM/VPAM projects are probably one of the biggest bang for your buck as far as increasing your defense-in-depth and “kill chain” for infections and malware that make it inside your network. Plus, by streamlining vendor onboarding and access into a single platform, you can save time. Though cybersecurity investments aren’t usually expected to generate a real dollar ROI, in this case, there is a slew of things VPAM platforms can offer for you to see real ROI: time spent setting up vendor access, vendor self-registration, compliance audits and more.
Forward thinkers in information security leadership should plan for the best but prepare for the worst. With phishing and targeted spear-phishing reaching new levels of sophistication and complexity, it is all but sure that most enterprises will experience at least a limited outbreak of some form of malware caught from an errant click by an employee. When this happens, you want to limit your exposure by preventing access to those highly valued credentials with privileged access. PAM/VPAM helps you do this by tracking all privileged access in a single place, obfuscating actual administrator privileges in a secure vault and providing audit records for after-the-fact review and forensic examination.
So, while many security projects will compete for your budget dollars next year, a good case can be made that PAM and VPAM should make the cut. If you are serious about improving the efficiency and security of your access and identity management processes and procedures, implementing PAM and/or VPAM should definitely be on your 2020 wish list.