How PAM Can Help You Get Visibility Into Your Outsourced IT Operations
Anirban Banerjee
The huge growth in popularity of cloud services means many companies are now relying on outsourced IT for services that once would have been maintained on-premises. Businesses benefit from expertise and economies of scale that would not have been available with an in-house solution but at the cost of a dramatic increase in the number of businesses and individuals with privileged access to their system.
If your business is increasingly relying on outsourced IT services, then tens or even hundreds of vendor accounts may have access to your system, many with the elevated privileges necessary to maintain the processes your business relies on every day.
Left unchecked, these vendor-controlled accounts significantly increase the risk of data theft or other malicious activity:
- An employee of a 3rd party may (either accidentally, or maliciously) create a data breach that could cause significant damage both financially and to your reputation.
- An employee of a 3rd party may (again, either accidentally, or maliciously) make changes that damage your system, resulting in expensive downtime, or lost data.
- Your partner’s poor account management could result in disgruntled ex-employees continuing to have access to both their systems and yours.
- A hacker could gain access to the network of your partner and then use their credentials to access your system with the intent of either causing damage or stealing information.
The Importance of Visibility
The main challenge for most businesses is that many of the accounts used to access your system are not fully under your control. Without visibility, you are at risk. A partner’s security policies and practices may be lacking, and you’d have no way of knowing. Even if you specify that your partners must adhere to certain security practices, unless you undertake a full and regular audit of their systems (unlikely), you won’t know how secure they are.
If you can’t verify the security of the systems linking to your own you must instead monitor and control the actions of the accounts on your system – and that’s where Privileged Access (or Account) Management (PAM) comes in.
The risk posed by a malicious account holder is significantly reduced if that account is both controlled (it has access limited to what is required to fulfil its specified role) and tracked (behavior is monitored for suspicious activity). Without PAM software this is difficult, if not impossible.
How PAM Increases Visibility
PAM software is designed to help you protect your most critical assets by securing and monitoring the accounts that have access to your system. Without PAM, organizations are almost blind – they cannot see what privileged user accounts are doing, let alone spot suspicious activity or shut down aberrant behavior.
Tracking all your accounts
To achieve this, PAM software should first provide you with a complete overview of every privileged account. This is vital, particularly if you are currently managing your accounts manually or on an ad-hoc basis. It is not unusual for the number of accounts to far outstrip the number of users.
Some of your accounts will be provided for specific applications to give them access to perform a specific function, while others will be used by one or more employees or contractors. Some may be of no use at all anymore; these accounts increase your risk for no benefit.
If you are not currently tracking all your accounts, your business could be at significant risk (or may even already be under attack) without you knowing it. This is particularly true of accounts held by 3rd parties – employees from other organizations have just as much to gain by breaching your defences as your own employees, and you can’t even rely on the flimsy defence of corporate loyalty to protect you.
Controlling access to privileged accounts
Once your PAM software has tracked down all your privileged user accounts, you’ll be able to start reducing your risk. The easiest way to make an immediate impact is to use PAM software to reduce the number of unnecessary accounts. Although this article is focused on reducing the risk of outsourced IT operations, this, and several of the following points, will also apply to your in-house operations.
If your business has not used any form of PAM before, it is likely you have a large number of accounts that exist but have no use, many of which may have been created for temporary 3rd-party use, forgotten about, then never deleted. For those accounts that are still in use, you should now have information about what they are used for and who is responsible for them.
Restricting power of privileged accounts
PAM software is essential for enabling an important security principle: the principle of least privilege. Just like less powerful accounts, privileged accounts should only have access to the resources and network locations necessary to perform the function for which the account is intended.
Although by definition privileged accounts have increased access, it is rarely necessary for them to have the power to access everything – especially if the accounts are controlled by a 3rd party. Any account with more access and power than it requires for its intended function creates an opportunity for abuse.
Protecting privileged accounts
It is important that you protect your privileged accounts so that they don’t fall into the wrong hands. With very little control over the day-to-day behavior and habits of workers in 3rd party IT teams, there is little you can do to prevent them from being careless with their account details. They could be keeping a copy of their password in an Excel file on their personal tablet, or on a sticky note attached to their monitor, and you wouldn’t know about it.
This means it is essential that you employ proper password best practice. A PAM solution makes this easy, enabling you to automatically force regular password resets or even one-time passwords.
Forcing users to update their passwords, perhaps once a month, is an effective way of ensuring that passwords remain unique and complex enough to keep your accounts secure. Better yet, implementing one-time passwords that change after every session poses a significant barrier to any would-be hacker, and will also increase your visibility and accountability.
When you outsource your IT operations, you put a significant level of trust in your partner, but trust should not be absolute; even a trusted organization can have the occasional untrustworthy member.
It is important that the trust you give out is verified and checked – and PAM software gives you the means to do it. All activity by 3rd party users – particularly privileged ones – should be logged and information about their activity retained for regular auditing.
This serves two purposes: first, it acts as a deterrent for anyone with access to your system, and secondly, it makes it significantly more likely that you will catch anyone tampering with your files.
Flagging unusual behavior
Outsourcing IT lowers your visibility because those workers are frequently working from off-site locations. With on-premises employees, your managers and HR team are a vital part of your security. But they can’t spot the changed attitudes or suspicious behavior that might indicate a person is a security risk when you use off-site 3rd party workers.
This makes it even more important that your PAM software tracks user behavior, flagging anything unusual. PAM software with granular security can take into account the user’s behavior, location, time of access, and many more factors to build up a profile of the risk to your organization.
Depending on the rules you set, specific actions (such as accessing files at an unusual time) can either flag an alert to allow investigation at another time or result in restricted access.
This significantly reduces the risk of stolen or hacked privileged accounts being used against your business, or of a 3rd-party employee using their legitimate accounts for illegitimate reasons.
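The rule-based checks described in this section and under "Restricting power of privileged accounts" (least-privilege host scope, registered vendor source networks, time of access) as an added Python example; it is not code from the original article or from any PAM product, and the policy table, account names, hosts and session log lines are all constructed for illustration.

```python
from __future__ import annotations
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical per-vendor policy (constructed values): the hosts a 3rd-party
# account may reach, the vendor networks it may come from, and the agreed
# access window as [start_hour, end_hour).
POLICY = {
    "vendor-dba": {"hosts": {"db01", "db02"}, "nets": ["203.0.113.0/24"], "hours": (8, 18)},
    "vendor-backup": {"hosts": {"bk01"}, "nets": ["198.51.100.0/24"], "hours": (0, 24)},
}

def evaluate(line: str) -> tuple[str, str, str, str]:
    """Apply the policy to one constructed log line of the form
    "<ISO timestamp> <account> <target host> <source IP>".
    Returns (account, host, decision, reason); decision is deny, alert or ok."""
    ts, account, host, src = line.split()
    when = datetime.fromisoformat(ts)
    pol = POLICY.get(account)
    if pol is None:  # not in the privileged-account inventory at all
        return account, host, "deny", "account not in the privileged-account inventory"
    if host not in pol["hosts"]:  # least privilege: only the hosts the role needs
        return account, host, "deny", f"host {host} is outside the account's scope"
    if not any(ip_address(src) in ip_network(net) for net in pol["nets"]):
        return account, host, "deny", f"source {src} is not a registered vendor network"
    start, end = pol["hours"]
    if not start <= when.hour < end:  # unusual time: flag for later investigation
        return account, host, "alert", f"access at {when:%H:%M} is outside the agreed window"
    return account, host, "ok", ""

# Constructed sample session log, not real data.
SAMPLE_LOG = """\
2024-03-04T09:15:00 vendor-dba db01 203.0.113.10
2024-03-04T02:40:00 vendor-dba db02 203.0.113.10
2024-03-04T10:05:00 vendor-dba fileserver01 203.0.113.10
2024-03-04T10:05:00 vendor-backup bk01 192.0.2.7
2024-03-04T11:00:00 old-contractor db01 203.0.113.10
"""

def review(log: str) -> list[tuple[str, str, str, str]]:
    """Evaluate every non-empty line of the log."""
    return [evaluate(line) for line in log.splitlines() if line.strip()]

if __name__ == "__main__":
    for account, host, decision, reason in review(SAMPLE_LOG):
        print(f"{decision:5} {account:15} {host:13} {reason}")
```

A real PAM deployment would feed the same decisions back into session control (terminate or restrict the session on "deny") rather than only printing them.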
Gaining visibility into your outsourced IT operations is almost impossible without effective PAM software. Onion ID has been created to provide complete visibility, complete control, and complete security over all your data, systems, and accounts.