MeriTalk sat down with CyberArk’s Federal Customer Success Director Kevin Jermyn to hear his thoughts and insights on privileged access management, and the impact it’s having on our Federal government.
MeriTalk: How is privileged access management (PAM) helping agencies protect their highest-value information assets, infrastructures, and applications?
Kevin: We see abuse of privileged access at the heart of almost all attacks. Whether it is a malicious insider or highly motivated external attackers, privileged access can be exploited and used to gain access to critical systems and sensitive data. Our government agencies hold sensitive information that could undermine national security or the welfare of citizens. So being able to secure that privileged access, control and manage it, and then monitor it as it’s going on presents a lot of challenges.
With a tool like CyberArk and an effective privileged access management program, we have to adopt an assume-breach mentality. What that means is we’re thinking like an attacker, and if they’ve already gotten in – it doesn’t matter how – we need to understand what they’re actually after, and a lot of times that’s privileged accounts or privileged access. So, if we can put different, proactive controls in place around those privileged accounts, that’s how we reduce risk. What we’re trying to do is break that attack chain and put those different protections in place.
MeriTalk: What are the biggest opportunities when using PAM for Federal agencies?
Kevin: There are two main areas of opportunity. We see a lot of agencies that have deployed their PAM programs and focused on password rotation and session isolation for human users that are accessing privileged accounts and systems. However, there are two glaring gaps that I see with that. The first is around application credentials – sometimes referred to as non-person entities (NPEs). We saw in 2019 that there was an OMB executive memo titled, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management.”
The long and short of that memo was restrictions and requirements around reporting on non-human access, ensuring that it has strong authentication. It’s very similar to some of the requirements we saw coming out of the DHS CDM program around identifying who’s on the network – it’s not just who’s on the network, but what is on the network, and what do they have access to.
When we look at this, we look at the different applications, scripts and tools in the DevSecOps pipeline. Any non-human identity still relies on some level of privileged identity. An attacker doesn’t care if that privileged identity is human-based or application-based; they’re going to take the path of least resistance. So, protecting those application credentials by removing the hard-coded credentials and replacing them with a secure API call is a critical step.
The second area of opportunity is least privilege enforcement in the endpoint space. We look at antivirus, endpoint detection and response (EDR) agents and all these different compliance tools to protect the endpoint. This is where most attacks start in the attack cycle. We see a lot of hackers starting on the endpoint and then moving laterally until they find the privileged credentials needed to quickly carry out their attack. Without protecting privilege at the endpoint, a lot of openings are left for credential theft and for malware to get a start on the endpoint.
MeriTalk: In your opinion, what challenges or roadblocks stand in the way for agencies when implementing PAM?
Kevin: I think there are three main things, starting with lack of direction. A lot of Federal customers we work with are looking to deploy PAM due to an audit finding or to check a compliance box, and those are two important reasons to deploy security tools. But we see a lot of customers that treat privileged access management like a project, and not a program. Agencies need prescriptive guidance on where they should be focusing their efforts, and they should be building a roadmap, with executive buy-in. Direction coming from the top down helps drive participation, and people know it’s critical to program success.
The second main roadblock is end-user adoption. One of the biggest challenges of any privileged access management solution is impacting the most privileged users of that environment – many of whom have mission-critical tasks that they need to perform on a daily basis – and they’re now using a solution that slows down that mission or, worse, interrupts it. You need to make sure that the user experience is not impacted, and that there’s a focus on native user access workflows to get to their privileged accounts that don’t impact them in a negative fashion.
And then last but not least, the third roadblock is resource requirements. If anyone says PAM is easy, you should probably run away from them. Starting a PAM program is not an easy thing and requires a lot of technical resources working together, such as security and operations teams, to discover and onboard those privileged accounts. Agencies need a way to effectively leverage automation and build that into onboarding processes.
MeriTalk: PAM aims to add more monitoring and visibility into malicious cyber-attacks aimed at domain admin account credentials. Why would you recommend that agencies implement PAM in their security defense plans?
Kevin: PAM focuses on more than just domain admin credentials; however, that’s a really good example of what we call the keys to the kingdom. Those extremely privileged accounts are that critical layer of the network. We see privileged access abused in almost every attack out there. We need to put proactive and reactive controls in place to ensure we know when those accounts should have that level of access. We should know who used those accounts and what they used them for. Protecting those privileged accounts is critical. We see a lot of agencies adopting a zero trust model when they approach security, and a PAM solution like CyberArk is a key part of that strategy.
MeriTalk: Through privileged access, a privileged account is one that receives more information or higher privileges than other accounts. For an organization just getting started implementing PAM, how does it determine these privileged accounts?
Kevin: One of the challenges is where to start with privileged access management. CyberArk has tools to help customers develop effective and mature PAM programs. And to do so, we understand it takes more than just a product. The product needs to be able to help find those accounts, especially those that the customer might not even be aware of, to really succeed. Organizations and agencies need strategic guidance.
CyberArk recently released guidance called the Cyber Blueprint. The blueprint is simple yet prescriptive guidance to help customers focus on the most critical accounts first when building their PAM program. We take three key concepts or guiding principles and make it simple for customers to articulate the value of what they are doing with CyberArk and why. Getting prescriptive guidance on the steps they can take with the least amount of effort helps them build that roadmap to deploy that PAM technology.
MeriTalk: When looking at multi-cloud, hybrid cloud, or on-prem environments, are there any deployment challenges for PAM, specifically for the public sector?
Kevin: I think the biggest challenge is ensuring different security levels when deploying in the cloud. If you’re taking a product that was designed to be installed on-premises and you’re installing it on an infrastructure-as-a-service cloud provider, like AWS or Azure, there could be reduced security functionality, so it’s critical to choose a solution that supports on-prem, hybrid cloud and all-cloud approaches. We have spent a lot of time making sure our products are cloud ready. So when you talk about the public sector, you look at support for GovCloud and support for installation on top of FedRAMP products or infrastructure, and we’ve done a lot of work to make sure that our product is available for automated deployments in those different cloud environments.
MeriTalk: As securing mobile devices increasingly becomes a concern for agencies, how is PAM able to help?
Kevin: So I think this is an interesting question. I think PAM solutions today are currently focusing on protecting the systems that help manage mobile devices, whether that be a Mobile Device Management (MDM) solution or some other tool that’s able to access and modify the policies that impact those personnel or agency devices. That’s kind of the sweet spot for PAM right now. A user’s device doesn’t necessarily require privilege to use a fingerprint or Face ID, so PAM solutions really shouldn’t get in the way of doing that.
To learn more on privileged access management, check out CyberArk’s website for more information.
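The first gap Kevin describes, hard-coded application credentials replaced by a secure API call, is the one point in the interview that can be shown in code. The following Python example is added here by the editor; it is not CyberArk’s code and not part of the interview. `SecretsProvider` is a constructed in-memory stand-in for a vault or PAM secrets API (a real deployment would call the vendor’s authenticated REST API), the app IDs and secret values are constructed samples, and `find_hardcoded_secrets` is a deliberately simple heuristic for a DevSecOps pipeline check.

```python
"""Replacing a hard-coded application credential with a runtime secret lookup.

Added example, not code from CyberArk or from the interview. SecretsProvider
is a constructed in-memory stand-in for a vault / PAM secrets API; a real
deployment would call the vendor's authenticated REST API instead.
"""
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field

# --- Before: the anti-pattern --------------------------------------------
# A credential embedded in a script is readable by anyone with the file,
# lives on in version-control history, and cannot be rotated without a
# code change. The value is a constructed sample.
DB_PASSWORD = "Sup3rS3cret!"  # constructed sample of the anti-pattern


def connect_before() -> dict:
    return {"user": "app_svc", "password": DB_PASSWORD}


# --- After: fetch the secret at runtime ----------------------------------
@dataclass
class Secret:
    value: str
    version: int


@dataclass
class SecretsProvider:
    """Constructed stand-in for a secrets API: per-workload authorization
    plus an audit trail of every read, so the security team can see *what*
    on the network used a credential, not just *who*."""
    _store: dict = field(default_factory=dict)
    _acl: dict = field(default_factory=dict)    # secret name -> allowed app ids
    audit: list = field(default_factory=list)   # (app_id, name, version, ok)

    def put(self, name: str, value: str, allowed: set) -> int:
        """Store/rotate a secret; each rotation bumps the version."""
        prev = self._store.get(name)
        version = prev.version + 1 if prev else 1
        self._store[name] = Secret(value, version)
        self._acl[name] = set(allowed)
        return version

    def get(self, name: str, app_id: str) -> Secret:
        """Return the secret only to an authorized workload; log every attempt."""
        secret = self._store.get(name)
        ok = secret is not None and app_id in self._acl.get(name, set())
        self.audit.append((app_id, name, secret.version if ok else None, ok))
        if not ok:
            raise PermissionError(f"{app_id} is not authorized for {name}")
        return secret


class CredentialClient:
    """Application-side helper: authenticates as one workload identity and
    caches the secret only briefly, so a rotation in the provider is picked
    up without restarting the application."""

    def __init__(self, provider, app_id, ttl_seconds=30.0, clock=time.monotonic):
        self.provider, self.app_id, self.ttl, self.clock = provider, app_id, ttl_seconds, clock
        self._cache = {}  # name -> (Secret, fetched_at)

    def fetch(self, name: str) -> Secret:
        cached = self._cache.get(name)
        if cached and self.clock() - cached[1] < self.ttl:
            return cached[0]
        secret = self.provider.get(name, self.app_id)
        self._cache[name] = (secret, self.clock())
        return secret


def connect_after(client: CredentialClient) -> dict:
    return {"user": "app_svc", "password": client.fetch("db/app_svc").value}


# --- Pipeline check: catch the "before" pattern in source ------------------
_HARDCODED = re.compile(
    r"""^\s*(?:[A-Za-z_][A-Za-z0-9_]*\.)?[A-Za-z_]*(?:password|passwd|secret|api_key|token)[A-Za-z0-9_]*\s*=\s*["'][^"']+["']""",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source: str) -> list:
    """Return 1-based line numbers that assign a string literal to a
    credential-looking name. Heuristic only: it flags this file's 'before'
    section and misses secrets built by concatenation or encoding."""
    return [i for i, line in enumerate(source.splitlines(), 1) if _HARDCODED.search(line)]


# Constructed sample source for the scanner: lines 2 and 4 embed literals,
# line 3 reads the value from the environment and is not flagged.
SAMPLE_SOURCE = (
    "import os\n"
    'DB_PASSWORD = "Sup3rS3cret!"\n'
    'token = os.environ["TOKEN"]\n'
    "api_key = 'abc123'\n"
)
```

The design point is that the application never holds a long-lived copy of the secret: it authenticates as a workload identity, the provider decides whether that identity may read the secret and records the attempt, and the short client-side TTL means rotating the value in the provider takes effect within seconds rather than at the next deployment. The scanner is what you would run in the pipeline to find the remaining `connect_before` cases.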