How privileged access management can improve security for Higher Ed
March 3, 2020 3:45 pm
6 min read
This content is provided by BeyondTrust and Carahsoft.
Eighty percent of all data breaches involve privileged credentials. That’s why access control is the first of 17 domains in the Defense Department’s newly released Cybersecurity Maturity Model Certification (CMMC) framework.
Defense contractors will have to meet DoD requirements in these domains to be eligible for certain contracts starting later this year. The CMMC’s access control practices range from limiting access to only authorized users to locking down wireless access points.
That’s where a just-in-time (JIT) privileged access management (PAM) solution can make things easier. JIT PAM can ensure that identities only have the appropriate privileges when necessary, and for the least time necessary. This process can be entirely automated so that it is frictionless and invisible to the end user.
“JIT PAM lets you secure privileged accounts in a way that security is continuous, always on, and based on restrictions you can set through the platform,” said Craig McCullough, VP of public sector at BeyondTrust. “It’s based on the idea that privileges are elevated for a specific need or use, then removed as soon as the need is no longer there. Organizations use this strategy to secure privileged accounts from the flaws of continuous, always-on access by enforcing time-based restrictions that meet behavioral and contextual parameters.”
That eliminates a lot of work for those who administer the accounts. Before, hundreds or even thousands of privileged access accounts had to be created and managed manually. People would share passwords, or store them in an insecure manner, such as spreadsheets or post-it notes.
With JIT PAM, new accounts don’t have to be made every time someone requires new privileges. Instead, a JIT privileged account automatically assigns the necessary privileges “on the fly” based on an approved task or mission and subsequently removes them once the task is complete or the window or context for authorized access has expired.
But JIT PAM solutions aren’t just useful for defense contractors.
One major university turned to BeyondTrust to implement a JIT PAM solution for its identity and access management needs. Chris Stucker, associate director for Identity and Access Management at the university, said higher education in particular has unusual struggles with identity and access management due to diverse user populations.
“Universities have complex identity lifecycles,” Stucker said. “Some people get their ID as young as 8 years old at basketball camp. There are students, who sometimes get student jobs. Then they get degrees, and some come back and become employees, sometimes in multiple roles within the organization. Then some leave employment to get master’s or doctorates, and may return again. If that’s not enough complexity, we also have a major teaching hospital and health care system to add a few more layers. It’s tough to keep track of everyone. With JIT PAM, we don’t have to try. No spreadsheets, no sticky notes. All we have to know is their current roles and attributes, and as Craig mentioned, we can tie access decisions to things like approved service tickets, known change windows, or other attributes like unusual locations or times of day – this kind of capability dramatically reduces our privileged attack surface and our risk from privileged account abuse.”
Stucker said they no longer have to rotate every password a departing employee might have known, either. With JIT PAM, most administrators never need to know the password, and if they do, passwords get rotated automatically. This dramatically improves productivity, since it’s a single process to let everyone in, and it provides administrators the visibility to look back and audit what people did.
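As an added illustration (not BeyondTrust's product code), the following Python models the JIT elevation flow described above: a request is granted only against an approved ticket that covers the requested role and host, inside a known change window and from an expected location; the grant carries a hard expiry; every decision is recorded for audit; and the managed password is rotated on check-in so the value an administrator saw is useless afterwards. All ticket ids, hosts, windows and network ranges are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import secrets

@dataclass
class Request:
    user: str
    role: str        # current role/attribute from the identity source
    host: str        # privileged target being requested
    ticket: str      # change or service ticket id supplied with the request
    source_ip: str
    when: datetime

# Constructed policy data: one approved ticket, one change window, campus ranges.
APPROVED_TICKETS = {"CHG-1001": {"role": "dba", "host": "db-01"}}
CHANGE_WINDOW = (datetime(2020, 3, 3, 22, 0, tzinfo=timezone.utc),
                 datetime(2020, 3, 4, 2, 0, tzinfo=timezone.utc))
TRUSTED_PREFIXES = ("10.20.",)
MAX_ELEVATION = timedelta(minutes=30)

def evaluate(req: Request) -> Tuple[bool, str, Optional[datetime]]:
    """Decide whether to elevate; on success also return the hard expiry time."""
    ticket = APPROVED_TICKETS.get(req.ticket)
    if ticket is None:
        return False, "no approved ticket", None
    if ticket["role"] != req.role or ticket["host"] != req.host:
        return False, "ticket does not cover this role/host", None
    if not CHANGE_WINDOW[0] <= req.when <= CHANGE_WINDOW[1]:
        return False, "outside approved change window", None
    if not req.source_ip.startswith(TRUSTED_PREFIXES):
        return False, "unusual location", None
    # Elevation ends at the per-session cap or the window end, whichever is first.
    return True, "granted", min(req.when + MAX_ELEVATION, CHANGE_WINDOW[1])

class Vault:
    def __init__(self) -> None:
        self.passwords: Dict[str, str] = {"db-01": secrets.token_urlsafe(16)}
        self.audit: List[Tuple[str, str, str]] = []   # (user, host, decision)

    def checkout(self, req: Request) -> Optional[dict]:
        ok, reason, expires = evaluate(req)
        self.audit.append((req.user, req.host, reason))  # every decision is recorded
        if not ok:
            return None
        return {"host": req.host, "password": self.passwords[req.host], "expires_at": expires}

    def checkin(self, host: str) -> None:
        # Rotate so the password the admin saw is useless once the task ends.
        self.passwords[host] = secrets.token_urlsafe(16)
```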
That’s also important for remote workers — administrators can see what consultants did on the server.
“Remote access is the number one attack vector a threat actor will use to get into an organization,” McCullough said. “We basically shut that vector down with JIT PAM.”
That kind of visibility is new to identity and access management platforms. Organizations are typically very siloed, with different offices and different campuses. That’s been the norm for decades. But JIT PAM is a paradigm shift, McCullough said.
“The default mode was giving everyone access to get their job done. And that was fine when everything was in one data center, people weren’t remoting in,” he said. “Now, you have exponential growth rate on the attack surface – it’s not only data centers connecting to each other, but also machines connecting to other machines, the internet of things – the attack surface has expanded to a degree that the old way of managing accounts just doesn’t work anymore.”
Visibility, gained through the discovery process, is one of the biggest components of JIT PAM.
“Finding out where everything lives is a huge task,” Stucker said. “It’s really insurmountable without a really good tech solution, and BeyondTrust offers that solution. We’re going to find out things we’ve never known before: where are privileged accounts, how are they being used, when, and from where?”
The PAM solution does this by integrating with existing tools, both on the backend and in the user toolset. It audits user activity, aggregates the information, and controls the means of access. The problem is that many organizations have too many tools. A security operations center can monitor them 24/7, but it’s just too much information.
“It’s the proverbial needle in a huge stack of needles,” Stucker said. “You have to filter out what’s ok to get a better handle on and visibility into the anomalies. No human could possibly go through or make sense of that much information in time to stop a threat before it’s a problem. You can’t detect, delay, disrupt without quick detection.”
“And remember, implementing the kind of solution that Chris is referring to does not need to be an all-or-nothing endeavor,” McCullough said. “Taking JIT PAM one step further, a Universal Privilege Management model allows you to start with the PAM use cases that are most urgent to your organization, and then seamlessly address remaining use cases over time.”
“Organizations that want to start with protecting privileged access from third parties, or eliminating administrative rights from users, can do so without implementing a full password management solution first. Then they can enhance the level of protection across their organization, over time, in a fashion that meets their budget and needs.”
Whether achieving compliance for DoD’s new cyber framework, or managing a complicated higher education identity lifecycle, JIT PAM can help agencies and organizations achieve the level of access control they need.