Cybersecurity professionals in the region wrestle with many challenges. One common one is the mountain of point solutions that cover one thing and rarely play well enough with others to allow SOCs to build a comprehensive view of their environment. We must solve this problem if GCC enterprises are to keep pace with the demand for digital experiences while adequately protecting themselves from the threat landscape.
Let’s look at identity and access management (IAM) and start with the point technologies that security teams use to deliver it. First up is a capability that goes by many names: privileged access and session management (PASM), privileged password management, and privileged credential management. It is how IT admins and security functions enforce policies on user credentials so that only authorised individuals and processes can access critical assets. Some PAM (privileged access management) vendors offer a single tool that covers all of PASM; others may cover only keys, only passwords, or only sessions, but not all three, and rarely across all environments.
And what about secrets management? This is often a standalone tool used by DevOps teams to keep their unmentionables unmentioned—business-critical IP, passwords, encryption keys, and other things used by humans and machine processes in rapid-paced CI/CD environments. According to analysts BeyondTrust has spoken with, some 75% of organisations are on a mission to consolidate IAM vendors and tools but are having difficulty finding an all-in-one platform that addresses all the use cases of PASM and modern secrets management.
These days, privileged passwords can be “managed” by something as rudimentary as an Excel spreadsheet (yes!). To ensure robust protections, we need to move closer to an advanced enterprise suite that automates the discovery of privileged accounts and credentials. It must also automate onboarding and access control and offer centralised protection, storage, rotation, alerting, reporting, and oversight for all enterprise credentials. Granular session management (including pause, lock, and terminate capabilities) and recording are also essential for oversight and accountability, especially if the organisation operates in a highly regulated industry.
But modern PASM must include secrets management. The secrets vault will hold sensitive credentials and IP-related data, including the passcodes needed to create, access, terminate, and deploy pipeline resources. Any data sensitive enough to qualify for the vault is encrypted before it is stored, making it inaccessible to unauthorised parties. And secrets vaults are designed for high availability, using redundant backup systems to ensure continuity in the event of loss or corruption.
The secrets management solution should be cloud ready because that is where today’s businesses and their dev teams operate. Platforms like Kubernetes (including the sidecar pattern) and development tools like Terraform, Jenkins, and Ansible should all be covered.
There are four main reasons for wanting secrets management packaged with PASM. The first involves discovery and onboarding. If the two functions are part of one platform, visibility gaps are eliminated when trying to bring all the keys to the kingdom together.
The second reason for unification is consistency when enforcing security policies. With separate platforms, credentials normally managed by IT might fall under one rule and those managed by security under another. Oversight of all privileged credentials should occur in a single pane, no matter who the designated overseer may be. This is how best practices are enforced. Combining PASM and secrets management also means automated generation, rotation, and management of credentials. This is a great approach for reducing the attack surface in a cloud environment because it mitigates the risk of human error by minimising the viability of password reuse as an attack vector.
Third, the combined solutions deliver simplified auditing and compliance. The role-based access and granular logging associated with PASM and secrets management are essential tools when it comes to rapid reporting—a prerequisite of smooth compliance audits and viable cyber insurance.
And finally, integrated PASM and secrets suites allow easier integrations with other platforms, services, and applications.
Productivity vs security
Today’s IT environments are a swirling soup of complexity. We have domain overlap, users are scattered to the four winds, and security teams are overworked and under-resourced. Cloud, multi-cloud, on-premises, and hybrid environments all need cyber-cops on the ground observing and capable of acting. But the cops must be able to do so with minimum disruption to the law-abiding innovators adding value to their organisations.
The right privileged password management tool, with secrets management out of the box as standard, is a giant leap towards lowering the enterprise’s risk profile. Such a solution must cater to all types of privileged accounts (both human and machine), all types of credentials (text and other), and it must monitor every single session (no exceptions). The platform must be centralised and built around identities, infrastructure, and applications. Automated agents within its core functionality must be capable of recognising unauthorised activity and other anomalies and of providing clear visibility of these threats the instant they emerge.
When considering the ideal elements of an effective PASM and secrets management amalgam, automation is top of the list. Automation of discovery and account onboarding. Automation of the storage, management, and rotation of privileged passwords. And automation of many basic tasks to allow security staff to involve themselves in more challenging tasks, like threat-hunting.
The unified solution will also implement a just-in-time access model and zero trust. Advanced reporting, auditing, and forensics will oil the gears of compliance and a range of integration options will cover an array of further use cases. If all this is in place, if the integration of PASM and secrets management is handled properly, then you have an agile business capable of automating safety in everything it does. Doesn’t that sound like the perfect place to be?