Decentralized Privileged Access Management (PAM) Benefits and Challenges: Keeping Edge-to-Cloud Organizations Secure

May 02, 2021 / Kron

The controversy over centralized vs. decentralized Information Technology (IT) has raged for years, and both sides have powerful arguments. The emergence of cloud technology has changed everything. Today "Shadow IT" presents another challenge to CIOs and CISOs, who must preserve their organizations' assets without restricting the productivity tools that employees and contractors find and use instead of "official" applications.

For instance, some companies use Microsoft Teams, a comprehensive, unified collaboration application for virtual meetings and workgroups. There are also countless free or very inexpensive options to choose from, such as Slack, WhatsApp, Facebook Messenger, and other voice and messaging applications.

Other companies may allow their business units to choose their own applications. In this scenario, business units run by a new generation of employees accustomed to "consumerized" IT, along with a growing number of "temps," will buy licenses with the institution's credit cards; if this is not controlled and managed, the associated security risks increase. Major hacking incidents occurred last year, including intrusions into Zoom conferences where confidential information was exchanged.

Is there a way to protect the organization's infrastructure, data, and other assets while supporting multiple cloud applications selected by different business units?

According to Verizon's DBIR, 63 percent of breaches are caused by weak or commonly used passwords; 53 percent included misuse of privileged accounts with access to critical data (personal health information, credit card numbers, Social Security numbers, and other content that cyber-criminals can cash in on), corporate strategic plans and secrets, intellectual property, and other sensitive information that competitors or third parties wanted to obtain.

CIOs or CISOs are in charge of determining which data is confidential inside the company, where it should be stored, and who has access to it. This is nearly impossible to do in a distributed IT world without software automation. Furthermore, if authorization management is regarded as a critical factor in ensuring regulatory compliance in every industry, long-term and progressively stronger steps should be taken.

Every privileged account should be tracked in terms of access, areas accessed, frequency of access requests, and locations from where access requests are submitted, whether they are local administrator accounts that conduct basic operations like creating new users, or privileged user accounts with access to multiple systems. In a multi-cloud, multi-application, "beyond hybrid" environment, how is this possible?

In a well-managed, decentralized access management environment, a larger team with full control over the organization's systems may log in to an access control management system to add new staff or create credentials for third parties or guests. An office manager in charge of a branch office, for instance, may create a new user account in Microsoft Teams for a potential consultant who may help develop a new product or provide support for a new program.

Theoretically, we can speak of stricter access control, since department heads grant access rather than just one or two people, as in the central administration model. In this scenario, the branch manager can quickly decide who logs in, which data they access, and what access levels they have. Thus, the office manager has the authority to open and close accounts over time.

In theory, the branch manager can more easily implement the Least Privilege principle, granting only the level of access required, which maintains the highest level of protection. If someone captures a user's login credentials, the intruder can only see the data and use the programs that user was permitted to access. In a self-service environment, decentralized access control provides real benefits, such as streamlining workflow, promptly boosting productivity, and aligning team members' expectations.

Many of these advantages, though, come with new threats. The lack of visibility into access management at the enterprise level makes it difficult for the IT team to restrict and monitor those who log in, make changes, and access data. In a decentralized model, different individuals can interpret company policy differently; there will be no consistency, and risks will rise. Unrestricted access in circumstances that require many employees to work remotely, as we saw in 2020, brings serious risk of violations.

Only when governance is applied does a decentralized access management model function. This can be achieved with a Privileged Access Management (PAM) software solution, particularly cloud-based rather than on-premises.

Single Connect, Kron’s PAM solution, runs consistently and discreetly in the background, detecting high-risk activities and raising warnings, and thereby strikes an adequate balance between monitoring the system and preserving the autonomy that is the cornerstone of a decentralized model. It can monitor the system for activities that do not comply with access policies, raise an alert if the system is attacked, and intervene.

Single Connect’s Session Manager module, used in the majority of large organizations and other institutions whose workforce relies on highly distributed and decentralized IT elements, provides real-time monitoring, logging, and recording of all approved users' sessions, as well as role-based task distribution, including command- and content-aware filtering, and prevents malicious activity by enforcing least privilege.

The different advantages it provides include:

  • Man-in-the-middle support for Telnet, SSH, RDP, VNC, HTTP.
  • Logging, session recording, and session replay.
  • Active-Active redundancy.
  • Application of security principles in a transparent manner.
  • Advanced policy, content-aware policy, and management approval.
  • Optical character recognition (OCR) for RDP, RDP session registration.
  • Automatic termination of all active connections on network elements for maintenance mode.
  • Session "take" and "log out" functions by privileged users in active sessions.
  • Combined visibility with searchable command/keystroke recordings and complete playback of video recordings.
  • Stopping attacks through least privilege controls, such as command- or application-based constraints, administrative validation, geo-location verification, multi-factor authentication/authorization, and time- and date-based access.
  • Centrally and silently enforcing rule-based security policies.
  • Compliance with regulatory standards such as the GDPR, ISO 27001, SOX, HIPAA, and PCI.
  • Support for Single Sign-On and Two-Factor Authentication (2FA), ensuring that users never see system passwords.
  • Extending Active Directory group policies to IT and network infrastructure and supporting compliance.
  • No agents, plugins, or apps. No hassle.
  • Isolating Third-Party access, checking configuration changes, recording all activities, tracking live sessions, and engaging in sessions.
  • Providing a secure connection to any system, application, device, or website without revealing credentials.
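As an added illustration of how the layered controls in the list above fit together (command-based constraints, MFA and time-window checks, session termination and an audit record), here is a small rule-based policy check of the kind a PAM session manager applies to a privileged command before forwarding it. This is example code written for this page, not part of Single Connect; the role, patterns and sample session are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
import re


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool
    when: datetime


# Constructed central policy. A branch manager decides who is given a role
# (the decentralized part); what a role may run, and when, stays defined
# centrally (the governance part).
POLICY = {
    "branch-ops": {
        "allow": [r"^systemctl (status|restart) [\w.-]+$",
                  r"^journalctl( -u [\w.-]+)?$", r"^df( -h)?$"],
        "deny": [r"^rm -rf /\S*", r"^(sudo )?su\b", r"^useradd\b", r"^passwd\b"],
        "window": (time(8, 0), time(18, 0)),
        "mfa_required": True,
    },
}


def check_command(session: Session, command: str) -> dict:
    """Evaluate one command and return an audit record with the decision.

    Checks run in layers: MFA, time window, explicit deny (which also
    terminates the session), explicit allow, then default deny.
    """
    rule = POLICY.get(session.role)
    record = {"user": session.user, "role": session.role, "command": command,
              "at": session.when.isoformat(), "terminate": False}
    if rule is None:
        return {**record, "decision": "deny", "reason": "unknown role"}
    if rule["mfa_required"] and not session.mfa_verified:
        return {**record, "decision": "deny", "reason": "mfa not verified"}
    start, end = rule["window"]
    if not (start <= session.when.time() <= end):
        return {**record, "decision": "deny", "reason": "outside access window"}
    if any(re.search(p, command) for p in rule["deny"]):
        return {**record, "decision": "deny", "reason": "blocked command", "terminate": True}
    if any(re.search(p, command) for p in rule["allow"]):
        return {**record, "decision": "allow", "reason": "matches allowlist"}
    return {**record, "decision": "deny", "reason": "not on allowlist"}


if __name__ == "__main__":
    s = Session("alice", "branch-ops", True, datetime(2021, 5, 3, 10, 30))
    for cmd in ["systemctl restart nginx", "crontab -e", "useradd mallory"]:
        print(check_command(s, cmd))  # allow, deny (not on allowlist), deny + terminate
```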

Contact us to learn more about how to protect what you connect in your organization while benefiting from the positives of both elements.
