Privileged Account Management (PAM) software has been around for decades, resulting in many different approaches to securing privileged access to critical assets. Accounts with more access need stronger protection, which is what PAM solutions strive to provide.
Over the years PAM software has evolved from simply vaulting passwords to using proxy servers to broker those vaulted passwords, blurring the distinction between Privileged Account Management and Privileged Access Management. Despite this important change, the issue remains that any network has many standing accounts with admin or other elevated privileges, which opens the door to attacks such as Shadow Access.
Even as recently as the past couple of years, issues remain with traditional PAM solutions such as:
As we’ve previously discussed, we’ve analyzed thousands of networks and found that most have 3-5 admin accounts per physical admin user. When you think about that at scale, an environment with 25 admins could easily have between 75-125 standing admin accounts. Yikes! These admin accounts always exist, are vulnerable to attack, and are the keys to your kingdom (i.e., Active Directory and domain controllers).
So, what can we do to alleviate these problems with traditional PAM? The only way to solve the issue of standing privilege is to remove the privilege entirely when it’s not actively being used – and this is where Ephemeral Accounts come into play.
Ephemeral Accounts have short, session-based lifecycles; when they are not actively being used, they are disabled or deleted. Stealthbits Privileged Activity Manager (SbPAM) uses Activity Tokens, ephemeral accounts that are dynamically created, delivered just in time, and granted just enough privilege to perform the necessary privileged tasks. The beauty of Activity Tokens is that when they’re not in use, they’re not left “standing” in the environment and vulnerable to attack – drastically reducing an environment’s attack surface.
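To make the difference between standing admin accounts and session-bound ephemeral accounts concrete, here is an added example in Python. It is illustration code written for this post, not SbPAM or any Stealthbits code: the `Account` model, the `ActivityTokenBroker` class, the `jit-<owner>-<n>` naming and the small sample directory are all constructed assumptions. It measures the "admin accounts per human admin" figure from above, then shows that with just-in-time tokens the count of privileged accounts usable outside a live session drops to zero, and it includes the one failure mode a defender should watch for: a token whose session ended without being checked in, which stays standing until a reaper removes it.

```python
"""Constructed model of standing privilege vs. ephemeral (just-in-time) admin accounts.
Hypothetical code for illustration; not SbPAM's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    owner: str                              # the human admin behind the account
    privileged: bool
    enabled: bool = True
    expires_at: Optional[datetime] = None   # None means a standing (never-expiring) account


def privileged_accounts_per_admin(directory):
    """Count privileged accounts per human admin (the '3-5 per admin' metric)."""
    counts = {}
    for acct in directory:
        if acct.privileged:
            counts[acct.owner] = counts.get(acct.owner, 0) + 1
    return counts


def standing_privilege(directory, now):
    """Privileged accounts usable right now without a live session: enabled and
    either never expiring, or expired but still left enabled (missed cleanup)."""
    return [a for a in directory if a.privileged and a.enabled
            and (a.expires_at is None or a.expires_at <= now)]


def may_act(acct, now):
    """Authorization in the ephemeral model: privilege is honoured only inside a
    live, unexpired session. Standing accounts (expires_at None) are never honoured."""
    return (acct.privileged and acct.enabled
            and acct.expires_at is not None and now < acct.expires_at)


class ActivityTokenBroker:
    """Issues a privileged account bound to one session and removes it afterwards."""

    def __init__(self, directory, ttl=timedelta(minutes=30)):
        self.directory = directory
        self.ttl = ttl
        self._seq = 0

    def checkout(self, owner, now):
        self._seq += 1
        token = Account(f"jit-{owner}-{self._seq}", owner, True, True, now + self.ttl)
        self.directory.append(token)
        return token

    def checkin(self, token):
        token.enabled = False
        self.directory.remove(token)

    def reap(self, now):
        """Safety net: remove tokens whose session expired without a check-in."""
        expired = [a for a in self.directory
                   if a.expires_at is not None and a.expires_at <= now]
        for a in expired:
            a.enabled = False
            self.directory.remove(a)
        return [a.name for a in expired]


def scenario():
    t0 = datetime(2021, 1, 1, 9, 0)
    # Constructed 'before' directory: three admins, each with several standing admin accounts.
    traditional = [
        Account("alice", "alice", False), Account("alice-adm", "alice", True),
        Account("alice-da", "alice", True), Account("alice-svc", "alice", True),
        Account("bob", "bob", False), Account("bob-adm", "bob", True),
        Account("bob-da", "bob", True), Account("bob-sql", "bob", True),
        Account("bob-svc", "bob", True),
        Account("carol", "carol", False), Account("carol-adm", "carol", True),
        Account("carol-da", "carol", True), Account("carol-svc", "carol", True),
    ]
    before = len(standing_privilege(traditional, t0))
    # 'After': standing admin accounts removed; admins keep only unprivileged daily accounts.
    zsp = [a for a in traditional if not a.privileged]
    broker = ActivityTokenBroker(zsp, ttl=timedelta(minutes=30))
    token = broker.checkout("alice", t0)
    during = len(standing_privilege(zsp, t0 + timedelta(minutes=5)))
    allowed = may_act(token, t0 + timedelta(minutes=5))
    # Failure mode: alice never checks in. 31 minutes later the token is unusable
    # but still present and enabled until the reaper runs.
    late = t0 + timedelta(minutes=31)
    leftover = len(standing_privilege(zsp, late))
    denied = not may_act(token, late)
    reaped = broker.reap(late)
    after = len(standing_privilege(zsp, late))
    return {"per_admin": privileged_accounts_per_admin(traditional), "before": before,
            "during": during, "allowed": allowed, "leftover": leftover,
            "denied": denied, "reaped": reaped, "after": after}


if __name__ == "__main__":
    print(scenario())
```

The `leftover` value is the point worth taking away: a just-in-time design only delivers Zero Standing Privilege if expiry is enforced both at authorization time (`may_act`) and by a reaper that actually disables or deletes the account, so that a forgotten session does not quietly become a new standing account.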
Simply put, how can attackers obtain their goals (compromised domain admins, Active Directory, domain controllers, etc.) if the privilege to do so only exists while an admin is using it?
For day-to-day administrative tasks, SbPAM provides a secure mechanism to give admins access to the critical resources they need without the usual privileged account overhead or complex access policies.
Ultimately this unique approach, utilizing Activity Tokens (Ephemeral Accounts), results in Zero Standing Privilege – complete removal of vulnerable privileged accounts that drastically reduces your attack surface.
As we’ve seen through the recent explosion of ransomware attacks and breaches, any organization can fall prey to an attack. While perimeter and endpoint defense is still critical, you also need to be prepared for scenarios where attackers successfully compromise a user in the network.
A hallmark of modern ransomware is lateral movement followed by privilege escalation resulting in broad-scale impact. Without the ability to move laterally in the first place, it becomes significantly harder for ransomware or its operators to achieve their goals – thanks to Activity Tokens and Zero Standing Privilege.
Privileged Access Management tools have proven to be essential components of information security and compliance programs, yet privileged account compromise remains a nagging issue despite broad-scale adoption of password vaults.
Stealthbits’ approach to Privileged Access Management (PAM) fills the gaps and overcomes the challenges of traditional PAM solutions, providing comprehensive visibility into an organization’s privileged account footprint, surgical control over privileged account usage, and the ability to effectively reduce the threat surface and lateral movement attacks privileged accounts allow.
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.