Why are we writing this?
Something feels broken with Privileged Access Management, I don’t mean a product we need to fix or create but I think our fundamental approach to PAM is wrong. It certainly feels to me that we’re now trying to fit a square peg in a round hole and I’d like us to openly discuss this more so that we can create safer environments. That in itself is a strange statement because it implies that PAM solutions aren’t safe, which is not the case at all. They’ve all been tested, validated, tested some more and it’s safe to say, they’re pretty damn safe solutions when it comes to their security design.
That doesn’t mean they make you safer though.
In this blog we’re going to look at what we believe to be broken. I’m pretty sure you can add more to this list and this is really there to get people talking and discussing these things so that the industry can move forward.
I’ve also failed in making this short and concise. There is either a lot to say, or I just ramble, but either way.. I’ve now decided to do 12 days of blogs as we go into these in more detail, so this is the summary blog.
Why Should You Listen?
As I mentioned in my first ever blog on here, this blog is a collection of thoughts. It’s our experiences through our eyes. You may agree with it or you may not, we don’t believe there is a right or wrong answer when it comes to thoughts.
But this is meant to be thought provoking, it’s meant to spark ideas, collaboration, differences of opinion – all of which are healthy.
So why should you listen to my thoughts?
I’ve worked in the PAM space for 20 years now. I started life my proper working life as I call it, as a consultant working my way up to a role of technical authority before moving into vendor space. I have to say, I’ve worked for some excellent vendors and with some excellent people many of whom I’m still friends with now. At every vendor, I’ve believed in the technology I’ve worked with, have believed in the people, the message and the hype. These vendors are all still great they all offer something that could be a benefit to all, but it’s only now I’ve left vendor world that I can truly talk about what I believe to be broken or wrong.
I’ve had various technical and leadership roles with Quest/One Identity, CyberArk, BeyondTrust, Centrify and Saviynt and honestly feel I’ve at least amplified some of the problems we see now. You always ask yourself whether you could have done more or better, or suggested different things. Personally I see that as a great thing, reflection often offers great insight.
And just because I’ve been around the block a little, that doesn’t mean what I say I right, it just means I have an opinion on this subject that some of you may identify with.
It’s also important to say, this is not a vendor bash, nor do we expect comments to vendor bash. Our problem is with what we’re calling the market and why we’re calling its the market which often excludes some of the more niche focussed vendors who solve problems well.
So What are the top 12 Challenges?
You’ll find a summary of these 12 challenges, and over the next 12 days, we’ll release a detailed blog on each subject. Luckily the writing has already been done, we just like to build a bit of suspense.
- Market Approach to PAM
- Vaulting & Session Management
- Business Password Management
- Discovery
- Service Account Management
- Machine Identity Management
- Secrets vs Passwords
- Policies
- Agents vs Agentless
- Native Cloud
- IAM Cross Over
- User Experience
1. Market Approach to PAM
The market approach to PAM is driven by a number of things, including:
- Industry Analysts
- Vendors, their market size and clever marketing
- Customer Requirements
So why do we say the market approach is wrong? Well, if you started a PAM program now and were going to market, one of the first things you may do is look to industry analysts to validate your requirements and vendor selection criteria. But look at any top analyst report and they’ll tell you a list of vendors who have the following capabilities (And yes, all those capabilities):
- Password Vaulting Session Management
- Agent-based Privilege Management
- AD Bridging
- Secrets Management
- CIEM
And then they may proceed to give you a list of use cases which resemble features of a product, in which case you’re already at a loss.
The above are all technical approaches to solving privileged problems, they shouldn’t be used to define PAM.
There are many more technical approaches to solving privileged problems and some vendors who do not have the large portfolios which go un-noticed as a result.
2. Vaulting & Session Management
Vaults are a good thing, they securely store and rotate credentials and allow you to control who has access to them at given times.
My pet peeve here is we seem to have taken something that was really designed for built-in, default, shared credentials and decided to stick every credential in there because it’s called a credential vault
Vaults were never really intended or designed for this purpose, or at least not the big enterprise type vaults. Over the years we’ve enhanced these to make them take other credentials but that doesn’t mean it’s the right thing to do
Think about the goals of PAM programs: By the way, these are goals are the most basic of goals to demonstrate a problem with our approach.
But if we look at our approach to PAM, it’s often discover all the accounts and stick them in a vault.
- Does this reduce the number of account? No
- Does it reduce risk? You may say yes.. personally I think it just shifts risk.
My biggest issue though, is with user experience which you’ll find further below. I also believe a distributed model for vaults is one that works best. Why would you put a secret for a Lambda function in an on-prem vault? It’s bonkers. We should have many vaults, with consistency across access control and policies.
Then we have session management and recording.
Oh how we used to laugh every time we read a RFP and the requirements listed session management and recording.
I’ve likely been involved in over 1000 PAM programs in some shape of form and responded to hundreds of RFx’s. What amazed me was that every single one wanted session recording. The ability to record a video of user sessions with an audit trail of commands/keystrokes
Why oh why oh why?
I think I can count on one hand the number of customers I’ve actually seen use this, yet it’s a must have for all?
Are people really going to sit there watching a video session? Why? You already get logs into your SOC, can already see who has done what? Why do you need a video taking up space?
3. Business Password Management
In our blog called PAM 101 we discussed how privilege is a business problem and related to access to sensitive data. As users we have access to a host of applications and data sources which contain sensitive data. This could be our payslips, our HR system, absence systems, corporate benefits, payroll, car lease platforms etc. Whatever it is, our users have business passwords which cannot be stored in traditional PAM vaults. They were never designed to cater for this type of individual access and control.
Some have tried to offer this, and you can understand why. It’s a logical thing for them, it’s the right thing but then they have tech debt which really stops them from offering the best experience.
This is compounded by the fact that most of us use password managers in our personal lives so expect that same time of user experience with a browser extension, autofill, upload, creation, generation and sharing of credentials & passkeys.
Business password management is something very few still do, but is critical in securing the enterprise and helping implement good password hygiene.
4. Discovery
For the most part, Discovery sucks
If the approach to PAM is discover everything, vault it, manage it or remove it then this needs to start with visibility. If you want to protect something, you need sight of it.
Yet, you install a product which scans your AD, builds a list of servers, tells you the accounts on them and wants to vault them?
It’s certainly a start, and it’s certainly better than nothing so not knocking it. But right now, that’s telling you everything you know you have, and that’s not where the weakness is.
The weaknesses are:
- The servers you don’t know are on your network or are not tied to a domain
- The service accounts you have no visibility in to which are hardcoded into apps, config files etc.
- The various cloud platforms you may or may not know you have
- Shadow IT
- Your end users business accounts and access
- Scale and Speed – Yes, I’ve seen discovery scans configured to run every day, but they don’t complete within 24 hours so you never get a full view
- Schedules – I get it, schedules for on-prem works as it’s more static and more defined in nature. Why are we not doing more continuous discovery in cloud though? If it was as simple as just workloads, then provisioning via automation into a PAM solution would be the straightforward answer. It’s not just about workloads though, as accounts and identity are everywhere
5. Service Accounts
Service accounts are PAM vaults just don’t go together. If anyone is doing full service account management with there traditional PAM solution, I’d honestly love to hear to from and how you went about doing this and what challenges you faced.
From what I’ve seen and been witness too, this is almost impossible.
The reasons are 2 fold
- Discovery – People really have very little idea as to where service accounts are actually used. Yes, discovery will tell you a server has a service account and what service its running, but you still have no clue where the account is being used
- Rotation – Are you really going to rotate a service account and risk taking an application down? I’ve seen one example of this where it took out an ATM network
Service accounts need a different approach which has to start with discovery and auditing, followed by lifecycle management, ownership and attestation.
6. Machine Identities
Certainly a hot topic at the moment, and something most PAM vendors are talking about in some form.
I find this area fascinating and have done a few blogs about previously as well as some strategy papers on how vendors can further themselves in this area
What is a machine ID? The market is currently stuck between NHI (Non-human identity) or Machine Identity as a description but basically anything non-human could be considered a machine ID, such as a service account, or embedded credential, IOT devices etc.
Most people also think of the authentication mechanism when defining machine ID’s as being something like a certificate or token, but in reality is can be anything, even a password.
One thing for sure is that we have a lot more of them than we have people, we have little in the way of visibility or what they’re really used for, and our PAM solutions really have no clue about them. There are some interesting smaller vendors in this ever-growing space though, which we’ll talk about in the follow up to this blog.
7. Secrets vs Passwords
Why do we need a password vault and a secrets vault? Surely a vault is a vault. In fact, I’d say Vaults are almost a commodity item now, but the market seems to have them as separate things for some reason. Or is that a vendor thing to make more money?
We’ll talk about what a vault really is in our vault follow up but it’s frustrating that you need to purchase 2 different things for the same purpose.
It may be that you have an Enterprise Password Vault for your infrastructure but then a separate secrets vault for your ops teams, but we all know it doesn’t stop there. You’re likely to use cloud native secrets managers too for your cloud secrets. This is often referred to as vault sprawl but personally I think this is great and the best way to work. I do however thing we need consistency across these vaults in terms of security policy.
8. Policies
Ok not all policies are bad. Just the ones you must write for least privilege tools because who has time to define them? It’s a never-ending cycle of responding to events which have taken place and then deciding whether you want to allow it in the future.
I remember once being involved in a project, where it was someone’s full time job to literally watch events across Windows Desktops and make a decision on whether they should elevate it or not in the future.
My problem with policies are largely that, they’re hard to maintain, hard to manage and most of all, they’re mainly static in nature.
We say we’re trying to remove risk and remove privilege, but then have a static policy in place that allows that person to run with privilege. Oh and we also remove 2FA, re-authentication and other controls because it gets in the way of the user.
There are some good policy engines within solutions though, some are dynamic, others have nice templates and then we have open-source policy too.
More follow-ups to come on this
9. Agent vs Agent-less
I remember 1 year working for a particular vendor, we were responding to a well-known analysts questionnaire so that we could be considered for there well known industry report in the PAM space… *Cough* MQ
Whilst we had a well-rounded platform that had the usual stuff. A vault, session proxy, recording, secrets management, CIEM etc. We failed to qualify for that *cough* MQ because we didn’t have an agent.
So, is the market as we know it really driven by technical capabilities of some vendors rather than the best approach to do something?
I get that agents have their benefits, but these benefits are largely applicable for on-prem or static infrastructure. Times have moved on and in the world of dynamic infra, containers and functions, using agents to control privilege may not make sense.
Ultimately our market approach needs updating, which luckily has started to happen which should pave the way for innovation. At that time, what was most frustrating, was in order to be featured, you had to follow the crowd rather than innovate and approach things differently.
10. Cloud Native
I’m not sure just calling this cloud native really does it justice. If we take the 3 major providers of cloud services, Microsoft, AWS and Google, each one of them are adding more and more functionality to cater for privileged access management and identity management as a whole
These don’t necessarily play to well with traditional PAM vendors which then leads to fragmented solutions, disjointed user experiences and ultimately failure of some form.
Ok that may be a little dramatic, but here we go
Each one of these platforms has:
A secrets Vault
Support for least privilege at the identity/role layer
Most have session proxy capabilities
Audit
There are major benefits to looking cloud native, not least in performance and security in which case, does PAM need to mature more into a de-centralized model with a control plane?
Also, look at Microsoft making strides into least privilege for endpoints with InTune. That may well be good enough for most in which case do we think this could be a declining market for others?
11. IAM Crossover or Convergence
This one is difficult. To use a super annoying phrase which is already outdated
‘Identity is the new perimeter’ I’ve lost count how much I’ve said that over the last 8 years but safe to say, it’s not new anymore. So is Identity the perimeter? No… There is no perimeter
Ok, rant over.
But seriously, in the market you’ll see changes of messaging from PAM vendors to become more identity centric and talking about IAM. You’ll see mergers and acquisitions, portfolio consolidations all of which are taking place on a monthly basis it seems.
PAM and IGA/IAM are so closely aligned yet so far away. The real reason for this is unfortunately history. PAM was a technically driven solution lead by security or PAM teams, IAM was seen as a business issue driven by CIO’s. These two things are slowly but surely coming together from a culture perspective which should lead the way for converged platforms to see better success.
The interesting part will be should PAM converge with IGA or Access Management.
My personal thoughts:
PAM + Access Management should now be one thing, they are hand in hand. PAM has moved beyond servers and infrastructure, therefore the app experience of Access Management and role capabilities are the missing piece. The IAM part of that could be lightweight IAM or full blown IGA but one thing is certain:
Governance of privilege is critical.
12. User Experience
I’ve saved the best till last and this is something I could literally talk about all day. Just don’t test me on that (unless you struggle sleeping)
PAM programs fail due to user experience – This happens time and time again. People will look for ways around controls if they feel like you’re taking something away from them or forcing them to do something.
If we go back to the start of PAM, it was really designed for IT administrators accessing servers whether checking out a password or starting a privilege session.
No one liked giving away passwords because you lose traceability and control, so privileged sessions it was.
This pissed of Unix/Linux admins because they were forced through a browser, and annoyed Windows admins for the same reason. They lost their freedom and with it the ability to copy/paste, transfer data etc. Some of which you may not have wanted them to do, but ultimately the perception was you were taking things away from them and users don’t like that.
Now, times have changed… How many people still log on to servers? Admittedly most orgs still have them but it’s not like it was 20 years ago.
Also, PAM is not just for IT admins. PAM is about controlling access to sensitive data which could be a finance person accessing a web interface? Are we going to make them go through a vault and session proxy? No chance
What’s funny is when these projects begin to fail, people blame the technology and look to replace it. I’ve seen many a time where people want to rip and replace their vault as an example.
If this is driven by the above, then this is largely a pointless exercise and you’ll hit the same problems. Most companies don’t have a vault problem, they have an access problem.
It’s funny that we spend so much time talking about flexible working but what we really mean is flexible hours. There is very little in the way of flexible working because tooling often works to prevent us from doing things rather than enabling it.
Coming up next – The 12 challenges of PAM (and maybe a better looking blog post)