2020 State Of Privileged Access Management (Pam) Maturity Report

Transcription


Executive Summary

With up to 80% of breaches due to compromised credentials according to leading analysts, more organizations than ever are prioritizing privileged account protection. As Privileged Access Management (PAM) becomes top of mind, C-level, IT and cyber security professionals are seeking a framework in which they can properly assess, manage, and minimize risks to privileged credentials.

Thycotic’s free, online PAM Maturity Assessment helps organizations determine progress along their journey to lower privileged access risk, increase business agility, and improve operational efficiency. Based on security industry best practices and deep experience with more than 10,000 PAM customers worldwide, the PAM Maturity Assessment asks questions that determine how far an organization has progressed through the four phases of PAM maturity described below.

How to Define Privileged Access Management (PAM)

Privileged access must be defined around the specific situation of each organization. We recommend you perform a Data Impact Assessment to determine which privileged accounts are being used to access your most sensitive data, including intellectual property. You can then audit and confirm who should have access rights to view and manage this sensitive data. Privileged accounts are everywhere in your IT environment and can be human or non-human. Some privileged accounts are associated with individuals such as local administrators or network administrators, while others are service accounts used to run databases, applications and other systems and aren’t associated with a person’s unique identity.

PHASE 1: Analog

Organizations in the Analog phase of PAM maturity face a high degree of risk. Securing their privileged access is limited and minimal. Privileged credentials are managed mostly manually and may be tracked with spreadsheets. As a result, these organizations often provide excess privileges to people who don’t need them, share privileges among multiple administrators, and neglect to remove privileges when users leave the organization or change roles.

Service accounts are created “in the wild,” leading to poor documentation, poor mapping to applications or core services, and “re-usage,” where a single account is used repeatedly for numerous services. Security and operations teams are typically unaware of the breadth of web applications in use and allow users to make independent decisions regarding privileged access and permissions.

PHASE 2: Basic

Organizations transition from Analog to the Basic phase of PAM maturity by adopting PAM security software and automating time-consuming, manual processes. They have implemented a password vault to store privileges but are typically implementing password management tools more appropriate for consumers than enterprises.

They focus on privileged accounts managed by domain administrators and other IT users, and as a result they have a limited view of the privileged account attack surface.

Organizations in this stage must make periodic pushes to discover and rediscover new accounts across the network. Occasionally business-critical applications experience downtime because new usages of service accounts have not been onboarded and associated with the corresponding service account managed in the PAM solution. This sometimes leads to an atmosphere of mistrust between teams, making full adoption of a PAM solution difficult.

thycotic.com sales@thycotic.com

PHASE 3: Advanced

As organizations move from a reactive to a proactive strategy they enter the Advanced phase of PAM maturity. They broaden their definition of privileged account management and expand their PAM policies to actively manage service accounts, as well as web and SaaS applications managed by developers and business users. They consider every account a privileged account and have a consolidated view of all accounts, credentials, access and user permissions, for all types of privileged accounts throughout the organization.

Organizations in the Advanced phase of PAM maturity have moved from a reactive to a proactive privilege security strategy. PAM becomes a top cyber security priority, with a commitment to continuous improvement of privileged security practices.

PHASE 4: Adaptive Intelligent

As the ultimate stage of PAM maturity, organizations in the Adaptive Intelligent phase take continuous improvement to a higher level, integrating leading technologies such as artificial intelligence and machine learning to collect information and adapt system rules. These organizations fully automate and manage the entire lifecycle of privileged accounts, from provisioning to rotation to deprovisioning and reporting.

Privileged Access Management Maturity Model

[Figure: Maturity Model. Security posture runs from LAGGARDS to LEADERS across the four phases: 1 ANALOG (high risk to architecture & operations), 2 BASIC, 3 ADVANCED, 4 ADAPTIVE INTELLIGENT (low risk to architecture & operations).]

86% of organizations fail to meet even a basic PAM maturity level.

This report summarizes findings based on 568 completed surveys. The results are far worse than you might think—and may go a long way to explaining why four out of five breaches are related to compromised credentials.

Are you including privileged accounts in your broader IT cyber security policy?
YES 78.4% / NO 21.6%

Respondents by PAM maturity phase:
ANALOG 86.1% / BASIC 9.8% / ADVANCED 3.7% / ADAPTIVE INTELLIGENT 0.4%

Although 4 in 5 organizations include privileged credential protection as part of their cyber security strategy, their PAM security practices are woefully lacking and even worse than you might expect. This means organizations have acknowledged the problem but are failing to put the necessary security controls in place to reduce risks.

86% of respondents are still struggling to get beyond the Analog phase of Privileged Access Management (PAM) maturity!

Among those failing to reach even a basic level of maturity:

- 59% of organizations have no idea how many privileged accounts they have or where they’re located.
- 55% of organizations’ privileged accounts never expire or get deprovisioned.
- 17% of organizations are storing all their privileged accounts in a secure privileged access management vault or password manager.

If a survey respondent answered “no” to any of four critical questions, they were designated to the “Analog” phase of maturity. In other words, if they weren’t including PAM in their cyber security strategy, weren’t discovering privileged accounts, weren’t deprovisioning privileged credentials or weren’t storing credentials in a secure vault, they haven’t achieved even the Basic level of PAM maturity.

In sharing the assessment results in this report, Thycotic encourages organizations across the globe to examine their own PAM practices and target specific areas for improvement. We’ve highlighted three key takeaways in this report along with specific recommendations and suggested resources for further learning and action steps. Our goal is to help you apply lessons from the PAM Maturity Model to your own cyber security strategy regardless of the size of your company, your industry or the number and type of privileged accounts you need to

Key Takeaways

KEY TAKEAWAY #1: You can’t protect what you can’t see. Your first step must be to automate discovery of privileged accounts.

KEY TAKEAWAY #2: Basic PAM hygiene won’t improve without stopping bad habits while adopting and automating better ones.

KEY TAKEAWAY #3: Only with greater PAM maturity can you gain critical insight to reduce cyber risk.

Most disturbing of all the PAM Maturity Assessment results is the lack of visibility into how many privileged accounts exist in an organization and where they are located. More than half (55%) of survey respondents aren’t automatically discovering privileged accounts. Because privileged accounts such as local admin and service accounts exist everywhere in multiple places throughout an organization, trying to manually discover and manage them is virtually impossible. Your first step should be to automate privileged account discovery so that you can see what you need to protect. Then, apply basic PAM security controls to use complex passwords and rotate passwords on a regular basis.

It’s clear from those taking the PAM Maturity Assessment that ingrained bad habits continue to hamper efforts in securing privileged access. Less than one in five organizations are using a password vault and most still don’t require Two-Factor Authentication. If you aren’t already using one, you need to implement a password vault manager as soon as possible. Then, establish and automate specific security policies that promote proper PAM security hygiene, especially for deprovisioning privileged credentials. Multi-Factor Authentication should be standard for all privileged accounts and an audit trail of privileged account usage should be instituted to meet policy and compliance mandates.

Once you achieve basic PAM security practices, you’re ready to go to the next level of maturity, and become more sophisticated in your knowledge, insights, and actions. Most organizations are unable to monitor for suspicious privileged account behavior and only one in eight has implemented a least privilege policy for account access with application control. Fully one third (34%) of respondents don’t apply Privileged Access Security with their DevOps teams. You should begin evaluating PAM solutions for privileged behavior analytics and implement a least privilege strategy to ensure your organization can realize the full benefits of advanced and agile PAM.

KEY TAKEAWAY #1

You can’t protect what you can’t see. Your first step must be to automate the continuous discovery of privileged accounts.

Once you’ve been able to identify all your privileged accounts you can begin to implement basic PAM security policies, such as automating password creation and rotation for accessing privileged accounts.

SURVEY RESULTS

If you can’t see it, you can’t protect it.

59% of organizations taking the assessment aren’t discovering privileged accounts with automated tools, meaning they likely don’t know how many privileged accounts they have or where they’re located.

QUESTION #2: Are you discovering privileged accounts automatically in your organization?
YES 41% / NO 59%

Without an automated process for identifying privileged accounts it’s nearly impossible to keep track of them manually, if at all. This means 55% of organizations likely have no idea how many privileged accounts they have or if they might have been compromised. With hundreds and sometimes thousands of privileged accounts throughout an IT environment, organizations face serious risks from both internal abuse and external threats.

Creating passwords manually and never changing them invites disaster.

10% of organizations are generating complex passwords for all privileged accounts and rotating them on a schedule.

QUESTION #3: How many of your privileged accounts utilize automatically generated complex passwords and are rotated on a timeframe?
0%: 31% / 25%: 36% / 25-99%: 23% / 100%: 10%

- 9 of 10 organizations rely on human-created passwords for privileged accounts—and these passwords may never have been changed over a period of months or even years.
- 33% of organizations have instituted complex password generation and regular rotation of their privileged accounts’ passwords.
- 57% of organizations allow passwords to be viewed by any user.
- 31% of organizations don’t address the issue at all.
- 10% of organizations fully rotate passwords on a schedule.

“I’ve got to write it down, so I don’t forget.”

QUESTION #5: Are you using any tools to prevent passwords from being disclosed during usage?
YES 43% / NO 57%

Allowing employees to see passwords for privileged accounts poses the risk that those passwords will be written down for reference in a spreadsheet or Post-it note, easily shared with colleagues, or used to access systems by skirting security controls. Automated tools exist to help ensure that no employee needs to see a password to gain access, especially for privileged credentials.

Recommendations

Lack of visibility into how many privileged accounts exist in an organization and where they are located is an enormous risk for organizations. Because privileged accounts, such as local admin and service accounts, exist everywhere throughout an organization, trying to manually discover and manage them is virtually impossible. Your first step should be automating privileged account discovery on a continuous basis so you can see what you need to protect. Then, apply basic PAM cyber security strategies to identify weak passwords and remediate them using complex passwords and regular password rotation.

- Conduct a complete discovery of all privileged accounts across the enterprise
- Identify weak passwords on privileged accounts and remediate them
- Establish a password rotation protocol for all privileged accounts

Free Resources

Windows Privileged Account Discovery Tool
thycotic.com/freediscoverytool/
At the click of a mouse, Thycotic’s Free Privileged Account Discovery Tool discovers your Windows privileged accounts and generates immediate, detailed reports.

Service Account Discovery Tool
ccount-discovery-tool/
The Service Account Discovery Tool measures the state of privileged access entitlements in your Active Directory service account

Privileged Account Management for Dummies eBook
thycotic.com/PAMforDummies/
This free eBook is written for IT teams and systems administrators along with security professionals responsible for protecting an organization from security threats.

KEY TAKEAWAY #2

Basic PAM hygiene won’t improve without stopping bad habits while adopting and automating better ones.

To stop ingrained bad habits when accessing privileged accounts, you need to make processes easier as well as more secure. That means automating password management through a secure vault to store credentials, implementing Multi-Factor Authentication, and keeping a record of usage.

SURVEY RESULTS

Who, what, when, where?

17% of organizations are storing all privileged accounts in a secure Privileged Access Management vault or password manager. Twenty-eight percent of organizations are doing nothing to protect them, likely using spreadsheets or putting them on paper.

QUESTION #4: How many of your privileged accounts are being stored in a secure vault?
0%: 27% / 25%: 26% / 25-99%: 30% / 100%: 17%

The risks of not storing passwords in a secure vault are clear. Organizations have no visibility into when passwords are used, no insight into what security controls are applied to privileged accounts, and no idea who is using them or who has access. This situation makes it difficult to demonstrate compliance with ISO standards, mandates such as PCI, and many other regulations and compliance requirements.

A single password can’t fully protect a privileged account.

57% of respondents aren’t using Two-Factor Authentication or Multi-Factor Authentication with privileged accounts. That leaves a single password as the only obstacle between a cyber criminal and privileged access.

QUESTION #6: Do you enforce 2-factor authentication or Multi-Factor Authentication to be used with privileged accounts?
YES 43% / NO 58%

Most compliance policies and legal regulations require that privileged accounts be safeguarded with at least Two-Factor Authentication, for good reason. A password should never be the only security control protecting a privileged account, as it’s too easily compromised. Privileged account access should always be established with security controls that verify identity and build trust. Combining Two-Factor Authentication with Privileged Access Management, for example, enables an organization to adopt a zero-trust approach for access to sensitive systems or data, ensuring every access request is continuously verified.

Who used this privileged account last, and when?

58% of respondents fail to maintain an audit trail of privileged account activity.

QUESTION #7: Do you maintain an immutable audit trail of privileged accounts activity?
YES 46% / NO 54%

Lack of an audit trail for privileged access is especially important in responding to data breaches. Without an audit trail, the only way to fully remediate a domain administrator account breach, for example, would be to rebuild the entire account activity from scratch, since there would be no way of knowing exactly what a cyber criminal might have modified. No organization wants to find itself in such a position, when quickly responding to and remediating a breach can be the difference between a minor incident and a major disaster.

The never-ending story of privileged account risk.

55% of organizations have privileged accounts that never expire or get deprovisioned. This is a major risk when organizations focus only on provisioning privileged accounts but never remove them.

QUESTION #9: Do you automatically retire privileged accounts no longer in use?
YES 45% / NO 55%

Organizations face a very high risk of compromised privileged accounts if they fail to remove them once they are no longer required. Cyber criminals enjoy going after low-level privileged accounts that are left dormant, keeping a low profile while waiting for the right moment to abuse them.

Recommendations

Unfortunately, ingrained bad habits continue to hamper efforts to properly secure privileged access. Far too many organizations fail to use a password vault manager and most still don’t require Two-Factor Authentication. If you haven’t already, you need to implement a password vault manager as soon as possible. Then, establish and automate specific security policies that promote proper PAM security hygiene, especially for deprovisioning privileged credentials. Multi-Factor Authentication should be standard for all privileged accounts and an audit trail of privileged account usage should be instituted to meet policy and compliance mandates.

- Discover and minimize all domain admin and service accounts
- Vault all passwords for privileged accounts with password management software
- Institute Multi-Factor Authentication for all privileged accounts
- Conduct session monitoring and recording for privileged access
- Establish PAM security policies to safeguard systems and meet compliance mandates

Free Resources

Security Policies Template for Privileged
mplate/
Privileged account credentials are a prime target of hackers, so it’s critical that you put password protection policies in place to prevent unauthorized access and demonstrate security compliance.

Privileged Access Management Policy Template
thycotic.com/policy-template/
The free Privileged Access Management Policy Template saves you hours of effort defining clear and consistent policies that everyone who uses and manages privileged accounts understands and accepts. It contains 40 pre-written policy statements, based on requirements outlined by CIS, NIST, PCI and HIPAA.

KEY TAKEAWAY #3

Only with greater PAM maturity can you gain critical insight to reduce cyber risk.

As organizations move from Analog to Basic PAM security hygiene they can implement more sophisticated measures to protect their networks and endpoints with automated software tools. These measures include behavioral analytics along with a least privilege strategy with application control to secure endpoints without impacting pro-

SURVEY RESULTS

Just because you don’t see it doesn’t mean it’s not there.

61% of organizations taking the assessment aren’t checking automatically for suspicious activity with privileged access, meaning they’re likely already a victim of cyber crime and just haven’t discovered it yet.

QUESTION #8: Do you have a way to automatically detect and respond to anomalous privileged activity?
YES 39% / NO 62%

Unfortunately, it’s probably not a question of if you’re going to be a victim of cybercrime, but rather when it’s going to happen. Given the limited staff resources of most organizations, an automated tool to detect suspicious activity should be put in place along with a formal incident response plan to manage security incidents that occur. Those organizations not automatically checking for suspicious activity regarding privileged accounts are likely already a victim of cybercrime.

You’ve got to rein in overprivileged users.

12% of organizations have implemented both Privileged Access Management and application control on their endpoints to enable a least privilege strategy.

QUESTION #11: What percentage of endpoints are protected by privilege management and application control?
Response bands: 0% / 25% / 25-99% / 100%. Values shown in the chart: 12.0%, 23.4%, 32.7%, 32.0% (12.0% of respondents report full coverage).

A least privilege strategy is becoming recognized as essential to protecting both human and non-human privileged accounts. Cyber security regulations are evolving globally, aimed at ensuring employees are not overprivileged with access. Several countries have significant financial penalties for failure to comply. Yet, four out of five respondents—86%—are exposed to the extremely high risk of compromise from overprivileged users. Only one of those overprivileged user accounts needs to be compromised for attackers to gain access to an organization’s entire network.

Ignore DevOps security at your peril.

- 34% of organizations have adopted a DevSecOps approach to integrate cyber security into the development process.
- 34% of organizations still have not introduced security into DevOps.
- 32% of organizations don’t have the security team involved in the development process.

QUESTION #10: Do you utilize a credentials management tool during your software development processes?
YES 34% / NO 34% / DON’T KNOW 32%

Organizations that have moved to using DevOps for continuous delivery and continuous integration have benefited from being able to quickly deploy new updates and features in near real-time, greatly improving efficiency. The need to include security in DevOps has introduced a concept known as DevSecOps—building security into the development process and lifecycle. Those organizations that have adopted DevSecOps can realize significant savings over those that try to “bolt on” security measures at the end of the development cycle.

Recommendations

Once you achieve basic PAM security practices, you’re ready to go to the next level of maturity. That means implementing a least privilege strategy, monitoring for suspicious behavior with privileged accounts, and preparing and testing an incident response plan. You should evaluate automated PAM solutions that enable behavior analytics and a least privilege strategy with application control to ensure your organization can realize the full benefits of advanced and agile PAM.

- Implement privileged behavior analytics to help detect suspicious activity
- Plan a least privilege strategy for privileged credentials with application control
- Develop and test an incident response plan
- Centralize control over privileged access in a single interface to better manage often overlooked accounts such as DevOps, service accounts and cloud resources

Free Resources

Least Privilege for Dummies book
thycotic.com/least-privilege-dummies/
This free eBook is the perfect starting point for you and your staff to understand the basic concepts of least privilege and key steps to planning your least privilege strategy, including how to apply least privilege with application control.

Windows Least Privilege Discovery Tool
thycotic.com/least-privilege-tool/
With this tool you can discover local admin accounts, service accounts, and applications in use on endpoints.

Incident Response Plan Template
The template provides a checklist of roles, responsibilities, and actionable steps to measure the extent of a privileged account cyber incident and contain it before it damages critical systems. The template is customizable to match your incident response policies, regulatory requirements, and organizational structure.

Bottom Line

The key to improving cyber security with Privileged Access Management stems from an understanding and implementation of a PAM lifecycle approach. Only a comprehensive solution can ensure that your “keys to the kingdom” are properly protected from hackers and malicious insider threats. And, it will ensure access controls meet regulatory requirements for compliance mandates in your industry and geography.

For more information about Thycotic and the PAM solutions we provide, visit our website at www.thycotic.com.

[Figure: PAM Lifecycle Model. DEFINE, DISCOVER, MANAGE & PROTECT, MONITOR, DETECT USAGE, RESPOND TO INCIDENTS, REVIEW & AUDIT.]

CONCLUSION

Achieve more mature practices with a PAM Lifecycle Model.

The 2020 State of Privileged Access Management (PAM) Maturity Report is a wakeup call for organizations worldwide to immediately assess their PAM practices with a goal of moving beyond dangerous habits to implementing a PAM Lifecycle Model. A PAM lifecycle approach provides a framework for any organization to manage its privileged accounts and access as a continuous program rather than a one-off project.

Define

Start by defining what ‘privileged access’ means and identify what a privileged account is for your organization. It’s different for every company so it’s crucial you map out what important business functions rely on data, systems and access. Gain a working understanding of who has privileged account access and when those accounts are used.

Discover

Identify your privileged accounts and implement continuous discovery to curb sprawl, identify potential insider abuse, and reveal external threats. This helps ensure ongoing visibility of your privileged account landscape, crucial to combating cyber security threats.

Manage and protect

Proactively manage and control privileged account access, schedule password rotation, audit, analyze, and manage individual privileged session activity. For IT administrators and privileged account users, control access and implement superuser privilege management to prevent attackers from running malicious applications, remote access tools, and commands. Least privilege and application control solutions enable seamless elevation of whitelisted applications while minimizing the risk of running unauthorized applications. Secure access to systems and services that reside on-premise and in the cloud, including IaaS, PaaS, and SaaS.

Monitor

Monitor and record privileged account activity. This will help enforce proper behavior and avoid mistakes. If a breach does occur, monitoring privileged account use also helps digital forensics identify the root cause and identify critical controls that can be improved to reduce your risk of future cyber security threats.

Detect

Ensuring visibility into the access and activity of your privileged accounts in real time will help spot suspected account compromise and potential user abuse. Behavioral analytics focuses on key data points to establish individual user baselines, including user activity, password access, similar user behavior, and time of access, to identify and alert you of unusual or abnormal activity.

Respond

When a privileged account is breached, simply changing the password or disabling the account isn’t enough. While inside, hackers could have installed malware and even created their own privileged accounts. If a domain administrator account gets compromised, for example, you should assume that your entire Active Directory is impacted and investigate and make changes so the attacker can’t easily return.

Review and Audit

Continuously observing how privileged accounts are being used through audits and reports will help identify unusual behaviors that may indicate a breach or misuse. Automated reports help track the cause of security incidents as well as demonstrate compliance with policies and regulations. Auditing privileged accounts will also give you metrics that provide executives with vital information to make more informed business decisions.
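As an added illustration of the Detect step (example code written for this page, not a Thycotic product or the report’s own material): a minimal behavioral-analytics check that builds per-user baselines from a privileged-credential checkout log, using two of the data points named above (which accounts a user touches and the time of access), and alerts on deviations. The log format, field names, user and account names are all constructed.

```python
"""Baseline-and-deviation check over a constructed privileged credential checkout log.
Added example for this page; the log lines, field names and tolerance are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log used to learn each user's normal behavior (not real data).
BASELINE_LOG = """\
2020-03-02T09:14:00 user=alice account=svc-backup action=checkout
2020-03-03T09:40:00 user=alice account=svc-backup action=checkout
2020-03-04T10:05:00 user=alice account=svc-backup action=checkout
2020-03-02T14:00:00 user=bob account=sql-admin action=checkout
2020-03-03T15:30:00 user=bob account=sql-admin action=checkout
2020-03-04T14:20:00 user=bob account=web-admin action=checkout
"""

# Constructed new events to evaluate against the baselines.
NEW_LOG = """\
2020-03-05T10:30:00 user=alice account=svc-backup action=checkout
2020-03-05T03:12:00 user=alice account=domain-admin action=checkout
2020-03-05T15:00:00 user=bob account=sql-admin action=checkout
2020-03-05T14:45:00 user=carol account=domain-admin action=checkout
"""

HOUR_TOLERANCE = 1  # hours either side of an observed access hour still count as normal


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # not a timestamp: ignore the line rather than crash the detector
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "user" in fields and "account" in fields:
            events.append({"ts": ts, **fields})
    return events


def build_baselines(events):
    """Per user: the set of accounts checked out and the hours of day at which they did so."""
    baselines = defaultdict(lambda: {"accounts": set(), "hours": set()})
    for ev in events:
        entry = baselines[ev["user"]]
        entry["accounts"].add(ev["account"])
        entry["hours"].add(ev["ts"].hour)
    return dict(baselines)


def hour_is_usual(hour, seen_hours):
    """True when the hour is within HOUR_TOLERANCE of any hour seen in the baseline."""
    return any(abs(hour - h) <= HOUR_TOLERANCE for h in seen_hours)


def detect_anomalies(baselines, events):
    """Return a list of (event, reasons) for events that deviate from the user's baseline."""
    alerts = []
    for ev in events:
        reasons = []
        base = baselines.get(ev["user"])
        if base is None:
            reasons.append("no baseline for user")
        else:
            if ev["account"] not in base["accounts"]:
                reasons.append("first checkout of account by this user")
            if not hour_is_usual(ev["ts"].hour, base["hours"]):
                reasons.append("access outside user's usual hours")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    learned = build_baselines(parse_events(BASELINE_LOG))
    for ev, why in detect_anomalies(learned, parse_events(NEW_LOG)):
        print(ev["ts"].isoformat(), ev["user"], ev["account"], "->", "; ".join(why))
```

Alice’s routine 10:30 checkout and Bob’s afternoon checkout pass silently; Alice’s 03:12 checkout of an account she has never used and Carol’s checkout with no baseline at all are the two alerts, with the reason list telling the responder which baseline was violated.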

PAM Maturity Index Scoring Methodology

The chart below shows the scores assigned to each question in the Index.

Question 1: Are you including privileged accounts in your broader IT cyber security policy?
  Response options: A-Yes, B-No. Response score: A-100, B-0.
  Considerations: If B, then automatic cumulative assessment of ANALOG.

Question 2: Are you discovering privileged accounts automatically in your organization?
  Response options: A-Yes, B-No. Response score: A-100, B-0.
  Considerations: If B, then automatic cumulative assessment of ANALOG.

Question 3: How many of your privileged accounts utilize automatically generated complex passwords and are rotated on a timeframe?
  Response score: A-0, B-33, C-66, D-100.
  Considerations: If A or B, then automatic cumulative assessment of ANALOG.

Question 4: How many of your privileged accounts are being stored in a secure vault?
  Response score: A-0, B-33, C-66, D-100.
  Considerations: If A or B, then automatic cumulative assessment of ANALOG.

Question 5: Are you using any tools to prevent passwords from being disclosed during usage?
  Response score: A-100, B-0.

Question 6: Do you enforce 2FA or MFA to be used with privileged accounts?
  Response score: A-100, B-0.

Question 7: Do you maintain an immutable audit trail of privileged activity?
  Response score: A-100, B-0.

Question 8: Do you have a way to automatically detect and respond to anomalous privileged activity?
  Response score: A-100, B-0.

Question 9: Do you automatically retire privileged accounts no longer in use?
  Response score: A-100, B-0.

Question 10: Do you utilize a credentials management tool during your software development processes?
  Response score: A-100, B-0.

Question 11: What percentage of endpoints are covered by privilege management and application control?
  Response score: A-0, B-33, C-66, D-100.

After the survey is completed, the chart below is used to assign the final Maturity Level.

Note: Any score of zero for any of questions 1-5 will automatically result in an “Analog” assessment for the organization.

Cumulative Point Score -> Maturity Level Determination
  0-275: 1 - Analog
  276-550: 2 - Basic
  551-825: 3 - Advanced
  826-1100: 4 - Adaptive Intelligent
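The scoring rules above, implemented as an added example so an answer sheet can be scored offline (this is illustrative code written for this page, not Thycotic’s assessment software). It assumes the Considerations column and the footnote (a zero on any of questions 1-5) are applied together as hard gates before the cumulative total is banded, which is how the two statements read when combined.

```python
"""PAM Maturity Index scoring, reconstructed from the methodology chart on this page.
Added example; the gate-combination rule and the sample answer sheet are assumptions."""

YES_NO = {"A": 100, "B": 0}                        # A-Yes, B-No
FOUR_BAND = {"A": 0, "B": 33, "C": 66, "D": 100}   # 0% / 25% / 25-99% / 100% answer bands

# Score table per question number, as listed in the chart.
QUESTION_SCORES = {
    1: YES_NO, 2: YES_NO, 3: FOUR_BAND, 4: FOUR_BAND, 5: YES_NO,
    6: YES_NO, 7: YES_NO, 8: YES_NO, 9: YES_NO, 10: YES_NO, 11: FOUR_BAND,
}

# Considerations column: these responses force an ANALOG result regardless of the total.
ANALOG_GATES = {1: {"B"}, 2: {"B"}, 3: {"A", "B"}, 4: {"A", "B"}}
# Footnote: any zero score on questions 1-5 also forces ANALOG.
ZERO_GATED_QUESTIONS = range(1, 6)

# Cumulative point score bands and the maturity level each maps to.
LEVEL_BANDS = [
    (0, 275, "1 - Analog"),
    (276, 550, "2 - Basic"),
    (551, 825, "3 - Advanced"),
    (826, 1100, "4 - Adaptive Intelligent"),
]


def level_for_total(total):
    """Map a cumulative point score to its maturity level band."""
    for low, high, name in LEVEL_BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"total {total} is outside the 0-1100 scoring range")


def analog_gates_hit(answers):
    """Question numbers whose answers force an Analog assessment (sorted)."""
    hit = []
    for q, choice in sorted(answers.items()):
        forced = choice in ANALOG_GATES.get(q, set())
        zero = q in ZERO_GATED_QUESTIONS and QUESTION_SCORES[q][choice] == 0
        if forced or zero:
            hit.append(q)
    return hit


def score_assessment(answers):
    """answers: {question_number: 'A'|'B'|'C'|'D'} for all 11 questions.
    Returns (cumulative_total, maturity_level, gated_by_questions)."""
    missing = sorted(set(QUESTION_SCORES) - set(answers))
    if missing:
        raise ValueError(f"unanswered questions: {missing}")
    for q, choice in answers.items():
        if choice not in QUESTION_SCORES.get(q, {}):
            raise ValueError(f"question {q}: invalid response {choice!r}")
    total = sum(QUESTION_SCORES[q][c] for q, c in answers.items())
    gated = analog_gates_hit(answers)
    level = "1 - Analog" if gated else level_for_total(total)
    return total, level, gated


if __name__ == "__main__":
    # Constructed answer sheet: strong everywhere except a partially populated vault (Q4 = B).
    sample = {1: "A", 2: "A", 3: "D", 4: "B", 5: "A",
              6: "A", 7: "A", 8: "B", 9: "A", 10: "A", 11: "C"}
    print(score_assessment(sample))
```

The sample sheet scores 899 points, which by the bands alone would be Adaptive Intelligent, yet the Q4 gate drops it to Analog: this is the mechanism behind the report’s finding that 86% of respondents sit in the Analog phase.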

About Thycotic

Thycotic is the leading provider of cloud-ready privilege management solutions. Thycotic’s security tools empower over 10,000 organizations, from small businesses to the Fortune 500, to limit privileged acco
