The linkages between privileged access management and zero trust

Some IT professionals are now asking about the value of PAM within a zero-trust strategy.

To understand the purpose of zero trust, it’s important to know exactly what it delivers. Zero trust is not a technology or set of tools, but rather an entire security paradigm or framework. It works on the principle of least privilege – the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform authorised activities. Never trust, always verify, is the mantra.

Within a zero-trust environment, both devices and users must be authenticated before being granted access permission. The approach is very familiar in the world of protecting IT assets that sit outside an organisation’s tradition perimeter, such as remote workers and cloud-based resources. But zero-trust applies to all users and devices, regardless of where they reside and assumes they are a potential attacker until they prove otherwise.

Managing authorisations – who can do what and where – is an essential ingredient of the “Never trust, always verify” mantra that guides zero trust. Modern PAM is the key to managing authorisations at disparate levels because it can enforce authorisations on how systems are accessed and then apply granular controls on administrative tasks, applications or services running on workstations or servers. Many organisations have even implemented the use of granular endpoint management functions such as application control for regular employees on workstations before applying access controls to servers via traditional PAM. This in turn lowers their overall attack surface.

For this reason, modern PAM, which entails privileged account and session management (PASM), privilege elevation and delegation management (PEDM) and secure remote access are key enablers to a successful implementation of a zero-trust strategy.

Implementing a zero-trust strategy

A popular analogy used when discussing zero-trust is a person boarding an aircraft. That person will firstly be checked and scanned as they walk through security. They will be checked again before being allowed to board the aircraft and yet again once inside the plane as they make their way to their seat.

This process of constant checking is exactly what modern PAM achieves in a zero-trust environment. Users and devices will be constantly challenged to prove that they are who they claim to be and that they have the right to do what they want. Traditional PAM can provide restriction about the zero trust path you take. However, another advantage of modern PAM encompassing Password Safe and Endpoint Privilege Management from BeyondTrust is the flexibility to start with your own priorities around zero trust. Want to start with PEDM rather than PASM? That flexibility is available.

VIEW ALL

When undertaking a zero-trust strategy, there are some key steps that will need to be taken. These steps include:

• Gain senior management support:
  The planned strategy will have an impact on all areas of the business, and so it is vital that support is obtained from the top. Brief senior leaders on what is required and the benefits it will deliver.
• Review the proposed architecture:
  No two zero trust deployments are the same. It’s therefore important to allow all parties involved to review the proposed architecture to ensure it will meet their requirements. This will minimise the likelihood of problems during the deployment process.
• Assess internal IT skills:
  While some organisations will have the skills needed for a successful deployment in-house, others will need to look for external assistance. Assess the capabilities of your internal IT team before work begins.
• Check the credentials of chosen technology vendors:
  The term zero trust has been adopted by a large number of technology companies that use it to promote a diverse range of technologies and tools. Carefully assess what a vendor is actually able to deliver before signing a deployment contract.
• Undertake a rollout:
  It should be remembered that a zero-trust strategy is a journey and not a “big bang” deployment. Many organisations find it more beneficial to take a staged approach and add additional components and capabilities over time.
• Conduct ongoing reviews:
  Zero trust is not a set-and-forget item but rather something that will require ongoing management and review. Check that everything is operating as it should and where and when adjustments might be required.

Modern PAM provides valuable tools for a security team’s zero-trust toolbox. Understanding its role in achieving the principle of least privilege will help you to maximise your investment as part of a zero-trust strategy.

Scott Hesford is director of solutions engineering, Asia-Pacific and Japan, BeyondTrust.