Extended PAM for integrated, multi-layered cyber defenses
Jon Kuhn
This post is part of a 2-part series:
Read Part 2: Extended PAM: Intelligent automation for risk-based, adaptive privilege
Increasing IT complexity and an endless array of IAM and cybersecurity tools make it challenging to combat privileged account attacks effectively. As a PAM industry leader, Delinea is creating a future in which you can understand, manage, and defend your entire privileged attack surface from a single solution across both traditional and emerging use cases.
We call this vision Extended PAM. We believe it’s the only way cyber pros can scale operations and can keep pace in the digital arms race against increasingly sophisticated cybercriminals.
Why does the industry need Extended PAM now?
PAM works. The principles of PAM (vaulting, just-in-time, just-enough privilege, session monitoring, privilege elevation and delegation, etc.) effectively protect enterprises from data breaches and ransomware by minimizing privileges available to credentialed users and granting elevated privilege with just-in-time approval. These capabilities can prevent breaches and limit or eliminate lateral movement caused by stolen credentials and insider threats. Companies have been using PAM to control access for domain admins and other privileged users for many years now.
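To make the principles listed above concrete, here is a small Python sketch added for illustration; it is not code from the original post or from Delinea's product. It models one privileged elevation end to end: an identity starts with no standing privilege, requests elevation for one narrowly scoped action (just-enough privilege), a second person approves it (self-approval is refused), the grant carries a hard expiry (just-in-time), and every request, approval and access check is written to an audit trail that a session-monitoring process could review. All identities, scopes, timestamps and the ticket reason are constructed sample values.

```python
"""Added illustration of just-in-time, just-enough-privilege brokering.
Hypothetical sketch, not Delinea's implementation; all names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from itertools import count
from typing import Dict, List, Tuple


@dataclass
class Grant:
    identity: str
    scope: str              # the single action/resource pair this grant covers
    expires_at: datetime    # hard expiry: the grant is useless after this instant
    approved_by: str


@dataclass
class PrivilegeBroker:
    """No standing privilege: access exists only while a scoped, approved grant is live."""
    pending: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)
    grants: List[Grant] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)
    _ids: count = field(default_factory=count, repr=False)

    def request(self, identity: str, scope: str, reason: str) -> int:
        """Open an elevation ticket; nothing is granted yet."""
        ticket = next(self._ids)
        self.pending[ticket] = (identity, scope, reason)
        self._log("request", identity, scope, ticket=ticket, reason=reason)
        return ticket

    def approve(self, ticket: int, approver: str, now: datetime, minutes: int = 15) -> Grant:
        """Turn a ticket into a time-boxed grant. The requester may not approve themselves."""
        identity, scope, _ = self.pending[ticket]
        if approver == identity:
            self._log("deny_self_approval", identity, scope, ticket=ticket)
            raise PermissionError("requester cannot approve their own elevation")
        del self.pending[ticket]
        grant = Grant(identity, scope, now + timedelta(minutes=minutes), approver)
        self.grants.append(grant)
        self._log("approve", identity, scope, ticket=ticket, approver=approver)
        return grant

    def is_allowed(self, identity: str, scope: str, now: datetime) -> bool:
        """Decide one access; expired grants are dropped before the decision is made."""
        self.grants = [g for g in self.grants if g.expires_at > now]
        ok = any(g.identity == identity and g.scope == scope for g in self.grants)
        self._log("check", identity, scope, allowed=ok)
        return ok

    def _log(self, event: str, identity: str, scope: str, **extra) -> None:
        # Every decision is recorded; this is what session review would consume.
        self.audit.append({"event": event, "identity": identity, "scope": scope, **extra})


def demo() -> dict:
    """Walk one elevation through its lifecycle and return the observed decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    broker = PrivilegeBroker()
    scope = "db-prod:restart"                               # constructed scope

    before = broker.is_allowed("alice", scope, t0)          # no standing privilege
    ticket = broker.request("alice", scope, "INC-0000 (constructed)")

    self_approval_blocked = False
    try:
        broker.approve(ticket, "alice", t0)                 # requester == approver
    except PermissionError:
        self_approval_blocked = True

    broker.approve(ticket, "bob", t0, minutes=15)           # second person approves
    during = broker.is_allowed("alice", scope, t0 + timedelta(minutes=5))
    other_scope = broker.is_allowed("alice", "db-prod:drop", t0 + timedelta(minutes=5))
    after = broker.is_allowed("alice", scope, t0 + timedelta(minutes=16))

    return {
        "before": before,
        "self_approval_blocked": self_approval_blocked,
        "during": during,
        "other_scope": other_scope,
        "after": after,
        "audit_events": [e["event"] for e in broker.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The two details worth noticing are that expiry is enforced at decision time (expired grants are pruned before any match is attempted, so a stale grant can never authorize anything) and that the scope match is exact, so an approved restart does not quietly cover a destructive action on the same system.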
But the paradigm has changed radically since the early days of PAM. PAM was created when the primary concern was the admin, who physically worked within the network. The resources they had access to largely focused on servers, usually located in a data center.
Remote work, hybrid IT environments, and new application types are expanding the attack surface
But now, remote work, hybrid IT environments, and new types of applications and endpoints continue to expand the privileged account attack surface. The number of human and machine identities, endpoints, infrastructure, and apps has exploded. The decentralized way that organizations build and manage applications increases the number of identities in play while making it harder for security to stay on top of organizational risk — with shadow IT challenges caused by various groups bypassing security standards for the sake of agility. With more and more automation and interconnection, there is an increasing risk of data exfiltration and lateral movement.
Meeting compliance standards and avoiding costly data breaches and ransomware attacks demands identity and privileged access controls for all these use cases. Major analysts recognize this evolution in PAM and have expanded their definition to include new use cases such as DevOps and CIEM capabilities.
The problem? Standalone cybersecurity solutions each solve part of the identity challenge, but without coordination or consistency. These disconnected security solutions create inconsistent policies that lead to risky security gaps.
Here are some of the more prevalent problems with standalone security solutions
Multiple vendors mean multiple interfaces, with identity forests, limited integrations, and fragmented reporting. With multiple tools each managing and monitoring different aspects, users are constantly switching screens, which not only wastes time but leads to human error. Siloed tools don’t account for dependencies between IT systems and user behavior. The policies and risk models used by each tool don’t align, which makes measuring risk and tracking progress impossible.
As a result, these disjointed tools don’t provide an accurate view of your risk and can easily miss critical gaps in your privileged access strategy.
Without consistent, accurate data, it’s no wonder many executive teams don’t fully understand or appreciate the scope of privilege security.
These conditions are untenable. They aren’t going to give you the insight or capabilities needed to take immediate, effective actions against cyberattacks. If the industry continues in this vein, we believe more organizations will be impacted by ransomware, and an increasing number of people will be unable to access the services they need.
It’s time for a change.
We believe PAM capabilities that address traditional and emerging use cases should be served from inside one unified interface.
This holistic vision is Extended PAM.
Extended PAM enables comprehensive identity and Privileged Access Management across the full attack surface
Extended PAM redefines PAM to treat all users as privileged users and address complex IT environments. It ensures scalability by treating identity as the common thread for authentication and applying policy-based authorization controls to meet zero trust and least privilege best practices.
Our vision for Extended PAM is:
- To prevent identity/credential theft by increasing visibility and discovery across all human and non-human identities
- To establish controls over all privileged access to restrict unnecessary lateral movement
- To limit privilege escalation by adapting access when and where needed with analytics-informed policies
As this vision rapidly becomes the new reality, we’ll be sharing more stories of how companies realize their goals with Extended PAM.
You’ll see how traditional PAM principles and “PAM-like controls” can be implemented in new places and in new ways. The stories we share will extend the concepts of zero trust and least privilege to even more of the day-to-day process for the modern enterprise.
We’re excited to partner with the growing Delinea customer community to create a more secure future.