To err is human, but to PAM is divine

2 April 2019

Protecting your business from cybersecurity incursions means taking an approach that’s proactive on several different levels.

Over time, the stance required to protect the organization’s network and its intellectual property has changed. A dozen or so years ago, the emphasis was on perimeter protection, like firewalls and intrusion detection systems. In recent years, the cybersecurity focus has shifted to include greater attention to endpoints. After all, technology’s widespread and increasingly portable nature means that potential threats literally walk into the network every day, in the form of memory sticks, laptops, tablets, and ubiquitous smartphones.

As most aspects of our lives now have a digital element (watching TV, buying electricity, banking, food deliveries – the list is endless), the potential for data misappropriation increases. Phishing emails have gained sophistication, and most of us have at one time or another clicked a link (or three) we knew, on reflection, we shouldn’t have. Cybersecurity’s overall strategy has therefore changed to be person-centric, because humans are fallible, and responding to even the most mundane of online messages (one masquerading as being from a delivery service, for instance) can compromise entire organizations.

That may seem like an exaggerated claim, designed to drive readers here towards the nearest cybersecurity expert, and one that can be neatly sidestepped by dismissing it as marketing hype. However, it only takes one member of staff in your organization to enter login credentials into a rogue service (personal or business) to endanger the company that employs them, because those same credentials could be used to access valuable company resources. People have lousy memories, and using the same passwords on multiple accounts is understandable, after all. The same password, even a “strong” one, is no protection at all if a single stolen copy gives access to many different resources, potentially including the employer’s most sensitive services.

There are plenty more risks, too, like passwords shared between employees when details are forgotten, the use of one account by multiple people accessing systems that charge per user (a quick and easy way to keep costs down), and the use of accounts that have been granted administrator access by IT teams keen to solve a problem quickly. It’s on this latter point that Privileged Access Management (PAM) systems and the concepts of least privilege and zero trust can protect, as part of an overall cybersecurity strategy. In fact, a robust deployment of a PAM system – as offered by the companies detailed below – helps solve several of the danger points above. First, though, let’s look at some key ideas.

Zero trust

Zero trust is a default position in terms of permissions that assumes that every device appearing on the network, and every user is authorized to… do nothing. At least, initially. It’s like being able to enter an office foyer, but electronic barriers prevent progression through to the elevators. Providing a simple password at this point is not considered enough, ideally; there must be some form of MFA or 2FA (multi-factor or two-factor) authentication to assure the framework that the credentials are being used genuinely. In our lobby example, that might be an electronic swipe card embedded with information that defines access to certain floors in the building.

In cybersecurity terms, the extra layer of authentication could be a mobile app that’s unlocked with a thumbprint, or a biometric sensor, like facial recognition on a company laptop. The swipe card could be used in this context too – progressive organizations might use the same card for building access as for system access.

However, once identified beyond a reasonable doubt, the user (and/or their devices) should be granted our next important concept, dynamic trust.

Dynamic trust

On occasion, users and devices might need access to highly confidential information. It’s important, however, that once high privilege levels have been issued, they are also rescinded at an appropriate time, preferably by an automated process. That’s an additional layer of complication, and one that changes so constantly that only a fully featured PAM system can cope with it. At scale, having humans grant and revoke access isn’t viable, nor is it a good use of resources.

Granular access

Every application, data repository, or service will need its own level of privilege on a per-person or per-device level. In the analogy of our office building, someone might be granted access up as far as the third floor, but only to rooms 301 through 304. And when in room 304, they might be able to adjust the air conditioning – but be unable to do so anywhere else in the building. Spinning that around to cybersecurity, managers in HR might need high-level access to Finance Department systems as far as setting salaries & bonuses is concerned, but should be unable to raise a purchase order by default. HR interns might need to see salaries (via the same application used by their managers) but not alter them. Moreover, after the intern leaves, all their access privileges should be rescinded across the whole organization.
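The three ideas above (deny by default behind an MFA gate, time-boxed elevation that lapses on its own, and per-role entitlements that are all rescinded on offboarding) can be put together in a small policy check. This is an added example, not code from any of the vendors featured in this article; the role names, permission strings and reference time are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Standing entitlements per role (constructed sample; role and permission
# names are illustrative). Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "hr_manager": {"finance.salary:read", "finance.salary:write"},
    "hr_intern": {"finance.salary:read"},
}

# Constructed reference time so the scenario is reproducible.
T0 = datetime(2019, 4, 2, 9, 0, tzinfo=timezone.utc)

def at(minutes: int) -> datetime:
    """Clock reading `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class Grant:
    """A just-in-time elevation that lapses on its own (dynamic trust)."""
    permission: str
    expires_at: datetime

@dataclass
class Subject:
    roles: set = field(default_factory=set)
    grants: list = field(default_factory=list)
    mfa_verified: bool = False   # zero trust: a password alone is not enough
    active: bool = True          # flipped to False on offboarding

def elevate(subject: Subject, permission: str, now: datetime, ttl_minutes: int = 30) -> None:
    """Issue a time-boxed grant; revocation needs no human follow-up."""
    subject.grants.append(Grant(permission, now + timedelta(minutes=ttl_minutes)))

def offboard(subject: Subject) -> None:
    """Rescind every role and grant across the board when someone leaves."""
    subject.active = False
    subject.roles.clear()
    subject.grants.clear()

def is_permitted(subject: Subject, permission: str, now: datetime) -> bool:
    """Deny by default; allow only via an unexpired grant or a standing role."""
    if not subject.active or not subject.mfa_verified:
        return False
    # Prune lapsed grants automatically instead of relying on an admin.
    subject.grants = [g for g in subject.grants if g.expires_at > now]
    if any(g.permission == permission for g in subject.grants):
        return True
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)
```

The HR manager from the text can write salaries but cannot raise a purchase order unless a grant is issued, and that grant disappears on its own once its TTL passes; offboarding the intern removes even their read access in one step.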

There’s a great deal more to the cybersecurity picture, of course, and PAM does not claim to be an overarching cybersecurity solution. But at its best, it can help to remove almost all elements of human error (and malicious behavior) in a business. Its installation and management are initially complicated, but the chosen suppliers below present what we at TechHQ believe to be the easiest-to-use and yet most secure solutions available today. Ensuring there’s no misuse of accounts, either by accident or design, is something with which the following companies can help.

THYCOTIC

Digital survey and intelligence companies like IDC and Kuppinger Cole use phrases like “a mandatory addition to traditional privilege management systems” and “saves admins the hours of manual labor that would be required to sort through thousands of logs” to describe the Thycotic offerings, but what’s remarkable is the overall solution’s ease of use for administrators and end-users alike. The company, which has offices in the US, Australia, and Europe, provides PAM with several key additions and notable features.

If required, privileges can be elevated at the process level, meaning that it’s essentially the application that’s granted the privileges, so the user can get their work done without interruption. That enhanced level of access – and indeed any level of access across the board – is managed centrally, according to predefined rules, chains of command (letting department heads grant and revoke their staff’s access, for instance), or fully automated, rule-based systems.

The solutions are capable of monitoring privileged access, so anomalous or repeated log-ins to high-level systems are flagged as potentially suspicious, and the platform can identify all services, apps and personnel access levels as they’re deployed and on an ongoing basis, so no loopholes are forgotten and left unprotected.

Read more about Thycotic’s advanced PAM and associated technologies here.

BEYONDTRUST

BeyondTrust’s solution dovetails neatly into an IT support workflow, with remote support of any device connected to the internet, wherever it is in the world. Supporting remote devices and managing remote access privileges is a major headache for IT teams and a key aspect of protecting the enterprise.

Privileged Access Management solutions from BeyondTrust also encompass endpoint management to ensure that users can’t access an organization’s data for which they don’t have privileges. That, for many, is both a security concern and a workflow issue: deleting documents or database rows (or tables!) by accident due to access level mismanagement is the bane of many businesses. BeyondTrust’s solutions include a vulnerability oversight & management facility, so companies get an overview of potential issues already at play in the network: that creates the groundwork for policy formulation, and with the BeyondTrust platform, the wherewithal to remove potential problems before they can create dangerous situations.

Many applications, especially legacy software, have a facility by which passwords or other authentication credentials are presented automatically – almost cookie-like behavior. The BeyondTrust solutions can map this behavior and remove it where necessary, thus putting the onus onto the user’s privilege level, as opposed to every user inheriting the application’s access rights.

CYBERARK

CyberArk’s PAM systems are, like Thycotic’s, available on-prem or in the cloud, and can also be distributed across a hybrid of facilities. That fits in neatly with many organizations’ current security deployments but brings them right up to date. For instance, there may be an internal authentication system that offers single sign-on for LAN users, but cloud-based services provided by third parties may not be protected – an area that has escaped oversight, until now.

The company’s platform covers individual endpoint access and manages all apps, including those involved in the very latest technologies, like container-based development and virtual environments. There’s least-privilege virtual server protection, and specific control for domain controllers, the loss of a single one of which can be disastrous at a stroke.

CyberArk is currently deployed in many blue-chip companies across the world and is in place in over half of the Fortune 500. Its diverse PAM systems are designed to be extensible and customizable, with the industry’s only Privileged Access Security Marketplace, where users can find dozens of joint solutions and plug-ins to integrate and extend the offering as required.

*Some of the companies featured are commercial partners of TechHQ