This article was written by the Center for Digital Government.
How government agencies can protect against devastating cyber threats
Research shows that most of today’s cyberattacks occur when a cybercriminal gains access to a system through stolen credentials. Users with extra privileges, particularly IT administrators, are often targeted by threat actors who steal those privileges to access sensitive information and take control of systems. With an increase in virtual and hybrid work, across both the public and private sectors, these kinds of attacks are only becoming more common.
“We are seeing a surge in the number of ransomware attacks in state and local government,” explains Dan Lohrmann, senior fellow for the Center for Digital Government and field CISO for the public sector at Presidio. “Bad actors are no longer hacking their way into systems to conduct these attacks. They are simply using credentials to gain access to sensitive government data.”
To protect critical systems, cybersecurity leaders at all levels of government must manage and control privileged-user activity.
A Privileged Access Management (PAM) solution helps organizations of all sizes manage and monitor user access, which prevents threat actors from compromising credentials and prevents lateral movement within an organization if cybercriminals do find their way in. Using a clear audit trail and an authentication system, a zero-trust PAM solution helps government leaders ensure that staff only have access to the information they need to do their jobs.
Despite the vast benefits of a PAM solution, most legacy tools are difficult to deploy, complex and extremely expensive.
“Some organizations purchase PAM solutions with many features, but these solutions are only partially deployed, or staff are only using a fraction of the feature set,” says Zane Bond, head of product at Keeper Security.
PAM adoption is widespread throughout state and local governments today. In a recent survey of IT professionals, 91% of respondents said their organizations already use some type of PAM solution. Yet, the desire for simplicity is pervasive, with 87% of respondents saying they would prefer a “pared down” form of PAM that is easier to deploy and use.
With limited budgets, government organizations need to prioritize security while eliminating wasteful spending and optimizing for user adoption. A streamlined, simplified PAM solution allows them to more easily protect against threats while staying within budget.
Zero Trust and Zero Knowledge
With a zero-trust approach to security, end users must continuously verify their identity anytime they want to access new information, rather than relying on a single login.
Similarly, zero knowledge is a security model that utilizes a unique encryption and data segregation framework to protect against remote data breaches. With zero knowledge, data is encrypted and decrypted at the device level, not on the server. The application never receives or stores human-readable plain-text data, meaning only the user can see any unencrypted data.
An effective PAM solution can help government leaders create a zero-trust and zero-knowledge standard across their organizations to prevent data breaches altogether or dramatically decrease their impact if one were to occur.
When deployed properly, the zero-trust model gives IT administrators full visibility into all users, systems and devices; helps ensure compliance with industry and regulatory mandates; and helps prevent cyberattacks caused by compromised user credentials. In the event that a zero-knowledge provider is breached, all the data remains protected. The keys required to decrypt the information are only available to each user on their individual device.
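The zero-knowledge model described above, as an added example that is not part of the original article and not any vendor's implementation: a Node.js sketch in which a record is encrypted on the device and the server holds only ciphertext, so a copy of the server's data does not reveal the secret. The in-memory `serverStore`, the function names and the sample password and credential are assumptions constructed for illustration.

```javascript
// Added illustration of the zero-knowledge model; not any vendor's implementation.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Hypothetical stand-in for the provider's database: it only ever holds
// what the client uploads, which is salt, IV, ciphertext and auth tag.
const serverStore = new Map();

// Device side: derive a 256-bit key from the master password. scrypt is
// deliberately slow so offline guessing against a stolen record is costly.
function deriveKey(masterPassword, salt) {
  return scryptSync(masterPassword, salt, 32);
}

// Device side: encrypt with AES-256-GCM before anything leaves the device.
function sealRecord(masterPassword, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh nonce per record
  const cipher = createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Device side: decrypt a fetched record. Throws if the key is wrong or the
// record was modified, because the GCM tag no longer verifies.
function openRecord(masterPassword, { salt, iv, ct, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Walk through upload, a simulated server breach, and owner access.
function demo() {
  const master = 'correct horse battery staple';       // constructed sample
  const secret = 'svc-admin:Constructed-Example-Pw-1'; // constructed sample
  serverStore.set('alice', sealRecord(master, secret));

  const stolen = serverStore.get('alice'); // everything an intruder would get
  const blob = Buffer.concat([stolen.salt, stolen.iv, stolen.ct, stolen.tag]);
  let attackerRead = true;
  try { openRecord('guessed-password', stolen); } catch { attackerRead = false; }

  return {
    plaintextOnServer: blob.includes(secret),
    attackerRead,
    ownerRead: openRecord(master, stolen) === secret,
  };
}

console.log(demo());
```

A stolen record can still be attacked by offline guessing, so the protection is only as strong as the master password and the key-derivation cost.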
Easy to Deploy
Purchasing, deploying and managing disparate software is cost-prohibitive and doesn’t protect against both internal and external threats. Organizations need a solution that seamlessly and quickly deploys and integrates with any tech or identity stack.
It’s best to adhere to the strictest policy standards for encryption and security. The Federal Risk and Authorization Management Program (FedRAMP) was created by the U.S. government to achieve a standardized approach to security assessment, authorization and continuous monitoring of cloud products and services.
“Getting any software into state and local government can be a challenge. Government leaders should look for vendors that make this process easier by getting the appropriate certifications,” Bond says. A solution that is FedRAMP Authorized, for example, will make it easier for agencies to procure.
A quick-to-deploy solution is also one that integrates easily into an agency’s existing tech stack. Rapid integration ensures seamless collaboration between existing systems and the new tool, maximizing efficiency and effectiveness in safeguarding critical infrastructure and sensitive information. With legacy solutions, staff often struggle to keep applications up to date. They must continuously apply patches and ensure that the system integrates with any new toolsets and systems.
“A modern PAM solution should tie into an organization’s existing portfolio. Staff should not have to install additional software or create separate login control access for each solution,” Bond says.
An agentless PAM solution is even more streamlined. Installing agents onto each device can be a complicated process, especially for heavily controlled environments like high-security government agencies. A solution that uses default, built-in operating system controls creates an easier and more effective deployment process.
PAM in the Cloud
Legacy PAM solutions are often on-premises, requiring organizations to devote time and money to software maintenance. With the rate of staff turnover, this maintenance can become even more difficult.
A cloud-based solution is usually more affordable, making it a particularly appealing option for government agencies with limited budgets. In the cloud, tasks like installing an update become far less cumbersome and time-consuming and require less training for new staff.
While agencies will want to protect their highest-risk assets (particularly IT administrators) first, they can then protect other staff members, including everyone from full-time staff to vendors and contractors. The result is a uniform, centralized strategy for securing all critical accounts and protecting every system within an organization.
A Next-Gen PAM Solution
Today’s IT and security leaders require a PAM solution that combines password, secrets and privileged connection management capabilities, protecting their most sensitive systems with solutions that are quick to deploy, affordable and easy to integrate.
With trained staff and clear policies, implementing the right solution is easy. “It is not enough to tell staff they need to secure their passwords,” Bond says. “Agency leaders must go beyond this and implement a solution that is widely available for employees to use, providing their staff with a simple tool to be secure.”