For managing access to, and protecting, critical resources and information on the corporate network, nothing more consistent has yet been found than the practices of PAM (Privileged Access Management). This set of good practices is embodied in the well-known platforms of the IT industry, today widely recommended and actually deployed.
However, with the multiplication of devices, the dispersion of connection points and an exponential subdivision of access entities and modalities, current PAM strategies are already vulnerable, because their original conception predates this whole scenario, or at least a good part of it.
One of the problems lies in balancing performance, agility, visibility and security. The need to create privileges keeps growing, and the ability to manage passwords and other associated credentials, across the entire cloud, must grow at the same rate. That is not an easy goal to achieve.
Not to mention another impasse that is difficult to resolve: on the one hand, everyone understands that this proliferation of privileged credentials must be curbed (an undeniably correct prudential measure); on the other, the rapid granting of such credentials is crucial to the agility of business processes.
Adding to the strain, in this new "foggy" IT scenario the very notion of a server (or operating system) is losing its validity. It then becomes extremely difficult to follow the entire life cycle of a privileged credential, and perhaps even more difficult to establish a policy for assigning privilege that is both conservative in terms of security and dynamic and flexible with regard to performance.
But there are questions of solution and questions of attitude that should not be separated. The "zero trust" security architecture (in the Google and Forrester versions) makes this clear by establishing that access security platforms, no matter how strict, need to operate in strict combination with orthodox policy mandates.
In other words, instead of giving the manager a "feeling of security", these platforms must demand the establishment of mistrust, end to end across the entire information process, as a requirement for their operation.
Today it is still necessary to admit that there are serious vulnerable points, even in companies with relatively consolidated PAM platforms and policies (or at least "the feeling of" them). Such vulnerabilities are often related to the "modus operandi", and at other times to aspects of CBT, the Total Cost of Change.
It is not absurd to say that a large share of breaches occur (and will continue to occur) not because of a lack of management or adequate tools, but because of the structural situation in which applications find themselves today.
Several examples of breaches of this kind are available online for anyone who wants to check: some quite famous, such as the JP Morgan and Target cases, and countless others that are less noisy but no less impactful, in the world and in Brazil, involving PAM solution customers who became victims of uncorrected obsolescence in old architectures.
For this type of situation, the only prevention and the only remedy is governance, duly accompanied by automation and monitoring of access, something the industry is beginning to call the "operationalization" of the problem.
It was in consideration of these and other aspects that Gartner recently began to recommend abandoning fixed-credential strategies and adopting privileged "just-in-time" access. This means that companies will need to invest in contextual analysis platforms, which will be indispensable for analysing the different dimensions of an access request and for mobilizing and combining the different authentication factors involved in each specific connection.
Security and access managers will therefore need to be able to employ methodologies for building operationalization policies, such as online analysis of the connection flow, the use of access tickets and robotic process automation (RPA), all supported by an identity and access governance (IGA) layer spanning all access and identity management platforms.
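To make the just-in-time model concrete, the following added example (not code from the article, Gartner or Netbr) evaluates an elevation request against a constructed policy: the role must be grantable, an open change ticket must name it, the required authentication factors must all be present, and the resulting lease is time-boxed, so no standing privilege survives the window. Role names, ticket ids and the factor sets are assumptions invented for illustration.

```python
import time
from dataclasses import dataclass

# Constructed policy: grantable roles, the factors each requires, maximum lease.
POLICY = {
    "db-admin":   {"factors": {"password", "hw-token"}, "max_minutes": 30},
    "app-deploy": {"factors": {"password", "otp"},      "max_minutes": 60},
}
# Constructed ticket store: an open change ticket must name the requested role.
OPEN_TICKETS = {"CHG-1001": "db-admin", "CHG-1002": "app-deploy"}
AUDIT = []  # every decision, granted or denied, is recorded for later review


@dataclass(frozen=True)
class Lease:
    user: str
    role: str
    ticket: str
    issued_at: float   # epoch seconds
    expires_at: float  # epoch seconds; the privilege ends here, unconditionally


def request_access(user, role, ticket, factors, minutes, now=None):
    """Evaluate a JIT elevation request; return (Lease or None, reason)."""
    now = time.time() if now is None else now
    rule = POLICY.get(role)
    if rule is None:
        reason = f"role {role!r} is not grantable"
    elif OPEN_TICKETS.get(ticket) != role:
        reason = f"ticket {ticket!r} does not authorise {role!r}"
    elif rule["factors"] - set(factors):
        reason = f"missing factors {sorted(rule['factors'] - set(factors))}"
    elif not 0 < minutes <= rule["max_minutes"]:
        reason = f"lease must be between 1 and {rule['max_minutes']} minutes"
    else:
        lease = Lease(user, role, ticket, now, now + minutes * 60)
        AUDIT.append(("GRANT", user, role, ticket, now))
        return lease, "granted"
    AUDIT.append(("DENY", user, role, ticket, now, reason))
    return None, reason


def authorised(lease, role, now):
    """A lease confers its role only inside its window; nothing is standing."""
    return (lease is not None and lease.role == role
            and lease.issued_at <= now < lease.expires_at)
```

Because every decision lands in `AUDIT` with its reason, the same structure feeds the access monitoring the article calls "operationalization".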
This new proposal for a just-in-time structure (including the redesign of applications) requires that user companies have much greater freedom for the constant adjustment and evolution of their platforms. They will therefore have to adopt a new architecture in which security is built into the infrastructure following the DevOps application model. Only then will they be able to develop accessible tools and interfaces for the various truly secure PAM platforms, whether in the cloud, SaaS or on-premises.
It is with this access-oriented approach to security that Netbr's Brazilian team has been meeting in a working group involving several traditional industry players, bringing together partners' resources, know-how and people.
Disclaimer: The opinion presented in this article is the responsibility of its author and not of ABES, the Brazilian Association of Software Companies.