Easy-to-Implement Privileged Account Governance

Tightly controlled access to data, systems, and software is a cyber security imperative. Yet, companies of all sizes, across all industries, and at varying levels of cyber security competence struggle to manage access policies. When it comes to privileged account management, in particular, the negative repercussions of over-provisioned accounts could be substantial. Administrative rights to critical assets, especially in the hands of an unauthorized or malicious user, could put the company in jeopardy of a data breach which results in productivity delays, financial loss, brand damage, and non-compliance with industry regulations.

Every cyber security professional knows the scope of the problem: 74% of breaches involve access to a privileged account.[i] Forty percent of companies do not have an accurate, up-to-date inventory of how many privileged accounts they have.[ii] Forty-nine percent of companies do not administer strong user access policies.[iii] Still, privileged account management is deprioritized within many organizations.[iv] The reasons are plentiful: staffing issues, resource issues, time pressures, competing priorities, and more. However, the digitalization of business requires security teams to improve governance of access controls. In other words, if only a small number of users possess the keys to the organizational kingdom, and those few key holders, themselves, are strictly monitored, the risk of breach is quickly reduced.

One of the arguments against traditional privileged access management (PAM) is complexity. The applications and systems organizations rely on are constantly increasing in number and changing. Users and their roles and responsibilities also fluctuate, as people come and go and need legitimate access to resources to effectively execute on their job requirements. Nonetheless, security teams must ensure that only authorized users can access authorized resources, and that when access is requested (even by an authorized user), each request is tested for validity. It’s a piece of the zero trust puzzle that companies are beginning to embrace—and one that, if implemented correctly, can significantly decrease the number of security incidents.

A wall of security

WALLIX, an international software company focused on privileged account governance, was founded in 2003 as an IT services company specializing in IT managed services for enterprise organizations. Over the years, WALLIX (the name is a portmanteau that plays off the idea of creating “a wall of security for Unix and Linux”) evolved, first, to offer an open source SSH proxy, then to build the foundations of its current solutions for PAM, session monitoring, and remote access management.

During a recent call with several WALLIX principals, the team explained that the company's flagship platform, the WALLIX Bastion, is built for “ease of use, fast integration, and scalability,” in the words of Didier Lesteven, COO of WALLIX. “It is a modular platform with capabilities for password management, least privilege management, session management, and of course access management. WALLIX’s Bastion is an agentless solution and fully integrates with more than 160 technologies, which means it can be provisioned right into our customers’ workflows.”

It’s the simplicity factor that we heard repeatedly during our time with the team. Deployed as a virtual appliance, WALLIX Bastion plugs into deployed LDAP, MFA, SSO, and AD and is compatible with all major cloud providers. Once installed, all configuration and management can be administered through a web-based interface, or it can be pushed to Active Directory, seamlessly fitting into administrators’ established workflows. From the interface, admins can build and enforce granular password policies per user group, configure resource authorization rules, set up alerts, monitor sessions in real time, and record sessions and extract metadata for audit purposes. The solution includes its own password vault but can also be integrated with third-party password vaults. It helps security teams ensure privileged accounts aren’t abused or misused, and its native capabilities allow admins to automatically rotate privileged users’ passwords and eliminate hard-coded passwords on systems and service-level accounts.

Originally focused on PAM, WALLIX has lately broadened its portfolio to respond to a wider scope of cybersecurity challenges in the protection of identities, access, and data. As the European leader in privileged access management, WALLIX is now positioning itself as a global cybersecurity solutions provider addressing Identity Federation, PAM-PEDM, and EPM markets for end-to-end access security. The company also offers some interesting features specifically addressing Operational Technologies (OT) environments. These technologies enable it to easily address complex environments including Industrial/OT, hybrid clouds, and remote access to critical infrastructure through zero standing privileges and zero trust approaches to securing the digital transformation.

Limiting exposure

Continuing with the idea of zero trust, the WALLIX team said that the platform limits resource visibility via account segregation, thereby reducing the possibility of breach by an unauthorized user. Further, through user behavior analysis, Bastion can distinguish permitted from suspicious activity (including unusual command lines and unapproved applications) and terminate sessions when that activity is deemed malicious.

In a very crowded market, WALLIX appears to include all the requisite capabilities of a PAM solution. In addition, WALLIX’s Bastion, BestSafe, and Trustelem solutions knock on the door of zero trust, making it an excellent option for companies looking to better control resource access without ripping and replacing existing infrastructure. While WALLIX, perhaps, currently has greater market presence in Europe, the company maintains worldwide offices and offers its solutions portfolio primarily through a huge reseller network. With more than 1,000 customers worldwide, in sectors including critical infrastructure, finance, and healthcare, WALLIX is not a fly-by-night PAM player and deserves a look.

___________________________________________________________________

[i] https://www.finnpartners.com/

[ii] https://enterprise.verizon.com/resources/reports/dbir/

[iii] https://www.ponemon.org/blog

[iv] https://www.helpnetsecurity.com/2019/05/30/iam-pam-processes/