In the Devolutions State of IT Security in SMBs in 2022-23 survey [report now available!], we asked executives and decision-makers in SMBs to share how they are approaching, handling, and experiencing privileged access management (PAM) in their companies. Here is what we learned, the common challenge that many SMBs face, and what we recommend.
Table of Contents
- Key Findings from the Survey
- Problems Using a Federated System
- What SMBs Should Look for in a Robust PAM Solution
- Benefits of Fully Implementing a PAM Solution
Key Findings from the Survey
- 98% of SMBs are managing privileged accounts, yet only 12% have a fully deployed PAM solution in place. That leaves 88% less secure than they may believe. Even more alarming, 52% of SMBs have not implemented any PAM controls at all.
- The two most common reasons why the majority of SMBs do not have a fully-deployed PAM solution in place are that they do not have enough budget (28%), and that PAM is too complex to implement and manage (12%).
- The three most important features that SMBs want in a PAM solution are: automatically expiring privileged access, built-in MFA, and password rotation/reset.
- 15% of SMBs credit PAM controls for enhancing their approval workflow, improving productivity, and overall accelerating the velocity of work. A further 22% of SMBs did not experience any post-PAM impact (negative or positive), and 11% said that they experienced some drawbacks.
Problems Using a Federated System
To protect the valuable data and assets in their privileged accounts — a.k.a. “the keys to the kingdom” — SMBs need to establish and enforce both parts of the Identity and Access Management equation:
- Identity management is concerned with WHO an end user is (authentication).
- Access management is concerned with WHAT an end user is authorized to do (authorization).
However, a common challenge is that certain technologies, such as legacy systems, phones, and cameras, cannot participate in a federated identity system: they have no way to consume the identities the IAM system issues and instead rely on their own local credentials.
So why don't SMBs solve this by manually creating and maintaining a unique, individual account for each user on each of these systems? While this is technically possible, in practice it is highly impractical considering the volume and variety of privileged account types that typically exist in the environment, such as:
- Domain Administrator Accounts
- Local Administrator Accounts
- Emergency Access Accounts
- Application Accounts
- System Accounts
- Domain Service Accounts
Fortunately, there is a proven solution to this challenge: SMBs should fully implement a PAM solution that bridges the gap between authentication and authorization, and extends the protection offered by an IAM system into the non-federated identity space.
What SMBs Should Look for in a Robust PAM Solution
SMBs should focus on a robust PAM solution that offers all of the following:
- A vault that stores passwords (and other sensitive data, such as building alarm codes, software license keys, etc.), and which is securely shared between multiple end-users.
- Account checkout, which allows Admins to grant or reject an access request on a case-by-case basis, and if necessary, set time limits.
- Notifications that alert Admins when certain events or actions take place involving end users, roles, vaults, etc.
- Automated mandatory password rotation.
- Account brokering, which automates workflows (e.g., opening a VPN client, launching a remote access protocol, and accessing a privileged account) without providing end-users with passwords in the first place.
- Session activity recording.
- Credential rotation at the end of every RDP check-out (i.e., on check-in), so that an RDP credential captured during a session cannot be reused afterwards. Combined with account brokering, the credential is never handed to the end user at all: the PAM solution authenticates on their behalf, and the password is rotated once the session is checked back in.
- Ease-of-deployment and management.
- Affordably priced to suit SMB IT security budgets, which are significantly smaller than large enterprise budgets.
In addition to the above, some more sophisticated PAM solutions support privileged session management (PSM), which uses a specialized server that brokers authentication behind the scenes and can also record the activity of remote sessions. PSM is especially important for SMBs that have contractors and "boomerang" employees (i.e., employees who leave the organization and then return). These end users typically need more scrutiny and more tightly limited access.
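To make the checkout, brokering, and rotation behaviour described in the list above concrete, here is a small added example in Python. It is illustrative code written for this article, not Devolutions' own code or any real PAM product's API; the `Vault`, `TargetSystem`, and `Lease` names, the simulated clock, and the sample `camera-admin` account are all made up for the demonstration. The target stands in for a device that cannot join a federated identity system and only knows a local admin password.

```python
# Added example, not Devolutions' code: a minimal model of PAM account checkout
# with a time-limited lease, brokered use of the credential (the user never sees
# the password), and mandatory rotation on check-in and on lease expiry.
# All class and account names below are invented for illustration.
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class TargetSystem:
    """Stand-in for a non-federated device (camera, legacy host) with a local admin login."""

    def __init__(self, account: str, password: str) -> None:
        self._creds = {account: password}

    def authenticate(self, account: str, password: str) -> bool:
        return secrets.compare_digest(self._creds.get(account, ""), password)

    def set_password(self, account: str, new_password: str) -> None:
        self._creds[account] = new_password


class Lease:
    """What the user actually receives: an opaque handle, not the password."""

    def __init__(self, account: str, user: str, expires_at: int) -> None:
        self.account, self.user, self.expires_at = account, user, expires_at
        self.token = secrets.token_urlsafe(16)


class CheckoutError(Exception):
    pass


class Vault:
    def __init__(self) -> None:
        self.clock = 0                      # simulated seconds, so the example runs offline
        self._passwords: dict[str, str] = {}
        self._targets: dict[str, TargetSystem] = {}
        self._leases: dict[str, Lease] = {}  # account -> the single active lease
        self.audit_log: list[str] = []

    def enroll(self, account: str, target: TargetSystem) -> None:
        """Bring an account under management and rotate it at once, so the
        pre-PAM password (possibly known to many people) stops working."""
        self._targets[account] = target
        self._rotate(account, "enrolled")

    def check_out(self, account: str, user: str, ttl: int) -> Lease:
        self._expire_leases()
        if account in self._leases:           # checkout is exclusive
            raise CheckoutError(f"{account} already checked out by {self._leases[account].user}")
        lease = Lease(account, user, self.clock + ttl)
        self._leases[account] = lease
        self._log(f"checkout {account} by {user}, ttl={ttl}s")
        return lease

    def broker_login(self, lease: Lease) -> bool:
        """Authenticate to the target on the user's behalf; the password stays in the vault."""
        self._expire_leases()
        active = self._leases.get(lease.account)
        if active is None or active.token != lease.token:
            self._log(f"denied login {lease.account}: no active lease")
            return False
        ok = self._targets[lease.account].authenticate(lease.account, self._passwords[lease.account])
        self._log(f"brokered login {lease.account} by {lease.user}: {'ok' if ok else 'failed'}")
        return ok

    def check_in(self, lease: Lease) -> None:
        active = self._leases.get(lease.account)
        if active is not None and active.token == lease.token:
            del self._leases[lease.account]
            self._log(f"checkin {lease.account} by {lease.user}")
            self._rotate(lease.account, "check-in")

    def tick(self, seconds: int) -> None:
        self.clock += seconds
        self._expire_leases()

    def _expire_leases(self) -> None:
        for account, lease in list(self._leases.items()):
            if lease.expires_at <= self.clock:  # automatic expiry of privileged access
                del self._leases[account]
                self._log(f"lease expired {account} ({lease.user})")
                self._rotate(account, "lease expired")

    def _rotate(self, account: str, reason: str) -> None:
        new_password = generate_password()
        self._targets[account].set_password(account, new_password)  # change the target first,
        self._passwords[account] = new_password                       # then the vault copy
        self._log(f"rotated {account} ({reason})")

    def _log(self, msg: str) -> None:
        self.audit_log.append(f"t={self.clock:>5}s {msg}")


def demo() -> dict:
    """Walk one account through the lifecycle and return the facts worth checking."""
    target = TargetSystem("camera-admin", "Factory123")  # constructed sample data
    vault = Vault()
    vault.enroll("camera-admin", target)
    results = {"pre_pam_still_works": target.authenticate("camera-admin", "Factory123")}
    lease = vault.check_out("camera-admin", "alice", ttl=900)
    results["login_ok"] = vault.broker_login(lease)
    leaked = vault._passwords["camera-admin"]        # pretend alice scraped it mid-session
    try:
        vault.check_out("camera-admin", "bob", ttl=900)
        results["exclusive"] = False
    except CheckoutError:
        results["exclusive"] = True
    vault.check_in(lease)
    results["leaked_still_works"] = target.authenticate("camera-admin", leaked)
    results["login_after_checkin"] = vault.broker_login(lease)
    lease2 = vault.check_out("camera-admin", "bob", ttl=600)
    vault.tick(601)                                   # bob never checks in
    results["login_after_expiry"] = vault.broker_login(lease2)
    results["audit_log"] = vault.audit_log
    return results


if __name__ == "__main__":
    print("\n".join(demo()["audit_log"]))
```

Running `demo()` shows the three properties the list above asks for: checkout is exclusive and time-limited, the end user only ever holds a lease token while the broker authenticates with the vaulted password, and a password captured during a session is useless once the account is checked in or the lease expires because the target and the vault are rotated together. A real deployment would replace the simulated clock and `TargetSystem` with the device's actual password-change interface and would persist the audit log, but the control flow is the same.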
Benefits of Fully Implementing a PAM Solution
By fully implementing a robust PAM solution, SMBs will effectively and sustainably:
- Reduce security risks.
- Shrink the overall size of the attack surface.
- Lower operational costs and complexity.
- Increase visibility and situational awareness.
- Improve regulatory compliance.
In our next deep dive into the Devolutions State of IT Security in SMBs in 2022-23 Survey report, we will look at how SMBs are prioritizing, implementing, and measuring efforts to improve IT security awareness, and how they can improve this area to strengthen the “weakest link” in the IT security defense chain: end users.