October 30, 2023

Still a software developer at heart, I am the products VP at Devolutions, tasked with helping our corporate customers in using our products efficiently, and making sure that our products fulfill their needs by monitoring our workspace in the IT industry. I have worked many years in the Medical Software field, and was 'that' Dev who was always taking care of the network infrastructure because... well... we could not afford to hire an IT guy. This makes me especially in tune with the business requirements of IT staff. Some would say I know just enough to be dangerous, but that's another story...

View more posts

Need Cybersecurity Insurance? Then You Probably Need PAM, Too

Summary

A growing number of cybersecurity insurance providers are requiring that companies have privileged access management (PAM) controls as a pre-condition for getting coverage. In this article, we explore why insurance companies are taking this position, and highlight the PAM controls they are looking for.

Table of Contents

Robust? Yes. But Impenetrable? No.
The Rise of Cybersecurity Insurance
Cybersecurity Insurance Providers: “Show Us the PAM!”
What Do Insurance Providers Want?
How Devolutions' PAM Solution Can Help
The Final Word

This latest dispatch from the cybersecurity landscape has some good news… and some bad news. As per tradition, we’ll first deal with the negative before pivoting to the positive.

Robust? Yes. But Impenetrable? No.

The bad news is that regardless of how robust, up-to-date, and comprehensive a company’s cybersecurity profile might be, it can never be absolutely 100% airtight and ironclad at all times and in all ways. Given enough time and resources, hackers can exploit any threat vector and defeat any defense mechanism.

And while they may never get their hands on the “crown jewels” (i.e., highly valuable confidential or proprietary data), hackers can still inflict a huge financial toll and wreak plenty of havoc. The average cost of a cyberattack now ranges between $120,000 to $1.24 million per incident for small businesses (all figures in this article are USD), and $4.54 million per incident for large enterprises. What’s more, 60% of small businesses shut down within six months of getting hacked.

The Rise of Cybersecurity Insurance

Now, for the good news: some companies that fall victim to a cyberattack may not be obliged to pay an enormous — and in some cases prohibitive — price to investigate and clean up the wreckage, and (as applicable) cover associated costs such as fines, settlements, lawsuit judgements, and reputation rehabilitation. What is this magical thing that prevents companies from a cyberattack nightmare that could last for weeks, months, or even years? Behold, in all of its underwriting glory, the hero known as cybersecurity insurance.

Cybersecurity Insurance Providers: “Show Us the PAM!”

Cybersecurity insurance isn’t a new thing; its earliest form dates back to 1997 (when it was dubbed “cyber insurance”). However, what has emerged in recent years is the role and importance of privileged access management (PAM).

Just as most car insurance providers require that motorists use anti-theft safeguards like alarms and immobilizers, a growing number of cybersecurity insurance providers are insisting that, as a condition of coverage, companies have strong PAM controls in place. And indeed, insurance companies are correct in viewing the roster of privileged account types as a major — and often poorly or wholly unguarded — threat vector. Consider that:

74% of data breaches start with privileged credential abuse.
The gradual accumulation of access rights beyond what an employee needs to perform his job — better known as “privilege creep” — is responsible for 20% of breaches.
55% of organizations don’t know how many privileged accounts they have or where they are located.
Over 50% of privileged accounts never expire or get deprovisioned.

As noted by SecurityWeek.com in an article about the global cybersecurity insurance industry, which is currently valued at $13.9 billion and projected to climb 20.7% by 2032: “One of the strongest likelihoods over the coming years is the growth of cybersecurity requirement impositions; that is, insurers will decline coverage unless the insured conforms to a specified security posture.”

Obviously, strong PAM controls will not be the only “specific security posture” that insurance companies insist upon as a pre-condition for getting coverage. However, there is no doubt that PAM will soon be (if it is not already) viewed not just as a best practice, but as a fundamental necessity.

What Do Insurance Providers Want?

PAM requirements vary across insurance providers. Generally, however, they want to know that companies have minimum control, but preferably advanced controls, in place. Here is a summary of both control levels:

Minimum PAM Control Level Tools & Tactics	Advanced PAM Control Level Tools & Tactics
Enforce multi-factor authentication (MFA) for remote access, either through built-in functionality or integration with third-party tools. Note that SMS-based MFA is being phased out due to the volume of successful SIM-swap attacks.	Implement advanced authentication options such as number matching for all users – not just privileged users. Basic MFA, which was introduced in 2016, is now widely viewed by security experts as insecure.
Enforce the principle of least privilege (POLP), in which end users are only given the access rights they need to carry out their day-to-day tasks. POLP is also critical for preventing the above-noted “privilege creep,” and controlling access to pre-staged privilege accounts reduces the attack surface and maintains compliance with POLP.	Implement Just-In-Time (JIT) privilege elevation, which reduces risks even further by transforming previously high-privilege accounts into ZERO-STANDING-PRIVILEGE accounts. Rather than being exposed 24/7/365, privileged accounts have assigned roles only for the duration of the task at hand.
Update default administrator accounts and configurations, in order to prevent bad actors from taking advantage of commonly available credentials.	Control access to PAM accounts via robust check-out capabilities. This should include built-in approvals to minimize who may request access to a privileged account, and for how long. Incorporating JIT privilege elevation at check-out time also enhances user productivity.
Remove local administrator rights as required on desktops/laptops, and manage local workstation accounts.	Implement JIT user provisioning, which is the next step in JIT privilege elevation. Create privileged accounts as needed for a specific duration, and totally remove them with operations are completed.
Prevent long-running remote access sessions with appropriate session timeouts. A privileged session should only be open for as long as necessary.
Instead of using ultra-powerful administrator accounts, create multiple privileged accounts that establish the permission requirements for each system that administrators must access.

How Devolutions' PAM Solution Can Help

Securing and managing access to privileged accounts is crucial to any organization's security strategy. Privileged access management solutions should provide, at a minimum:

A secured vault for storing privileged data.
A means of enforcing least-privilege principles by delegating actions using role-based access controls.
A method of monitoring and reporting actions for audit and compliance requirements.

Even though a wide variety of PAM providers currently exist, the majority of them were developed to meet the needs of large enterprises. Often, administrators in SMBs find these systems difficult to implement, too complex for end users, and far in excess of their already-strained budgets. This leaves many SMBs without the tools they need to effectively protect the organization's privileged assets.

Devolutions is committed to closing this gap. Here are some of the features that our PAM solution delivers:

Privileged Account Discovery: Automatically scan to discover privileged accounts (user, system, admin, service, database, etc.) from your provider(s).
Automatic and Scheduled Password Rotation: Enforce password rotation upon check-in of a privileged account, or schedule password rotations. This changes both the system and Devolutions Server credentials.
Secure Credential Injection: Inject credentials into remote sessions, without the user knowing the password.
Checkout Request Approval: Users can easily ask admins for permission to check out privileged accounts. Admins are automatically notified and can grant/reject the request as appropriate.

In addition, we are excited to share that JIT provisioning is on our roadmap, and we expect to make significant progress in the months ahead. Currently, our PAM solution supports JIT permission elevation for both Azure and on-premise AD.

Learn more about Devolutions' PAM solution: Privileged Access Management

The Final Word

The growing wave and staggering price of cybercrime is something that SMBs cannot afford to ignore, because contrary to popular belief, SMBs are not too small to be attacked. In fact, compared to larger enterprises, SMBs' relatively weaker defenses make them an attractive and lucrative target.

The grim reality is that companies should no longer ask, “What IF we get hacked?” but instead “How do we minimize the cost and consequences WHEN we get hacked?” Cybersecurity insurance rooted in strong PAM controls can help companies move forward and face the future with clarity and confidence, rather than through confusion and fear.