Implementing PAM to Achieve Zero Trust Security Principles
26 April 2023

The concept of zero trust security has been around for over a decade, with Forrester Research Inc. coining the term back in 2010. Originally, zero trust was synonymous with micro-segmentation, which creates secure zones in data centers and cloud deployments to isolate workloads and protect them individually. This approach is appealing because traditional security perimeters are no longer effective as cybersecurity controls: rapidly evolving technologies like cloud, mobile, and virtualization have blurred organizational security boundaries.

Delinea highly recommends a risk-based approach to implementing zero trust security and Privileged Access Management (PAM). Delinea follows Forrester’s ZTX technology controls, which provide a roadmap for addressing key areas. The first quick win in PAM is changing default IDs and passwords for built-in privileged accounts, which maps to the ZTX identity security control. Implementing least privilege controls on endpoint devices like laptops and workstations, such as locking down local admin accounts and granting access to elevated permissions via workflow approval, is another quick win that maps to the ZTX device security control.

The next major area of risk to address is controlling privileged access to an organization’s most business-critical systems, applications, and data. This requires a combination of vaulting and server-level privilege elevation, mapping to the ZTX identity, application, and data security controls. It is crucial to determine which privileged accounts have access to these systems, who has access to those accounts, and when and where access typically occurs.

To protect high-risk accounts, credentials should be kept in an encrypted vault to prevent sharing or reuse, and at least two-factor authentication should be used to access the vault. Credentials should also be rotated frequently, and access should be restricted by time and location. These vaulted accounts should only be used for emergency break-glass situations, and day-to-day administrative tasks should be performed using low-privilege individual accounts. Combining privilege elevation with MFA on server login and access request workflows can further reduce risk.

Creating new privileged accounts is a common tactic used by attackers to move laterally and avoid detection, so it is essential to strictly control the process for creating new privileged accounts. This maps to the ZTX security automation control. All privileged account activity for critical systems should be monitored and recorded, which can be done at the vault/proxy level for sessions initiated from the vault. If an attacker circumvents the vault, session recording on each server is needed to ensure full visibility, mapping to the ZTX security analytics control. Recorded session data is valuable in investigating the cause of a breach.
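As an added illustration (not code from this article or from Delinea), the detection routine below walks constructed Linux auth-log lines and flags the account-creation patterns the paragraph says to watch for: a new UID-0 account, an account created outside the change window, and an account elevated into a privileged group within minutes of being created. The log format (shadow-utils style), the privileged group names and the change window are assumptions.

```python
import re
from datetime import datetime

PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "admin"}

# Constructed sample auth-log lines in shadow-utils style (not from a real host).
SAMPLE_LOG = """\
Apr 26 09:02:11 srv1 useradd[3001]: new user: name=alice, UID=1008, GID=1008, home=/home/alice, shell=/bin/bash
Apr 26 03:14:02 srv1 useradd[2211]: new user: name=svc_bak, UID=1007, GID=1007, home=/home/svc_bak, shell=/bin/bash
Apr 26 03:14:05 srv1 usermod[2215]: add 'svc_bak' to group 'sudo'
Apr 26 03:20:40 srv1 useradd[2290]: new user: name=toor, UID=0, GID=0, home=/root, shell=/bin/bash
Apr 26 14:30:00 srv1 usermod[4100]: add 'bob' to group 'developers'
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
NEW_USER = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
ADD_GROUP = re.compile(TS + r" \S+ usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")

def _ts(text, year=2023):
    # syslog timestamps carry no year; one is assumed for the sample
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def detect_privileged_account_creation(log, change_window=(8, 18), correlate_minutes=10):
    """Return alerts for account creations and group changes that violate policy.
    change_window: hours (start, end) during which account changes are expected.
    correlate_minutes: creation-to-elevation gap that is treated as suspicious.
    """
    alerts, created = [], {}
    for line in log.splitlines():
        m = NEW_USER.match(line)
        if m:
            ts, name, uid = _ts(m["ts"]), m["name"], int(m["uid"])
            created[name] = ts
            if uid == 0:  # a second UID-0 account is never part of a normal change
                alerts.append({"severity": "critical", "user": name, "reason": "new account with UID 0"})
            if not change_window[0] <= ts.hour < change_window[1]:
                alerts.append({"severity": "medium", "user": name, "reason": "account created outside change window"})
            continue
        m = ADD_GROUP.match(line)
        if m and m["group"] in PRIVILEGED_GROUPS:
            ts, name, group = _ts(m["ts"]), m["name"], m["group"]
            age = (ts - created[name]).total_seconds() / 60 if name in created else None
            if age is not None and age <= correlate_minutes:
                # create-then-elevate within minutes is the lateral-movement pattern to catch
                alerts.append({"severity": "high", "user": name, "reason": f"added to '{group}' {age:.1f} min after creation"})
            else:
                alerts.append({"severity": "medium", "user": name, "reason": f"added to privileged group '{group}'"})
    return alerts
```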

Delinea believes that trust classifications should be dynamic and adaptive to business risks. Cybersecurity classifications of trust and accepted risk should have policies or rules for identities, services, applications, data, and systems. For instance, a policy of “always verify” and “always monitor” can be implemented for third-party vendors or contractor identities. Internal employee classifications can be adaptive based on the sensitivity of the data being accessed, with an “always verify” policy requiring credentials and multi-factor authentication and an “always monitor” policy auditing and recording all activity.
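An added example, not from this article or from any Delinea product, that renders the classification policies of this paragraph together with the vault restrictions described earlier as a single policy-decision function: third-party identities always verify and always monitor, employees adapt to the sensitivity of the data requested, and vaulted break-glass accounts require MFA and are restricted by hour and source network. The sensitivity levels, identity classes and field names are assumptions.

```python
# Constructed classification scheme illustrating the policies in the text
# (not Delinea's product configuration and not Forrester's ZTX model itself).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
THIRD_PARTY = {"contractor", "vendor"}

def _deny(reason):
    # a denied request is still verified and recorded
    return {"allow": False, "verify": True, "monitor": True, "reasons": [reason]}

def access_decision(identity, resource, request_hour, source_network, mfa_verified):
    """Return the controls to apply to one access request.
    identity: {"name": str, "class": "employee"|"contractor"|"vendor", "vaulted_admin": bool}
    resource: {"name": str, "sensitivity": str, "allowed_hours": (start, end), "allowed_networks": set}
    request_hour: hour of day (0-23) at which the request is made
    """
    reasons = []
    level = SENSITIVITY[resource["sensitivity"]]
    if identity["class"] in THIRD_PARTY:
        verify, monitor = True, True  # third parties: always verify, always monitor
        reasons.append("third-party identity")
    else:
        verify = level >= SENSITIVITY["confidential"]  # employees: adaptive by data sensitivity
        monitor = level >= SENSITIVITY["internal"]
        reasons.append(f"employee access to {resource['sensitivity']} data")
    if identity.get("vaulted_admin"):
        # vaulted break-glass accounts: MFA plus time and location restrictions, always recorded
        verify, monitor = True, True
        start, end = resource["allowed_hours"]
        if not start <= request_hour < end:
            return _deny("vaulted account used outside allowed hours")
        if source_network not in resource["allowed_networks"]:
            return _deny(f"vaulted account used from unapproved network {source_network}")
        reasons.append("vaulted break-glass account")
    if verify and not mfa_verified:
        return _deny("MFA required but not presented")
    return {"allow": True, "verify": verify, "monitor": monitor, "reasons": reasons}
```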

Zero trust is about granting appropriate access to critical assets. Organizations start their journey to zero trust security by prioritizing high-risk areas, such as supply chain, contractors, temporary employees, sensitive networks, and privileged accounts. This initial step helps reduce the risk of attackers abusing accounts that may have less security or visibility. Zero trust is the baseline from which organizations can build trust scores to determine how much security is required for appropriate access to internal networks and systems. Depending on the level of security and control needed, zero trust controls can be implemented broadly or specifically, creating different levels of trust verification at the micro-segment or individual asset level.

Considering this solution for your organisation? DataGroupIT is Africa’s leading Value-Added Distributor (VAD). By partnering with the best selection of established and emerging technology vendors across the globe, we provide complex solutions for any size business, including Enterprise and SME markets across the African continent.

Our product portfolio offers comprehensive solutions for IT Security, Infrastructure and Enterprise Software.

We are fully committed to our business partners. Channel and vendor success is our #1 mission. Our professional teams across Africa deliver exceptional sales, presale, logistic, marketing and financial support that create the ultimate platform to accelerate our business partners’ success.

Speak to us today to find out more about this solution and more.

Post by: DGITUser