Don’t Rely Solely on Privileged Access Management (PAM) To Secure Your Accounts

The only way to protect against a privileged account access attack is to ensure that only authorized users gain access to privileged accounts

Imagine burglars have stolen the keys to your home, which they then use to get inside and take whatever they want without being detected. A privileged account access breach is a bit like this. Cybercriminals can gain access to a privileged account from which they can steal confidential information and disrupt the normal operations of your business. 

The only way to protect against this type of attack is to ensure that only authorized users gain access to privileged accounts. And while Privileged Access Management (PAM) can help reduce risks, it also provides security teams with a false sense of security.

The Limitations of PAM

There are two types of privileged accounts: administrative privileged accounts and data-privileged accounts. Administrative privileged accounts are those with elevated access rights, such as administrator accounts, root accounts, or service accounts. By contrast, data-privileged accounts only have access to the sensitive data and information that relates to the user’s job role, such as an HR manager who can only access employee data or a finance manager who can only access financial information.

The issue with PAM is that typically it only protects administrative privileged accounts. This leaves an enormous security hole with data-privileged accounts, which remain under-protected and vulnerable to attackers. 

For example, the code below shows how to find administrative privileged accounts in Azure Active Directory that don't have multifactor authentication enabled, accounts that may be vulnerable. The problem is that this method only helps you discover administrative privileged accounts and, again, does nothing to protect data-privileged accounts.

Detect Unprotected Administrative Privileged Accounts

# Import the MSOnline PowerShell module. The AzureAD module's Get-AzureADUser does not
# return StrongAuthenticationMethods, so the MFA check has to use Get-MsolUser.
Import-Module MSOnline

# Connect to Azure AD
Connect-MsolService

# Get all Azure AD users
$users = Get-MsolUser -All

# Collect the object IDs of every member of every directory (admin) role
$adminIds = Get-MsolRole |
    ForEach-Object { Get-MsolRoleMember -RoleObjectId $_.ObjectId -All } |
    Select-Object -ExpandProperty ObjectId -Unique

# Get admin users that have no MFA method registered
$nonMfaAdmins = $users | Where-Object {
    ($_.StrongAuthenticationMethods.Count -eq 0) -and ($adminIds -contains $_.ObjectId)
}

# Display results
$nonMfaAdmins | Select-Object DisplayName, UserPrincipalName, StrongAuthenticationMethods

If we continue with the analogy of your house keys, while PAM may keep your front door safe, it doesn’t protect your windows or basement. What’s more, some estimates suggest that for every administrative privileged account, there are 25 data-privileged accounts, so PAM leaves many more privileged access accounts vulnerable than protected. If you had a firewall that only blocked a minority of attacks, you would consider it broken.   

One of the major vulnerabilities of data-privileged accounts is that they often fall outside of an organization’s MFA policy. Security teams will often only require MFA on administrative privileged accounts, as they may be unaware of the true extent of data-privileged accounts within their organization and what these user accounts have access to. What’s more, given the negative pushback from users that many security teams get when mandating MFA, this can add extra incentive to only protect the small number of administrative privileged accounts within an organization.

How To Solve These Limitations

The problem that many security teams face is that it’s difficult to keep track of every data-privileged account and what these accounts have access to. And the bigger the organization, the harder the task becomes. You then need to add into the equation changes in job roles, employee off-boarding, and numerous other day-to-day business activities that impact user access requirements, and it becomes impossible to monitor manually. 

The code below for Azure Active Directory allows you to find all accounts that are not protected by multifactor authentication and, therefore, may be more vulnerable to attack. It's just as important to protect these accounts as admin accounts since some might be data-privileged.

Detect Unprotected Accounts

# Import the MSOnline PowerShell module (Get-MsolUser exposes StrongAuthenticationMethods)
Import-Module MSOnline

# Connect to Azure AD
Connect-MsolService

# Get all Azure AD users
$users = Get-MsolUser -All

# Get users that have no MFA method registered
$nonMfaUsers = $users | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 }

# Display non-MFA users
$nonMfaUsers | Select-Object DisplayName, UserPrincipalName, StrongAuthenticationMethods

However, with advancements in AI tools, it’s now possible to classify and map an organization's confidential data in motion and use it to autonomously detect data-privileged accounts. Regularly scanning for these accounts can then become part of an organization’s routine security processes. 

Once an organization has oversight of every privileged access account, both administrative and data-privileged accounts, it can then start devising and implementing a strategy that closes down existing vulnerabilities. The first place to start with this is to mandate MFA across all data-privileged accounts and educate these users as to why this is necessary. 

Also, once an organization has oversight of all data-privileged accounts, periodic reviews can be carried out at the departmental level, where line managers review the access levels of each of their team members. Often, employees will have the wrong level of access for their job role as they move around an organization, so AI-powered privileged account analysis combined with human reviews can solve this business problem. 

What’s more, many organizations' offboarding processes are inefficient, meaning ex-employees still have access to their data-privileged accounts long after they leave. Again, regular scanning and identification of these accounts will help to identify these vulnerabilities, so security teams are not put at risk by other internal departments not following the correct procedures when employees leave an organization.    
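Once the inventory described above exists, the MFA mandate, the departmental review, and the leaver check can be scripted as one report. The following is an added example, not code from the original post, in the same PowerShell the post uses; the group names, the owning departments, and the HasLeft flag are assumptions, and the input is constructed sample data rather than tenant output.

```powershell
# Which groups grant data-privileged access and which department owns each one.
# Assumption for this example: replace with your own group names and owners.
$SensitiveGroups = @{
    'HR-EmployeeData' = 'Human Resources'
    'Finance-Ledger'  = 'Finance'
}

# Emit one finding per gap: a data-privileged user without MFA, a leaver who still
# holds sensitive group membership, or access that belongs to another department.
function Get-AccessReviewFindings {
    param([Parameter(Mandatory)] [object[]] $Users)
    foreach ($u in $Users) {
        $sensitive = @($u.Groups | Where-Object { $SensitiveGroups.ContainsKey($_) })
        if ($sensitive.Count -eq 0) { continue }   # not data-privileged: nothing to review
        if ($u.MfaMethodCount -eq 0) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Department = $u.Department
                               Finding = 'DataPrivilegedWithoutMFA'; Detail = ($sensitive -join ', ') }
        }
        if ($u.HasLeft) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Department = $u.Department
                               Finding = 'LeaverStillHasAccess'; Detail = ($sensitive -join ', ') }
        }
        foreach ($g in $sensitive) {
            if ($SensitiveGroups[$g] -ne $u.Department) {
                [pscustomobject]@{ User = $u.UserPrincipalName; Department = $u.Department
                                   Finding = 'AccessOutsideDepartment'; Detail = $g }
            }
        }
    }
}

# Constructed sample input (not real accounts). In a tenant you would build the same
# objects from Get-MsolUser (StrongAuthenticationMethods.Count) and Get-MsolGroupMember,
# with HasLeft taken from your HR leaver feed (assumption).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; Department = 'Human Resources'; Groups = @('HR-EmployeeData'); MfaMethodCount = 2; HasLeft = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   Department = 'Finance';         Groups = @('Finance-Ledger');  MfaMethodCount = 0; HasLeft = $false }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; Department = 'Marketing';       Groups = @('Finance-Ledger');  MfaMethodCount = 1; HasLeft = $false }
    [pscustomobject]@{ UserPrincipalName = 'dave@example.com';  Department = 'Human Resources'; Groups = @('HR-EmployeeData'); MfaMethodCount = 1; HasLeft = $true }
    [pscustomobject]@{ UserPrincipalName = 'erin@example.com';  Department = 'Sales';           Groups = @();                  MfaMethodCount = 0; HasLeft = $false }
)

# Grouped by department so each line manager reviews only their own team's findings
Get-AccessReviewFindings -Users $sample | Sort-Object Department, Finding | Format-Table -AutoSize
```

Erin produces no finding because she holds no sensitive group membership; a user like her without MFA is a general hygiene issue, not a data-privileged one, which is the distinction the post draws.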

To finish with our analogy, by combining PAM with AI-powered data-privileged account detection and classification, you’re not only protecting your front door from unauthorized access, but you’re also securing all other entry points into the organization. 


We provide consulting, implementation, and management services on DevOps, DevSecOps, Cloud, Automated Ops, Microservices, Infrastructure, and Security.

Services offered by us: https://www.zippyops.com/services

Our Products: https://www.zippyops.com/products

Our Solutions: https://www.zippyops.com/solutions

For demos and videos, check out our YouTube playlist: https://www.youtube.com/watch?v=4FYvPooN_Tg&list=PLCJ3JpanNyCfXlHahZhYgJH9-rV6ouPro

If this seems interesting, please email us at [email protected] for a call.

