Privilege Elevation for Workstations and Servers – Security Boulevard

The good news is that you don't need to take on everything at once. In fact, we suggest you don't.

We find that most organizations start strong when they adopt PAM: getting a vault set up and domain passwords and local shared accounts under control. Then they start to get complacent. They stagnate on their journey somewhere between stages two and three.


Meanwhile, the organization keeps growing and the IT environment gets more complex and difficult to manage. Service accounts proliferate, unchecked. Identities multiply and become siloed in Active Directory, LDAP, etc. This is especially true for Linux systems in the cloud, with no centralized management like AD. Cloud platforms like AWS have their own IAM services, which leads to more siloed accounts.

Just as technology mushrooms, the number of privileged users grows exponentially. Business users adopt more applications without IT management, engineering teams spin up more systems, and developers store passwords in libraries and code.

Cyber criminals are getting more sophisticated and emboldened all the time.

To protect your growing attack surface, you can't hold your organization at the Basic stage. The jump to Advanced is an important one, and it's manageable. Let's break it down.

Fundamentally, the Advanced stage of PAM maturity is about implementing a Zero Trust model founded on the Principle of Least Privilege (PoLP). With this approach, users and systems should only have the access and permissions they need to do their jobs, nothing more.

Traditional password vaults offer a basic level of control and fundamental security benefits. Password theft, however, is only one step in a cyber criminal's attack chain. Should an attacker successfully gain access to a system, they will also need the ability to export data without detection, so they can sell it on the black market or ransom it off. To further secure your organization, and mature in your PAM program, privilege elevation solutions should be used. This will allow you to assign admin rights to individual tasks, applications, or scripts that require them, for a granular level of control.

There are two parts of your attack surface where maintaining least privilege is essential for a strong security posture: user workstations and servers. In both situations, privilege elevation capabilities allow you to easily assign or revoke privileges for a specific period, providing just-in-time, just-enough access when admin control is absolutely necessary.
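To make the just-in-time, just-enough model above concrete, here is a small elevation broker written for this post as an added example (it is not Security Boulevard's code nor any vendor's product API). It models what the text describes: a user is granted admin rights for one specific command, the grant is clamped to a policy ceiling, it is checked at execution time rather than at grant time, it expires on its own, and it can be revoked early. Every name below (Policy, Grant, ElevationBroker, the roles and commands in the demo) is a constructed placeholder, and the audit list stands in for whatever logging a real deployment would use.

```python
"""Just-in-time, just-enough privilege elevation broker (illustrative, added example).

Hypothetical model of per-task, time-bound elevation: rights are tied to one
command, clamped to a policy maximum, enforced at execution time, and revoked
automatically when the window closes. Not a real PAM product's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    """What a role may elevate to, and the longest window it may be granted."""
    role: str
    allowed_commands: frozenset
    max_duration: timedelta


@dataclass
class Grant:
    user: str
    command: str
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class ElevationBroker:
    def __init__(self, policies: Dict[str, Policy], user_roles: Dict[str, str]):
        self._policies = policies
        self._user_roles = user_roles
        self._grants: List[Grant] = []
        self.audit: List[str] = []  # constructed stand-in for a real audit sink

    def request(self, user: str, command: str, duration: timedelta,
                now: datetime) -> Optional[Grant]:
        """Issue a grant for exactly one command, or deny if policy does not allow it."""
        role = self._user_roles.get(user)
        policy = self._policies.get(role) if role else None
        if policy is None or command not in policy.allowed_commands:
            self.audit.append(f"DENY request {user} {command}: not permitted by policy")
            return None
        # Just-enough time as well as just-enough rights: clamp to the policy ceiling.
        effective = min(duration, policy.max_duration)
        grant = Grant(user=user, command=command, expires_at=now + effective)
        self._grants.append(grant)
        self.audit.append(f"GRANT {user} {command} until {grant.expires_at.isoformat()}")
        return grant

    def revoke(self, user: str, command: str, now: datetime) -> None:
        """Early revocation: the window closes before its scheduled expiry."""
        for g in self._grants:
            if g.user == user and g.command == command and g.is_active(now):
                g.revoked = True
                self.audit.append(f"REVOKE {user} {command}")

    def may_run_elevated(self, user: str, command: str, now: datetime) -> bool:
        """Execution-time check: expiry and revocation are enforced here, not at grant."""
        ok = any(g.user == user and g.command == command and g.is_active(now)
                 for g in self._grants)
        self.audit.append(f"{'ALLOW' if ok else 'DENY'} exec {user} {command}")
        return ok


def demo() -> Dict[str, bool]:
    """Constructed scenario: a DBA role may restart one service for at most 30 minutes."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policies = {
        "dba": Policy("dba", frozenset({"systemctl restart postgresql"}),
                      timedelta(minutes=30)),
    }
    broker = ElevationBroker(policies, {"alice": "dba", "bob": "helpdesk"})
    cmd = "systemctl restart postgresql"
    r: Dict[str, bool] = {}

    g = broker.request("alice", cmd, timedelta(hours=4), t0)
    r["alice_granted"] = g is not None
    r["alice_clamped_to_30min"] = g.expires_at == t0 + timedelta(minutes=30)
    r["alice_runs_inside_window"] = broker.may_run_elevated("alice", cmd, t0 + timedelta(minutes=5))
    r["alice_denied_after_expiry"] = broker.may_run_elevated("alice", cmd, t0 + timedelta(minutes=31))
    r["alice_denied_other_command"] = broker.may_run_elevated("alice", "useradd mallory", t0 + timedelta(minutes=5))

    # Early revocation of a second, still-valid window.
    broker.request("alice", cmd, timedelta(minutes=10), t0 + timedelta(minutes=40))
    broker.revoke("alice", cmd, t0 + timedelta(minutes=42))
    r["alice_denied_after_revoke"] = broker.may_run_elevated("alice", cmd, t0 + timedelta(minutes=43))

    # A role with no policy entry never gets a grant, whatever it asks for.
    r["bob_denied"] = broker.request("bob", cmd, timedelta(minutes=5), t0) is None
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point a practitioner should take from this is in `may_run_elevated`: the decision is made when the privileged action is attempted, so a grant that was valid an hour ago buys nothing now, and a rogue or compromised account holding a stale grant cannot reuse it. The same check is where a real deployment would hook its detection, since every allow and deny lands in the audit trail.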

The rest is here:
Privilege Elevation for Workstations and Servers - Security Boulevard
