This exclusive ARN Roundtable, in association with BeyondTrust, assessed the understanding and application of privileged access management (PAM) practices among Australian customers while examining how the channel can play a pivotal role in helping businesses adopt a strategic approach to security architecture.
Privileged access management (PAM) is a complex cyber security strategy that aims to proactively monitor and manage access across enterprise networks.
Preventing cyber security breaches and insider attacks has become imperative for Australian organisations as the COVID-19 pandemic continues to force widespread remote working and networking, leaving IT managers and chief security officers with an ever-widening perimeter.
After a year of devastating cyber attacks, including the Kaseya and Colonial Pipeline infiltrations, customers and partners are learning first-hand the ramifications of poorly secured perimeters and virtual private networks (VPNs).
In addition, according to BeyondTrust Asia Pacific and Japan director of channels and alliances Ben Wong, Australia’s cloud progress has made securing networks even more complicated.
“With the explosion in credentials thanks to the adoption of cloud platforms such as Amazon Web Services (AWS), organisations focused on strengthening their identity and access management (IAM) posture are increasingly turning to PAM to manage privileged users and accounts, whether human or bot,” he explained. “We know that 80 per cent of security breaches relate to privileged access, so getting a handle on this is key.”
So, what exactly is PAM? Essentially, it is a blend of strategy and technology designed to control privileged access and permissions for users, accounts, processes, and systems across an IT environment. In practice, this can reduce an organisation’s attack surface with the aim of either limiting cyber attacks or mitigating the extent of their damage.
However, implementing it on a wide scale is still an ongoing conversation with Australian customers. For some partners, like Oreta, it is already a well-established security tactic. Oreta managing director Sachin Verma explained: “PAM is an integral part of our wider security offering and plays an intrinsic part of Oreta securing Cloud and Network for our customers. As the pace of digital transformation picks up, the importance of securing the access is a top priority.”
On the other hand, Dean Calvert, founder of Adelaide partner Calvert Technologies, believes it’s still a work-in-progress for his customer base – small-to-medium-sized businesses.
“At this stage PAM is not something which is coming up in discussions with our customers – I suspect this is more due to their size and complexity and a lack of understanding what it really is and means for them,” he explained. “That being said, it’s a relatively new area for us too so I’ll accept that we need to learn more about it so we can then have intelligent opening conversations with them. PAM is obviously more than just ensuring users are in the appropriate active directory security groups.”
Nevertheless, PAM has become a more pressing issue for Australian partners as the Federal Government increases its compliance requirements in line with its Essential 8 strategy. Combined with a heightened fear due to the increasing prevalence of ransomware attacks, customers are becoming more concerned with protecting their environments.
“Essential 8 is definitely a framework that is being used by a lot of our customers to define their approach and we use it ourselves as an excellent starting point,” explained Intuit Technologies chief revenue officer Phil Dickman. “Ransomware attacks have almost become common news, so we see customers being motivated more by the demands of their own end customers in a business-to-business context and the broader expectations around security ‘best practice’. No doubt the relentless drive towards ongoing 100 per cent remote work for staff also plays a part.”
“Companies are focused on strengthening their security posture and human error is driving the focus on PAM,” he added.
Meanwhile, Craig Sims, managing director of CCNA, said PAM is becoming more visible with the reporting of cyber security attacks and changing government legislation. “PAM is critical for achieving compliance requirements,” he added.
As such, he argued, there are ample opportunities ahead for the channel in this space, especially with regard to protecting a company’s reputation and meeting security compliance.
However, for Calvert, bringing the topic home to SMBs remains a challenge. “Certainly, topics including ransomware, Essential 8 and credential leakage to the Dark Web are all things to help keep [security] top of mind,” he said. “Unfortunately, with many small organisations they simply don’t seem to get it and instead think we’re just trying to up-sell them rather than provide improved protection. We’re fortunate that most of our customers have remained free from ransomware attacks so they can suffer from the ‘if it’s not broken, don’t fix it’ mentality – which can be frustrating.”
Nevertheless, Wayne Simmonds, national head of sales at CrossPoint Technology Solutions, maintained that PAM offered an opportunity to “broaden the security conversation” with customers.
“WFH and location-independent employees present opportunities for managed service providers (MSPs) because of the challenges that it causes clients to manage,” he said. “Wrapping PAM up within a managed security as-a-service offering is a great way to build continuous revenue.”
Oreta’s Verma shares the same view of integrating a security solution as a technical part of a managed services security offering. “This is to ensure that PAM is a service that is offered on a continual basis as opposed to a once-off exercise,” he argued.
But while revenue opportunities may be readily available, the key question for partners will be whether PAM can be a profitable element of their cyber security strategies.
“Implementing PAM can provide immediate return-on-investment (ROI) in terms of reduced service desk tickets and improve employee productivity, where employees are able to have the right level of access to do their jobs at the right time,” said BeyondTrust Asia Pacific director of solutions engineering Scott Hesford.
“Additional ROI can be gained from reduced cyber insurance premiums and by providing the data from a PAM solution to a client’s SIEM system for additional insights and threat mitigation. Reducing the risk and cost of clean-up of any data breach obviously also provides an ROI, even if tougher to measure.”
Dickman also argued: “Pick one tool and stick to it. Invest deeply in those skills. Alternatively – if this is not core to your business, find a really good partner for your own business.”