Blog | 5-minute Read

5 privileged access management (PAM) best practices

Steven Connelly

Head of Identity

Published: 07 December 2023

As the threat from trusted insiders continues to increase, safeguarding access to privileged accounts is essential. We reveal the best practices you should adopt for robust privileged access management (PAM).

A 2022 report from Gartner¹ identified privileged access management as a leading security priority for all organisations.

Not surprising when you consider 20% of all data breaches² come from insider activity and ‘privilege creep.’

Inadequate management of user privileges and access makes your data vulnerable and puts your business at risk.

Which is why we advocate organisations follow some basic best practices when it comes to privileged access management within overall identity and access controls.

Here are five things you should be doing right now.

1. Enforce the principle of least privilege (PoLP)

Implementing PoLP means granting users access to the bare minimum of resources needed to carry out their role.

What’s more, organisations who take this granular approach to access management are closing a potentially big hole in their security posture.

Consider this: 82% of breaches³ come from human activity (be that mistake or malice).

It doesn’t take a genius to realise that users with more access than they need can become a serious risk.

53% of organisations had more than 1000 sensitive files available to ALL employees.⁴

Veritas

By enforcing PoLP you can:

Reduce the risk of a data breach

PoLP removes the issue of over-privilege, which reduces the chance of accidental or malicious leaks.

Limit the impact of malware

While still damaging to the business, if users only have permission to limited resources, you can prevent the virus becoming more widespread.

Better accountability

PoLP helps you know who has access to what, making it easier to track activity and find the source of any potential issues.

The complete guide to Microsoft Entra ID

Download your 34-page guide to Microsoft’s identity tools.

2. Monitor, review, and audit privileged accounts

According to a report from Identity Defined Security Alliance (IDSA), 65% of identity-related breaches came from inadequately managed or compromised privileged accounts.⁵

This is why having visibility over all access privileges is fundamental to good PAM processes and the security of your business.

Which means:

Regular monitoring to ensure unauthorised or unusual activities are quickly detected.
Reviewing and auditing all accounts to ensure only necessary privileges are granted.

3. Implement robust authentication and password policies

According to the latest figures from Microsoft, there were 4,000 password attacks per second globally in 2023.⁶

The reality is, password protection alone is no longer enough.

They’re a notorious weak spot in cyber security posture. Too many people use passwords that can be easily hacked and compromised.

When you’re trying to control who has specific access to particular resources, you can’t afford this level of vulnerability.

At the very least your organisation should be educating its people to apply stronger passwords (your pet’s name and 1 at the end really won’t cut it).

But even then, for best practice, we would advocate the application of multi-factor authentication (MFA).

MFA should go hand in hand with your permissions management. It introduces additional layers to your access controls, with users needing to provide an extra one or more verification factor to access resources.

Which helps:

Ensure the right person is accessing the resource.
Enforce Just-in-Time (JIT) policies by limiting the scope of access to only what is necessary at that time.
Deter attackers who are more likely to target points of least resistance.
Accountability and auditing by creating logs of access attempts and by whom.
Prove due diligence needed to comply with industry regulations around security and data protection.

MFA reduces the risk of compromise by 99.2%.⁷

Microsoft

4. Adopt a zero trust policy and mindset in the business

The idea of a zero trust mindset in identity and access security has grown in prominence over the past few years, in response to growing and more sophisticated attacks.

Its ‘never trust, always verify’ stance underpins the principles of any successful PAM strategy.

Zero trust is based upon the idea that access to sensitive resources, especially by privileged users, is tightly controlled and constantly monitored, reducing the risk of unauthorised access and data breaches.

Which means:

Strict access controls based on permissions or conditions are maintained.
Continuous verification for all users, ensuring it’s the right person trying to gain access to a privileged account.
Potential breaches can be contained, and lateral movement limited by segmenting your network into micro-fragments.
Insider threats can be mitigated thanks to vigilant authentication and ongoing monitoring.

5. Ensure PAM is integral to your identity and access management (IAM) processes

With privileged accounts such a target for attackers, making PAM an integral part of your overall IAM framework isn’t just a case of best practice.

It’s a necessity.

Modern IAM solutions should provide the tools required to manage privileged accounts effectively and efficiently.

For instance, Microsoft Entra ID licence holders have access to a broad range of features that underpin PoLP and zero trust. Allowing organisations to easily set-up MFA and control permissions based on factors such as timeframe, job role, or other conditions (like device or location).

Plus there is Privileged Identity Manager (PIM), available in Entra ID’s P2 licence.

This helps manage, control, and monitor access to key resources across Microsoft Entra ID, Azure, and other Microsoft online services like Microsoft 365 or Microsoft Intune.

PIM features include:

Just-in-time privileged access to resources.
Time-bound access assignments with start and end dates.
Approval requirements for activating privileged roles.
Enforcement of multi-factor authentication for role activation.
Notifications on privileged role activations.
Access reviews to ensure continued necessity of roles.
Detailed audit histories for internal or external audits.

As privileged accounts become increasingly targeted by bad actors, failure to adequately manage them puts your organisation at increasing risk.

This is why we recommend putting the right measures in place, underpinned by a diligent and vigilant culture across the business.

And, by ensuring you have access to the right tools within your IAM solution. So that you can enable robust privileged access management that keeps your resources secure without compromising productivity.

Key takeaways

65% of identity-related breaches came from inadequately managed or compromised privileged accounts.
Regular monitoring and reviewing of privileged accounts is essential to mitigate risk of compromise.
Implementing MFA can reduce compromise risk by 99%.
Adopting a zero trust mindset underpins the fundamentals of modern PAM.
PAM should be integral to your overall IAM framework.

The complete guide to Microsoft Entra ID

Master Microsoft Identity. Grab your free 34-page guide and discover tools that:

Improve identity efficiency by 50%
Reduce data breach risk by 45%

Next steps

Like this? Don’t forget to share.

Great emails start here

Sign up for free resources and exclusive invites

Subscribe to the Kocho mailing list if you want:

Demos of the latest Microsoft tech
Invites to exclusive events and webinars
Resources that make your job easier

Author

Steven Connelly

Steven Connelly is Kocho’s Head of Identity. As the Head of Identity, he navigates the ever-evolving landscape of digital authentication and security, delivering the best identity solutions for our clients.

Don't Miss