Traditional privilege and entitlement management solutions are no longer enough

By BeyondTrust

Modern privileged access management (PAM) is essential for public sector organisations to stay ahead of evolving cyber threats and remain agile in their digital transformation, says BeyondTrust’s Asia Regional Director, Charlie Wood.

Adopting a least privilege and just-in-time approach can help organisations reduce their identity attack surface and protect their digital environment against threat actors. Image: Canva

Would you give someone the keys to your house when they only need to fix the washing machine?  


Someone who comes to fix the washing machine only needs just-in-time approval to enter the kitchen, complete their task, and leave – not indefinite access to the whole house. To protect the entire house, this approach revokes their privileged access the moment their authorised window ends.


This combination of least privilege and just-in-time access is key for public sector organisations adopting cloud and hybrid infrastructures, which widen the attack surface. Organisations are also increasingly engaging third-party vendors, which demands better management of identities and of access to key entitlements in the cloud.
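The washing-machine analogy above describes three properties of a just-in-time grant: approval is for one specific entitlement, it is bounded by a time window, and it is revoked automatically when the window closes, leaving no standing access behind. The following broker is an added example illustrating those properties; it is not BeyondTrust's or PathFinder's code, and the identities, entitlement names, policy window and timestamps in it are constructed for illustration.

```python
"""
Added example (not BeyondTrust's code): a minimal just-in-time (JIT) entitlement
broker. A request names the identity, the exact entitlement needed and a time
window; access is granted only for that entitlement and only inside the window,
and the grant is revoked automatically (and auditably) when the window ends.
All names, entitlements and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class Grant:
    identity: str
    entitlement: str        # e.g. "house:kitchen:enter" or "cloud:db-prod:read"
    not_before: datetime
    not_after: datetime
    approver: str


@dataclass
class JitBroker:
    """Holds only time-boxed grants; there are no standing entitlements."""
    max_window: timedelta = timedelta(hours=1)   # policy cap on any single window
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def request(self, identity: str, entitlement: str, approver: str,
                start: datetime, duration: timedelta) -> Grant:
        """Issue a grant for exactly one entitlement, bounded by policy."""
        if duration <= timedelta(0) or duration > self.max_window:
            raise ValueError(f"requested window {duration} outside policy (max {self.max_window})")
        g = Grant(identity, entitlement, start, start + duration, approver)
        self.grants.append(g)
        self.audit_log.append(
            f"GRANT {identity} {entitlement} until {g.not_after.isoformat()} approved by {approver}")
        return g

    def is_allowed(self, identity: str, entitlement: str, now: datetime) -> bool:
        """Allow only an exact entitlement match inside an unexpired window."""
        return any(g.identity == identity and g.entitlement == entitlement
                   and g.not_before <= now < g.not_after for g in self.grants)

    def sweep(self, now: datetime) -> List[Grant]:
        """Revoke every grant whose window has ended; returns what was revoked."""
        expired = [g for g in self.grants if now >= g.not_after]
        self.grants = [g for g in self.grants if now < g.not_after]
        for g in expired:
            self.audit_log.append(
                f"REVOKE {g.identity} {g.entitlement} (window ended {g.not_after.isoformat()})")
        return expired


def demo() -> dict:
    """Walk through the repair-technician scenario and return the observed decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = JitBroker()
    broker.request("repair-tech", "house:kitchen:enter", approver="homeowner",
                   start=t0, duration=timedelta(minutes=45))
    return {
        # inside the window, only the approved entitlement is usable
        "kitchen_during": broker.is_allowed("repair-tech", "house:kitchen:enter", t0 + timedelta(minutes=10)),
        "bedroom_during": broker.is_allowed("repair-tech", "house:bedroom:enter", t0 + timedelta(minutes=10)),
        # after the window the same entitlement is refused even before a sweep runs
        "kitchen_after": broker.is_allowed("repair-tech", "house:kitchen:enter", t0 + timedelta(minutes=46)),
        "revoked": len(broker.sweep(t0 + timedelta(minutes=46))),
        "standing_grants": len(broker.grants),
    }


def oversized_request_rejected() -> bool:
    """Policy check: a window longer than max_window must be refused."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    try:
        JitBroker().request("repair-tech", "house:kitchen:enter", "homeowner", t0, timedelta(days=1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The decision in `is_allowed` is evaluated against the clock on every check, so access lapses at the end of the window even if the revocation sweep has not yet run; the sweep exists to clear the grant and write the revocation to the audit log.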


Moving to a modern privileged access management (PAM) solution is key to adopting a just-in-time least privilege model, reducing entitlement-based risks and protecting dynamic hybrid and multicloud environments, noted BeyondTrust’s Asia Regional Director, Charlie Wood.  



Least privilege for least risk 


The changing landscape, the breadth of identity-based attacks, and the different types of privileges have all impacted the evolution of privilege and entitlement management.  


The traditional PAM setups found five to ten years ago were often software deployments that focused on “managing privileged credentials associated with on-premise resources, and did not support things like just-in-time access and entitlements management for the modern dynamic multicloud infrastructures we see today,” explained Wood.  


These older PAM solutions stored privileged credentials in a vault and recorded user sessions, but the entitlements they granted access to were standing ones. Wood said the problem with traditional solutions is that they are overly permissive, providing standing access to privileges and resources – “the more privileges and access there is, the higher the risk.”


Traditional setups also left common blind spots in organisations, such as overprivileged groups.


Traditional PAM controls end after they grant a user the privileged credential to do their work. The traditional PAM setup cannot ensure that the user does not misuse their level of privilege, either accidentally or intentionally, he explained.  


Granting overprivileged groups full access to cloud applications, even when they only require a few key entitlements, can significantly increase risk: if those identities are compromised, adversaries could gain unrestricted access to potentially sensitive data.
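A practical way to find the overprivileged groups described above is to compare what each group is granted with what its members actually exercised over a review window. The audit below is an added example, not BeyondTrust's or PathFinder's code; the groups, memberships, entitlement names, wildcard convention and access records are all constructed for illustration, and the exposure figure is a deliberately crude heuristic (unused or wildcard entitlements multiplied by the number of identities that inherit them).

```python
"""
Added example (not BeyondTrust's code): a least-privilege gap audit. Given the
standing entitlements each group is granted and the entitlements its members
actually used over a review window (from constructed access records), report
the unused standing entitlements per group: the excess that an attacker would
inherit on compromising any member identity. All data below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: group -> standing entitlements granted to it
GRANTED: Dict[str, Set[str]] = {
    "finance-analysts": {"erp:reports:read", "erp:ledger:write", "erp:admin", "s3:finance-export:read"},
    "cloud-ops": {"iam:*", "ec2:*", "s3:*"},
    "helpdesk": {"ad:password-reset", "ad:user:read"},
}

# Constructed: group -> member identities
MEMBERS: Dict[str, Set[str]] = {
    "finance-analysts": {"alice", "bob"},
    "cloud-ops": {"carol"},
    "helpdesk": {"dave", "erin"},
}

# Constructed access records over the review window: (identity, entitlement exercised)
ACCESS_RECORDS: List[Tuple[str, str]] = [
    ("alice", "erp:reports:read"), ("bob", "erp:reports:read"), ("bob", "s3:finance-export:read"),
    ("carol", "ec2:describe"), ("carol", "s3:get"),
    ("dave", "ad:password-reset"), ("erin", "ad:user:read"),
]


def _matches(granted: str, used: str) -> bool:
    """A wildcard grant such as 'ec2:*' covers any 'ec2:...' action (assumed convention)."""
    if granted.endswith(":*"):
        return used.startswith(granted[:-1])
    return granted == used


def audit(granted: Dict[str, Set[str]], members: Dict[str, Set[str]],
          records: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Per group: which standing entitlements were never exercised by any member."""
    used_by_identity: Dict[str, Set[str]] = defaultdict(set)
    for ident, ent in records:
        used_by_identity[ident].add(ent)

    report: Dict[str, dict] = {}
    for group, ents in granted.items():
        group_members = members.get(group, set())
        used_in_group: Set[str] = set().union(*(used_by_identity[m] for m in group_members))
        exercised = {g for g in ents if any(_matches(g, u) for u in used_in_group)}
        unused = ents - exercised
        wildcards = {g for g in ents if g.endswith(":*")}   # broad grants are flagged even if used
        report[group] = {
            "granted": len(ents),
            "unused_standing": sorted(unused),
            "wildcard_grants": sorted(wildcards),
            "members": len(group_members),
            # crude heuristic: excess entitlements times identities that inherit them
            "exposure": len(unused | wildcards) * len(group_members),
        }
    return report


def most_exposed(report: Dict[str, dict]) -> List[str]:
    """Group names ordered from highest to lowest exposure, for review prioritisation."""
    return sorted(report, key=lambda g: report[g]["exposure"], reverse=True)


def run() -> Dict[str, dict]:
    return audit(GRANTED, MEMBERS, ACCESS_RECORDS)


if __name__ == "__main__":
    rep = run()
    for group in most_exposed(rep):
        print(group, rep[group])
```

On the constructed data, `finance-analysts` ranks highest because two identities inherit `erp:admin` and `erp:ledger:write` that nobody used, while `cloud-ops` is flagged for its wildcard grants even though two of them were exercised; the unused entitlements are the candidates for removal or for conversion to just-in-time grants.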



Modern solutions for modern threats 


As cyber threats evolve, so should the solutions organisations adopt to address identity security gaps and improve operations.  


Wood emphasised that modern PAM solutions must deliver comprehensive visibility across environments, better risk assessment of all identity types, and elimination of permanent privileges and misconfigurations throughout hybrid and multi-cloud infrastructures.  


Addressing identity-based attacks is fundamental, as “threat actors are no longer breaking in, they are logging in,” warned Wood. Identities can be compromised through misconfigurations in identity providers (IdPs) and through gaps between people and processes that attackers take advantage of.


“The access to compromised identities typically occurs before a threat actor would even hit a PAM workflow, meaning traditional PAM is not aware of these threats.  


“Without visibility of where there is risk associated with identities, it is extremely hard for a business to uncover potential paths to privilege that exist in their organisation,” he said. 




Modern PAM tools provide visibility of identity-based risks across a wide attack surface and across silos, enabling organisations to understand and quantify posture-based gaps that an attacker might use to gain a foothold.


With this knowledge, organisations can improve decision-making around what needs to be protected rather than following prescriptive deployment rollouts driven by vendors. 

Managing the identity attack surface 


Beyond visibility, organisations must adopt a unified approach to managing the identity attack surface - eliminating the blind spots left by traditional, siloed solutions. An integrated platform that combines risk visibility, privilege path mapping, and proactive security controls serves as the foundation for modern identity security, enabling real-time detection, prevention, and response to identity-based threats. 


Solutions like BeyondTrust PathFinder consolidate visibility, management, and governance into a single system, while seamlessly integrating with existing security tools through third-party connectors. By enabling just-in-time access and enforcing zero standing privileges across all environments - from endpoints and servers to the cloud - PathFinder helps reduce the attack surface without sacrificing operational efficiency. 


In the event of an attack, a unified platform enables faster, more precise response, helping to contain threats before they escalate. With holistic, proactive solutions like PathFinder, organisations can shift from reactive firefighting to strategic risk mitigation - protecting access and entitlements before vulnerabilities are exploited. 


As public organisations continue their digital transformation journeys, adopting modern identity security solutions is no longer optional - it is essential for safeguarding sensitive data, maintaining operational continuity, and upholding public trust.