Controlling access is essential to cybersecurity, especially access to privileged accounts like those of data center and cloud administrators.
According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved either stolen or weak passwords, and 14 percent involved privilege misuse.
Other researchers back that up -- Forrester, for example, estimates that 80 percent of security breaches involved privileged credentials.
"Privileged credentials provide greater scope for stealing data en masse than individual accounts do," Forrester analyst Andras Cser writes in a report. "With privileged credentials, attackers can dump the entire database, bypass network traffic limitation, delete logs to hide their activity, and exfiltrate data easier."
At the very minimum, enterprises should try to implement a least-privilege policy, where employees only have access to the particular systems that they need, and roll out multi-factor authentication.
That might be enough for most employees, but system administrators, who hold the keys to the kingdom, need extra protection for their credentials.
For example, if there's a server that an administrator accesses only once a month, there's a good chance that the password isn't fully secured and may even be shared among several employees, said Ryan Spanier, director of research at Kudelski Security.
"Most people share passwords because they're hard to remember, especially in a high-stress environment," he said.
There are three main technological approaches to addressing this security problem: SSO, CASB, and PAM.
Single-Sign-On (SSO) solutions from vendors such as Okta, OneLogin, and Ping Identity allow enterprises to create portals for their employees. The employees can then access all their applications with one login to that portal. Enterprises can manage which employees can access which systems, track usage, and enforce security policies such as multi-factor authentication.
SSO solutions are particularly useful for companies with hybrid deployments -- both on-premises and cloud-based data centers -- where the company wants to keep control of the identity management process, said Jason Macy, CTO at cybersecurity vendor Forum Systems.
"Leveraging existing identity repositories with SSO and federation trust models for cloud integrations is the best approach," he said.
Cloud Access Security Brokers (CASBs) like Skyhigh, Bitglass, and Netskope manage access to cloud services but are generally focused on SaaS platforms. Several larger technology firms also have CASB products, including Symantec, Cisco, and Oracle.
CASB vendors don't just offer a way to log into cloud systems, though, said Mike Schuricht, VP of product management at Bitglass.
They can also monitor data movement in real time and apply user behavior analytics to detect suspicious activity and trigger two-factor authentication, he said.
Sometimes having multi-factor access and monitoring suspicious activity isn't enough. For the most critical systems, a company might want to issue single-use passwords to administrators, for example.
That's where Privileged Access Management (PAM) comes in. Vendors like Thycotic, BeyondTrust, and Centrify focus on securing access to key infrastructure and have the most serious built-in security.
For example, with single-use credentials, even if an employee's machine was infected with a password logger, the stolen password would be useless to a hacker.
Through 2020, according to Gartner, more than half of IaaS and PaaS security failures will be attributed to the security gaps caused by failure to adopt privileged account management technology and processes.
This market is evolving quickly.
Today, for example, less than 5 percent of PAM purchases are delivered as a service (or in the cloud) -- that percentage will go up to 30 percent by 2019, according to Gartner.
Also, by 2020, more than 40 percent of vendors will use machine learning and other predictive analytics to look for suspicious user behaviors, up from under 10 percent today, the company said.