A large financial institution relies on a critical legacy system to process high-volume payment data. The system is no longer supported by its vendor, and its architecture prevents direct modification of its authentication mechanisms. A security architect must implement a compensating control to strengthen security for administrative accounts without disrupting operations. Which of the following solutions is the MOST effective and least disruptive?
Deploy an agent-based Endpoint Detection and Response (EDR) solution on the legacy system.
Isolate the system on a new network segment protected by a stateful firewall.
Implement a Privileged Access Management (PAM) solution to act as a gateway for all administrative access.
Mandate the integration of native multifactor authentication (MFA) for all administrative accounts on the system.
A Privileged Access Management (PAM) solution is the most appropriate choice. PAM is a compensating control: it interposes a proxied gateway (a jump host or session broker) between administrators and the legacy system, so strong authentication such as MFA, credential vaulting and rotation, session recording and approval workflows are enforced at the gateway rather than on the system itself. Nothing on the legacy system has to change, so operations are not disrupted. Two caveats apply in practice: the legacy system's administrative ports must be reachable only from the gateway (otherwise the gateway is optional and can be bypassed), and the legacy system's own authentication logs should still be reviewed for administrative logins that did not originate from the gateway. Mandating native MFA is infeasible because the system's authentication mechanisms cannot be modified and the vendor no longer supports it. Isolating the system behind a stateful firewall is good practice and complements PAM, but on its own it does not strengthen authentication for privileged users who already have network access. Deploying a modern EDR agent may not be supported on an obsolete operating system, and the agent's overhead could degrade high-throughput payment processing.
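The bypass check above is the kind of thing a practitioner would script once the gateway is in place. The following example is added here and is not part of the original question or answer: it scans OpenSSH-style authentication log lines from the legacy host and flags privileged logins whose source address is not one of the PAM gateway nodes. The gateway address range (10.10.0.0/29), the set of privileged account names, the hostname legacy-pay01 and the sample log lines are all constructed assumptions; a real legacy system may log in a different format, in which case only the regular expression needs adjusting.

```python
"""Flag administrative logins to a legacy host that bypassed the PAM gateway.

Added example, not from the original page. Gateway addresses, account names,
log format and sample log lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the PAM gateway nodes are the only hosts allowed to open admin
# sessions to the legacy system. Anything else is a bypass.
PAM_GATEWAY_NETS = [ip_network("10.10.0.0/29")]

# Assumed: accounts that count as privileged on the legacy system.
ADMIN_ACCOUNTS = {"root", "admin", "dbadmin"}

# OpenSSH syslog format ("Accepted <method> for <user> from <ip> port <n> ssh2").
# Failed attempts deliberately do not match; only successful logins are of interest here.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    source: str
    method: str


def parse_login(line: str):
    """Return the fields of a successful SSH login line, or None if it is not one."""
    m = LOGIN_RE.match(line)
    return m.groupdict() if m else None


def is_from_gateway(src: str) -> bool:
    """True if the source address belongs to one of the PAM gateway networks."""
    addr = ip_address(src)
    return any(addr in net for net in PAM_GATEWAY_NETS)


def find_bypasses(lines):
    """Privileged logins that did not come through the PAM gateway."""
    findings = []
    for line in lines:
        rec = parse_login(line)
        if rec is None or rec["user"] not in ADMIN_ACCOUNTS:
            continue
        if not is_from_gateway(rec["src"]):
            findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                    rec["src"], rec["method"]))
    return findings


# Constructed sample log: one admin login via the gateway, one direct root login
# from a workstation subnet, one non-privileged service account, one failed attempt.
SAMPLE_LOG = """\
Mar  3 09:12:01 legacy-pay01 sshd[4101]: Accepted publickey for admin from 10.10.0.2 port 51022 ssh2
Mar  3 09:15:44 legacy-pay01 sshd[4188]: Accepted password for root from 192.168.40.23 port 60211 ssh2
Mar  3 09:16:10 legacy-pay01 sshd[4190]: Accepted publickey for batchsvc from 192.168.40.23 port 60212 ssh2
Mar  3 09:20:05 legacy-pay01 sshd[4203]: Failed password for admin from 192.168.40.99 port 60300 ssh2
Mar  3 09:31:19 legacy-pay01 sshd[4251]: Accepted publickey for dbadmin from 10.10.0.3 port 51101 ssh2
""".splitlines()


if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"BYPASS {f.timestamp} {f.host}: {f.user} from {f.source} via {f.method}")
```

Run against the constructed sample, only the direct root login from 192.168.40.23 is reported; the admin and dbadmin sessions came from gateway addresses and the service account is not in scope. In production the same logic would run over the legacy host's forwarded syslog, and any finding means the upstream firewall rule that should restrict administrative ports to the gateway is missing or wrong.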