Most of the recent cyber security breaches have been related to compromised privileged accounts in one way or another. This has resulted in privileged access management (PAM) becoming one of the most talked-about and researched areas of cyber security. We may safely say that in the coming months, every technology leader will be investing considerable amounts of their cyber security budgets in robust and secure PAM implementation.
In layman’s language, we may call PAM a password vault, but in reality, it consists of a cyber security strategy of an organization combined with technologies for maintaining control over elevated access of users, processes, systems, and accounts.
Why PAM is needed
There are many reasons why an organization would need to go with a PAM implementation. The top reason is that IT teams usually share root, administrator, and many other privileged credentials. This is routinely done in order to share duties. As a result, it becomes impossible to tie actions performed to a single individual. Down the road, it causes security and compliance issues too.
In bigger organisations, long-forgotten privileged accounts are common. These accounts can act as easy access points for hackers. In many cases, the person holding such an account is a former employee who was able to retain access.
Usually, companies manage privileged accounts and credentials within organisational silos, using internally defined best practices that may vary from one business unit to another. Not only does this make management difficult, but it subjects the company to increased risk. With a PAM solution, companies can tackle all of their privileged accounts from a central location—regardless of platform, hardware device, application, or the operating systems being used.
With advanced PAM solutions, you can get real-time notifications about risky behaviour. Administrators are able to configure alerts or notifications via email or SMS each time privileged users access a particular system. These notifications can be configured to trigger when a policy violation occurs or when higher than usual privileges are assigned to a particular user. Real-time notifications help administrators establish a high level of security in the organisation.
A PAM solution in an organizational ecosystem is also required to fulfil security compliance requirements. To optimize security, cyber security laws in many regions require industries to implement “least privilege access” policies. Such policies ensure that the absolute minimum number of users can access the systems to perform routine activities. PAM solutions also help organizations maintain an audit trail of their privileged users, which is one of the more critical security compliance requirements.
PAM implementation supports efforts for ISO 27001/GDPR compliance by providing complete visibility to administrators over user actions, recording all activities of internal and external users and applications, reinforcing access to critical data, allowing administrators to define rules for each group of users, and generating accurate reports on the root, administrator and other privileged accounts sessions.
Strategies to develop and implement an internal Privileged Access Management
Developing and implementing PAM in an organization can be broken down into five steps:
- Implement least privilege
The principle to keep in mind while implementing least privilege is that every user, program, and process in your ecosystem should have only the minimum privileges necessary to perform its function. For example, a programmer whose job role is to create a module for better reporting should not have access to company financial records.
Following the principle of least privilege reduces the risk of hackers reaching critical or sensitive information by compromising low-level, easier-to-crack accounts or devices. It also helps contain a compromise to its area of origin, stopping an attacker's access from spreading to the system at large.
- Secure the user accounts of employees and contractors
Many organisations have invested heavily in security technologies to protect their information, such as firewalls, encryption, and managed detection and response tools. However, employees and contractors remain highly insecure, since so little has been done to educate them. As a result, many cyber attacks now focus on the human element.
Security awareness training can address such issues. It makes employees and contractors aware of these risks, changes their behaviour and helps ensure that your organization remains compliant.
Communication is key. Security leaders should not be afraid of involving employees in security evaluations or creating and communicating their organisational cyber security policy. This helps create alignment when people work on it together.
One method of communication is to appoint cybersecurity advocates in every business unit of the organization. These advocates might not be from the IT team but can work as an extension of the CISO, helping employees remain trained and motivated.
- Secure user accounts of applications and machine identities
Machine identities outnumber the human identities that enterprises need to manage and protect. Comprehensive account management of non-human users is required to ensure that businesses are not exposed to security and compliance risks.
Non-human privileged access can be more difficult to find and control. These credentials may be embedded in code, objects, and APIs, which makes them hard to locate. Organizations can use scanning tools that help find these types of unknown privileged accounts.
- Identify, monitor, and stop suspicious user activities
If an organization can identify, detect and respond to compromised user accounts efficiently, it may limit and contain the impact and damage caused.
First, as a security leader, you need to establish a baseline of normal user behaviour and then design your detections around it. Sending analytics data from your PAM solution to your security operations center (SOC) can help identify suspicious activity before significant damage occurs.
Red team exercises might prove beneficial in finding out if there is any privileged access that can be obtained to move laterally into other systems. These exercises may also help find privileged credentials that haven’t been onboarded into your PAM solution.
- Invest in a PAM solution
Investing in a PAM-as-a-service solution might not answer all of an organisation's problems, but it can be a good starting point for establishing robust access management policies in the company. The security of the PAM solution itself is critical because of all the essential credentials that it stores.
There is no magical button or solution when it comes to Privileged Access Management. The best way to eliminate or at least minimise the risk is to enable privileged access on-demand. Administrators grant just enough access to complete specific tasks or activities. When the change is completed, the privileges are either detached or the account is totally removed from the environment. This approach dramatically reduces the risk of powerful accounts being exploited by attackers.
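As an added illustration (not code from this article or from any PAM product), the following Python model shows the on-demand approach described above: elevation is tied to a change ticket, capped in duration, revoked automatically when it expires, and every decision is written to an audit trail; a request for a system outside the user's baseline footprint (the "identify, monitor, and stop" step) is still granted but flagged for SOC review. All users, hosts and ticket ids are constructed sample values.

```python
# Model of just-in-time (on-demand) privileged access with automatic revocation
# and an audit trail. Illustrative only; all users, hosts and tickets are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:
    user: str
    system: str
    role: str
    ticket: str          # change ticket that justifies the elevation
    expires_at: datetime

class JitBroker:
    def __init__(self, baseline, max_minutes=60):
        self.baseline = baseline        # user -> systems they normally administer
        self.max_minutes = max_minutes  # hard cap on any single elevation
        self.grants = {}                # (user, system) -> active Grant
        self.audit = []                 # every grant/revoke decision

    def request(self, user, system, role, ticket, minutes, now):
        minutes = min(minutes, self.max_minutes)   # never exceed the cap
        grant = Grant(user, system, role, ticket, now + timedelta(minutes=minutes))
        self.grants[(user, system)] = grant
        # Elevation outside the user's normal footprint is granted but flagged for SOC review.
        flagged = system not in self.baseline.get(user, set())
        self.audit.append(("grant", user, system, role, ticket, now, flagged))
        return flagged

    def is_allowed(self, user, system, now):
        grant = self.grants.get((user, system))
        if grant is not None and now >= grant.expires_at:
            self.revoke(user, system, now, reason="expired")   # privileges detach themselves
            return False
        return grant is not None

    def revoke(self, user, system, now, reason="task complete"):
        if self.grants.pop((user, system), None) is not None:
            self.audit.append(("revoke", user, system, reason, now))

def demo():
    broker = JitBroker({"alice": {"db-prod-01"}}, max_minutes=30)
    t0 = datetime(2024, 1, 1, 9, 0)
    in_baseline = broker.request("alice", "db-prod-01", "dba", "CHG-1001", 20, t0)
    active = broker.is_allowed("alice", "db-prod-01", t0 + timedelta(minutes=10))
    after_expiry = broker.is_allowed("alice", "db-prod-01", t0 + timedelta(minutes=25))
    off_baseline = broker.request("alice", "web-prod-03", "root", "CHG-1002", 120, t0)
    capped = broker.grants[("alice", "web-prod-03")].expires_at == t0 + timedelta(minutes=30)
    return {"flagged_first": in_baseline, "active": active, "after_expiry": after_expiry,
            "flagged_second": off_baseline, "capped": capped, "audit_events": len(broker.audit)}
```

Running `demo()` walks through one in-baseline elevation that lapses on its own and one off-baseline request that is capped at the broker's maximum and flagged.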
To summarise, privileged access represents a significant risk for any organisation. Not only are these accounts key targets for attackers, but they can also be misused by their owners. Control over privileged accounts is a chief requirement of all major compliance regulations. Taking a holistic approach towards privileged access management mitigates the risks associated with it.
Further reading
- Managing Non-Human Identities for Vendor Access and Least Privilege Application Management. https://www.idsalliance.org/blog/2021/01/28/managing-non-human-identities-for-vendor-access-and-least-privilege-application-management/
- Secure Privileged Access with ESAE Model. https://blog.netwrix.com/2017/12/26/secure-privileged-access-with-esae-model/
- How to Use Design Thinking for Next-Gen Privileged Access Management Architecture. https://securityintelligence.com/posts/design-thinking-for-privileged-access-management
- https://skillfield.com.au/essential-8-explainer/
Written by: Arsalan Iqtidar Khan