Privileged Access Management (PAM), a Primer
To put it simply, Privileged Access Management (PAM) is an attempt to protect your privileged accounts from abuse and/or misuse. There are many types of accounts within an organization that can cause serious damage if placed into the wrong hands. In today's world, organizations must do everything they can to protect privileged accounts, as their misuse can lead to significant loss and damage to the organization (e.g., ransomware, malware, financial fraud, disclosure of trade secrets, damaging systems or data, etc.). In this blog, we'll review privileged access, privileged users in comparison to standard users, the access to various systems they have, and more. It is critical that these accounts are monitored, audited, and held to compliance requirements, as the actions they take can have a large impact on an organization's business processes, digital assets, and reputation. By the end of this post, you will have a better understanding of Privileged Access Management and the benefits a solution like this can provide.
Privileged Access: What is it?
In business, it's obvious that you need employees to keep things running smoothly and efficiently. Most employees will have a user account of some sort that they can use to accomplish tasks such as logging into machines, sending and receiving emails, and performing daily job duties. These employees are most often referred to as "standard" users and are generally confined to their individual needs. These users should not typically be able to download and install software, configure applications, or perform similar actions.
This is where privileged access comes into the picture. There will always need to be someone with appropriate permissions to download and install software, create the email addresses that everyone uses, configure the equipment that everyday users don't see, control and monitor systems within an environment, and so much more. These elevated privileges should be tightly controlled and monitored by an organization. These individuals typically have complete control over their respective network(s) because it’s their duty to ensure things are running smoothly and securely, which in turn gives users like this a substantial amount of power over what happens in any given network.
As you could have guessed, this power comes with a target. Hackers will seek out these accounts looking to gain entry into your company's systems through a variety of methods and attacks. This is most commonly done by exploiting personnel or machines. This process can be quick or long and drawn out solely based on an organization's IT Security posture and employee training. Keep in mind that privileged accounts aren't always associated with humans.
Examples of Privileged Accounts
Domain Administrators: These are some of the highest privileged accounts that can be found within a domain, giving accounts within this group the power to perform almost any action they want. Domain administrators can make changes to policies that impact the entire domain, have local administrator rights on every server and workstation in the domain, can modify all Active Directory objects, modify DNS and DHCP, download and install software, and much more. It is due to this high level of privileges, as well as the ease with which they can be hijacked, that accounts such as these are misused and abused in far too many environments.
Local Administrators: A local administrator is confined to the individual workstation or server that it is on. These accounts can modify local security policy and the local firewall, and create and delete local users, among other actions. Typically, these accounts are seldom used, which results in them being poorly or incorrectly managed. For example, many environments use the same local administrator username and password on every machine and rarely perform password changes for these accounts.
Service Accounts (Non-Human): Service accounts are typically running specific applications or are associated with dependencies on various machines. Normally if an issue arises with a service account, that results in some sort of outage related to the application that it is associated with. Often, these accounts are over-privileged to make the deployment process quicker and easier and remain over-privileged once deployed. Instead of implementing such accounts with least-privileged access in mind, many will apply the fullest permissions to these accounts to avoid any difficulties that may arise if minimal permissions are applied for deployment. As is the case with local administrator accounts, service account passwords are also rarely changed, though in this case due to the potential complications or service disruptions that may come along with it. Some example dependencies include Windows Services, Scheduled Tasks, Application Pools, and .config files.
Root: Root accounts, also sometimes referred to as a "Super User" account, have no restrictions to the access of commands, directories, files, etc. on a Unix device. These accounts are able to perform operations on any users, modify system configurations, install and remove software, perform firmware updates, and more. In most environments, clients aren't making use of IdMs or PAM tools and these accounts are yet again not appropriately managed and use identical usernames and passwords on every Unix device within the environment.
Application Account: An account specifically used for an application. These accounts are used to configure and administer the application that they are associated with.
SA Accounts: This account is the default system administrator account used for SQL Servers. It is used for the management of SQL, has access to various databases on the server, has the ability to create users, modify permissions within SQL, etc.
As you can probably tell, there is a recurring theme. All of these accounts have so much more they are capable of in comparison to a standard user account and in my experience are widely misused, poorly managed, and not properly audited. They can do almost everything they want to within their specific realm (Windows, Unix, SQL, Network, Applications, etc.). Unfortunately, sometimes these accounts aren't restricted to specific realms but have access to literally everything within an organization. It is incredibly important to have strict rules related to each privileged account and implement controls with zero trust in mind. These ideas have become so important that cyber insurance almost always requires the usage of a Privileged Access Management solution.
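The two habits called out above, passwords that are rarely changed and the same credential reused on every machine, can be checked from an account inventory. The following is an added example, not part of the original post: the inventory rows are constructed, the `cred_fingerprint` column is a hypothetical field an audit or vault export might provide, and the rotation ages are assumed policy values.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed inventory export: one row per privileged account per host.
# "cred_fingerprint" is a hypothetical column (for example a keyed digest
# produced by the audit tool) so reuse can be compared without the password.
INVENTORY_CSV = """account,host,type,pwd_last_set,cred_fingerprint
Administrator,WS-001,local_admin,2019-03-14,fp-a1
Administrator,WS-002,local_admin,2019-03-14,fp-a1
Administrator,SRV-DB1,local_admin,2024-05-02,fp-c7
svc_backup,SRV-APP1,service,2017-11-30,fp-d4
root,lnx-web1,root,2020-01-09,fp-e9
root,lnx-web2,root,2020-01-09,fp-e9
da_jsmith,CORP,domain_admin,2024-05-20,fp-f2
"""

# Assumed rotation policy in days per account type (not from the article).
MAX_AGE_DAYS = {"domain_admin": 30, "local_admin": 90, "service": 180, "root": 90}


def audit(csv_text, today):
    """Return (stale, shared).

    stale:  list of (account, host, age_days) whose password exceeds policy age.
    shared: {(account, fingerprint): [hosts]} where one credential is on 2+ hosts.
    """
    stale = []
    hosts_by_credential = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        age = (today - date.fromisoformat(row["pwd_last_set"])).days
        if age > MAX_AGE_DAYS[row["type"]]:
            stale.append((row["account"], row["host"], age))
        hosts_by_credential[(row["account"], row["cred_fingerprint"])].append(row["host"])
    shared = {k: sorted(v) for k, v in hosts_by_credential.items() if len(v) > 1}
    return stale, shared


if __name__ == "__main__":
    stale, shared = audit(INVENTORY_CSV, date(2024, 6, 1))
    for account, host, age in stale:
        print(f"STALE  {account}@{host}: password is {age} days old")
    for (account, _fp), hosts in shared.items():
        print(f"SHARED {account}: same credential on {', '.join(hosts)}")
```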
What is Privileged Access Management?
Privileged Access Management (PAM) is a comprehensive strategy designed to help protect the usage of privileged accounts within an enterprise. The goal of PAM is to assist in the mitigation of credential theft along with helping put a stop to privilege misuse and adding additional security layers within an environment. It's designed to have clear and precise auditing as well as provide easy to use governance and enforcement of a variety of security settings such as session recording, proxying, and approvals.
With a successful deployment of PAM, you drastically reduce risk while increasing visibility, compliance, and productivity. The biggest win of a successful PAM deployment is the enforcement of least privilege. The least privilege security model is designed to give users nothing more than they actually need to perform their job duties. During the rollout of a PAM solution, you'd be surprised how quickly you can find the misuse of accounts and privileges. During this implementation, you can swiftly address these security concerns and implement workflows for privileged users that not only reduce their privileges but also increase productivity and visibility. No matter the size of your business, privileged access management will improve your overall security posture and provide you with the confidence and peace of mind you need when running a business.
Essential PAM Features
There are several different PAM solutions on the market for businesses to implement, with the two most popular solutions being Delinea's Secret Server and CyberArk's Privileged Access Manager. Each of these tools provides features that are essential to an effective PAM solution, such as:
SAML/SSO: Centralizes the authentication process by leveraging an Identity Provider, such as Azure or Okta.
Credential Management: Stores and easily rotates passwords, such as those of domain administrators, to reduce the amount of time a password goes without being changed.
Some tools provide Just-in-Time (JiT) access, one-time passwords, or the changing of passwords upon check-in to even further increase security and prevent the bypassing of a PAM solution.
Even more mature implementations can automate password rotations of application accounts and web passwords.
Account Discovery: Features like this actively scan your network to determine where privileged accounts exist, ensure they get brought into your PAM solution automatically upon discovery, and raise an alert. This can also assist with the onboarding process of privileged accounts that already exist and can change the password upon creation of the account in the PAM tool.
Reporting: Provides several out-of-the-box reports to see the status of accounts within the solution and provides a way to create custom reports to meet your organization's wants and needs. This feature should also allow for a scheduled email of the reports you’re interested in receiving regularly.
Role-Based Access Control (RBAC): Restricts systems access to only authorized users and allows for granular permissions control on folders and accounts within the system.
Threat Analytics: Provides integration with a threat analytics tool to actively monitor and mitigate the risk of a compromised account by referencing a previously learned baseline of user behavior. These tools can automatically lock out an account, end a privileged session, and more.
Privileged Session Management: Allows the security team to control where sessions are coming from related to privileged access. For example, only accept RDP connections from a specific set of servers within an environment.
Auditing: One of the most important features that any PAM tool you implement must include is auditing. This provides a clear and precise audit trail in the event of account misuse or abuse and non-repudiation. The best PAM solutions even provide session recording and monitoring for you to review sessions or even restrict specific commands privileged users can utilize.
Compliance: Ensures compliance with SOC2, NIST, GDPR, ISO 27001:2013, FedRAMP, and more to keep customers moving forward in the ever-evolving InfoSec requirements.
Convenience: Provides easy integration to a variety of tools such as SIEM solutions, ServiceNow, Qualys, and much more. A reliable PAM tool provides an easy-to-use API for IT teams to implement and utilize for even more custom integrations.
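The session-management rule described above (privileged RDP sessions accepted only from a specific set of servers) can also be verified from logon events, which is where the auditing and SIEM integration features meet. This is an added example, not part of the original post or of any PAM product: the jump-host range, the account names and the flattened key=value log lines are all constructed for illustration.

```python
import ipaddress

# Assumed values for illustration: approved jump hosts and privileged accounts.
JUMP_HOSTS = [ipaddress.ip_network("10.10.5.0/28")]
PRIVILEGED = {"da_jsmith", "administrator", "svc_backup"}

# Constructed sample: Windows logon events (ID 4624) flattened to key=value.
# LogonType=10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
EventID=4624 Computer=SRV-DB1 TargetUserName=da_jsmith LogonType=10 IpAddress=10.10.5.4
EventID=4624 Computer=SRV-DB1 TargetUserName=da_jsmith LogonType=10 IpAddress=10.20.31.77
EventID=4624 Computer=SRV-APP1 TargetUserName=mlee LogonType=10 IpAddress=10.20.31.80
EventID=4624 Computer=SRV-APP1 TargetUserName=svc_backup LogonType=5 IpAddress=-
EventID=4624 Computer=DC01 TargetUserName=Administrator LogonType=10 IpAddress=192.168.7.15
"""


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict, ignoring tokens without '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def unapproved_rdp_sessions(log_text):
    """Privileged RDP logons whose source is not an approved jump host."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("EventID") != "4624" or event.get("LogonType") != "10":
            continue  # only successful RDP logons are in scope
        user = event.get("TargetUserName", "")
        if user.lower() not in PRIVILEGED:
            continue
        raw_ip = event.get("IpAddress", "")
        try:
            source = ipaddress.ip_address(raw_ip)
        except ValueError:
            source = None  # missing or malformed source is itself a finding
        if source is None or not any(source in net for net in JUMP_HOSTS):
            findings.append((user, event.get("Computer", "?"), raw_ip))
    return findings


if __name__ == "__main__":
    for user, computer, ip in unapproved_rdp_sessions(SAMPLE_EVENTS):
        print(f"ALERT privileged RDP logon: {user} -> {computer} from {ip}")
```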
Conclusion
There are many things to consider when it comes to a network's security posture, but Privileged Access Management (PAM) should be at the forefront of those considerations. The misuse of a privileged account can cause a disaster for a company and its clients. It is quite frightening when a company isn't sure when the password of a privileged account was last changed, yet that same account is used daily to configure the core components that keep a company running. By working with a trusted partner, a successful PAM implementation can begin right around the corner. While a mature deployment of PAM can be an extensive process, there are many quick wins you can address early on. In these early stages, you will very quickly see the benefits discussed in this article come to fruition. Deploying a PAM solution strengthens your company’s security posture and gives you the satisfaction of knowing that your privileged accounts are being managed with a best practices approach.
If you would like to learn more about protecting your organization’s Privileged Accounts, visit our Privileged Access Management and PAM as a Service (PAMaaS) pages.
Talk to the experts at CyberSolve to see how your organization can implement Cybersecurity to fit your organization’s needs.